Here is my monthly update covering what I have been doing in the free software world during June 2026 (previous month):
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
-
Kept isdebianreproducibleyet.com up to date. […]
-
Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
-
I also submitted a large number of patches to fix specific reproducibility issues in
bingo,golang-github-cyclonedx-cyclonedx-go,golang-github-tobischo-gokeepasslib,golang-github-ysmood-got,libecoli,lmarbles,meshy,mkdocs-include-markdown-plugin,nfstest,node-chartjs-adapter-date-fns,node-egjs-hammerjs,node-fuse.js&rocm-docs-core, etc. -
I also filed a bug against the
nanopub, alas without a patch, after noticing that their binaries differ when built usingnocheckin order to share my initial findings. (#1140687) -
Categorised a large number of packages and issues in the Reproducible Builds
notes.gitrepository. -
Drafted, published and publicised our monthly report for May 2026.
-
I performed a sponsored upload of
cairocffiversion1.7.1-6in Debian (prepared by Arian Ott) to remove various test files before installation. (#1138232)
- Updated the main Reproducible Builds website and documentation to add a reminder re. using the UTC variants of the Javascript
Datemethods. […]
-
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 319, 320, 321, 322 and 323 to Debian:
- Debian adds an extra
Flags:line in the output ofocamlobjinfo, so adjust the test for cross-distribution compatibility. […] - Bump debhelper compatibility level to 14. […]
- Fix compatibility with Ocaml 5.4.1. […]
- Use
--long-form-style arguments when callingapktoolin order to support apktool version 3. […] - Support Androguard version 4 and previous versions at the same time. […]
- Update copyright years. […]
- Debian adds an extra
-
I also made the following changes to strip-nondeterminism, our tool to remove specific non-deterministic results from a completed build:
Debian
-
bfs(4.1.3-1) — New upstream release. -
1.3.12-4.1— Non-maintainer upload to lix compatibility with Django 5.x, by applying an upstream patch to not rely on private test methods. (#1134838)1.3.12-4.2— Re-upload as a "source-only" upload.
-
1.3.13-1+deb13u1.1— Non-maintainer upload to update binary dependency to permit installation with Django 5.2. (#1135698)1.3.13-1+deb13u1.2— Re-upload as a "source-only" upload.
-
5.2.15-1— New upstream security release.5.2.15-2— Apply a patch from upstream to fix a build failure with GNU gettext version 0.26. (#1126978)5.2.15-2~bpo13+1— Upload totrixie-backports.6.0.6-1— New upstream security release.6.1~beta1-1— New upstream beta release.
I performed a sponsored upload of cairocffi version 1.7.1-6 (prepared by Arian Ott) to remove various test files before installation. (#1138232)
Debian LTS
This month I have worked 30 hours on Debian Long Term Support (LTS) and on its sister Extended LTS (ELTS) project.
-
Investigated and triaged:
async-http-client(CVE-2026-45300),cockpit(CVE-2026-4802),gpac(CVE-2025-55639),keras(CVE-2026-12479),libssh2,libxml-libxml-perl(CVE-2026-8177),nodejs,openslide(CVE-2026-48977),python-urllib3,python2.7(CVE-2026-11940&CVE-2026-0864),redis(CVE-2026-23479,CVE-2026-23631&CVE-2026-25243) andsogo(CVE-2026-46445,CVE-2026-46446,CVE-2025-71276,CVE-2026-33550,CVE-2026-8496&CVE-2026-8851). -
Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
-
Issued DLA 4657-1 because multiple vulnerabilities were discovered in SOGo, the open-source webmail and groupware server:
-
CVE-2026-46445: Fix a SQL injection vulnerability when PostgreSQL is used as the user database. -
CVE-2026-46446: Address a SQL injection vulnerability when MariaDB or PostgreSQL is used as the user database and passwords are stored in cleartext. -
CVE-2025-71276: Fix a Cross-Site Scripting (XSS) vulnerability in events, tasks and contacts categories. -
CVE-2026-33550: Address a number of Time-Based One-Time Passwords (TOTP) vulnerabilities, including if a user disables/enables TOTP, various values not being renewed, and an issue around recommended TOTP lengths. -
CVE-2026-8496: Fix an issue where a maliciously crafted.icscalendar invitation file allowed arbitrary JavaScript execution within an authenticated webmail session. -
CVE-2026-8851: Fix an SQL injection vulnerability in the access control list management functionality which could have allowed authenticated users to extract arbitrary data from the database by injecting SQL subqueries through theuidparameter of theaddUserInAclsendpoint. -
In addition, a patch was added to fix a Cross-Site Scripting (XSS) vulnerability in message subject rendering.
-
-
Issued DLA 4658-1 and ELA 1764-1 as two issues were discovered in librabbitmq, a C-language client library used to communicate with RabbitMQ servers using the Advanced Message Queuing Protocol (AMQP):
-
CVE-2026-44235: Asize_t-related underflow in AMQP frame length computation could have led to an out-of-bounds read. -
CVE-2026-44236: A heap buffer overflow in AMQP login handshake via undersizedconnection.tune.frame_max.
-
You can find out more about the Debian LTS project via the following video:
