Free software activities in March 2023

Here is my monthly update covering what I have been doing in the free software world during March 2023 (previous month).

• As a proof-of-concept, I put together a set of ICS files for the UK Picturehouse Cinema chain. This allows them to be displayed within, for instance, Google Calendar. (Git repo).

Reproducible Builds

The Reproducible Build project's mission is to ensure the security of the 'supply chains' used in open source software — that is, preventing attacks targeting the complex systems that build our shared digital infrastructure. This month, I:

• Kept isdebianreproducibleyet.com up to date. [...]

• Updated the main Reproducible Builds website and documentation.

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• Drafted, published and publicised our monthly report for February.

• Submitted 2 patches to fix specific reproducibility issues (in esda & gle-graphics-manual).

• I made the following changes to diffoscope, including preparing and uploading versions 238, 239 and240` to Debian:

  • Fix compatibility with PyPDF 3.x, and correctly restore test data. [...]
  • Rework PDF annotation handling into a separate method. [...]

Debian

• python-django (4.2~rc1-1) — New Django 4.2 release candidate.

• memcached (1.6.19-1) — New upstream release (release notes).

• redis:

  • 7.0.9-1 — New upstream security release.
  • 7.0.10-1 — New upstream security release.
  • 7.2~rc1-1 — New upstream 7.2 branch release candidate.

• I also filed an unblock request for Redis version 5:7.0.10-1. (#1033677)

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged: cairosvg (CVE-2023-27586), dino-im (CVE-2023-28686), gpac (CVE-2023-1654 & CVE-2023-1655), knot-resolver (CVE-2023-26249), libde265 (CVE-2023-27102 & CVE-2023-27103), liferea (CVE-2023-1350), musescore (CVE-2023-26923), nheko (CVE-2022-39264), node-matrix-js-sdk (CVE-2023-28427), ruby-loofah, runc (CVE-2023-25809) and xdrp (CVE-2022-23480, etc.)

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Issued DLA 3361-1 to address an potential remote denial of service vulnerability in redis, a popular key-value database. Authenticated users could have used string matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack, causing it to hang and consume 100% CPU time.

• Issued DLA-3375-1 for the xrdp Remote Desktop Protocol (RDP) server:

  • CVE-2022-23480: Prevent a series of potential buffer overflow vulnerabilities in the devredir_proc_client_devlist_announce_req() function.

  • CVE-2022-23481: Fix an out-of-bounds read vulnerability in the xrdp_caps_process_confirm_active() function.

  • CVE-2022-23482: Fix an out-of-bounds read vulnerability in the xrdp_sec_process_mcs_data_CS_CORE() function.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.