Free software activities in May 2024

Here is my monthly update covering what I have been doing in the free software world during May 2024 (previous month):

Debian

• bfs (3.2-1) — New upstream release.

• lastpass-cli (1.5.0-1) — New upstream release.

• memcached (1.6.27-1) — New upstream release.

• python-django:

  • 4.2.13-1 — New upstream bugfix release.
  • 5.0.6-1 — New upstream bugfix release to Debian experimental
  • 5.1~alpha1-1 — New upstream 'alpha' release to Debian experimental.

Reproducible Builds

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation processes by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month, I:

• Kept isdebianreproducibleyet.com up to date. […]

• Submitted a number of patches to fix specific reproducibility issues, including:

  • gensio
  • python-tld
  • ruby-pgplot
  • screenkey
  • tkgate

• Categorised a very large number of packages and issues in the Reproducible Builds notes.git repository.

• Drafted, published and publicised monthly report for April 2024.

• Updated the main Reproducible Builds website and documentation to make the print CSS stylesheet nicer. […]

• strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build. This month, I merged an important dependency change, and then dropped the Depends, Build-Depends and Makefile.PL PREREQ_PM entry for the libsub-override-perl package […] before uploading.

Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 266, 267, 268 and 269 to Debian:

• New features:

  • Use xz --list to supplement output when comparing .xz archives; essential when metadata differs. (#1069329)
  • Include xz --verbose --verbose (ie. double) output. (#1069329)
  • Strip the first line from the xz --list output. […]
  • Only include xz --list --verbose output if the xz has no other differences. […]
  • Actually append the xz --list after the container differences, as it simplifies a lot. […]

• Testing improvements:

  • Allow Debian testing to fail right now. […]
  • Drop apktool from Build-Depends; we can still test APK functionality via autopkgtests. (#1071410)
  • Add a versioned dependency for at least version 5.4.5 for the xz tests as they fail under (at least) version 5.2.8. (#374)
  • Fix tests for 7zip 24.05. […][…]
  • Fix all tests after additon of xz --list. […][…]

• Misc:

  • Update copyright years. […]

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Overhauled the ./check-eol script for ELTS in order to make it more Pythonic.

• Investigated and triaged: tpm2-tss (CVE-2024-29040), roundcube, gst-plugins-base1.0 (CVE-2024-4453), libcrypto++ (CVE-2024-28285), requests (CVE-2024-35195), iperf3 (CVE-2024-26306), intel-microcode (CVE-2023-45733, CVE-2023-45745, CVE-2023-46103 & CVE-2023-47855), pymongo (CVE-2024-21506) and gst-plugins-base1.0 (CVE-2024-4453).

• Issued ELA-1101-1 because three vulnerabilities were fixed in Django, a popular Python-based web development framework:

  • CVE-2023-36053: Prevent a potential regular expression denial of service (DoS) vulnerability in the EmailValidator and URLValidator classes. These two routines were subject to potential regular expression denial of service attack via a very large number of domain name labels of emails and URLs.

  • CVE-2023-43665: Fix a DoS vulnerability in the django.utils.text.Truncator class. Following the fix for CVE-2019-14232, the regular expressions used in the implementation of Truncator's chars() and words() methods were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability.

  • CVE-2024-24680: Prevent a potential DoS in the intcomma template filter. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

• Issued DLA 3822-1 and ELA 1100-1 as it was discovered that there was a potential SQL injection attack in python-pymysql, a MySQL client library for Python. This was exploitable when python-pymysql was used with untrusted JSON input as keys were not escaped by the escape_dict routine.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.