Here is my monthly update covering what I have been doing in the free software world during May 2025 (previous month):
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
This month, I:
- Kept isdebianreproducibleyet.com up to date. […]
- Submitted a patch to fix a specific reproducibility issue in `golang-github-lucas-clemente-quic-go`.
- Categorised a large number of packages and issues in the Reproducible Builds `notes.git` repository.
- Drafted, published and publicised our monthly report for April.
- Updated the main Reproducible Builds website and documentation:
  - Merged four or five suggestions from Guillem Jover for the GNU Autotools examples on the `SOURCE_DATE_EPOCH` example page. […]
  - Incorporated a number of fixes for the JavaScript `SOURCE_DATE_EPOCH` snippet from Sebastian Davis, which did not handle non-integer values correctly. […]
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 295, 296 and 297 to Debian:
- Don't rely on zipdetails' `--walk` argument being available, and only add that argument on newer versions after we test for that. […]
- Review and merge support for NuGet packages from Omair Majid. […]
- Update copyright years. […]
- Merge support for an `lzma` comparator from Will Hollywood. […]
… and I also merged an impressive changeset from Siva Mahadevan to make disorderfs more portable, especially on FreeBSD. disorderfs is our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues. […]
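Two of the items above touch the same underlying problem from opposite ends: the `SOURCE_DATE_EPOCH` snippet fix (rejecting non-integer values rather than mangling them into a different timestamp) and disorderfs (shuffling directory order so a build that trusts `readdir` order is caught). The following Python is an added example, not code from the Reproducible Builds project or from this post, that puts both into one small archive-building step: it validates `SOURCE_DATE_EPOCH` strictly, pins every timestamp and ownership field to it, and lets the caller inject a disorderfs-style directory permutation to show that only the variant which sorts its entries produces the same digest twice. The `listdir` parameter, the `demo()` tree and the epoch value are constructed for this example.

```python
import gzip
import hashlib
import io
import os
import re
import tarfile
import tempfile

_EPOCH_RE = re.compile(r"[0-9]+")


def parse_source_date_epoch(value):
    """Return SOURCE_DATE_EPOCH as an int, or None when it is unset.

    The variable is specified as a non-negative integer number of seconds since
    1970-01-01T00:00:00Z, so "1.5", "-1" or "" are rejected outright instead of
    being silently truncated into some other timestamp.
    """
    if value is None:
        return None
    value = value.strip()
    if not _EPOCH_RE.fullmatch(value):
        raise ValueError(f"SOURCE_DATE_EPOCH must be a non-negative integer, got {value!r}")
    return int(value)


def build_archive(src_dir, epoch, listdir=os.listdir, sort_entries=True):
    """Pack the files directly under src_dir into an in-memory .tar.gz and
    return its SHA-256 hex digest.

    `listdir` is injectable (an assumption of this example) so a caller can hand
    in a disorderfs-style permutation of the directory; sort_entries=False
    reproduces the classic bug of trusting whatever order the filesystem returns.
    """
    buf = io.BytesIO()
    # gzip keeps its own mtime in the header; pin it to the epoch as well.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=epoch) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            names = listdir(src_dir)
            if sort_entries:
                names = sorted(names)
            for name in names:
                path = os.path.join(src_dir, name)
                info = tar.gettarinfo(path, arcname=name)
                # Normalise everything else that differs between build machines.
                info.mtime = epoch
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
    return hashlib.sha256(buf.getvalue()).hexdigest()


def demo():
    """Build a constructed three-file tree under two different directory orders."""
    epoch = parse_source_date_epoch("1748736000")  # constructed: 2025-06-01T00:00:00Z
    with tempfile.TemporaryDirectory() as src:
        for name, content in (("a.txt", b"alpha\n"), ("b.txt", b"bravo\n"), ("c.txt", b"charlie\n")):
            with open(os.path.join(src, name), "wb") as fh:
                fh.write(content)
        in_order = lambda d: sorted(os.listdir(d))                # one machine's readdir order
        shuffled = lambda d: sorted(os.listdir(d), reverse=True)  # what disorderfs might hand back
        return {
            "sorted_a": build_archive(src, epoch, in_order, sort_entries=True),
            "sorted_b": build_archive(src, epoch, shuffled, sort_entries=True),
            "unsorted_a": build_archive(src, epoch, in_order, sort_entries=False),
            "unsorted_b": build_archive(src, epoch, shuffled, sort_entries=False),
        }


if __name__ == "__main__":
    for key, digest in demo().items():
        print(f"{key:<10} {digest}")
```

Running it prints four digests: the two `sorted_*` lines match regardless of the order the directory was read in, while the two `unsorted_*` lines differ, which is exactly the kind of difference disorderfs exists to surface before a package reaches the archive.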
Debian
-
  - 1.6.1-2 — Don't fail the build if the testsuite fails. The underlying package works successfully, but the test harness supplied by upstream is regrettably, currently buggy. (#1092429)
  - 1.6.1-3 — Apply patch from @ncopa on upstream's GitHub issue to fix a compatibility issue with OpenSSL 3.5 worked around in the fix for #1092429.
-
  - 4.2.21-1 — New upstream security release.
  - 5.2.1-1 — New upstream security release.
-
  - 2.29.0-1 — New upstream release, intended to prevent an `autopkgtest` regression that was causing a regression within `python-redis` which was, in turn, preventing the `redis` package from migrating.
  - 2.29.0-2 — Allow two specific `autopkgtest`s to fail, as they appear to be flaky and/or nondeterministic.
  - 2.29.0-3 — Address a number of `autopkgtest` regression issues exposed by the previous two uploads, including requiring Redis 8 and `python3-mock` and disabling the `test_time` test due to an incompatibility with the new version of Mock and `mock_use_standalone_module`. (#1105992)
  - 2.29.0-4 — Overhaul the list of flaky tests that are not run during `autopkgtest` execution; some of these had been renamed/reorganised since they were originally added. (#1105992)
-
  - 6.1.0-1 — New upstream release required to support Redis 8.x; overhauled packaging somewhat.
  - 6.1.0-2 — Use Python's `math.isclose()` over testing for floating point equality. This should fix broken autopkgtests on the `arm64`, `ppc64el`, `riscv64` and `s390x` architectures. (#1106376)
I also submitted patches for:
- `libtest-redisserver-perl`: Fix an issue where the testsuite was relying on Redis emitting a particular error message that changed in Redis 8. (#1106425)
- `python-hypothesis`: Ignore `DeprecationWarning` exceptions raised in the testsuite as it, in turn, causes interconnected compatibility issues with both `python-fakeredis` and `python-redis`. (#1106438)
And, finally, I submitted a request to unblock `redis` version 8.0.0-2 for inclusion in the next Debian stable release, trixie. (#1106871)
Debian LTS
This month I have worked 15.5 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged `firefox-esr` (CVE-2025-4083, CVE-2025-4087, CVE-2025-4091 & CVE-2025-4093), `golang-golang-x-net` (CVE-2025-22872), `libeconf` (CVE-2023-22652, CVE-2023-32181), `nodejs` (CVE-2025-47153), `openjdk-17`, `python-django` (CVE-2024-24680), `qemu` (CVE-2024-3446, CVE-2024-4467 & CVE-2024-7409), `request-tracker4` (CVE-2024-3262, CVE-2025-30087 & CVE-2025-2545) & `rust-tokio`.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc. Unfortunately, I could not make this month's IRC meeting.
- I also performed a number of tests of debusine.debian.net, a new way of preparing packages for Debian. Through this, I filed a merge request regarding the number of work requests displayed on the logged-in homepage.
- Fully prepared an update for Django for jessie ELTS. This is to address three issues, and it will shortly be released (as 'ELA-1448-1') once the build finishes.
  - CVE-2025-32873: Prevent an issue where the `strip_tags()` function in `django.utils.html` was vulnerable to a potential denial-of-service (DoS) attack when processing inputs containing large sequences of incomplete HTML tags. The `|striptags` template filter was similarly vulnerable, for it is built on top of `strip_tags()`. (#1104872)
  - CVE-2024-24680: Prevent an issue where the `|intcomma` template filter was subject to a potential denial-of-service attack when (ab)used with very long strings.
  - CVE-2023-36053: Prevent a potential denial-of-service issue in the `EmailValidator` and `URLValidator` classes that could have been exploited via a very large number of domain name labels containing emails or web addresses. (#1040225)
- Issued DLA 4164-1 because it was discovered that there was a potential buffer overflow vulnerability in `libeconf`, a configuration file parser used in openSUSE and openSUSE-related projects. This issue could have been exploited via maliciously crafted configuration files.
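The three Django issues in the jessie ELTS update above share one shape: an input that is cheap to send but expensive to process, whether many incomplete tags, a very long string, or a huge number of domain labels. The following Python is an added illustration of the guard pattern such fixes rely on; it is neither Django's code nor the ELTS patches, and its `strip_tags_bounded()`, `validate_domain_labels()`, `InputTooComplex` exception and the `max_passes` limit of 50 are assumptions of this example. The toy tag stripper iterates to a fixpoint, which is what makes nested or incomplete tags costly, but refuses any input that needs more than a fixed number of passes, and the label check rejects hostnames up front that no valid name could ever have.

```python
import re


class InputTooComplex(ValueError):
    """Raised so the caller fails fast instead of burning CPU on a pathological input."""


# Toy single pass: remove every innermost <...> tag. Repeating it to a fixpoint
# is what makes nested or incomplete tags expensive, because each pass only
# peels away one layer; that growth in cost is what the cap below bounds.
_INNERMOST_TAG = re.compile(r"<[^<>]*>")


def strip_tags_bounded(value, max_passes=50):
    """Strip tags to a fixpoint, refusing inputs that need more than max_passes passes.

    max_passes=50 is a constructed policy value for this example, not a
    library default.
    """
    passes = 0
    while "<" in value and ">" in value:
        new_value = _INNERMOST_TAG.sub("", value)
        if new_value == value:
            break  # no complete tag left, e.g. only a stray '<' or '>'
        value = new_value
        passes += 1
        if passes > max_passes:
            raise InputTooComplex(f"gave up after {max_passes} stripping passes")
    return value


def validate_domain_labels(hostname, max_labels=127):
    """Cheap pre-check to run before any per-label validation regex.

    A hostname is at most 253 octets, so even one-character labels give at most
    127 of them; anything with more labels can never be valid and is rejected
    before the expensive work starts.
    """
    labels = hostname.split(".")
    if len(labels) > max_labels:
        raise InputTooComplex(f"{len(labels)} labels exceeds the limit of {max_labels}")
    return labels


if __name__ == "__main__":
    print(strip_tags_bounded("a <b>bold</b> c"))
    print(validate_domain_labels("www.example.com"))
```

The point of both guards is that the rejection happens in time proportional to the input length, so an oversized request costs the server roughly what it cost the client to send, rather than something quadratic or worse.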
You can find out more about the Debian LTS project via the following video: