Here is my monthly update covering what I have been doing in the free software world during October 2024 (previous month).
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no malicious flaws have (or can) be introduced during software compilation processes.
This month, I:
-
Kept isdebianreproducibleyet.com up to date. […]
-
I submitted patches to fix specific reproducibility issues in
nickle,python-roborock,pywayland&readsb. -
Categorised a large number of packages and issues in the Reproducible Builds
notes.gitrepository. -
Drafted, published and publicised our monthly report for September.
-
Updated the main Reproducible Builds website and documentation, helping to land a large number of merge requests from outside contributors, as well as made the following changes:
- Correct the name of Civil Infrastructure Platform name and update image on the Projects page. […]
- Update broken link on the Value Initialization page. […]
- Try and make pipeline/branch builds of the website easier to browse. […][…][…][…]
In our tooling, I made the following changes to diffoscope, including preparing and uploading versions 279, 280, 281 and 282 to Debian:
- Ignore errors when listing
.ararchives (#1085257). […] - Don't try and test with
systemd-ukifyin the Debian stable distribution. […] - Drop Depends on the deprecated
python3-pkg-resources(#1083362). […]
Debian
Patches contributed
-
cpio: Please run the testsuite in autopkgtests. (#1086445) -
xraylarch: Ships coverage data directly under/usr/lib/python3/dist-packages. (#1085381)
Uploads
-
bfs(4.0.3-1) — New upstream release. -
1.6.32-1— New upstream release.1.6.32-2— Enable the built-in proxy server support. (#1086113)
-
python-django(5.1.2-1) — New upstream release. -
7.0.15-2— New upstream security release.7.2.5-2— New upstream security release (to experimental)
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
-
Investigated and triaged:
python2.7(CVE-2024-9287),nvidia-graphics([CVE-2024-0126](https://tracker.debian.org/tracker/CVE-2024-0126)), [suricata](https://security-tracker.debian.org/tracker/source-package/suricata) ([CVE-2024-45795](https://tracker.debian.org/tracker/CVE-2024-45795), [CVE-2024-45796](https://tracker.debian.org/tracker/CVE-2024-45796), [CVE-2024-47187](https://tracker.debian.org/tracker/CVE-2024-47187), [CVE-2024-47188](https://tracker.debian.org/tracker/CVE-2024-47188) & [CVE-2024-47522](https://tracker.debian.org/tracker/CVE-2024-47522)), [twitter-bootstrap4](https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap4)(CVE-2024-6531),cacti(CVE-2024-43362,CVE-2024-43363,CVE-2024-43364&CVE-2024-43365),xhtml2pdf(CVE-2024-25885),glibc(CVE-2023-4806),openvpn(CVE-2024-5594) &shadow(CVE-2018-7169). -
Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, attending meetings, etc.
-
Issued DLA 3919-1 ELA 1204-1 as it was discovered that there was a configuration issue in
libapache-mod-jk, an Apache web server module used to forward requests from Apache to Tomcat using the AJP protocol. An issue with incorrect default permissions could have allowed local users to view and modify shared memory containingmod_jk's configuration, which may have potentially led to information disclosure and/or a denial of service attack. -
Issued DLA 3934-1 and ELA 1211-1 for the
libheifpackage because it was discovered that there was a potential out-of-bounds read vulnerability this a decoder and encoder for the HEIF and AVIF image formats. It was revealed that insufficient checks in theImageOverlay::parse()function could have been exploited by an overlay image with forged offsets which could, in turn, have led to undefined behaviour.
You can find out more about the Debian LTS project via the following video: