Here is my monthly update covering what I have been doing in the free software world during September 2023 (previous month):
Reproducible Builds
Whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes. The motivation behind the Reproducible Builds effort is therefore to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month, I:
- Kept isdebianreproducibleyet.com up to date. [...]
- Submitted 5 patches to fix specific reproducibility issues in apophenia, blaspp, lapackpp, mkdocs-material & sphinxcontrib-mermaid.
- Drafted, published and publicised our monthly report for August 2023.
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, I fixed compatibility with file(1) version 5.45 [...] and updated some documentation [...].
Debian
- bfs (3.0.2-1) — New upstream release.
- 3.2.21-1 — New upstream security release.
- 4.2.5-1 — New upstream security release.
- 4.2.5-2 — Upload of 4.x branch to Debian unstable.
- 5.0~alpha1-1 — New upstream 'alpha' release to Debian experimental.
Debian LTS
This month I have worked 17 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged cacti (CVE-2023-30534), e2guardian (CVE-2021-44273), exiv2 (CVE-2020-18831), libraw (CVE-2020-22628), libtommath (CVE-2023-36328), memcached (CVE-2020-22570), node-cookiejar (CVE-2022-25901), poppler (CVE-2020-18839), python-django (CVE-2023-41164), python-mechanicalsoup (CVE-2023-34457), python-pyramid (CVE-2023-40587), redis (CVE-2023-41053), xrdp (CVE-2023-40184) and zziplib (CVE-2020-18770).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 3557-1 and ELA-943-1 as it was discovered that there was a potential Denial of Service (DoS) vulnerability in memcached, a high-performance in-memory object caching system. A crash could have occurred when handling “multi-packet” uploads in UDP mode. Deployments of memcached that only use TCP are likely unaffected by this issue. (CVE-2022-48571)
- Issued DLA 3558-1 and ELA-944-1 because there was a denial of service vulnerability announced for Django, a popular Python-based web development framework. Upstream reported that there was a potential vulnerability in django.utils.encoding.uri_to_iri(). This method was subject to a potential DoS attack via certain inputs with a very large number of Unicode characters. (CVE-2023-41164)
- Issued DLA 3561-1 as it was discovered that there was a potential Regular Expression Denial of Service (ReDoS) attack in node-cookiejar, a Node.js library for parsing and manipulating HTTP cookies. An attack was possible via passing a large value to the Cookie.parse function. (CVE-2022-25901)
- Issued DLA 3564-1. This was because it was discovered that there was a potential Man In the Middle (MITM) vulnerability in e2guardian, a popular web content filtering engine. Validation of SSL certificates was missing in e2guardian's own MITM prevention engine. In standalone mode (i.e. acting as a proxy or a transparent proxy) with SSL MITM enabled, e2guardian did not validate hostnames in certificates of the web servers that it connected to, and thus was itself (!) vulnerable to MITM attacks.
You can find out more about the Debian LTS project via the following video: