

Here is my transparent report for my work on the Debian Long Term Support (LTS) project, which extends the security support for past Debian releases, as a paid contributor.

In July, the monthly sponsored hours were split evenly among contributors depending on their max availability - I declared max 30h and got 18.5h.

My time was mostly spent on Front-Desk duties, as well as improving our scripts & docs.

Current vulnerabilities triage:

  • CVE-2019-13117/libxslt CVE-2019-13118/libxslt: triage (affected, dla-needed)
  • CVE-2019-12781/python-django: triage (affected)
  • CVE-2019-12970/squirrelmail: triage (affected)
  • CVE-2019-13147/audiofile: triage (postponed)
  • CVE-2019-12493/poppler: jessie triage (postponed)
  • CVE-2019-13173/node-fstream: jessie triage (node-* not supported)
  • exiv2: jessie triage (5 CVEs, none to fix - CVE-2019-13108 CVE-2019-13109 CVE-2019-13110 CVE-2019-13112 CVE-2019-13114)
  • CVE-2019-13207/nsd: jessie triage (affected, postponed)
  • CVE-2019-11272/libspring-security-2.0-java: jessie triage (affected, dla-needed)
  • CVE-2019-13312/ffmpeg: (libav) jessie triage (not affected)
  • CVE-2019-13313/libosinfo: jessie triage (affected, postponed)
  • CVE-2019-13290/mupdf: jessie triage (not-affected)
  • CVE-2019-13351/jackd2: jessie triage (affected, postponed)
  • CVE-2019-13345/squid3: jessie triage (2 XSS: 1 unaffected, 1 reflected affected, dla-needed)
  • CVE-2019-11841/golang-go.crypto: jessie triage (affected, dla-needed)
  • Call for triagers for the upcoming weeks

Past undetermined issues triage:

  • libgig: contact maintainer about 17 pending undetermined CVEs
  • libsixel: contact maintainer about 6 pending undetermined CVEs
  • netpbm-free - actually an old Debian-specific fork: contact original reporter for PoCs and attach them to BTS; CVE-2017-2579 and CVE-2017-2580 not-affected, doubts about CVE-2017-2581

Documentation:

Tooling - bin/lts-cve-triage.py:

  • filter out 'undetermined' but explicitly 'ignored' packages (e.g. jasperreports)
  • fix formatting with no-colors output, hint that color output is available
  • display lts' nodsa sub-states
  • upgrade unsupported packages list to jessie

Posted Wed Jul 31 13:32:27 2019


I did some clean-up / resync on the planet.gnu.org setup :)

  • Fix issue with newer https websites (SNI)
  • Re-sync Debian base config, scripts and packaging, update documentation; the planet-venus package is still in bad shape though, it's not officially orphaned but the maintainer is unreachable AFAICS
  • Fetch all Savannah feeds using https
  • Update feeds with redirections, which seem to mess-up caching

Posted Sun Jul 21 16:42:37 2019


Here is my transparent report for my work on the Debian Long Term Support (LTS) project, which extends the security support for past Debian releases, as a paid contributor.

In June, the monthly sponsored hours were split evenly among contributors depending on their max availability - I declared max 30h and got 17h.

I mostly spent time on tricky updates. Uploading one with literally thousands of reverse dependencies can be quite a challenge. Especially when, as is sadly common, the CVE description is (willingly?) vague, and no reproducer is available.

Posted Sun Jun 30 20:16:37 2019


Here is my transparent report for my work on the Debian Long Term Support (LTS) project, which extends the security support for past Debian releases, as a paid contributor.

In May, the monthly sponsored hours were split evenly among contributors depending on their max availability - I declared max 30h and got 18h.

  • firefox-esr: jessie-security update, security-ish issue with modules signing authority, backporting stretch's
  • CVE-2018-19969/phpmyadmin: attempt backporting the 49 patches and decide against it since they merely mitigate the CSRF issues but certainly break the testsuite
  • CVE-2018-20839/systemd: attempt to reproduce issue in Jessie, conclude no-dsa due to non-reproducibility and regressions introduced by the patch
  • CVE-2019-2697/openjdk-7: triage (sync with previous uploaders, conclude "not-affected")
  • CVE-2019-0227/axis: triage (clarify SSRF situation, sync with packager, conclude "unfixed")
  • dns-root-data: discuss potential update, conclude not relevant due to no reverse dependencies
  • gradle, kdepim: update triage info

Incidentally, last month I mentioned how regularly updating a 19MB text file caused issues in Git - it appears it's even breaking salsa.debian.org! Sadly conversation between involved parties appears difficult.

If you'd like to know more about LTS security, I recommend you check:

Posted Fri May 31 15:22:10 2019


Here is my transparent report for my work on the Debian Long Term Support (LTS) project, which extends the security support for past Debian releases, as a paid contributor.

In April, the monthly sponsored hours were split evenly among contributors depending on their max availability - I declared max 30h and got 17.25h.

Most of my time was spent on frontdesk duties, in particular vulnerabilities (CVE) triaging, so other contributors quickly know what to work on.
In all honesty I spent more time than assigned, as I took it upon myself to dig into how things work. Fun facts:

  • The (stable, non-LTS) Debian Security Team has a dozen members but the vast majority of the work is done by 2 people - every single day.
  • The main workflow is: import a daily list of new (public) CVEs from MITRE, batch classify for-us/not-for-us, locate information (patches...), determine severity, and possibly fix. I'm not sure how we're notified of private (embargoed) issues, they are rare.
  • The CVE list grew to a 19MB text file, which Git is pathologically bad at handling. Be ready to git gc regularly and forget about git blame (which is annoying when tracking the evolution of a particular vulnerability).
  • We discussed how to justify whether to fix a vulnerability, with topics on funding and light justifications ("minor issue").
  • Dealing with MITRE is still difficult, I couldn't get CVE-2018-19211 properly marked as duplicate and we had to de-dup on our side; however they did right on not rejecting CVE-2018-19217 as I asked since we eventually tracked a totally different affected version.

Anyway, for a more formal report:

  • triage of new and past undetermined vulnerabilities for jessie: samba (dla-needed), evolution-ews (dla-needed + open bug), libpodofo (ignored), claws-mail (dla-needed + open bug), kgb-bot (refresh status), systemd (dla-needed), cacti (dla-needed), wireshark (5 dla-needed, 5 not-affected jessie, 3 not-affected stretch), android-platform-system-core (NFU/not for us), exiv2 (not-affected), spip (not-affected), twitter-bootstrap (no-dsa, minor), ncurses (undetermined to duplicate + already fixed, clarify with upstream and MITRE), xslt (still no info from Apple), wpa (2 ignored + dla-needed), webkit2gtk (unsupported), epiphany-browser (not affected), gradle (dla-needed + open bug), qt4-x11 (dla-needed), libxslt (dla-needed), axis (dla-needed + report wrong link), gpac (dla-needed)
  • ghostscript: jessie-security update, backporting stretch-security's
  • answer user request on debian-lts
  • workflow discussions: double-posting announcements, justifying (non-)updates
  • doc updates (reference logos page, update mailing-lists URLs, clamav handling, triage process, www update rationale)

If you'd like to know more about LTS security, I recommend you check:

Posted Mon Apr 29 11:17:16 2019


In February I had requested to join the Debian LTS project, which extends the security support for past Debian releases, as a paid contributor.
Kudos to Freexian for pulling this project out.

I was asked to demonstrate a full security update on my own (non paid) which I did with 2 DLAs (Debian LTS Advisory):

  • freedink-dfarc: jessie-security update, applying my own path traversal security fix
  • phpmyadmin: jessie-security update, assessing 1 CVE as not affected and fixing another

Incidentally, every Debian Developer can make a direct security upload to jessie-security without prior validation (just follow the guide).

-

Following the spirit of transparency that animates Debian and Debian Security, here's my report for my first paid month.

In March, the monthly sponsored hours were split evenly among contributors depending on their max availability.
I got 29.5h, which I spent on:

  • nettle/gnutls: investigate local side-channel attack and conclude no-dsa / minor issue
  • symfony: helped test Roberto's update
  • sqlalchemy: jessie-security update for SQL injection, tested and discussed upstream's own backported patch
  • glib2.0: investigate denial of service and mark as no-dsa / not reproducible
  • ghostscript: investigate sandbox break and (lack of) test suite, and conclude we'll backport the next upstream release
  • pdns: jessie-security update for the 'remote' backend
  • Fixes/updates in dla-needed.txt, our (public) list of triaged security issues
  • Fixes in LTS wiki, templates and scripts, in particular wrt https://www.debian.org/lts/security/ integration

If you'd like to know more about LTS security, I recommend you check:

Posted Wed Apr 3 13:55:56 2019

Android Rebuilds, which provides freely-licensed Android development tools, starts a public repository with F-Droid :)

https://mirror.f-droid.org/android-free/repository/

We're now trying to make it usable for sdkmanager, which should vastly ease the installation process (download what you need, rather than huge mono-version bundles).
Help is welcome to format the repository and possibly adding a way to override sdkmanager's default repositories, join the conversation!

https://forum.f-droid.org/t/call-for-help-making-free-software-builds-of-the-android-sdk/4685

Posted Sun Feb 24 19:28:40 2019

I like the Ren'Py project, a popular game engine aimed at Visual Novels - that can also be used as a portable Python environment.

One limitation was that it required downloading games, while nowadays people are used to Flash- or HTML5- based games that play in-browser without having to (de)install.

Can this be fixed? While maintaining compatibility with Ren'Py's several DSLs? And without rewriting everything in JavaScript?
Can Emscripten help? While this is a Python/Cython project?
After lots of experimenting, and full-stack patching/contributing, it turns out the answer is yes!

Live demo:
https://renpy.beuc.net/
Demos: The Question, Tutorial, Your game

At last I finished organizing and cleaning-up, published under a permissive free software / open source license, like Python and Ren'Py themselves.
Python port:
https://www.beuc.net/python-emscripten/python/dir?ci=tip
Build system:
https://github.com/renpy/renpyweb

Development is going on, consider supporting the project!
Patreon: https://www.patreon.com/Beuc

Posted Tue Feb 19 18:38:01 2019

As described in a previous post, Google is still click-wrapping all Android developer binaries with a non-free EULA.

I recompiled SDK 9.0.0, NDK r18b and SDK Tools 26.1.1 from the free sources to get rid of it:

https://android-rebuilds.beuc.net/

with one-command, Docker-based builds:

https://gitlab.com/android-rebuilds/auto

This triggered an interesting thread about the current state of free dev tools to target the Android platform.

Hans-Christoph Steiner also called for joining efforts towards a repository hosted using the F-Droid architecture:

https://forum.f-droid.org/t/call-for-help-making-free-software-builds-of-the-android-sdk/4685

What do you think?

Posted Sun Dec 2 14:57:30 2018

Why try to choose the host that sucks less, when hosting a single-file (S)CGI gets you decentralized git-like + tracker + wiki?

Fossil

https://www.fossil-scm.org/

We gotta take the power back.

Posted Wed Jun 6 17:12:45 2018

This blog is powered by ikiwiki.