<p>Beuc's Blog: pages tagged security (<a href="https://blog.beuc.net/tags/security/">https://blog.beuc.net/tags/security/</a>, ikiwiki feed, 2020-10-01T16:26:43Z)</p>
<p><a href="https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_September_2020/">Debian LTS and ELTS - September 2020</a> (updated 2020-10-01T16:26:43Z, published 2020-10-01T16:08:50Z)</p>
<p><a href="https://wiki.debian.org/LTS"><img src="https://blog.beuc.net/posts/Debian-LTS-2-256.png" width="256" height="256" alt="Debian LTS Logo" class="img" align="right" /></a></p>
<p>Here is my transparent report for my work on the <a href="https://wiki.debian.org/LTS">Debian Long Term Support (LTS)</a> and <a href="https://wiki.debian.org/LTS/Extended%20project">Debian Extended Long Term Support (ELTS)</a>, which extend the security support for past Debian releases, as a paid contributor.</p>
<p>In September, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 19.75h for LTS (out of my 30 max; all done) and 20h for ELTS (out of my 20 max; all done).</p>
<p><em>ELTS - Jessie</em></p>
<ul>
<li>qemu: jessie triage: finish work started in August</li>
<li>qemu: backport 5 CVE fixes, perform virtual and physical testing, security upload <a href="https://deb.freexian.com/extended-lts/updates/ela-283-1-qemu/">ELA-283-1</a></li>
<li>libdbi-perl: global triage: clarifications, confirm <a href="https://rt.cpan.org/Public/Bug/Display.html?id=99508#txn-1911578">incomplete</a> and attempt to get upstream action, request <a href="https://blog.beuc.net/tags/security/CVE-2014-10402">new CVE</a> following discussion with security team</li>
<li>libdbi-perl: backport 5 CVE fixes, test, security upload <a href="https://deb.freexian.com/extended-lts/updates/ela-285-1-libdbi-perl/">ELA-285-1</a></li>
</ul>
<p><em>LTS - Stretch</em></p>
<ul>
<li>qemu: stretch triage, while working on ELTS update; mark several CVEs unaffected, update patch/status</li>
<li>wordpress: global triage: reference new patches, request proper <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25286">CVE</a> to fix our temporary tracking</li>
<li>wordpress: revamp package: upgrade to upstream's stable 4.7.5->4.7.18 to ease future updates, re-apply missing patches, fix past regression and notify maintainer, security upload <a href="https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html">DLA-2371-1</a></li>
<li>libdbi-perl: common work with ELTS, security upload <a href="https://lists.debian.org/debian-lts-announce/2020/09/msg00026.html">DLA-2386-1</a></li>
<li>public IRC <a href="http://meetbot.debian.net/debian-lts/2020/debian-lts.2020-09-24-14.58.html">team meeting</a></li>
</ul>
<p><em>Documentation/Scripts</em></p>
<ul>
<li><a href="https://wiki.debian.org/LTS/TestSuites/wordpress">LTS/TestSuites/wordpress</a>: new page with testsuite import and manual tests</li>
<li><a href="https://wiki.debian.org/LTS/TestSuites/qemu">LTS/TestSuites/qemu</a>: minor update</li>
<li><a href="https://wiki.debian.org/Sympa">wiki.d.o/Sympa</a>: update Sympa while using it as a libdbi-perl reverse-dep test (update for newer versions, explain how to bootstrap admin access)</li>
<li><a href="https://www.debian.org/lts/security/2020/">www.d.o/lts/security</a>: import a couple missing announcements and notify uploaders about procedures</li>
<li><a href="https://lists.debian.org/debian-lts/2020/09/msg00024.html">Check status</a> for pdns-recursor, following user request</li>
<li><a href="https://lists.debian.org/debian-lts/2020/09/msg00028.html">Check status</a> for golang-1.7 / CVE-2019-9514 / CVE-2019-9512</li>
<li><a href="https://lists.debian.org/debian-lts/2020/09/msg00051.html">Attempt</a> to improve cooperation after seeing my work discarded and redone as-is, which sadly isn't the first time; no answer</li>
<li>Historical analysis of our CVE fixes: experiment to gather per-CVE tracker history</li>
</ul>
<p><a href="https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_August_2020/">Debian LTS and ELTS - August 2020</a> (2020-09-01T10:48:31Z)</p>
<p><a href="https://wiki.debian.org/LTS"><img src="https://blog.beuc.net/posts/Debian-LTS-2-256.png" width="256" height="256" alt="Debian LTS Logo" class="img" align="right" /></a></p>
<p>Here is my transparent report for my work on the <a href="https://wiki.debian.org/LTS">Debian Long Term Support (LTS)</a> and <a href="https://wiki.debian.org/LTS/Extended%20project">Debian Extended Long Term Support (ELTS)</a>, which extend the security support for past Debian releases, as a paid contributor.</p>
<p>In August, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 21.75h for LTS (out of my 30 max; all done) and 14.25h for ELTS (out of my 20 max; all done).</p>
<p>We had a <em>Birds of a Feather</em> <a href="https://meetings-archive.debian.net/pub/debian-meetings/2020/DebConf20/72-debian-lts-bof.webm">videoconf</a> <a href="https://debconf20.debconf.org/talks/72-debian-lts-bof/">session</a> at DebConf20, sadly with varying quality for participants (from very good to unusable), where we shared the first results of the LTS survey.</p>
<p>There were also discussions about evaluating our security reactivity, which proved surprisingly hard to estimate (CVE release dates and criticality metrics are neither accurate nor easily available), and about when it is appropriate to use public naming in procedures.</p>
<p>Interestingly ELTS gained new supported packages, thanks to a new sponsor -- so far I'd seen the opposite, because we were close to the EOL.</p>
<p>As always, there were opportunities to de-dup work through mutual cooperation with the Debian Security team, and LTS/ELTS similar updates.</p>
<p><em>ELTS - Jessie</em></p>
<ul>
<li>Fresh build VMs</li>
<li>rails/redmine: investigate <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964432">issue</a>, initially no-action as it can't be reproduced on Stretch and isn't supported in Jessie; <a href="https://lists.debian.org/debian-lts/2020/08/msg00053.html">follow-up</a> when it's supported again</li>
<li>ghostscript: global triage: identify upstream fixed version, distinguish CVEs fixed within a single patch, bisect non-reproducible CVEs, reference missing commit (including at <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16299">MITRE</a>)</li>
<li>ghostscript: fix 25 CVEs, security upload <a href="https://deb.freexian.com/extended-lts/updates/ela-262-1-ghostscript/">ELA-262-1</a></li>
<li>ghostscript: cross-check against the later DSA-4748-1 (almost identical)</li>
<li>software-properties: jessie triage: mark back for update, at least for consistency with Debian Stretch and Ubuntu (all suites)</li>
<li>software-properties: security upload <a href="https://deb.freexian.com/extended-lts/updates/ela-266-1-software-properties/">ELA-266-1</a></li>
<li>qemu: global triage: update status and patch/regression/reproducer links for 6 pending CVEs</li>
<li>qemu: jessie triage: fix 4 'unknown' lines for qemu following changes in package attribution for XSA-297, work continue in September</li>
</ul>
<p><em>LTS - Stretch</em></p>
<ul>
<li>sane-backends: global triage: sort and link patches for 7 CVEs</li>
<li>sane-backends: fix dep-8 test and <a href="https://bugs.debian.org/968369">notify</a> the maintainer</li>
<li>sane-backends: security upload <a href="https://lists.debian.org/debian-lts-announce/2020/08/msg00029.html">DLA-2332-1</a></li>
<li>ghostscript: security upload <a href="https://lists.debian.org/debian-lts-announce/2020/08/msg00032.html">DLA 2335-1</a> (cf. common ELTS work)</li>
<li>ghostscript: rebuild ("give back") on armhf, blame armhf, <a href="https://lists.debian.org/debian-lts/2020/08/msg00040.html">get told</a> it was a concurrency / build system issue -_-'</li>
<li>software-properties: security upload <a href="https://lists.debian.org/debian-lts-announce/2020/08/msg00035.html">DLA 2339-1</a> (cf. common ELTS work)</li>
<li>wordpress: global triage: reference regression for CVE-2020-4050</li>
<li>wordpress: stretch triage: update past CVE status, work continues in September with probably an upstream upgrade 4.7.5 -> 4.7.18</li>
<li>nginx: cross-check my July update against the later DSA-4750-1 (same fix)</li>
<li>DebConf BoF + IRC follow-up</li>
</ul>
<p><em>Documentation/Scripts</em></p>
<ul>
<li>Clarify/link <a href="https://salsa.debian.org/lts-team/lts-extra-tasks">salsa:lts-team/lts-extra-tasks</a> against <a href="https://salsa.debian.org/freexian-team/project-funding">salsa:freexian-team/project-funding</a> (description)</li>
<li>Historical analysis of our CVE fixes: check feasibility</li>
<li><a href="https://salsa.debian.org/webmaster-team/webwml/-/blob/master/english/security/find-missing-advisories">webwml:find-missing-advisories</a>: handle missing trailing slash, print DSA/DLA date, print affected package rather than committer</li>
<li><a href="https://lists.debian.org/debian-lts/2020/08/msg00031.html">discussion</a> on public naming (shaming?)</li>
<li><a href="https://wiki.debian.org/LTS/TestSuites/sane-backends">LTS/TestSuites/sane-backends</a>: test with more complex DEP-8/autopkgtest setup</li>
</ul>
<p><a href="https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_July_2020/">Debian LTS and ELTS - July 2020</a> (2020-08-03T13:52:10Z)</p>
<p><a href="https://wiki.debian.org/LTS"><img src="https://blog.beuc.net/posts/Debian-LTS-2-256.png" width="256" height="256" alt="Debian LTS Logo" class="img" align="right" /></a></p>
<p>Here is my transparent report for my work on the <a href="https://wiki.debian.org/LTS">Debian Long Term Support (LTS)</a> and <a href="https://wiki.debian.org/LTS/Extended%20project">Debian Extended Long Term Support (ELTS)</a>, which extend the security support for past Debian releases, as a paid contributor.</p>
<p>In July, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 25.25h for LTS (out of 30 max; all done) and 13.25h for ELTS (out of 20 max; all done).</p>
<p>We shifted suites: welcome Stretch LTS and Jessie ELTS. The LTS->ELTS switch happened at the start of the month, but the oldstable->LTS switch happened later (after finalizing and flushing proposed-updates to a last point release), causing some confusion but nothing major.</p>
<p><em>ELTS - Jessie</em></p>
<ul>
<li>New local build setup</li>
<li>ELTS buildds: request timezone harmonization</li>
<li>Reclassify in-progress updates from jessie-LTS to jessie-ELTS</li>
<li>python3.4: finish preparing update, security upload <a href="https://deb.freexian.com/extended-lts/updates/ela-239-1-python3.4/">ELA 239-1</a></li>
<li>net-snmp: global triage: bisect CVE-2019-20892 to identify affected version, jessie/stretch not-affected</li>
<li>nginx: global triage: clarify CVE-2013-0337 status; locate CVE-2020-11724 original patch and regression tests, update <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11724">MITRE</a></li>
<li>nginx: security upload <a href="https://deb.freexian.com/extended-lts/updates/ela-247-1-nginx/">ELA-247-1</a> with 2 CVEs</li>
</ul>
<p><em>LTS - Stretch</em></p>
<ul>
<li>Reclassify in-progress/needed updates from stretch/oldstable to stretch-LTS</li>
<li>rails: upstream security: follow-up on CVE-2020-8163 (RCE) on <a href="https://github.com/rails/rails/issues/39301#issuecomment-653746696">upstream bug tracker</a> and create <a href="https://github.com/rails/rails/pull/39806">pull request</a> for 4.x (merged), hence getting some upstream review</li>
<li>rails: global security: continue <a href="https://lists.debian.org/debian-lts/2020/07/threads.html#00033">coordinating</a> upload in multiple Debian versions, prepare <a href="https://lists.debian.org/debian-lts/2020/07/msg00065.html">fixes</a> for common stretch/buster vulnerabilities in buster</li>
<li>rails: security upload <a href="https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html">DLA-2282</a> fixing 3 CVEs</li>
<li>python3.5: security upload <a href="https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html">DLA-2280-1</a> fixing 13 pending non-critical vulnerabilities, and its test suite</li>
<li>nginx: security upload <a href="https://lists.debian.org/debian-lts-announce/2020/07/msg00014.html">DLA-2283</a> (cf. common ELTS work)</li>
<li>net-snmp: global triage (cf. common ELTS work)</li>
<li>public IRC <a href="http://meetbot.debian.net/debian-lts/2020/debian-lts.2020-07-30-14.59.html">monthly team meeting</a></li>
<li>reach out to clarify the intro from last month's report, following unsettled feedback during meeting</li>
</ul>
<p><em>Documentation/Scripts</em></p>
<ul>
<li>ELTS/README.how-to-release-an-update: fix typo</li>
<li>ELTS buildd: attempt to diagnose slow perfs, provide comparison with Debian and local builds</li>
<li><a href="https://wiki.debian.org/LTS/Meetings">LTS/Meetings</a>: improve presentation</li>
<li><a href="https://wiki.debian.org/SourceOnlyUpload">SourceOnlyUpload</a>: clarify/de-dup pbuilder doc</li>
<li><a href="https://wiki.debian.org/LTS/Development">LTS/Development</a>: reference build logs URL, reference proposed-updates issue during dists switch, reference new-upstream-versioning discussion, multiple jessie->stretch fixes and clean-ups</li>
<li><a href="https://wiki.debian.org/LTS/Development/Asan">LTS/Development/Asan</a>: drop wheezy documentation</li>
<li>Warn about jruby <a href="https://lists.debian.org/debian-lts/2020/07/msg00084.html">mis-triage</a></li>
<li>Provide feedback for <a href="https://lists.debian.org/debian-lts/2020/07/msg00087.html">ksh/CVE-2019-14868</a></li>
<li>Provide feedback for <a href="https://lists.debian.org/debian-lts/2020/07/msg00086.html">condor update</a></li>
<li><a href="https://wiki.debian.org/LTS/TestSuites/nginx">LTS/TestSuites/nginx</a>: test with new request smuggling test cases</li>
</ul>
<p><a href="https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_June_2020/">Debian LTS and ELTS - June 2020</a> (2020-07-01T14:19:14Z)</p>
<p><a href="https://wiki.debian.org/LTS"><img src="https://blog.beuc.net/posts/Debian-LTS-2-256.png" width="256" height="256" alt="Debian LTS Logo" class="img" align="right" /></a></p>
<p>Here is my transparent report for my work on the <a href="https://wiki.debian.org/LTS">Debian Long Term Support (LTS)</a> and <a href="https://wiki.debian.org/LTS/Extended%20project">Debian Extended Long Term Support (ELTS)</a>, which extend the security support for past Debian releases, as a paid contributor.</p>
<p>In June, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 30h for LTS (out of 30 max; all done) and 5.25h for ELTS (out of 20 max; all done).</p>
<p>While LTS is part of the Debian project, fellow contributors sometimes surprise me: a suggestion to vote for sponsor-funded projects with Condorcet was only met with overhead concerns, and there were requests for executive / business owner decisions (we're currently heading towards a consultative vote); I heard concerns about discussing non-technical issues publicly (IRC team meetings are <a href="https://wiki.debian.org/LTS/Meetings">public</a> though); the private mail infrastructure was moved from self-hosting straight to Google; when some got an issue with Debian Social for our first video conference, there were immediate suggestions to move to Zoom...<br />
Well, we do need some people to make those LTS firmware updates in non-free <img src="https://blog.beuc.net/smileys/smile.png" alt=":)" /></p>
<p>Also this was the last month before shifting suites: goodbye to Jessie LTS and Wheezy ELTS, welcome Stretch LTS and Jessie ELTS.</p>
<p><em>ELTS - Wheezy</em></p>
<ul>
<li>mysql-connector-java: improve testsuite setup; prepare wheezy/jessie/stretch triple builds; <a href="https://lists.debian.org/debian-lts/2020/06/msg00008.html">coordinate</a> versioning scheme with security-team; security upload <a href="https://deb.freexian.com/extended-lts/updates/ela-234-1-mysql-connector-java/">ELA 234-1</a></li>
<li>ntp: wheezy+jessie triage: 1 ignored (too intrusive to backport); 1 postponed (hard to exploit, no patch)</li>
<li>Clean-up (ditch) wheezy VMs <img src="https://blog.beuc.net/smileys/smile.png" alt=":)" /></li>
</ul>
<p><em>LTS - Jessie</em></p>
<ul>
<li>mysql-connector-java: see common work in ELTS</li>
<li>mysql-connector-java: security uploads <a href="https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html">DLA 2245-1</a> (LTS) and <a href="https://www.debian.org/security/2020/dsa-4703">DSA 4703</a> (oldstable)</li>
<li>ntp: wheezy+jessie triage (see ELTS)</li>
<li>rails: global triage, backport 2 patches, security upload <a href="https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html">DLA 2251-1</a></li>
<li>rails: global security: <a href="https://lists.debian.org/debian-lts/2020/06/msg00055.html">prepare</a> stretch/oldstable update</li>
<li>rails: new important CVE on unmaintained 4.x, fixes introduce several regressions, propose <a href="https://github.com/rails/rails/issues/39301#issuecomment-648885623">new fix</a> to upstream, update stretch proposed update [and jessie, but rails will turn out unsupported in ELTS]</li>
<li>python3.4: prepare update to fix all pending non-critical issues, 5/6 ready</li>
<li>private video<code>^W^W</code>public IRC <a href="http://meetbot.debian.net/debian-lts/2020/debian-lts.2020-06-25-15.22.html">team meeting</a></li>
</ul>
<p><em>Documentation/Scripts</em></p>
<ul>
<li><a href="https://wiki.debian.org/LTS/TestSuites/mysql-connector-java">LTS/TestSuites/mysql-connector-java</a>: improve testsuite setup for better coverage</li>
<li><a href="https://wiki.debian.org/LTS/TestSuites/tiff">LTS/TestSuites/tiff</a>: document package maintainer's (extensive) tests</li>
<li><a href="https://wiki.debian.org/LTS/TestSuites/rails">LTS/TestSuites/rails</a>: first version</li>
<li><a href="https://wiki.debian.org/LTS/TestSuites/python">LTS/TestSuites/python</a>: how to run individual test</li>
<li><a href="https://wiki.debian.org/LTS/Development#CVE_triaging_in_the_LTS_release">LTS/Development</a>: clarifications on grouping fixes and validating patches</li>
<li>internal discussion on (not) capping LTS-funded hours</li>
<li>discussion on <a href="https://lists.debian.org/debian-lts/2020/06/msg00027.html">unbound</a> and <a href="https://lists.debian.org/debian-lts/2020/06/msg00004.html">freerdp</a> EOL</li>
<li>tzdata, libdatetime-timezone-perl: check and <a href="https://lists.debian.org/debian-lts/2020/06/msg00066.html">explain</a> delayed update workflow</li>
<li>ELTS: update <a href="https://deb.freexian.com/extended-lts/tracker/status/release/elts">new tracker URL</a> in documentation</li>
</ul>
<p><a href="https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_May_2020/">Debian LTS and ELTS - May 2020</a> (2020-06-02T11:29:02Z)</p>
<p><a href="https://wiki.debian.org/LTS"><img src="https://blog.beuc.net/posts/Debian-LTS-2-256.png" width="256" height="256" alt="Debian LTS Logo" class="img" align="right" /></a></p>
<p>Here is my transparent report for my work on the <a href="https://wiki.debian.org/LTS">Debian Long Term Support (LTS)</a> and <a href="https://wiki.debian.org/LTS/Extended%20project">Debian Extended Long Term Support (ELTS)</a>, which extend the security support for past Debian releases, as a paid contributor.</p>
<p>In May, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 17.25h for LTS (out of 30 max; all done) and 9.25h for ELTS (out of 20 max; all done).</p>
<p>A survey will be published very shortly to gather feedback from all parties involved in LTS (users, other Debian teams...) -- let us know what you think, so we start the forthcoming new (Stretch) LTS cycle in the best conditions <img src="https://blog.beuc.net/smileys/smile.png" alt=":)" /></p>
<p>Discussion is progressing on funding & governance of larger LTS-related projects. Who should decide: contributors, Freexian, sponsors? Do we fund with a percentage or by capping resources allocated on security updates? I voiced concerns over funding these at the expense of smaller, more organic, more recurrent tasks that are less easy to specify but greatly contribute to the overall quality nevertheless.</p>
<p><em>ELTS - Wheezy</em></p>
<ul>
<li>mysql-connector-java: upgrade to 5.1.49, refresh patches, document/run test suite, prepare upload, prepare upgrade path (+ see LTS)</li>
<li>CVE-2020-3810/apt: triage (affected), <a href="https://lists.debian.org/debian-lts/2020/05/msg00056.html">enquire</a> about failing test, run testsuite, security upload <a href="https://deb.freexian.com/extended-lts/updates/ela-228-1-apt/">ELA 228-1</a></li>
</ul>
<p><em>LTS - Jessie</em></p>
<ul>
<li>ansible: global triage: finish last month's triage, fix affected versions, provide reproducer</li>
<li>ansible: backport patches to early version, security upload <a href="https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html">DLA 2202-1</a></li>
<li>mysql-connector-java: <a href="https://lists.debian.org/debian-lts/2020/05/msg00010.html">propose 5.1.49 update</a> to all dists (+ see ELTS)</li>
<li>CVE-2019-20637/varnish: global triage: <a href="https://varnish-cache.org/lists/pipermail/varnish-misc/2020-May/026859.html">ping</a> upstream, get PoC, determine <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956305">status</a> for all Debian dists, jessie not-affected</li>
<li>public IRC <a href="https://wiki.debian.org/LTS/Meetings">team meeting</a></li>
</ul>
<p><em>Documentation/Scripts</em></p>
<ul>
<li><a href="https://wiki.debian.org/LTS/TestSuites/mysql-connector-java">LTS/TestSuites/mysql-connector-java</a>: first version</li>
<li><a href="https://wiki.debian.org/LTS/Development#Claim_a_DLA_ID_in_DLA.2Flist">LTS/Development</a>: what to tidy/not-tidy in data/CVE/list after an upload</li>
<li><a href="https://wiki.debian.org/LTS/Development#Triage_new_security_issues">LTS/Development</a>: clarify CVE triaging following internal discussion</li>
<li><a href="https://lists.debian.org/debian-lts/2020/05/msg00053.html">Answer</a> request wrt. openstack/keystone support</li>
<li>dsa-needed.txt: fix stale entry, check on affected LTS developer's well being <img src="https://blog.beuc.net/smileys/smile4.png" alt=";)" /></li>
</ul>
<p><a href="https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_April_2020/">Debian LTS and ELTS - April 2020</a> (2020-05-02T11:25:57Z)</p>
<p><a href="https://wiki.debian.org/LTS"><img src="https://blog.beuc.net/posts/Debian-LTS-2-256.png" width="256" height="256" alt="Debian LTS Logo" class="img" align="right" /></a></p>
<p>Here is my transparent report for my work on the <a href="https://wiki.debian.org/LTS">Debian Long Term Support (LTS)</a> and <a href="https://wiki.debian.org/LTS/Extended%20project">Debian Extended Long Term Support (ELTS)</a>, which extend the security support for past Debian releases, as a paid contributor.</p>
<p>In April, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 28.75h for LTS (out of 30 max; all done) and 7.75h for ELTS (out of 20 max; I did 2.75).</p>
<p>Escalation procedures were (internally) documented with a focus on discussing issues with team coordinator(s) first.</p>
<p>Debian LTS had its first <a href="http://meetbot.debian.net/debian-lts/2020/debian-lts.2020-04-29-13.59.html">team meeting</a> through IRC and lots of workflow questions were discussed. This should help discuss questions that are a bit hard to bring up, and ensure everybody participates. There were lots of topics and it was a bit rushed, but this is something we want to repeat monthly now, possibly with audio/video in a couple months.</p>
<p>Remarks from last month's report were discussed, strengthening the Front-Desk role.</p>
<p>10% of the global funding is now reserved for infrastructure work. What kind of work, and who (LTS or external) will do the work, will be discussed further.</p>
<p>A fellow DD suggested (in a private conversation) that LTS may be taking time from the Debian Security team, due to additional commits to review. Conversely, this is another opportunity to mention all the global, non-LTS-specific work that LTS provides, which I usually highlight in my reports, and maybe I should be even more <img src="https://blog.beuc.net/smileys/smile4.png" alt=";)" /></p>
<p><em>ELTS - Wheezy</em></p>
<ul>
<li>CVE-2020-11612/netty: triage: ignored (deceptively hard to backport, OOM mitigation only)</li>
<li>mysql-connector-java: triage: in-progress (subscription-only update from Oracle, attempt to find more detail, waiting for public version)</li>
<li>CVE-2020-11868/ntp: global triage: identify and reference missing patch, coordinate with uploader</li>
</ul>
<p><em>LTS - Jessie</em></p>
<ul>
<li>netty, mysql-connector-java, ntp: common triage (see above)</li>
<li>CVE-2019-20637/varnish: global triage: attempt to reproduce, <a href="https://varnish-cache.org/lists/pipermail/varnish-misc/2020-April/026854.html">attempt</a> to get PoC/vulnerable versions from upstream, update <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956305">BTS</a></li>
<li>ansible: jessie triage: reset ignore->no-dsa old vulnerabilities after discussing with initial triager</li>
<li>ansible: global triage: identify more affected version ranges, locate more patches</li>
<li>ansible: prepare jessie upload (work-in-progress)</li>
<li>tiff: suites harmonization: offer to work on a tiff/stretch update, follow-up on maintainer's questions, who eventually did the <a href="https://www.debian.org/security/2020/dsa-4670">update</a></li>
<li>dsa-needed.txt: identify stale entries from inactive LTS contributor, check for status</li>
<li>team meeting: see <a href="http://meetbot.debian.net/debian-lts/2020/debian-lts.2020-04-29-13.59.html">minutes</a></li>
</ul>
<p><em>Documentation/Scripts</em></p>
<ul>
<li><a href="https://wiki.debian.org/LTS/Development">LTS/Development</a>: reference relevant sections of the <a href="https://www.debian.org/doc/manuals/developers-reference/pkgs.html#preparing-packages-to-address-security-issues">Developer Reference</a></li>
<li><a href="https://wiki.debian.org/LTS/Development">LTS/Development</a>: element on whether BTS numbers can be referenced in a LTS changelog</li>
</ul>
<p><a href="https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_March_2020/">Debian LTS and ELTS - March 2020</a> (2020-04-01T14:26:39Z)</p>
<p><a href="https://wiki.debian.org/LTS"><img src="https://blog.beuc.net/posts/Debian-LTS-2-256.png" width="256" height="256" alt="Debian LTS Logo" class="img" align="right" /></a></p>
<p>Here is my transparent report for my work on the <a href="https://wiki.debian.org/LTS">Debian Long Term Support (LTS)</a> and <a href="https://wiki.debian.org/LTS/Extended%20project">Debian Extended Long Term Support (ELTS)</a>, which extend the security support for past Debian releases, as a paid contributor.</p>
<p>In March, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 30h for LTS (out of 30 max; all done) and 20h for ELTS (out of 20 max; I did 0).</p>
<p>Most contributors claimed vulnerabilities by performing early CVE monitoring/triaging on their own, making me question the relevance of the <a href="https://wiki.debian.org/LTS/Development#Frontdesk_duties">Front-Desk</a> role. It could be due to a transient combination of higher hours volume and lower open vulnerabilities.</p>
<p>Working as a collective of hourly paid freelancers makes it more likely to work in silos, resulting in little interaction when raising workflow topics on the mailing list. Maybe we're reaching a point where regular team meetings will be beneficial.</p>
<p>As previously mentioned, I structure my work keeping the global Debian security in mind. It can be stressful though, and I believe current communication practices may deter such initiatives.</p>
<p><em>ELTS - Wheezy</em></p>
<ul>
<li>No work. ELTS has few sponsors right now and few vulnerabilities to fix, hence why I could not work on it this month. I gave back my hours at the end of the month.</li>
</ul>
<p><em>LTS - Jessie</em></p>
<ul>
<li>lua-cgi: global triage: CVE-2014-10399,CVE-2014-10400/lua-cgi not-affected, CVE-2014-2875/lua-cgi referenced in <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953037">BTS</a></li>
<li>libpcap: global triage: request CVE-2018-16301 rejection as upstream failed to; got MITRE to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16301">reject</a> (not "dispute") a CVE for the first time!</li>
<li>nfs-utils: suites harmonization: CVE-2019-3689: <a href="https://bugzilla.linux-nfs.org/show_bug.cgi?id=338">ping</a> upstream again, <a href="https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=fee2cc29e888f2ced6a76990923aef19d326dc0e">locate</a> upstream'd commit, reference it at <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940848">BTS</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3689">MITRE</a>; close <a href="https://salsa.debian.org/debian/nfs-utils/-/merge_requests/3">MR</a> which had been ignored and now redone following said referencing</li>
<li>slurm-llnl: re-add; create CVE-2019-12838 reproducer, test abhijith's pending upload; reference patches; witness regression in CVE-2019-19728, get denied access to upstream bug, triage as ignored (minor issue + regression); security upload <a href="https://lists.debian.org/debian-lts-announce/2020/03/msg00016.html">DLA 2143-1</a></li>
<li>xerces-c: global triage progress: investigate ABI-(in)compatibility of hle's patch direction; initiate discussion at <a href="https://issues.apache.org/jira/browse/XERCESC-2188">upstream</a> and <a href="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1311">RedHat</a>; mark <a href="https://lists.debian.org/debian-lts/2020/03/msg00039.html">postponed</a></li>
<li>nethack: jessie triage fix: mark end-of-life</li>
<li>tor: global triage fix: CVE-2020-10592,CVE-2020-10593: fix upstream BTS links, fix DSA reference</li>
<li>php7.3: embedded copies: removed from unstable (replaced with php7.4); checked whether libonig is still bundled (no, now properly unbundled at upstream level); jessie still not-affected</li>
<li>okular: CVE-2020-9359: reference PoC, security upload <a href="https://lists.debian.org/debian-lts-announce/2020/03/msg00033.html">DLA 2159-1</a></li>
</ul>
<p><em>Documentation/Scripts</em></p>
<ul>
<li>data/dla-needed.txt: tidy/refresh pending packages status</li>
<li><a href="https://wiki.debian.org/LTS/Development">LTS/Development</a>: DLA regression numbering when a past DLA affects a different package</li>
<li><a href="https://wiki.debian.org/LTS/FAQ#Where_are_past_LTS_releases_archived.3F">LTS/FAQ</a>: document past LTS releases archive location following a <a href="https://lists.debian.org/debian-lts/2020/03/msg00033.html">user request</a>; trickier than expected, 3 contributors required to find the answer <img src="https://blog.beuc.net/smileys/smile4.png" alt=";)" /></li>
<li><a href="https://lists.debian.org/debian-lts/2020/03/msg00043.html">Question</a> aggressive package claims; little feedback</li>
<li><a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/embedded-code-copies">embedded-copies</a>: libvncserver: reference various state of embedded copies in italc/ssvnc/tightvnc/veyon/vncsnapshot; builds on initial <a href="https://lists.debian.org/debian-lts/2019/10/msg00094.html">research</a> from sunweaver</li>
<li><a href="https://lists.debian.org/debian-lts/2020/03/msg00072.html">Attempt</a> to progress on libvncserver embedded copies triaging; technical topic not answered, organizational topic ignored</li>
<li>phppgadmin: provide <a href="https://lists.debian.org/debian-lts/2020/03/msg00060.html">feedback</a> on CVE-2019-10784</li>
<li>Answer general workflow question about <a href="https://lists.debian.org/debian-lts/2020/03/msg00088.html">vulnerability severity</a></li>
<li>Answer GPAC CVE information request from a PhD student at CEA, following my large <a href="https://lists.debian.org/debian-lts-announce/2020/01/msg00017.html">security update</a></li>
</ul>
<p><em>Debian LTS and ELTS - February 2020</em> (<a href="https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_February_2020/">permalink</a>; published 2020-03-02T10:30:55Z, updated 2020-03-02T19:27:40Z)</p>
<p><a href="https://wiki.debian.org/LTS"><img src="https://blog.beuc.net/posts/Debian-LTS-2-256.png" width="256" height="256" alt="Debian LTS Logo" class="img" align="right" /></a></p>
<p>Here is my transparent report for my work on the <a href="https://wiki.debian.org/LTS">Debian Long Term Support (LTS)</a> and <a href="https://wiki.debian.org/LTS/Extended%20project">Debian Extended Long Term Support (ELTS)</a>, which extend the security support for past Debian releases, as a paid contributor.</p>
<p>In February, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 20h for LTS (out of 30 max; all done) and 8h for ELTS (out of 20 max; I did 7).</p>
<p>Security work is never completely isolated: for example, my work on nodejs impacted jessie/stretch/buster, and my work on netty affected wheezy/jessie/stretch <img src="https://blog.beuc.net/smileys/smile.png" alt=":)" /></p>
<p><em>ELTS - Wheezy</em></p>
<ul>
<li>netty: refine prior triages, write minimal test server, adapt 3 fixes, security upload: <a href="https://deb.freexian.com/extended-lts/updates/ela-214-1-netty/">ELA-214</a></li>
<li>Suggest redispatching the hours from the past month that were not given back in time, as team members only got 3.5h each; follow up on the issue</li>
<li>Contribute to exchanges about supporting libgd2 (unsupported dependency of a supported package, an inconsistency we'll try to detect earlier)</li>
</ul>
<p><em>LTS - Jessie</em></p>
<ul>
<li>netty: refine prior triages, security upload <a href="https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html">DLA 2109-1</a></li>
<li>netty-3.9: identify duplicate package, fix prior vulnerabilities, security upload <a href="https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html">DLA 2110-1</a></li>
<li>nodejs: jessie/stretch/buster triage (3 CVEs), <a href="https://github.com/nodejs/security-wg/issues/631">request access</a> to not-yet-public hackerone reports</li>
<li>nodejs: <a href="https://lists.debian.org/debian-lts/2020/02/msg00044.html">clarify</a> support status, reclassify open vulnerabilities in the nodejs ecosystem as EOL (end-of-life) for jessie &amp; stretch</li>
<li>http-parser: mark as affected by nodejs' CVE-2019-15605; jessie triage: ignored (invasive change with ABI breakage)</li>
<li>wordpress: refine my past triage (2 CVEs): postponed (serialization vulnerabilities related to PHP itself are currently not addressed at the application/wordpress level)</li>
<li>otrs2: security upload <a href="https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html">DLA 2118-1</a> (interestingly, recent otrs2 is in non-free not because of licensing, but because it embeds specific versions of javascript dependencies)</li>
<li>CVE-2019-10784/phppgadmin: <a href="https://lists.debian.org/debian-lts/2020/02/msg00064.html">answer</a> request for comment</li>
<li>xen: <a href="https://lists.debian.org/debian-lts/2020/02/msg00081.html">point out</a> external support</li>
</ul>
<p><em>Documentation/Scripts</em></p>
<ul>
<li><a href="https://wiki.debian.org/LTS/TestSuites/netty">TestSuites/netty</a>: instructions on how to find, compile and adapt the server examples</li>
<li><a href="https://www.debian.org/lts/security/2019/dla-1993">DLA-1993-1</a>: update Debian website (was only published via mailing-list)</li>
<li><a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/embedded-code-copies">embedded-code-copies</a>: reference http-parser embedded in nodejs</li>
<li>README.external-support: clean-up external support contact points</li>
</ul>
<p><em>Debian LTS and ELTS - January 2020</em> (<a href="https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_January_2020/">permalink</a>; published 2020-02-04T13:32:57Z, updated 2020-02-04T23:50:46Z)</p>
<p><a href="https://wiki.debian.org/LTS"><img src="https://blog.beuc.net/posts/Debian-LTS-2-256.png" width="256" height="256" alt="Debian LTS Logo" class="img" align="right" /></a></p>
<p>Here is my transparent report for my work on the <a href="https://wiki.debian.org/LTS">Debian Long Term Support (LTS)</a> and <a href="https://wiki.debian.org/LTS/Extended%20project">Debian Extended Long Term Support (ELTS)</a>, which extend the security support for past Debian releases, as a paid contributor.</p>
<p>In January, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 23.75h for LTS (out of 30 max) and 20h for ELTS (max), of which I did 1.5h.</p>
<p>I couldn't work much on ELTS because there are very few sponsors left for oldoldoldstable (sic!), hence not many packages to support, hence not much possible work.</p>
<p>In a direct communication, one team member expressed that team workflow is to be discussed on a private mailing list because according to them these problems don't need to be discussed in public and only results count. I have an opposite approach -- anything that isn't strictly confidential / security-sensitive is to be discussed publicly. The Debian Social Contract says "We don't hide problems" so if we want to address problems in a Debian workflow, this is to be public. What do you think?</p>
<p><em>ELTS - Wheezy</em></p>
<ul>
<li>request supported packages list update</li>
<li>sqlite3: re-triage: drop as it just reached end-of-life</li>
<li>nss: re-triage: suggest clarification since the package just reached end-of-life, yet was claimed; it is actually a static build dependency of openjdk</li>
<li>python-apt: re-triage: claimed, checked actual EOL status with triager, unclaimed</li>
<li>python2.7: re-triage: was marked end-of-life, checked !EOL status with triager, marked for update</li>
</ul>
<p><em>LTS - Jessie</em></p>
<ul>
<li>wordpress: jessie triage (7 CVEs), <a href="https://lists.debian.org/debian-lts-announce/2020/01/msg00010.html">security upload</a></li>
<li>tomcat7: start working, then cancel: although it had been unclaimed for 9 days, 2 LTS members were already working on it</li>
<li>gpac: jessie triage (17 CVEs), reported <a href="https://github.com/gpac/gpac/issues/1393">new crash</a>, reported <a href="https://github.com/gpac/gpac/issues/1378#issuecomment-575664478">invalid fix</a>, <a href="https://lists.debian.org/debian-lts-announce/2020/01/msg00017.html">security upload</a></li>
</ul>
<p><em>Documentation/Scripts</em></p>
<ul>
<li>Answer about Tomcat 8 <a href="https://lists.debian.org/debian-lts/2020/01/msg00005.html">certificates renewal</a></li>
</ul>
<p><em>Debian LTS and ELTS - December 2019</em> (<a href="https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_December_2019/">permalink</a>; published 2020-01-02T10:18:46Z, updated 2020-01-04T23:50:31Z)</p>
<p><a href="https://wiki.debian.org/LTS"><img src="https://blog.beuc.net/posts/Debian-LTS-2-256.png" width="256" height="256" alt="Debian LTS Logo" class="img" align="right" /></a></p>
<p>Here is my transparent report for my work on the <a href="https://wiki.debian.org/LTS">Debian Long Term Support (LTS)</a> and <a href="https://wiki.debian.org/LTS/Extended%20project">Debian Extended Long Term Support (ELTS)</a>, which extend the security support for past Debian releases, as a paid contributor.</p>
<p>In December, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 16.5h for LTS (out of 30 max) and 16.5h for ELTS (max).</p>
<p>This is less than usual, AFAICS because more team members requested more hours (while I'm above average), and fewer unused hours were given back (or were given back too late).</p>
<p><em>ELTS - Wheezy</em></p>
<ul>
<li>libonig: finish work started in November:
<ul>
<li>CVE-2019-19203/libonig: can't reproduce; backport is non-trivial and likely to introduce bugs</li>
<li>CVE-2019-19012,CVE-2019-19204,CVE-2019-19246/libonig: <a href="https://deb.freexian.com/extended-lts/updates/ela-198-1-libonig/">security upload</a></li>
</ul>
</li>
<li>libpcap: attempt to <a href="https://github.com/the-tcpdump-group/libpcap/issues/855">recap</a> the vulnerability mismatch (possibly affecting ELA-173-1/DLA-1967-1); no follow-up from upstream</li>
<li>CVE-2019-19317,CVE-2019-19603,CVE-2019-19645/sqlite3: triage: not-affected (development version only)</li>
<li>CVE-2019-1551/openssl: triage: not-affected; <a href="https://lists.debian.org/debian-lts/2019/12/msg00028.html">discuss</a> LTS triage rationale</li>
<li>CVE-2019-14861,CVE-2019-14870/samba: triage: not-affected</li>
<li>CVE-2019-19725/sysstat: triage: not-affected (vulnerable code introduced in v11.7.1)</li>
<li>CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255/ruby1.9.1: <a href="https://deb.freexian.com/extended-lts/updates/ela-201-1-ruby1.9.1/">security upload</a></li>
</ul>
<p><em>LTS - Jessie</em></p>
<ul>
<li>CVE-2019-19012,CVE-2019-19204,CVE-2019-19246/libonig: shared work with ELTS, <a href="https://lists.debian.org/debian-lts-announce/2019/12/msg00002.html">security upload</a></li>
<li>libpcap: shared work with ELTS</li>
<li>libav: finish work started in November:
<ul>
<li>CVE-2018-18829/libav: triage: postponed (libav-specific issue, no patch)</li>
<li>CVE-2018-11224/libav: triage: postponed (libav-specific issue, no patch)</li>
<li>CVE-2017-18247/libav: triage: ignored (not reproducible, no targeted patch)</li>
<li>CVE-2017-18246/libav: triage: ignored (not reproducible)</li>
<li>CVE-2017-18245/libav: reproduce, track down fix in ffmpeg</li>
<li>CVE-2017-18244/libav: triage: ignored (not reproducible)</li>
<li>CVE-2017-18243/libav: triage: ignored (not reproducible)</li>
<li>CVE-2017-18242/libav: triage: ignored (not reproducible)</li>
<li>CVE-2017-17127/libav: reproduce, track down fix in ffmpeg</li>
<li>CVE-2016-9824/libav: triage: ignored: ubsan (undefined behaviour sanitizer) warning only, no patch</li>
<li>CVE-2016-9823/libav: triage: ignored: ubsan (undefined behaviour sanitizer) warning only, no patch</li>
<li>CVE-2016-5115/libav: triage: postponed due to a different (indirect, via mplayer) vulnerability and lack of time</li>
<li>CVE-2017-17127,CVE-2017-18245,CVE-2018-19128,CVE-2018-19130,CVE-2019-14443,CVE-2019-17542/libav: <a href="https://lists.debian.org/debian-lts-announce/2019/12/msg00003.html">security upload</a></li>
</ul>
</li>
</ul>
<p><em>Documentation/Scripts</em></p>
<ul>
<li><a href="https://wiki.debian.org/LTS/TestSuites/sqlite">TestSuites/sqlite</a>: sqlite3 bundled tests primer</li>
<li><a href="https://wiki.debian.org/LTS/TestSuites/libav">TestSuites/libav</a>: minor fixes</li>
<li>Minor fixes to ELTS/README.how-to-release-an-update</li>
</ul>