Hello,

Here's my report for January.

## sbuild regression

My first stop this month was to notice a problem with sbuild from buster running on jessie chroots ([bug #920227]). After discussions on IRC, where fellow Debian Developers basically fabricated me a patch on the fly, I sent [merge request #5] which was promptly accepted and should be part of the next upload.

[merge request #5]: https://salsa.debian.org/debian/sbuild/merge_requests/5
[bug #920227]: https://bugs.debian.org/920227

## systemd

I again worked a bit on systemd. I marked [CVE-2018-16866] as not affecting jessie, because the vulnerable code was introduced in later versions. I backported fixes for [CVE-2018-16864] and [CVE-2018-16865] and published the resulting package as [DLA-1639-1], after doing some smoke-testing.

I still haven't gotten the courage to dig back in the large backport of `tmpfiles.c` required to fix [CVE-2018-6954].

[CVE-2018-16864]: https://security-tracker.debian.org/tracker/CVE-2018-16864
[CVE-2018-16865]: https://security-tracker.debian.org/tracker/CVE-2018-16865
[CVE-2018-16866]: https://security-tracker.debian.org/tracker/CVE-2018-16866
[DLA-1639-1]: https://lists.debian.org/20190123042620.ga4...@curie.anarc.at
[CVE-2018-6954]: https://security-tracker.debian.org/tracker/CVE-2018-6954

## tiff review

I did a quick review of the fix for [CVE-2018-19210] [proposed upstream] which seems to have brought upstream's attention back to the issue and finally merge the fix.

[CVE-2018-19210]: https://security-tracker.debian.org/tracker/CVE-2018-19210
[proposed upstream]: https://gitlab.com/libtiff/libtiff/merge_requests/47

## Enigmail EOL

After [reflecting on the issue] one last time, I decided to mark Enigmail as EOL in jessie, which involved an upload of debian-security-support to jessie ([DLA-1657-1]), unstable and a [stable-pu].

[stable-pu]: https://bugs.debian.org/921117
[DLA-1657-1]: https://lists.debian.org/87sgx72z6a....@curie.anarc.at
[reflecting on the issue]: https://lists.debian.org/87tvi0cw99....@curie.anarc.at

## DLA / website work

I worked again on fixing the LTS workflow with the DLAs on the main website. Reminder: hundreds of DLAs are missing from the website ([bug #859122]) and we need to figure out a way to automate the import of newer ones ([bug #859123]).

The details of my work are in [this post] but basically, I readded a bunch more DLAs to the MR and got some good feedback from the www team (in [MR #47]). There's still some work to be done on the DLA parser, although I have merged my own improvements ([MR #46]) as I felt they had been sitting for review long enough.

Next step is to deal with noise like PGP signatures correctly and thoroughly review the proposed changes.

While I was in the webmaster's backyard, I tried to help with a few things by merging a [LTS errata] and a [paypal integration note] although the latter ended up being a mistake that was reverted. I also rejected some issues ([MR #13], [MR #15]) during a quick triage.

[bug #859122]: https://bugs.debian.org/859122
[bug #859123]: https://bugs.debian.org/859123
[this post]: https://lists.debian.org/87o97v2vt1....@curie.anarc.at
[MR #47]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/47
[MR #46]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/46
[LTS errata]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/40
[paypal integration note]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/39
[MR #15]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/15
[MR #13]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/13

## phpMyAdmin review

After reading this [email from Lucas Kanashiro], I [reviewed] [CVE-2018-19968] and reviewed and tested [CVE-2018-19970].

[reviewed]: https://lists.debian.org/87imy32tlu....@curie.anarc.at
[email from Lucas Kanashiro]: https://lists.debian.org/c2fbedd3-436c-0497-c987-69fa5b213...@riseup.net
[CVE-2018-19970]: https://security-tracker.debian.org/tracker/CVE-2018-19970
[CVE-2018-19968]: https://security-tracker.debian.org/tracker/CVE-2018-19968

--
Non qui parum habet, sed qui plus cupit, pauper est.
It is not the man who has too little, but the man who craves more, that is poor.
- Lucius Annaeus Seneca (65 AD)