2021/05, FLOSS activity

LTS

This is my third month of working for LTS.

Released DLAs

  1. DLA-2646-1 subversion_1.9.5-1+deb9u6

    • CVE-2020-17525:

      Remote unauthenticated denial-of-service in Subversion mod_authz_svn

  2. DLA-2649-1 cgal_4.9-1+deb9u1

    • CVE-2020-28601:

      An oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_vertex() Face_of[] OOB read. An attacker can provide malicious input to trigger this vulnerability.

    • CVE-2020-28636:

      An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->twin(). An attacker can provide malicious input to trigger this vulnerability.

    • CVE-2020-35628:

      An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->incident_sface. An attacker can provide malicious input to trigger this vulnerability.

    • CVE-2020-35636:

      An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->volume(). An attacker can provide malicious input to trigger this vulnerability.

  3. DLA-2660-1 libgetdata_0.9.4-1+deb9u1

    • CVE-2021-20204:

      A heap memory corruption problem (use after free) can be triggered when processing maliciously crafted dirfile databases. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library.

bind9 LTS-repo on salsa for testing

Created a repo for bind9 to test the package in the salsa-pipeline. Package testing had been requested on the mailing list. After that I added autopkgtests, which were copied from the main salsa-repo and updated for the stretch release.

libwebp and imagemagick

Two packages with a high number of CVEs were in my focus this month. The work is not yet finished and DLAs will be released soon.

Debian Science Team

I have prepared and uploaded the following packages, which are maintained under the umbrella of the Debian Science Team:

  • gfsview_20121130+dfsg-7, fixed RC-Bug #987935 and created a CI pipeline for the package (team upload); also requested the package unblock, #988112.

  • Reviewed and sponsored linbox_1.6.3-3 (RC-Bug #987921)

  • Prepared and uploaded libgetdata_0.10.0-5+deb10u1, fixing CVE-2021-20204 in buster (through proposed-updates)

  • Reviewed and sponsored freefem++_3.61.1+dfsg1-6 (RC-Bug #957233)

  • Prepared and uploaded sundials_4.1.0+dfsg-4 (RC-Bug #988551)