2021/10, FLOSS activity

LTS

This is my eighth month of working for LTS.

Released DLAs

  1. DLA-2775-1 plib_1.8.5-7+deb9u1

    • CVE-2021-38714: an integer overflow vulnerability that could result in arbitrary code execution. The vulnerability is in the ssgLoadTGA() function in the src/ssg/ssgLoadTGA.cxx file.
  2. DLA-2786-1 nghttp2_1.18.1-1+deb9u2

    • CVE-2020-11080: an overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof-of-concept attack involves a malicious client repeatedly sending a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries). The attack drives the CPU to 100%.
    • CVE-2018-1000168: an Improper Input Validation (CWE-20) vulnerability in ALTSVC frame handling that can result in a segmentation fault, leading to denial of service. This attack appears to be exploitable by a network client.
  3. DLA-2793-1 mosquitto_1.4.10-3+deb9u5

    • CVE-2017-7655: a Null Dereference vulnerability was found which could lead to crashes for those applications using the library.
  • Marked CVE-2021-40529 as ignored for stretch, because the affected function has been changed drastically, so a backport would be too intrusive.
  • I started to work on botan1.10, ffmpeg and ntfs-3g, but no DLAs have been released yet.
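To make the CVE-2020-11080 numbers concrete, here is an added example (not code from this post, nghttp2 or the DLA) that encodes an HTTP/2 SETTINGS frame the way the proof of concept does, 2400 six-byte entries for a 14,400-byte payload, and a small frame parser that rejects such a frame before looping over its entries. The per-frame cap of 32 entries and the function names are assumptions for this example; upstream's fix takes the same shape (a limit on settings entries per frame) but this is not its code.

```python
import struct

SETTINGS_FRAME_TYPE = 0x4
SETTING_SIZE = 6              # 16-bit identifier + 32-bit value per entry (RFC 7540 section 6.5.1)
MAX_SETTINGS_PER_FRAME = 32   # assumed defensive cap for this example, not a value from the page


def build_settings_frame(entries):
    """Encode a SETTINGS frame: 9-byte frame header followed by 6 bytes per entry.

    entries: list of (identifier, value) pairs. Stream id is 0, as required for SETTINGS.
    """
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in entries)
    length = len(payload)
    # Frame header: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id.
    header = struct.pack("!I", length)[1:] + bytes([SETTINGS_FRAME_TYPE, 0x00]) + struct.pack("!I", 0)
    return header + payload


def parse_settings_frame(frame, max_settings=MAX_SETTINGS_PER_FRAME):
    """Parse one SETTINGS frame, enforcing the checks a hardened receiver applies.

    Returns the list of (identifier, value) pairs, or raises ValueError with the
    HTTP/2 error class a real peer would use. The entry-count check is the one
    that defeats the CVE-2020-11080 flood: the frame is rejected before the
    receiver spends CPU walking 2400 entries.
    """
    if len(frame) < 9:
        raise ValueError("FRAME_SIZE_ERROR: truncated frame header")
    length = int.from_bytes(frame[:3], "big")
    ftype = frame[3]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
    if ftype != SETTINGS_FRAME_TYPE:
        raise ValueError("not a SETTINGS frame")
    if stream_id != 0:
        raise ValueError("PROTOCOL_ERROR: SETTINGS must be on stream 0")
    if length % SETTING_SIZE != 0:
        raise ValueError("FRAME_SIZE_ERROR: payload is not a multiple of 6")
    if len(frame) != 9 + length:
        raise ValueError("FRAME_SIZE_ERROR: declared length does not match data")
    n = length // SETTING_SIZE
    if n > max_settings:
        raise ValueError("ENHANCE_YOUR_CALM: %d settings entries exceeds cap of %d" % (n, max_settings))
    return [struct.unpack("!HI", frame[9 + SETTING_SIZE * i:9 + SETTING_SIZE * (i + 1)]) for i in range(n)]


def flood_frame(n_entries=2400):
    """Constructed input shaped like the CVE-2020-11080 PoC: n_entries repeated settings.

    Identifier 0x3 is SETTINGS_MAX_CONCURRENT_STREAMS; the value is arbitrary.
    """
    return build_settings_frame([(0x3, 100)] * n_entries)


if __name__ == "__main__":
    frame = flood_frame()
    print("payload length:", int.from_bytes(frame[:3], "big"), "bytes")
    try:
        parse_settings_frame(frame)
    except ValueError as e:
        print("rejected:", e)
    print("benign frame:", parse_settings_frame(build_settings_frame([(0x3, 100), (0x4, 65535)])))
```

The parser rejects the flood frame purely from the 24-bit length field, so the cost of handling a hostile peer stays constant per frame instead of scaling with the attacker's payload; that is the property the DLA's nghttp2 update restores.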

LTS-Meeting

  • I attended the Debian LTS team Jitsi-meeting.

Other FLOSS activities

  • I am continuing the soft transition of all packages depending on older vtk libraries to vtk9. This month the following packages were uploaded:

    • esys-particle_2.3.5+dfsg2-2
    • odin_2.0.4-4
  • Advocated Douglas Andrew Torrance as a new DD.

  • Took over the plib package as maintainer and uploaded plib_1.8.5-10, fixing #992973 and CVE-2021-38714

  • Prepared updates for bullseye #996694 and buster #996695 to fix CVE-2021-38714

  • Uploaded plib_1.8.5-11 to fix autopkgtest failures on arm64 and ppc64el

  • Uploaded benchmark_1.6.0-1, fixing #985726 and #983988

  • Uploaded benchmark_1.6.0-2, fixing #996956

  • Uploaded liggghts_3.8.0+repack1-9, fixing #984217

  • Reviewed and uploaded into NEW ignition-utils_1.1.0+ds-1

  • Filed #996976 to remove vtk6 from the archive

  • Uploaded esys-particle_2.3.5+dfsg2-3, fixing #984051

  • Uploaded sundials_5.8.0+dfsg-1~exp1

  • Uploaded boost1.74_1.74.0-12, fixing #995571

  • Uploaded openblas_0.3.18+ds-2, fixing the crash in the yade package. See here for more information

  • Uploaded sundials_5.8.0+dfsg-1