This is my 13th month of working for LTS and the 1st one for ELTS.
Released DLAs, ELAs
- CVE-2021-45909: heap-based buffer overflow vulnerability in the DecodeLZW function. It allows an
attacker to write a large amount of arbitrary data outside the boundaries of a buffer.
- CVE-2021-45910: heap-based buffer overflow within the main function. It allows an attacker to write data outside of the allocated buffer.
- CVE-2021-45911: heap based buffer overflow in processing of delays in the main function.ssh
This upload did not close any CVEs. It adds bullseye signing GPG-keys: automatic Signing Key, stable Release Key, Security Archive Automatic Signing Key for the Stretch.
CVE-2021-40401: use-after-free vulnerability exists in the RS-274X aperture definition tokenization functionality. A specially-crafted gerber file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
- This upload did not close any CVEs. It adds buster and bullseye signing GPG-keys: automatic Signing Key, stable Release Key, Security Archive Automatic Signing Key for the Jessie release.
- CVE-2022-23308: the application that validates XML using xmlTextReaderRead() with XML_PARSE_DTDATTR and XML_PARSE_DTDVALID enabled becomes vulnerable to this use-after-free bug. This issue can result in denial of service.
Several packages are in a pipeline and fixes will be released soon.
- Uploaded gif2apng_1.9+srconly-2+deb9u1 with one missing patch. Fixed in gif2apng_1.9+srconly-2+deb9u2 and released DLA
- Analyzed CVE-2022-24986 for stretch. Decided to mark it as ignored. Minor issue, patch is too intrusive to backport.
- Updated documentation for ELTS to make an upload. Initiated the discussion about one source for documentation.
- Analyzed CVE-2021-25636 (libreoffice) and decided not to fix it for stretch.
- Participated in the Debian LTS team IRC-meeting
- Update 42 projects in salsa repo “Packages for (E)LTS” according to DEP-14 schema.
- Fixed CVE-2021-40401 in the gerbv package in the git. Postponed upload due to some more CVEs, not fixed yet by upstream.
- Fixed CVE-2019-13590 in the sox package in the git. Postponed upload due to CVE-2021-40426, not fixed yet by upstream.
- Fixed CVE-2021-4189 and CVE-2021-23336 by the upload of python2.7_2.7.18-13.1 (both were previously fixed for stretch).
- Fixed CVE-2021-40401 in git. Other CVEs do not have a proper patch. Review later.
Debian Science Team / Debian electronics team
Other Debian activities
- Voted on the “GR: Voting secrecy”
- Uploaded dokuwiki_0.0.20200729-0.1~bpo11+1 into bullseye-backports
- Uploaded dokuwiki_0.0.20220317_gitaeff85c-0.1_exp1 into experimental
- new lammps will be available in the upcoming Ubuntu LTS 22.04.
Other FLOSS activities
- Participated in YADE bimonthly meeting.