Here is my transparent report for my work on the Debian Long Term Support (LTS) <https://wiki.debian.org/LTS> and Debian Extended Long Term Support (ELTS) <https://wiki.debian.org/LTS/Extended%20project>, which extend the security support for past Debian releases, as a paid contributor.
In July, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 25.25h for LTS (out of 30 max; all done) and 13.25h for ELTS (out of 20 max; all done).

We shifted suites: welcome Stretch LTS and Jessie ELTS. The LTS->ELTS switch happened at the start of the month, but the oldstable->LTS switch happened later (after finalizing and flushing proposed-updates to a last point release), causing some confusion but nothing major.

/ELTS - Jessie/

* New local build setup
* ELTS buildds: request timezone harmonization
* Reclassify in-progress updates from jessie-LTS to jessie-ELTS
* python3.4: finish preparing update, security upload ELA 239-1 <https://deb.freexian.com/extended-lts/updates/ela-239-1-python3.4/>
* net-snmp: global triage: bisect CVE-2019-20892 to identify affected version, jessie/stretch not-affected
* nginx: global triage: clarify CVE-2013-0337 status; locate CVE-2020-11724 original patch and regression tests, update MITRE <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11724>
* nginx: security upload ELA-247-1 <https://deb.freexian.com/extended-lts/updates/ela-247-1-nginx/> with 2 CVEs

/LTS - Stretch/

* Reclassify in-progress/needed updates from stretch/oldstable to stretch-LTS
* rails: upstream security: follow-up on CVE-2020-8163 (RCE) on upstream bug tracker <https://github.com/rails/rails/issues/39301#issuecomment-653746696> and create pull request <https://github.com/rails/rails/pull/39806> for 4.x (merged), hence getting some upstream review
* rails: global security: continue coordinating <https://lists.debian.org/debian-lts/2020/07/threads.html#00033> upload in multiple Debian versions, prepare fixes <https://lists.debian.org/debian-lts/2020/07/msg00065.html> for common stretch/buster vulnerabilities in buster
* rails: security upload DLA-2282 <https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html> fixing 3 CVEs
* python3.5: security upload DLA-2280-1 <https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html> fixing 13 pending non-critical vulnerabilities, and its test suite
* nginx: security upload DLA-2283 <https://lists.debian.org/debian-lts-announce/2020/07/msg00014.html> (cf. common ELTS work)
* net-snmp: global triage (cf. common ELTS work)
* public IRC monthly team meeting <http://meetbot.debian.net/debian-lts/2020/debian-lts.2020-07-30-14.59.html>
* reach out to clarify the intro from last month's report, following unsettled feedback during meeting

/Documentation/Scripts/

* ELTS/README.how-to-release-an-update: fix typo
* ELTS buildd: attempt to diagnose slow perfs, provide comparison with Debian and local builds
* LTS/Meetings <https://wiki.debian.org/LTS/Meetings>: improve presentation
* SourceOnlyUpload <https://wiki.debian.org/SourceOnlyUpload>: clarify/de-dup pbuilder doc
* LTS/Development <https://wiki.debian.org/LTS/Development>: reference build logs URL, reference proposed-updates issue during dists switch, reference new-upstream-versioning discussion, multiple jessie->stretch fixes and clean-ups
* LTS/Development/Asan <https://wiki.debian.org/LTS/Development/Asan>: drop wheezy documentation
* Warn about jruby mis-triage <https://lists.debian.org/debian-lts/2020/07/msg00084.html>
* Provide feedback for ksh/CVE-2019-14868 <https://lists.debian.org/debian-lts/2020/07/msg00087.html>
* Provide feedback for condor update <https://lists.debian.org/debian-lts/2020/07/msg00086.html>
* LTS/TestSuites/nginx <https://wiki.debian.org/LTS/TestSuites/nginx>: test with new request smuggling test cases

https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_July_2020/