Debian LTS and ELTS - August 2021

[Sylvain Beucler]

Here is my public monthly report.

Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/services/debian-lts.html#sponsors


LTS

- gnutls28
  - non-security upload to better handle expiring root certificates
    https://lists.debian.org/debian-lts/2021/09/msg00008.html
  - prepare packages for testing
    https://lists.debian.org/debian-lts/2021/09/msg00016.html
  - DLA 2759-1
    https://lists.debian.org/debian-lts-announce/2021/09/msg00007.html

- openssl
  - non-security upload to better handle expiring root certificates
    https://lists.debian.org/debian-lts/2021/09/msg00008.html
  - coordinate with LTS team member working on separate security upload
    https://lists.debian.org/debian-lts/2021/09/msg00013.html
  - prepare packages for testing
    https://lists.debian.org/debian-lts/2021/09/msg00023.html
  - DLA 2761-1
    https://lists.debian.org/debian-lts-announce/2021/09/msg00009.html

- apache2
  - Triage new CVEs from 2.4.49 along with Debian security team
  - Prepare upload, currently analyzing CVE-2021-40438-related regressions

- uwsgi
  - Track CVE-2021-36160 from present apache2 to older uwsgi package
  - DLA 2768-1
    https://lists.debian.org/debian-lts-announce/2021/09/msg00016.html


ELTS

- postgresql-9.4
  - tidy jessie-specific CVE tracking
  - ELA-482-1
    https://deb.freexian.com/extended-lts/updates/ela-482-1-postgresql-9.4/

- gnutls28
  - common work with LTS
  - ELA-483-1
    https://deb.freexian.com/extended-lts/updates/ela-483-1-gnutls28/

- openssl
  - common work with LTS
  - cooperate with ubuntu (trusty)
    https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 + private 
e-mails
  - ELA-484-1
    https://deb.freexian.com/extended-lts/updates/ela-484-1-openssl/

- apache2
  - common (pending) work with LTS

- uwsgi
  - common work with LTS
  - ELA-487-1
    https://deb.freexian.com/extended-lts/updates/ela-487-1-uwsgi/

- CVEs triage
  - track unfixed CVEs in related packages (cf. new tooling below)
  - fix-up some duplicate entries and clarify cacti status
  - internal discussion on tracking pending updates (tomcat7)


Documentation and tooling

- Tracking related source packages
  
https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/88
  - implement change requested by security team
  - identify more renamed packages and fix-up corner cases
  - continue pushing for inclusion in common repository

- Discuss and vote on funded project proposal
  https://salsa.debian.org/freexian-team/project-funding/-/issues/10

- debian-security-support: match ecosystems with limited support
  - follow-up on task rationale
    https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/20
  - rework proposal following inclusion of our pre-requisite bug fix
    https://salsa.debian.org/debian/debian-security-support/-/merge_requests/10

- libxstream-java: test proposed patch for regression
  https://lists.debian.org/debian-lts/2021/09/msg00031.html

- LTS doc:
  - new 'Switching to the next Stable release' section
    https://wiki.debian.org/LTS/Development#Switching_to_the_next_Stable_release
  - clarify duplicate section
    
https://wiki.debian.org/LTS/Development#Prepare_other_.28non-security-related.29_updates_for_LTS
  - new uwsgi testing procedure
    https://wiki.debian.org/LTS/TestSuites/uwsgi
  - regroup and enhance autopkgtest info from TestSuites/rails and 
TestSuites/sane-backends
    https://wiki.debian.org/LTS/TestSuites/autopkgtest

-- 
Sylvain Beucler
Debian LTS Team