LTS report for October 2020 - Abhijith PA
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

October was my 32nd month as a Debian LTS paid contributor. I had a total of
16 hours (14h assigned and 2h from last month). I've spent all of them on the
following:

* Front-desk duty from 05-10 to 11-10

* tinymce: Marked CVE-2019-1010091, CVE-2020-12648 as ignored. Not able to
  reproduce. Marked CVE-2020-17480 as no-dsa.

* phpmyadmin: Uploaded package prepared by William Desportes. And released
  DLA[1]

* junit4: Fixed CVE-2020-15250, tested and uploaded[2].

* jupyter-notebook: There were 6 CVEs. Marked CVE-2018-19352 as
  not-affected[3]. Marked CVE-2019-10255, CVE-2019-9644 as no-dsa[4]. Fixed
  CVE-2018-19351 CVE-2018-21030 CVE-2018-8768. Upload stuck due to #823820[5]

Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2020/10/msg00024.html
[2] - https://lists.debian.org/debian-lts-announce/2020/11/msg3.html
[3] - https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1166b5e0
[4] - https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1166b5e0
[5] - https://bugs.debian.org/823820
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAl+idnkACgkQhj1N8u2c
KO+AJg/9F3BtXm6dfqRpjI8Q8n5KRZ3ku3j5J1a/Se3Ipi2eziavm0LJ+TeLl+SU
AbLaLnIHsDT+jL8UOI+VXacp06wn5SJhjpcPElZRSyP04FLbm9euGyYRRSisrhnw
US2IECVzMhYP90Y8JlbI0RW7aByGxwaEP9aUqwUNGr1E2oxKNwGosyLavpbtUq2u
5A33BVIIfYfg4oVz3VZ92F39/klN3VkleVkimhx2YeWfKy9GsCaBphEOxc7hqk9X
yqmD3HGuI/LoFN8TP9ZKhFBUL4dB/Q0UPIigTIk2bpzjlJ8G+mYBZ/bQhB6Kwfeq
DlANWEHzX5qf+9J1rTwBabFqDeBIYZBIjZSxY/2Lnu6/dlwYDbVDGpc52ihxTyMw
EApja4/nz9iV6SO9h/P60v9wHG3SqZ+Ei9lhps5c3NZVHhJN5SInSYL3iePjcFuQ
JVPLi56MEJfOhXpyeQeornw9sEcmEPTW438CN7gZa7VAXiMrMnrLU/VyW2670kgB
24aV86BEVIT1JDLj81SMU5K2NY+geI10xosnH4kzF9YOtt+tn6pgxQScpy4TwiJC
shG1noJvWGtfrmX/HcI598tSObxXd7BtBH39/aK/ZNq+0whSdCDhu2HrCz4bX8Vo
573Km83pltcEArilM+TsluruqeGELEp6BJgGQvQx5H00IuHG9Is=
=vThI
-----END PGP SIGNATURE-----
Re: golang-go.crypto / CVE-2019-11841
Brian May writes:

> Package: acmetool
> Package: chasquid
> Package: coyim
> Package: go-wire
> Package: gocryptfs
> Package: golang-github-azure-azure-sdk-for-go
> Package: golang-github-azure-go-autorest
> Package: golang-github-azure-go-ntlmssp
> Package: golang-github-bowery-prompt
> Package: golang-github-coreos-ioprogress
> Package: golang-github-coreos-pkg
> Package: golang-github-elithrar-simple-scrypt
> Package: golang-github-endophage-gotuf
> Package: golang-github-howeyc-gopass
> Package: golang-github-kisom-goutils
> Package: golang-github-pkg-sftp
> Package: golang-github-rackspace-gophercloud
> Package: golang-github-weaveworks-mesh
> Package: golang-github-xenolf-lego
> Package: golang-github-xordataexchange-crypt
> Package: golang-golang-x-net-dev
> Package: golang-gopkg-dancannon-gorethink.v2
> Package: golang-gopkg-macaroon.v1
> Package: govendor
> Package: influxdb
> Package: mongo-tools
> Package: packer
> Package: rclone
> Package: restic
> Package: snapd
> Package: syncthing
> Package: tendermint-ed25519
> Package: tendermint-go-merkle
> Package: golang-ed25519-dev
> Package: golang-github-bradfitz-http2
> Package: golang-github-endophage-gotuf
> Package: golang-pault-go-debian
> Package: influxdb
> Package: obfs4proxy
> Package: pluginhook

I downloaded all binary packages associated with these source packages and
ran the following script (for simplicity I commented out the line that
calls my script from https://github.com/brianmay/bampkgbuild/ that uses
docker to download the required files):

=== cut ===
#!/bin/sh
set -e
set -x

# PATH="$HOME/tree/personal/bampkgbuild:$PATH"
# download --architecture amd64 --distribution stretch --download binaries -- "$@" >&2

# Create a temporary directory and store its name in a variable ...
TMPDIR=$(mktemp -d)

# Bail out if the temp directory wasn't created successfully.
if [ ! -e "$TMPDIR" ]; then
    echo "Failed to create temp directory" >&2
    exit 1
fi

# Make sure it gets removed even if the script exits abnormally.
trap "exit 1" HUP INT PIPE QUIT TERM
trap 'rm -rf "$TMPDIR"' EXIT

for i in *.deb; do
    # Start from an empty tree for every package so hits from the
    # previous .deb cannot leak into this one.
    rm -rf "$TMPDIR"
    dpkg-deb --raw-extract "$i" "$TMPDIR" >&2

    # Statically linked Go binaries carry the GOPATH source paths of the
    # packages they were built against, so grep the extracted tree for
    # the affected golang.org/x/crypto packages.
    HIT=""
    if grep -qr 'src/golang.org/x/crypto/salsa20' -- "$TMPDIR"; then
        HIT="salsa20 $HIT"
    fi
    if grep -qr 'src/golang.org/x/crypto/openpgp/clearsign' -- "$TMPDIR"; then
        HIT="openpgp/clearsign $HIT"
    fi
    if grep -qr 'src/golang.org/x/crypto/ssh/keys' -- "$TMPDIR"; then
        HIT="ssh/keys $HIT"
    fi

    if test -n "$HIT"; then
        echo "Package $i needs rebuilding" >&2
        # Report the source package: the Source field with any
        # "(version)" suffix stripped, falling back to Package when the
        # binary comes from a source package of the same name (no
        # Source field in that case).
        source="$(dpkg-deb -f "$i" Source)"
        source="${source%% *}"
        if test -z "$source"; then
            source="$(dpkg-deb -f "$i" Package)"
        fi
        echo "$source $HIT"
    fi
done
=== cut ===

This produced the following output to STDOUT:

=== cut ===
obfs4proxy salsa20
packer ssh/keys
rclone salsa20
restic ssh/keys
snapd salsa20
=== cut ===

So I believe this is the list of packages that need to be rebuilt.
-- 
Brian May
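The same check in pure Python, added here as an example (it is not Brian May's script, nor any Debian tool): it parses the .deb container itself (an 'ar' archive holding debian-binary, control.tar.* and data.tar.*), searches every file in data.tar for the same three GOPATH path fragments the shell loop greps for, and reports the source package, taking the Source field and stripping its optional "(version)" suffix before falling back to Package. The build_fake_deb helper and the packages it creates are constructed fixtures so the code runs offline; they are not real Debian packages.

```python
"""Scan .deb files for Go binaries that embed affected golang.org/x/crypto
packages, without dpkg-deb.  Added example, not Brian May's script."""
import io
import tarfile

# Same three GOPATH source-path fragments the shell script greps for; the
# Go linker leaves these file paths in any binary built against them.
AFFECTED_PATHS = (
    b"src/golang.org/x/crypto/salsa20",
    b"src/golang.org/x/crypto/openpgp/clearsign",
    b"src/golang.org/x/crypto/ssh/keys",
)

AR_MAGIC = b"!<arch>\n"


def ar_members(blob):
    """Yield (name, data) for each member of an 'ar' archive (the .deb container)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]          # 60-byte fixed member header
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")  # GNU ar appends '/'
        size = int(hdr[48:58].decode("ascii").strip())
        start = pos + 60
        yield name, blob[start:start + size]
        pos = start + size + (size & 1)   # member data is padded to an even offset


def control_fields(control_tar):
    """Parse the 'control' file from control.tar.* into a {field: value} dict."""
    with tarfile.open(fileobj=io.BytesIO(control_tar), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile() and m.name.lstrip("./") == "control":
                text = tf.extractfile(m).read().decode("utf-8")
                break
        else:
            raise ValueError("control.tar has no control file")
    fields = {}
    for line in text.splitlines():
        if line[:1].isspace() or ":" not in line:
            continue   # continuation lines (Description body) are not needed
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def source_package(fields):
    """Source package name: 'Source' minus any '(version)' suffix, else 'Package'."""
    return fields.get("Source", "").split(" ")[0] or fields["Package"]


def scan_deb(blob):
    """Return (source_package, sorted affected paths) for one .deb given as bytes."""
    members = dict(ar_members(blob))
    control = next(v for k, v in members.items() if k.startswith("control.tar"))
    data = next(v for k, v in members.items() if k.startswith("data.tar"))
    hits = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if not m.isfile():
                continue
            content = tf.extractfile(m).read()
            hits.update(p.decode() for p in AFFECTED_PATHS if p in content)
    return source_package(control_fields(control)), sorted(hits)


def build_fake_deb(package, source, files):
    """Constructed fixture (not a real Debian package): a minimal .deb in memory."""
    def tgz(entries):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for name, content in entries.items():
                info = tarfile.TarInfo("./" + name)
                info.size = len(content)
                tf.addfile(info, io.BytesIO(content))
        return buf.getvalue()

    control = "Package: %s\nVersion: 1.0-1\nArchitecture: amd64\n" % package
    if source:
        control += "Source: %s\n" % source
    out = bytearray(AR_MAGIC)
    for name, data in (("debian-binary", b"2.0\n"),
                       ("control.tar.gz", tgz({"control": control.encode()})),
                       ("data.tar.gz", tgz(files))):
        out += ("%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(data))).encode()
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            src, hits = scan_deb(fh.read())
        if hits:   # same "source hit ..." line the shell script prints
            print(src, " ".join(h.split("x/crypto/", 1)[1] for h in hits))
```

Run it as `python3 scan_deb.py *.deb` in a directory of downloaded binary packages; it prints one "source-package hit ..." line per affected package, like the shell script's STDOUT. Two caveats both versions share: a hit means the binary was linked against the affected package and should be rebuilt against the fixed golang-go.crypto, not that the vulnerable code is reachable; and a binary built from a vendored copy (path vendor/golang.org/x/crypto/...) does not contain the src/golang.org/x/crypto/... string, so dropping the "src/" prefix is needed to catch those too.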