Monthly report about Debian Long Term Support, September 2023

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In September, 21 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 10.0h (out of 0h assigned and 14.0h from previous period), thus carrying over 4.0h to the next month.
• Adrian Bunk did 7.0h (out of 17.0h assigned), thus carrying over 10.0h to the next month.
• Anton Gladky did 9.5h (out of 7.5h assigned and 7.5h from previous period), thus carrying over 5.5h to the next month.
• Bastien Roucariès did 16.0h (out of 15.5h assigned and 1.5h from previous period), thus carrying over 1.0h to the next month.
• Ben Hutchings did 17.0h (out of 17.0h assigned).
• Chris Lamb did 17.0h (out of 17.0h assigned).
• Emilio Pozuelo Monfort did 30.0h (out of 30.0h assigned).
• Guilhem Moulin did 18.25h (out of 18.25h assigned).
• Helmut Grohne did 10.0h (out of 10.0h assigned).
• Lee Garrett did 17.0h (out of 16.5h assigned and 0.5h from previous period).
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Ola Lundqvist did 4.5h (out of 0h assigned and 24.0h from previous period), thus carrying over 19.5h to the next month.
• Roberto C. Sánchez did 5.0h (out of 12.0h assigned), thus carrying over 7.0h to the next month.
• Santiago Ruano Rincón did 7.75h (out of 16.0h assigned), thus carrying over 8.25h to the next month.
• Sean Whitton did 7.0h (out of 7.0h assigned).
• Sylvain Beucler did 10.5h (out of 17.0h assigned), thus carrying over 6.5h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 13.25h (out of 16.0h assigned), thus carrying over 2.75h to the next month.

Evolution of the situation

In September, we have released 44 DLAs.

The month of September was a busy month for the LTS Team.

A notable security issue fixed in September was the high-severity CVE-2023-4863, a heap buffer overflow that allowed remote attackers to perform an out-of-bounds memory write via a crafted WebP file. This CVE was covered by the three DLAs of different packages: firefox-esr, libwebp and thunderbird. The libwebp backported patch was sent to upstream, who adapted and applied it to the 0.6.1 branch.

It is also worth noting that LTS contributor Markus Koschany included in his work updates to packages in Debian Bullseye and Bookworm, that are under the umbrella of the Security Team: xrdp, jetty9 and mosquitto.

As every month, there was important behind-the-scenes work by the Front Desk staff, who triaged, analyzed and reviewed dozens of vulnerabilities, to decide if they warrant a security update. This is very important work, since we need to trade-off between the frequency of updates and the stability of the LTS release.

Thanks to our sponsors

Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 97 months)
  • Civil Infrastructure Platform (CIP) (for 65 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 108 months)
  • Linode (for 102 months)
  • Babiel GmbH (for 91 months)
  • Plat’Home (for 91 months)
  • University of Oxford (for 47 months)
  • Deveryware (for 34 months)
  • VyOS Inc (for 29 months)
  • EDF SA (for 18 months)
• Silver sponsors:
  • Domeneshop AS (for 112 months)
  • Nantes Métropole (for 106 months)
  • Univention GmbH (for 98 months)
  • Université Jean Monnet de St Etienne (for 98 months)
  • Ribbon Communications, Inc. (for 92 months)
  • Exonet B.V. (for 82 months)
  • Leibniz Rechenzentrum (for 76 months)
  • CINECA (for 65 months)
  • Ministère de l’Europe et des Affaires Étrangères (for 59 months)
  • Cloudways Ltd (for 49 months)
  • Dinahosting SL (for 47 months)
  • Bauer Xcel Media Deutschland KG (for 41 months)
  • Platform.sh (for 41 months)
  • Moxa Inc. (for 35 months)
  • sipgate GmbH (for 32 months)
  • OVH US LLC (for 30 months)
  • Tilburg University (for 30 months)
  • GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 21 months)
  • Soliton Systems K.K. (for 19 months)
• Bronze sponsors:
  • Evolix (for 113 months)
  • Seznam.cz, a.s. (for 113 months)
  • Linuxhotel GmbH (for 110 months)
  • Intevation GmbH (for 109 months)
  • Daevel SARL (for 108 months)
  • Bitfolk LTD (for 107 months)
  • Megaspace Internet Services GmbH (for 107 months)
  • Greenbone AG (for 106 months)
  • NUMLOG (for 106 months)
  • WinGo AG (for 106 months)
  • Ecole Centrale de Nantes - LHEEA (for 102 months)
  • Entr’ouvert (for 97 months)
  • Adfinis AG (for 94 months)
  • GNI MEDIA (for 89 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 89 months)
  • Tesorion (for 89 months)
  • Bearstech (for 80 months)
  • LiHAS (for 80 months)
  • Catalyst IT Ltd (for 75 months)
  • Supagro (for 70 months)
  • Demarcq SAS (for 69 months)
  • Université Grenoble Alpes (for 55 months)
  • TouchWeb SAS (for 47 months)
  • SPiN AG (for 44 months)
  • CoreFiling (for 39 months)
  • Institut des sciences cognitives Marc Jeannerod (for 34 months)
  • Observatoire des Sciences de l’Univers de Grenoble (for 31 months)
  • Tem Innovations GmbH (for 25 months)
  • WordFinder.pro (for 25 months)
  • CNRS DT INSU Résif (for 24 months)
  • Alter Way (for 17 months)
  • Institut Camille Jordan (for 6 months)

by Santiago Ruano Rincón 12 Oct, 2023 . Tags : debian-lts, planet-debian, report , 807 Words.