As every month, here is a look at the work funded by Freexian’s Debian LTS offering.
Debian LTS contributors
In December, 18 contributors were paid to work on Debian LTS; their reports are available:
- Abhijith PA did 7.0h (out of 7.0h assigned and 7.0h from previous period), thus carrying over 7.0h to the next month.
- Adrian Bunk did 16.0h (out of 26.25h assigned and 8.75h from previous period), thus carrying over 19.0h to the next month.
- Bastien Roucariès did 16.0h (out of 16.0h assigned and 4.0h from previous period), thus carrying over 4.0h to the next month.
- Ben Hutchings did 8.0h (out of 7.25h assigned and 16.75h from previous period), thus carrying over 16.0h to the next month.
- Chris Lamb did 18.0h (out of 18.0h assigned).
- Emilio Pozuelo Monfort did 8.0h (out of 26.75h assigned and 8.25h from previous period), thus carrying over 27.0h to the next month.
- Guilhem Moulin did 25.0h (out of 18.0h assigned and 7.0h from previous period).
- Holger Levsen did 5.5h (out of 5.5h assigned).
- Jochen Sprickerhof did 0.0h (out of 0h assigned and 10.0h from previous period), thus carrying over 10.0h to the next month.
- Lee Garrett did 0.0h (out of 25.75h assigned and 9.25h from previous period), thus carrying over 35.0h to the next month.
- Markus Koschany did 35.0h (out of 35.0h assigned).
- Roberto C. Sánchez did 9.5h (out of 5.5h assigned and 6.5h from previous period), thus carrying over 2.5h to the next month.
- Santiago Ruano Rincón did 8.255h (out of 3.26h assigned and 12.745h from previous period), thus carrying over 7.75h to the next month.
- Sean Whitton did 4.25h (out of 3.25h assigned and 6.75h from previous period), thus carrying over 5.75h to the next month.
- Sylvain Beucler did 16.5h (out of 21.25h assigned and 13.75h from previous period), thus carrying over 18.5h to the next month.
- Thorsten Alteholz did 14.0h (out of 14.0h assigned).
- Tobias Frost did 10.25h (out of 12.0h assigned), thus carrying over 1.75h to the next month.
- Utkarsh Gupta did 18.75h (out of 11.25h assigned and 13.5h from previous period), thus carrying over 6.0h to the next month.
Evolution of the situation
In December, we have released 29 DLAs.
A particularly notable update in December was prepared by LTS contributor Santiago Ruano Rincón for the openssh package. The update produced DLA-3694-1 and included a fix for the Terrapin attack (CVE-2023-48795), a flaw in the SSH protocol itself rather than in any single implementation: when a connection uses ChaCha20-Poly1305 or a CBC cipher with Encrypt-then-MAC, an active man-in-the-middle can manipulate sequence numbers during the handshake to silently drop messages from the start of the encrypted channel, weakening the connection without either side noticing. The countermeasure is the "strict kex" extension, which is only used when both client and server advertise it, so both ends of a connection need to be updated for the fix to take effect. The package bluez was the subject of another notable update by LTS contributor Chris Lamb, which resulted in DLA-3689-1 to address an insecure default configuration that allowed attackers to inject keyboard commands over Bluetooth without first authenticating.
The LTS team continues its efforts to have a positive impact beyond the boundaries of LTS. Several contributors worked on packages not only to prepare LTS updates, but also to prepare patches or full updates that were uploaded to the unstable, stable, and oldstable distributions, including:
- Guilhem Moulin’s update of tinyxml (uploads to LTS and unstable, and patches submitted to the security team for stable and oldstable);
- Guilhem Moulin’s update of xerces-c (uploads to LTS and unstable, and patches submitted to the security team for oldstable);
- Thorsten Alteholz’s update of libde265 (uploads to LTS and stable, and additional patches submitted to the maintainer for stable and oldstable);
- Thorsten Alteholz’s update of cjson (upload to LTS, and patches submitted to the maintainer for stable and oldstable);
- Tobias Frost’s update of opendkim (sponsoring a maintainer-prepared upload to LTS, and additionally preparing updates for stable and oldstable).
Going beyond Debian and looking to the broader community, LTS contributor Bastien Roucariès was contacted by SUSE concerning an update he had prepared for zbar. He was able to assist by coordinating with the former employer of the original zbar author to obtain, on SUSE’s behalf, access to information about the exploits. This enabled another distribution to benefit both from the work done in support of LTS and from Bastien’s assistance in coordinating access to that information.
Finally, LTS contributor Santiago Ruano Rincón continued work on how updates for packages in statically-linked language ecosystems (e.g., Go, Rust, and others) are handled. In these ecosystems a fix to a library does not reach its dependents through a shared-library update: every package that embeds the vulnerable code has to be identified and rebuilt. The work is presently focused on more accurately and reliably identifying which packages are affected in a given update scenario, so that notifications can be published and users are made aware of these situations as they occur. As the work continues, it will eventually result in improvements to Debian infrastructure so that the LTS team and the Security team can manage updates of this nature in a more consistent way.
Thanks to our sponsors
Sponsors that joined recently are in bold.
- Platinum sponsors:
- TOSHIBA (for 100 months)
- Civil Infrastructure Platform (CIP) (for 68 months)
- Gold sponsors:
- Roche Diagnostics International AG (for 111 months)
- Linode (for 105 months)
- Babiel GmbH (for 94 months)
- Plat’Home (for 94 months)
- University of Oxford (for 50 months)
- Deveryware (for 37 months)
- VyOS Inc (for 32 months)
- EDF SA (for 21 months)
- Silver sponsors:
- Domeneshop AS (for 115 months)
- Nantes Métropole (for 109 months)
- Univention GmbH (for 101 months)
- Université Jean Monnet de St Etienne (for 101 months)
- Ribbon Communications, Inc. (for 95 months)
- Exonet B.V. (for 85 months)
- Leibniz Rechenzentrum (for 79 months)
- CINECA (for 68 months)
- Ministère de l’Europe et des Affaires Étrangères (for 62 months)
- Cloudways by DigitalOcean (for 52 months)
- Dinahosting SL (for 50 months)
- Bauer Xcel Media Deutschland KG (for 44 months)
- Platform.sh SAS (for 44 months)
- Moxa Inc. (for 38 months)
- sipgate GmbH (for 35 months)
- OVH US LLC (for 33 months)
- Tilburg University (for 33 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 25 months)
- Soliton Systems K.K. (for 22 months)
- Bronze sponsors:
- Evolix (for 116 months)
- Seznam.cz, a.s. (for 116 months)
- Intevation GmbH (for 113 months)
- Linuxhotel GmbH (for 113 months)
- Daevel SARL (for 111 months)
- Bitfolk LTD (for 110 months)
- Megaspace Internet Services GmbH (for 110 months)
- Greenbone AG (for 109 months)
- NUMLOG (for 109 months)
- WinGo AG (for 109 months)
- Ecole Centrale de Nantes - LHEEA (for 105 months)
- Entr’ouvert (for 100 months)
- Adfinis AG (for 97 months)
- GNI MEDIA (for 92 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 92 months)
- Tesorion (for 92 months)
- Bearstech (for 83 months)
- LiHAS (for 83 months)
- Catalyst IT Ltd (for 78 months)
- Supagro (for 73 months)
- Demarcq SAS (for 72 months)
- Université Grenoble Alpes (for 58 months)
- TouchWeb SAS (for 50 months)
- SPiN AG (for 47 months)
- CoreFiling (for 42 months)
- Institut des sciences cognitives Marc Jeannerod (for 37 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 34 months)
- Tem Innovations GmbH (for 29 months)
- WordFinder.pro (for 28 months)
- CNRS DT INSU Résif (for 27 months)
- Alter Way (for 20 months)
- Institut Camille Jordan (for 9 months)