Like each month, have a look at the work funded by Freexian’s Debian LTS offering.
Debian LTS contributors
In May, 17 contributors were paid to work on Debian LTS; their reports are available:
- Adrian Bunk did 34.25h (out of 24.0h assigned and 22.0h from previous period), thus carrying over 11.75h to the next month.
- Bastien Roucariès did 20.0h (out of 20.0h assigned).
- Ben Hutchings did 16.0h (out of 24.0h assigned), thus carrying over 8.0h to the next month.
- Chris Lamb did 18.0h (out of 18.0h assigned).
- Daniel Leidert did 8.0h (out of 10.0h assigned), thus carrying over 2.0h to the next month.
- Emilio Pozuelo Monfort did 35.5h (out of 46.0h assigned), thus carrying over 10.5h to the next month.
- Guilhem Moulin did 13.0h (out of 14.75h assigned and 5.25h from previous period), thus carrying over 7.0h to the next month.
- Lee Garrett did 11.0h (out of 37.25h assigned and 8.75h from previous period), thus carrying over 35.0h to the next month.
- Lucas Kanashiro did 10.0h (out of 20.0h assigned), thus carrying over 10.0h to the next month.
- Markus Koschany did 40.0h (out of 40.0h assigned).
- Ola Lundqvist did 6.5h (out of 22.5h assigned and 1.5h from previous period), thus carrying over 17.5h to the next month.
- Roberto C. Sánchez did 7.75h (out of 11.0h assigned and 1.0h from previous period), thus carrying over 4.25h to the next month.
- Santiago Ruano Rincón did 8.0h (out of 16.0h assigned), thus carrying over 8.0h to the next month.
- Sean Whitton did 5.5h (out of 5.5h assigned and 0.5h from previous period), thus carrying over 0.5h to the next month.
- Sylvain Beucler did 10.5h (out of 0.75h assigned and 45.25h from previous period), thus carrying over 35.5h to the next month.
- Thorsten Alteholz did 14.0h (out of 14.0h assigned).
- Tobias Frost did 7.75h (out of 10.0h assigned and 2.0h from previous period), thus carrying over 4.25h to the next month.
Evolution of the situation
In May, we released 20 DLAs.
Notable security updates in May included:
- apache2: multiple vulnerabilities which may result in HTTP response splitting, denial of service, or authorization bypass (by Bastien Roucariès, in collaboration with apache2 maintainer Yadd)
- bind9: two vulnerabilities, called KeyTrap and NSEC3, which may result in denial of service (by Santiago Ruano Rincón)
- python-pymysql: potential SQL injection attack (by Chris Lamb)
The aforementioned apache2 update was prepared by its Debian maintainer Yadd. This update also involved work on the package test suite in buster, which contributor Bastien Roucariès then forwarded to the apache2 package in unstable. More importantly, a regression in fossil was reported, and Bastien prepared a fix for it. Bastien coordinated the upload of both packages to minimize the introduction of regressions.
Contributor Daniel Leidert also prepared an upload of runc to Debian 11 in order to fix a number of CVEs still affecting that package. Finally, contributor Thorsten Alteholz prepared uploads for qtbase-opensource-src, libjwt, and libmicrohttpd in Debian 11. Note that Debian 11 will pass into the LTS phase of support in August and these updates will improve the state and long-term supportability of Debian 11.
Debian 10 is presently in its final month of LTS support (as announced on the debian-lts-announce mailing list, support will end on June 30th), after which no new security updates will be made available on security.debian.org.
However, Freexian and its team of paid Debian contributors will continue to maintain Debian 10 going forward for the customers of the Extended LTS offer. Subscribe right away if you still have Debian 10 which must be kept secure (and which cannot yet be upgraded).
Thanks to our sponsors
Sponsors that joined recently are in bold.
- Platinum sponsors:
  - TOSHIBA (for 105 months)
  - Civil Infrastructure Platform (CIP) (for 73 months)
  - VyOS Inc (for 37 months)
- Gold sponsors:
  - Roche Diagnostics International AG (for 116 months)
  - Linode (for 110 months)
  - Babiel GmbH (for 99 months)
  - Plat’Home (for 99 months)
  - CINECA (for 73 months)
  - University of Oxford (for 55 months)
  - Deveryware (for 42 months)
  - EDF SA (for 26 months)
  - CERN
- Silver sponsors:
  - Domeneshop AS (for 120 months)
  - Nantes Métropole (for 115 months)
  - Univention GmbH (for 106 months)
  - Université Jean Monnet de St Etienne (for 106 months)
  - Ribbon Communications, Inc. (for 100 months)
  - Exonet B.V. (for 90 months)
  - Leibniz Rechenzentrum (for 84 months)
  - Ministère de l’Europe et des Affaires Étrangères (for 67 months)
  - Cloudways by DigitalOcean (for 57 months)
  - Dinahosting SL (for 55 months)
  - Bauer Xcel Media Deutschland KG (for 49 months)
  - Platform.sh SAS (for 49 months)
  - Moxa Inc. (for 43 months)
  - sipgate GmbH (for 40 months)
  - OVH US LLC (for 38 months)
  - Tilburg University (for 38 months)
  - GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 30 months)
  - Soliton Systems K.K. (for 27 months)
  - THINline s.r.o.
- Bronze sponsors:
  - Evolix (for 121 months)
  - Seznam.cz, a.s. (for 121 months)
  - Intevation GmbH (for 118 months)
  - Linuxhotel GmbH (for 118 months)
  - Daevel SARL (for 116 months)
  - Bitfolk LTD (for 115 months)
  - Megaspace Internet Services GmbH (for 115 months)
  - NUMLOG (for 115 months)
  - Greenbone AG (for 114 months)
  - WinGo AG (for 114 months)
  - Ecole Centrale de Nantes - LHEEA (for 110 months)
  - Entr’ouvert (for 105 months)
  - Adfinis AG (for 102 months)
  - GNI MEDIA (for 97 months)
  - Laboratoire LEGI - UMR 5519 / CNRS (for 97 months)
  - Tesorion (for 97 months)
  - Bearstech (for 88 months)
  - LiHAS (for 88 months)
  - Catalyst IT Ltd (for 83 months)
  - Supagro (for 78 months)
  - Demarcq SAS (for 77 months)
  - Université Grenoble Alpes (for 63 months)
  - TouchWeb SAS (for 55 months)
  - SPiN AG (for 52 months)
  - CoreFiling (for 47 months)
  - Institut des sciences cognitives Marc Jeannerod (for 42 months)
  - Observatoire des Sciences de l’Univers de Grenoble (for 39 months)
  - Tem Innovations GmbH (for 34 months)
  - WordFinder.pro (for 33 months)
  - CNRS DT INSU Résif (for 32 months)
  - Alter Way (for 25 months)
  - Institut Camille Jordan (for 14 months)