Utkarsh Gupta: FOSS Activities in December 2025
Here’s my monthly but brief update about the activities I’ve done in the FOSS world.
Debian

Whilst I didn’t get a chance to do much, here are still a few things that I worked on:
- Prepared security update for wordpress for trixie and bookworm.
- A few discussions with the new DFSG team, et al.
- Assisted a few folks in getting their patches submitted via Salsa.
- Mentoring for newcomers.
- Moderation of -project mailing list.
Ubuntu

I joined Canonical to work on Ubuntu full-time back in February 2021.
Whilst I can’t give a full, detailed list of things I did, here’s a quick TL;DR of what I did:
- Successfully released Resolute Snapshot 2!
  - This one was also done without the ISO tracker and cdimage access.
  - I think this one went rather smoothly. Let’s see what we’re able to do for snapshot 3.
- Worked on removing GPG keys from the cdimage instance. That took a while, whew!
- Assisted a bunch of folks with my Archive Admin and Release team hats to:
  - review NEW packages for Ubuntu Studio.
  - remove old binaries that are stalling transition and/or migration.
  - LTS requalification of Ubuntu flavours.
  - bootstrapping dotnet-10 packages for Stable Release Updates.
- With that, we’ve entered the EOY break. 🙂
Debian (E)LTS

This month I have worked 72 hours on Debian Long Term Support (LTS) and on its sister Extended LTS project and did the following things:
Released Security Updates
- ruby-git: Multiple vulnerabilities leading to command line injection and improper path escaping.
  - [LTS]: Fixed CVE-2022-25648, CVE-2022-46648, and CVE-2022-47318 via 1.7.0-1+deb11u1 for bullseye. This has been released as DLA 4406-1.
- ruby-sidekiq: Multiple vulnerabilities leading to Cross-site Scripting (XSS) and Denial of Service in Web UI.
  - [LTS]: Fixed CVE-2021-30151 and CVE-2022-23837 via 6.0.4+dfsg-2+deb11u1 for bullseye. This has been released as DLA 4407-1.
- python-apt: Vulnerability leading to crash via invalid nullptr dereference in TagSection.keys().
  - [LTS]: Fixed CVE-2025-6966 via 2.2.1.1 for bullseye. This has been released as DLA 4408-1.
  - [ELTS]: Fixed CVE-2025-6966 via 1.8.4.4 for buster and 1.4.4 for stretch. This has been released as ELA 1596-1.
  - All of this was coordinated between the Security team and Julian Andres Klode. Julian will take care of the stable uploads.
- node-url-parse: Vulnerability allowing authorization bypass through specially crafted URL with empty userinfo and no host.
  - [LTS]: Fixed CVE-2022-0639 via 1.5.3-1+deb11u3 for bullseye. This has been released as DLA 4413-1.
- wordpress: Multiple vulnerabilities in WordPress core, leading to Sent Data & Cross-site Scripting.
  - [stable]: Fixed CVE-2025-58674 and CVE-2025-58246 via 6.8.3+dfsg1-0+deb13u1 for trixie. This has been released as DSA 6091-1.
- usbmuxd: Privilege escalation vulnerability via path traversal in SavePairRecord command.
  - [LTS]: Fixed CVE-2025-66004 via 1.1.1-2+deb11u1 for bullseye. This has been released as DLA 4417-1.
  - [ELTS]: Fixed CVE-2025-66004 via 1.1.1~git20181007.f838cf6-1+deb10u1 for buster and 1.1.0-2+deb9u1 for stretch. This has been released as ELA 1599-1.
  - All of this was coordinated between the Security team and Yves-Alexis Perez. Yves will take care of the stable uploads.
- gst-plugins-good1.0: Multiple vulnerabilities in isomp4 plugin leading to potential out-of-bounds reads and information disclosure.
  - [LTS]: Fixed CVE-2025-47219 and CVE-2025-47183 via 1.18.4-2+deb11u4 for bullseye. This has been released as DLA 4419-1.
- postgresql-13: Multiple vulnerabilities including unauthorized schema statistics creation and integer overflow in libpq allocation calculations.
  - [LTS]: Fixed CVE-2025-12817 and CVE-2025-12818 via 13.23-0+deb11u1 for bullseye. This update has been prepared by the maintainer, Christoph Berg, and released as DLA 4420-1.
- gst-plugins-base1.0: Multiple vulnerabilities in SubRip subtitle parsing leading to potential crashes and buffer issues.
  - [ELTS]: Fixed CVE-2025-47806, CVE-2025-47807, and CVE-2025-47808 via 1.14.4-2+deb10u5 for buster and 1.10.4-1+deb9u6 for stretch. This has been released as ELA 1600-1.
Work in Progress
- ceph: Affected by CVE-2024-47866: using the argument x-amz-copy-source to put an object and specifying an empty string as its content leads to the RGW daemon crashing, resulting in a DoS attack.
  - [LTS]: Whilst the patch is straightforward, backports are a bit tricky. I’ve prepared the update but would like to reach out to zigo, the maintainer, to make sure nothing regresses.
  - [ELTS]: Same as LTS, I’d like to get a quick review and upload to LTS first before I start staging uploads for ELTS.
- knot-resolver: …
- adminer: …
- u-boot: …
- ruby-rack: There were multiple vulnerabilities reported in Rack, leading to DoS (memory exhaustion) and proxy bypass.
  - [ELTS]: Bastien picked up ruby-rack for ELTS and reached out about an upstream regression, and we’ve been doing some exchanges.
Other Activities
- Frontdesk from 01-12-2025 to 07-12-2025.
  - auto EOL’d.
  - other triages to be added…
- I claimed php-horde-css-parser to work on CVE-2020-13756 for buster and did almost all the work only to realize that the patch already existed in buster and the changelog confirmed that it was intentionally fixed.
  - After speaking with Andreas Henriksson, we figured that the CVE ID was missed when the ELA was generated, and so I fixed that via 87afaaf19ce56123bc9508d9c6cd5360b18114ef and 5621431e84818b4e650ffdce4c456daec0ee4d51 in the ELTS security tracker to reflect the situation.
- Participated in a thread which I started last month around using Salsa CI for E/LTS packages and whether we plan to sunset it in favor of using Debusine. The plan for now is to keep it around as it’s still beneficial and Debusine is still in its early phase.
- Did a lot of back and forth with Helmut about debusine uploads on #debian-elts.
  - While debugging a failure in dcut uploads, I ran into an SSH compatibility issue on deb-master.freexian.com that could be fixed on the server side. I shared all my findings with Freexian’s sysadmin team.
  - A minimal fix on the server side would be one of:
      PubkeyAcceptedAlgorithms -ssh-dss
    or explicitly restricting to modern algorithms, e.g.:
      PubkeyAcceptedAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
- Jelly on #debian-lts reported that all my DLA mails had broken Gmail’s DKIM signature. So I set up sending replies from @debian.org and that seems to have fixed that! o/
- [LTS] Attended a rather short monthly LTS meeting on Jitsi. Summary here.
- [E/LTS] Monitored discussions on mailing lists, IRC, and all the documentation updates.
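The sshd fix quoted above (dropping ssh-dss from PubkeyAcceptedAlgorithms, or pinning an explicit modern list) is easy to verify on a server before and after the change. The script below is an added example, not code from the post or from Freexian's sysadmins: it inspects a `pubkeyacceptedalgorithms` line as printed by `sshd -T` (which dumps the effective config with lowercase keywords), flags the legacy entries, and emits both variants of the corrected sshd_config line. The sample line is constructed for the example and is not the real deb-master.freexian.com configuration; treating plain ssh-rsa (SHA-1 signatures) as legacy alongside ssh-dss is the example's own choice, consistent with the explicit allowlist the post quotes.

```shell
#!/bin/sh
# Added example: audit an sshd effective-config line for legacy public-key
# signature algorithms and print the sshd_config fix.
# Constructed sample of one line of `sshd -T` output (an assumption, not the
# real server's configuration). Run `sshd -T | grep -i pubkeyacceptedalgorithms`
# as root to get the real line.
SAMPLE_LINE='pubkeyacceptedalgorithms ssh-ed25519,ssh-dss,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

# Allowlist used by the "explicit" variant of the fix quoted in the post.
MODERN_ALGOS='ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256'

# algo_list LINE -> just the comma-separated algorithm list from a sshd -T line
algo_list() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# has_legacy_algo LINE -> exit 0 if ssh-dss or plain ssh-rsa is accepted.
# Commas are added on both ends so that e.g. "ssh-rsa-cert-v01@openssh.com"
# is not mistaken for "ssh-rsa".
has_legacy_algo() {
    printf ',%s,' "$(algo_list "$1")" | grep -Eq ',(ssh-dss|ssh-rsa),'
}

# strip_legacy LINE -> the same list with ssh-dss and ssh-rsa removed,
# preserving the server's original order for everything else.
strip_legacy() {
    algo_list "$1" | awk '{
        n = split($1, a, ",");
        out = "";
        for (i = 1; i <= n; i++) {
            if (a[i] == "ssh-dss" || a[i] == "ssh-rsa") continue;
            out = (out == "" ? a[i] : out "," a[i]);
        }
        print out
    }'
}

# suggested_fix MODE -> sshd_config line to apply.
#   subtract: OpenSSH's leading "-" removes the named algorithms from the default set
#   explicit: replace the whole list with the modern allowlist
suggested_fix() {
    case "$1" in
        subtract) printf 'PubkeyAcceptedAlgorithms -ssh-dss\n' ;;
        explicit) printf 'PubkeyAcceptedAlgorithms %s\n' "$MODERN_ALGOS" ;;
        *) return 1 ;;
    esac
}

# audit LINE -> human-readable report; exit 1 if legacy algorithms are present
audit() {
    if has_legacy_algo "$1"; then
        echo "legacy public-key algorithms accepted: $(algo_list "$1")"
        echo "list without legacy entries:          $(strip_legacy "$1")"
        echo "minimal fix:   $(suggested_fix subtract)"
        echo "explicit fix:  $(suggested_fix explicit)"
        return 1
    fi
    echo "no legacy public-key algorithms accepted"
}

audit "$SAMPLE_LINE"
```

After editing sshd_config, `sshd -t` validates the file and `sshd -T` shows the resulting effective list; `ssh -Q PubkeyAcceptedAlgorithms` on the client side lists what that OpenSSH build can offer, which is the other half of a negotiation failure like the one described above.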
Until next time.
:wq for today.
