
Debian LTS & ELTS -- March 2025



Hello,

March was my twenty-first month working on LTS and ELTS.  Thank you to
Freexian and Freexian's sponsors for making these projects possible:
    <https://www.freexian.com/lts/debian/#sponsors>

LTS

- python3.9

  - Released DLA 4087-1 fixing CVE-2022-0391, CVE-2025-0938 and
    CVE-2025-1795.  The upstream bug reports were reporting regressions,
    but I determined that these were pure test suite regressions, so
    went ahead with the fixes.

- vim

  - Released DLA 4097-1 fixing CVE-2021-4173, CVE-2021-4187,
    CVE-2022-0261, CVE-2022-0351, CVE-2022-0359, CVE-2022-0361,
    CVE-2022-0392, CVE-2022-0417, CVE-2022-0572, CVE-2022-1616,
    CVE-2022-1785, CVE-2022-1897, CVE-2022-1942, CVE-2022-2000,
    CVE-2022-2129, CVE-2022-2304, CVE-2022-3099, CVE-2022-3134,
    CVE-2022-3324, CVE-2022-4141, CVE-2023-0054, CVE-2023-1175,
    CVE-2023-2610, CVE-2023-4738, CVE-2023-4752, CVE-2023-4781,
    CVE-2023-5344, CVE-2024-22667, CVE-2024-43802 and CVE-2024-47814.

  - Marked CVE-2025-29768 as not affecting bullseye.

- rubygems

  - Started work on an update for four CVEs; looking into a stable-pu
    for bookworm, first.

- Correspondence.

ELTS

- emacs24

  - Figured out how to do an upstream-style in-tree build so that I
    could run the tests for CVE-2022-45939, which are manual, not run as
    part of the ordinary build.

    This is tricky because Debian's package build is done out-of-tree,
    and there are some adjustments to handle how Debian has long split
    Emacs into two source packages, due to licensing disagreements.

    I documented the steps I figured out on our wiki, and also how I got
    to them.

  - Released ELA-1340-1 fixing CVE-2022-45939, CVE-2024-53920 and
    CVE-2025-1244.

-- 
Sean Whitton
