Debian LTS & ELTS -- April 2025
Hello,
April was my twenty-second month working on LTS and ELTS. Thank you to
Freexian and Freexian's sponsors for making these projects possible:
<https://www.freexian.com/lts/debian/#sponsors>
LTS
- glibc
  - Released DLA-4143-1 addressing CVE-2025-0395.
  - Marked CVE-2023-4813 as ignored.

    Working with a package like this, at the root of everything else,
    was a little intimidating. It has a large testsuite, and the fix
    for CVE-2023-4813 did not make any old tests fail and came with six
    new tests of its own, but one of them did not pass.

    I had to decide whether to sink time into determining whether the
    problem with the test indicated a problem with the fix. Matters
    were complicated further by how the fix was committed by upstream
    along with refactoring. After learning a bit more about the unusual
    host configuration that would be required to render a system
    vulnerable to the problem, I came to the conclusion that we should
    not try to fix this.
- libsoup2.4
  - Started preparing an update to unstable to address a number of open
    CVEs, some of which have already been fixed in one stable suite by
    another LTS contributor. I'm most of the way there.
- Correspondence.
ELTS
- glibc
  - Started preparing an ELA to address CVE-2025-0395.
  - Marked CVE-2023-4813 as ignored here too.
  - Copied back Chris Lamb's assessment to ignore CVE-2023-4806 for
    bullseye to the ELTS dists. This problem was even more theoretical,
    and moreover, if we are not going to fix it for bullseye then we are
    certainly not going to try to fix it in the older suites.
--
Sean Whitton