Debian LTS and ELTS - April 2025
Here is my public monthly report.
Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/lts/debian/#sponsors
LTS
- Front-Desk (week 14 and 15)
  - Replaced Santiago week 14, so 2 weeks in a row
  - Mark 22 packages for update, drop 1 EOL'd package
  - Request stable updates for libsub-handlesvia-perl and
    dns-root-data; report issue with automated creation of the latter
    https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/201
    https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/202
  - Triage or precise bullseye triage for >30 CVEs;
    help Security Team analyze some untriaged CVEs
  - Tidy work queue and update packages status
  - Answer pending e-mails from LTS users:
    https://lists.debian.org/debian-lts/2025/04/msg00021.html
    https://lists.debian.org/debian-lts/2025/04/msg00022.html
    https://lists.debian.org/debian-lts/2025/04/msg00023.html
    https://lists.debian.org/debian-lts/2025/04/msg00024.html
    https://lists.debian.org/debian-lts/2025/04/msg00025.html
- Horde
  - Follow-up of last month's work:
    php-horde* from bookworm is incompatible with PHP8
    ckeditor3 is EOL, but the Horde suite still depends on it
  - Forsake removing php-horde* from bookworm
    Officially add php-horde ecosystem to bookworm EOL
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101047
    https://salsa.debian.org/debian/debian-security-support/-/merge_requests/37
    https://lists.debian.org/debian-lts/2025/04/msg00008.html
  - Remove ckeditor from Debian unstable (and trixie)
    Officially add ckeditor3 to bullseye and bookworm EOL
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101984
    https://salsa.debian.org/debian/debian-security-support/-/merge_requests/38
    https://lists.debian.org/debian-lts/2025/04/msg00009.html
  - Ask maintainer to EOL ckeditor[v4] (long-term)
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102677
  - Clean-up and merge Horde Git repositories at Salsa
    Tidy Salsa CI configuration
    https://salsa.debian.org/horde-team/
    https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/200
  - Handle new CVE-2025-30349 for php-horde-imp along with ckeditor3 fixes
  - DLA-4112-1 for php-horde-editor, DLA-4113-1 for php-horde-imp
    https://lists.debian.org/debian-lts-announce/2025/04/msg00007.html
    https://lists.debian.org/debian-lts-announce/2025/04/msg00008.html
- grub2
  - Many pending CVEs, status update
  - Contact Debian maintainers, they'll handle the LTS upload
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098319#30
- shadow
  - Merge Git repository with the maintainer's at Salsa
    https://salsa.debian.org/debian/shadow/
    https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/204
  - DLA-4130-1
    https://lists.debian.org/debian-lts-announce/2025/04/msg00026.html
- libapache2-mod-auth-openidc
  - Guide maintainer for preparing DLA-4129-1
    https://lists.debian.org/debian-lts/2025/04/msg00038.html
    https://lists.debian.org/debian-lts-announce/2025/04/msg00025.html
- mosquitto
  - Guide maintainer for preparing a bookworm update
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103927
ELTS
- Front-Desk (week 14 and 15)
  - Replaced Santiago week 14, so 2 weeks in a row
  - Associate CVEs from newer, branched Debian packages with different
    names to older ELTS packages (fig2dev*, gnupg*, golang*, libbson*,
    opensaml*, sqlite*, twitter-bootstrap*); track more renamed
    packages
  - Review history of newly supported packages
  - Mark 21 supported packages for update, drop 1 unsupported, drop 2
    with no pending work; request dns-root-data (non-security) updates
  - Triage or precise triage for >10 CVEs and packages
  - Tidy work queue and update packages status
  - Drop some obsolete (temporary, rejected) CVEs from ELTS
- Horde & CKEditor
  - Apply LTS work (see LTS section)
    Upgrade from CKEditor v3 to v4
    Clean-up and merge Horde Git repositories at Salsa
  - Exceptionally update non-supported php-horde-turba, to fix issues
    with installing and testing other supported Horde packages, by
    fixing a regression introduced in the last LTS upload
  - ELA-1371-1, ELA-1372-1, ELA-1373-1 for
    php-horde-editor, php-horde-imp, php-horde-turba
    https://www.freexian.com/lts/extended/updates/ela-1371-1-php-horde-editor/
    https://www.freexian.com/lts/extended/updates/ela-1372-1-php-horde-imp/
    https://www.freexian.com/lts/extended/updates/ela-1373-1-php-horde-turba/
- proftpd
  - Help Bastien find the cause of a regression in the previous update
    https://www.freexian.com/lts/extended/updates/ela-1343-2-proftpd-dfsg/
- shadow
  - Merge Git repository with the maintainer's at Salsa (see LTS section)
  - ELA-1395-1
    https://www.freexian.com/lts/extended/updates/ela-1395-1-shadow/
- python2
  - Follow-up from last month, as test suite failures were found in
    python-django and mercurial, uploaded later
  - Identify root cause and upstream fixes for failures; both involve
    test suite limitations: too strict adherence to Python validation
    for e-mails and hostnames, and insufficient error handling when
    checking faulty edge cases
    https://github.com/django/django/commit/e8b4feddc34ffe5759ec21da8fa027e86e653f1c
    https://repo.mercurial-scm.org/hg-stable/rev/d906406658a9
  - Validate new test suite triggers, so the python-django test suite
    is always run when uploading the next python2 update, even with
    indirect python2 dependency
    Note: mercurial test suite was already run but always failed
- erlang
  - Urgent CVE-2025-32433 with RCE (Remote Code Execution)
  - Fix issues in buster test suite
  - ELA-1405-1
    https://www.freexian.com/lts/extended/updates/ela-1405-1-erlang/
Documentation and tooling
- LTS Documentation docs
  - TestSuites
    - erlang: new page, running the suite and manually testing SSH
      https://lts-team.pages.debian.net/wiki/TestSuites/erlang.html
    - grub2: new page, document package signing process
      https://lts-team.pages.debian.net/wiki/TestSuites/grub2.html
    - hdf5: new page, reference repository of CVE reproducers
      https://lts-team.pages.debian.net/wiki/TestSuites/hdf5.html
    - mercurial: new page, how to run a specific test
      https://lts-team.pages.debian.net/wiki/TestSuites/mercurial.html
    - horde: how to enable inline HTML display to test XSS; status update
      https://lts-team.pages.debian.net/wiki/TestSuites/horde.html
    - autopkgtest: link Debian wiki
      https://lts-team.pages.debian.net/wiki/TestSuites/autopkgtest.html
  - Development
    - Clarify and expand package claim procedure (March meeting action)
      https://salsa.debian.org/lts-team/lts-team.pages.debian.net/-/merge_requests/18
    - Test the update: reference another tool, rephrase review section
      https://lts-team.pages.debian.net/wiki/Development.html#test-the-update
- Debian Wiki
  - ContinuousIntegration/autopkgtest: link LTS documentation
    https://wiki.debian.org/ContinuousIntegration/autopkgtest
  - How to use the Bug Tracking System: clarify subscribe section
    https://wiki.debian.org/HowtoUseBTS
  - Static Linking: JavaScript: add more situations and examples,
    in light of the recent twitter-bootstrap update
    https://wiki.debian.org/StaticLinking
    https://lists.debian.org/debian-lts-announce/2025/04/msg00020.html
    https://lists.debian.org/debian-lts/2025/04/msg00051.html
- Internal documentation:
  - Claim/unclaim procedures: link public documentation
  - Front-Desk: merge multiple sections, link public documentation
  - renamed-packages: reference data/packages/removed-packages
  - Package publication: migration troubleshooting; document staging URLs
- Tooling
  - security-tracker: report issue with recent file merge in
    debian-security-support; review MR
    https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/212
    https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e29b98a728e45514ea5c38c198370be2c8064699
  - lts-updates-tasks
    Add issue template for Stable Point Update (SPU) request
    https://salsa.debian.org/lts-team/lts-updates-tasks/-/commit/3597971769bacd9d51e556161222e1d155b68a16
  - Package claim: open ticket with discussion summary (meeting action)
    Implement/improve automated package claim checks and notifications
    https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/85
  - package-operations: parse configuration without the (private) pyxian dependency
    This would help make this script public; waiting for review
    https://gitlab.com/freexian/services/deblts-team/debian-lts/-/merge_requests/62
  - Salsa CI: report and propose fix for issue with 'piuparts --hard-link'
    https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/275
    https://salsa.debian.org/salsa-ci-team/pipeline/-/merge_requests/604
  - cvehist: fast CVE triage history
    - Rationale: the CVE list in the tracker is a 40MB+ file that Git
      has trouble handling efficiently. This is a partial Git rewrite
      that splits it into 1 file per CVE, with specific optimizations, so
      their history can be browsed fast. This is valuable for Front
      Desk triage work.
      https://lists.debian.org/debian-lts/2025/04/msg00018.html
    - This is not meant as a replacement, but as a complement.
    - Evaluate newer git-filter-repo instead of git-filter-branch, but
      the lack of resume operation (--filter-branch) makes it unsuitable.
    - This builds on a previous experiment. Update the optimized C
      filter, and re-rewrite the full Git history (needs ~40h for the
      initial run). In particular: name unique TEMP-XXX entries as in
      the security tracker; exclude some confusing erroneous commit.
    - Publish the repository and call for testing:
      https://salsa.debian.org/beuc/cvehist
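The cvehist rationale above describes splitting the tracker's single large CVE list into one file per CVE so that per-entry history becomes cheap to browse. The following is an added illustration of that splitting step in Python, written for this page; it is not cvehist's own code (which is an optimized C filter driving a Git history rewrite). It assumes the layout of the tracker's data/CVE/list file: an entry starts with a CVE header at column 0 and continues with tab-indented detail lines. The sample list is constructed, and the TEMP naming scheme (a hash of the header for placeholder CVE-YYYY-XXXX entries, so the same unassigned entry keeps the same file name across rewrites) is an assumption for this example, not the security tracker's own TEMP naming rule.

```python
"""Split a security-tracker style CVE list into one entry per CVE.

Added example for illustration only; not the cvehist or security-tracker code.
"""
import hashlib
import re
from pathlib import Path

# Constructed sample in the layout of the tracker's data/CVE/list file:
# a header line at column 0, then tab-indented detail lines.
SAMPLE_LIST = """\
CVE-2025-0001 (Example buffer overflow in foo)
\t- foo 1.2-3 (bug #900001)
\t[bookworm] - foo 1.1-2+deb12u1
\t[bullseye] - foo <no-dsa> (Minor issue)
\tNOTE: https://example.invalid/foo-advisory
CVE-2025-XXXX [Unassigned issue in bar]
\t- bar <unfixed>
CVE-2025-0002 (Another issue in baz)
\t- baz 2.0-1
"""

# A header is a real id (CVE-2025-0001) or a placeholder id (CVE-2025-XXXX)
# at the very start of the line; indented detail lines never match.
HEADER_RE = re.compile(r"^(CVE-\d{4}-(?:\d+|X+))\b")


def entry_name(header: str) -> str:
    """Return the per-entry file name for a header line.

    Real ids are used as-is. Placeholder ids are mapped to a stable
    TEMP-<hash> name derived from the header text (assumed scheme, chosen
    so an unassigned entry keeps one name across repeated rewrites).
    """
    m = HEADER_RE.match(header)
    if m is None:
        raise ValueError(f"not a CVE header: {header!r}")
    cve_id = m.group(1)
    if cve_id.endswith("X"):
        digest = hashlib.sha1(header.encode("utf-8")).hexdigest()[:8]
        return f"TEMP-{digest}"
    return cve_id


def split_cve_list(text: str) -> dict[str, str]:
    """Map entry name -> entry text (header plus its tab-indented lines)."""
    entries: dict[str, str] = {}
    name = None
    block: list[str] = []
    for line in text.splitlines():
        if HEADER_RE.match(line):
            if name is not None:
                entries[name] = "\n".join(block) + "\n"
            name = entry_name(line)
            block = [line]
        elif name is not None:
            # Detail line belonging to the current entry.
            block.append(line)
        # Anything before the first header is not part of an entry.
    if name is not None:
        entries[name] = "\n".join(block) + "\n"
    return entries


def write_entries(entries: dict[str, str], outdir: Path) -> list[Path]:
    """Write one file per entry under outdir and return the written paths.

    With one file per CVE, `git log -- CVE-2025-0001` only has to walk
    commits that touched that single file instead of diffing a 40MB blob.
    """
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for name, body in sorted(entries.items()):
        path = outdir / name
        path.write_text(body, encoding="utf-8")
        written.append(path)
    return written


if __name__ == "__main__":
    import tempfile

    split = split_cve_list(SAMPLE_LIST)
    with tempfile.TemporaryDirectory() as tmp:
        for p in write_entries(split, Path(tmp)):
            print(p.name)
```

Running the block prints the three file names produced from the sample (two real ids and one TEMP name); in a real rewrite the same split would be applied to every historical revision of the list so that each per-CVE file carries its own history.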
- Discussion
  - thread: What pain points exist in the current security-tracker structure?
    Reference recurring issues with confusing terminology
    https://lists.debian.org/debian-lts/2025/04/msg00058.html
  - Team Meeting (via Jitsi)
    Help take meeting notes, present the cvehist tool
    https://lists.debian.org/debian-lts/2025/04/msg00059.html
--
Sylvain Beucler
Debian LTS Team