Hello,

May was my twenty-third month working on LTS and ELTS. Thank you to Freexian and Freexian's sponsors for making these projects possible: <https://www.freexian.com/lts/debian/#sponsors>

LTS

- libsoup2.4
  - Uploaded an NMU to sid fixing CVE-2025-32906, CVE-2025-32909, CVE-2025-32910, CVE-2025-32911, CVE-2025-32912, CVE-2025-32913, CVE-2025-32914 and CVE-2025-46420.
  - I worked on backporting the fix for CVE-2025-46421 from libsoup3 to libsoup2.4 but got stuck. Neither upstream's tests for the fix backport, nor does the proof-of-concept exploit. I unclaimed the package seeking feedback from others on what to do: I could dive deep into getting those tests or the PoC to work, but I am not sure whether that would be a sensible time investment.
  - Reviewed and merged a backport to bookworm of my fixes to sid, submitted by someone else, on salsa.
- libmojolicious-perl
  - Opened a discussion with the sid maintainers about resolving CVE-2024-58134. The problem is one of insecure defaults. Upstream consider it to be the application author's responsibility not to use the default session secrets. I have proposed writing a Debian-specific patch to regenerate the secrets.
  - I had initially marked CVE-2024-58135 as ignored for bullseye because upstream's fix requires backporting libcryptx-perl. However, Sylvain Beucler took a look and noticed that it was not at all obvious that a newer version of libcryptx-perl is actually required. I wrote to upstream about it and indeed, it would seem that older CryptX will likely work, but I'll need to do some testing, which I haven't got to yet.
- busybox
  - Wrote to the maintainers about co-ordinating for various CVEs.
- glibc
  - Released DLA-4181-1 addressing CVE-2025-4802.
  - Wrote to the Release Team to ask them about tooling for triggering rebuilds of statically built C binaries. Thanks to Sylvain Beucler for pointing out that we might need to do this.
- Participated in the monthly meeting.
- Correspondence.
ELTS

- glibc
  - Prepared backports of the fix for CVE-2025-0395 to jessie, stretch and buster, and the fix for CVE-2025-4802 to buster. At the time of writing I am waiting for autopkgtests to complete before I can release DLAs. glibc upstream have added a lot of test suite infrastructure in recent years in pure C. So they have custom file copying utilities, custom temporary file creation utilities, etc., that required backporting in order for the new tests to work. This took some time to complete, because each utility requires .c and .h entries, Makefile entries, etc. (It was an interesting experience that made me feel like the glibc maintainers really love and admire the language whose standard library they maintain; they could have used shell scripts for this work, I think, but chose not to.)
- libmojolicious-perl
  - Marked CVE-2024-58134 and CVE-2024-58135 as postponed for buster.
- Provided some feedback on one aspect of the upcoming transition to use debusine to run ELTS builds.

-- 
Sean Whitton