Hello,
May was my twenty-third month working on LTS and ELTS. Thank you to
Freexian and Freexian's sponsors for making these projects possible:
<https://www.freexian.com/lts/debian/#sponsors>
LTS
- libsoup2.4
  - Uploaded an NMU to sid fixing CVE-2025-32906, CVE-2025-32909,
    CVE-2025-32910, CVE-2025-32911, CVE-2025-32912, CVE-2025-32913,
    CVE-2025-32914 and CVE-2025-46420.
  - I worked on backporting the fix for CVE-2025-46421 from libsoup3 to
    libsoup2.4 but got stuck. Neither upstream's tests for the fix
    backport, nor the proof-of-concept exploit. I unclaimed the package
    seeking feedback from others on what to do: I could dive deep into
    getting those tests or the PoC to work but I am not sure whether
    that would be a sensible time investment.
  - Reviewed and merged a backport to bookworm of my fixes to sid,
    submitted by someone else, on salsa.
- libmojolicious-perl
  - Opened a discussion with the sid maintainers about resolving
    CVE-2024-58134. The problem is one of insecure defaults. Upstream
    consider it to be the application author's responsibility not to use
    the default session secrets. I have proposed writing a
    Debian-specific patch to regenerate the secrets.
  - I had initially marked CVE-2024-58135 as ignored for bullseye
    because upstream's fix requires backporting libcryptx-perl.
    However, Sylvain Beucler took a look and noticed that it was not at
    all obvious that a newer version of libcryptx-perl is actually
    required. I wrote to upstream about it and indeed, it would seem
    that older CryptX will likely work, but I'll need to do some
    testing, which I haven't got to yet.
- busybox
  - Wrote to the maintainers about co-ordinating for various CVEs.
- glibc
  - Released DLA-4181-1 addressing CVE-2025-4802.
  - Wrote to the Release Team to ask them about tooling for triggering
    rebuilds of statically built C binaries. Thanks to Sylvain Beucler
    for pointing out that we might need to do this.
- Participated in the monthly meeting.
- Correspondence.
ELTS
- glibc
  - Prepared backports of the fix for CVE-2025-0395 to jessie, stretch
    and buster, and the fix for CVE-2025-4802 to buster. At the time of
    writing I am waiting for autopkgtests to complete before I can
    release DLAs.

    glibc upstream have added a lot of test suite infrastructure in
    recent years in pure C. So they have custom file copying utilities,
    custom temporary file creation utilities, etc., that required
    backporting in order for the new tests to work. This took some time
    to complete, because each utility requires .c and .h entries,
    Makefile entries, etc. (it was an interesting experience that made
    me feel like the glibc maintainers really love and admire the
    language whose standard library they maintain; they could have used
    shell scripts for this work, I think, but chose not to).
- libmojolicious-perl
  - Marked CVE-2024-58134 and CVE-2024-58135 as postponed for buster.
- Provided some feedback on one aspect of the upcoming transition to use
  debusine to run ELTS builds.
--
Sean Whitton