
Debian LTS & ELTS -- May 2025



Hello,

May was my twenty-third month working on LTS and ELTS.  Thank you to
Freexian and Freexian's sponsors for making these projects possible:
    <https://www.freexian.com/lts/debian/#sponsors>

LTS

- libsoup2.4

  - Uploaded an NMU to sid fixing CVE-2025-32906, CVE-2025-32909,
    CVE-2025-32910, CVE-2025-32911, CVE-2025-32912, CVE-2025-32913,
    CVE-2025-32914 and CVE-2025-46420.

  - I worked on backporting the fix for CVE-2025-46421 from libsoup3 to
    libsoup2.4 but got stuck.  Neither upstream's tests for the fix nor
    the proof-of-concept exploit worked with the backport.  I unclaimed
    the package seeking feedback from others on what to do: I could dive
    deep into getting those tests or the PoC to work but I am not sure
    whether that would be a sensible time investment.

  - Reviewed and merged a backport to bookworm of my fixes to sid,
    submitted by someone else, on salsa.

- libmojolicious-perl

  - Opened a discussion with the sid maintainers about resolving
    CVE-2024-58134.  The problem is one of insecure defaults.  Upstream
    consider it to be the application author's responsibility not to use
    the default session secrets.  I have proposed writing a
    Debian-specific patch to regenerate the secrets.

  - I had initially marked CVE-2024-58135 as ignored for bullseye
    because upstream's fix requires backporting libcryptx-perl.
    However, Sylvain Beucler took a look and noticed that it was not at
    all obvious that a newer version of libcryptx-perl is actually
    required.  I wrote to upstream about it and indeed, it would seem
    that older CryptX will likely work, but I'll need to do some
    testing, which I haven't got to yet.

- busybox

  - Wrote to the maintainers about co-ordinating for various CVEs.

- glibc

  - Released DLA-4181-1 addressing CVE-2025-4802.

  - Wrote to the Release Team to ask them about tooling for triggering
    rebuilds of statically built C binaries.  Thanks to Sylvain Beucler
    for pointing out that we might need to do this.

- Participated in the monthly meeting.

- Correspondence.

ELTS

- glibc

  - Prepared backports of the fix for CVE-2025-0395 to jessie, stretch
    and buster, and the fix for CVE-2025-4802 to buster.  At the time of
    writing I am waiting for autopkgtests to complete before I can
    release DLAs.

    glibc upstream have added a lot of test suite infrastructure in
    recent years in pure C.  So they have custom file copying utilities,
    custom temporary file creation utilities, etc., that required
    backporting in order for the new tests to work.  This took some time
    to complete, because each utility requires .c and .h entries,
    Makefile entries, etc. (it was an interesting experience that made
    me feel like the glibc maintainers really love and admire the
    language whose standard library they maintain; they could have used
    shell scripts for this work, I think, but chose not to).

- libmojolicious-perl

  - Marked CVE-2024-58134 and CVE-2024-58135 as postponed for buster.

- Provided some feedback on one aspect of the upcoming transition to use
  debusine to run ELTS builds.

-- 
Sean Whitton
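The libmojolicious-perl item above turns on an insecure default: a session secret that is predictable unless the application author overrides it, so anyone who knows it can mint their own session cookie.  The following is an added example, not part of the original message and not Mojolicious's code: a constructed stand-in for a signed session cookie (base64 payload, HMAC-SHA256 over it, keyed by a list of secrets where the first signs and all verify).  The default secret value, the application name and the session contents are all made up for illustration.  It shows the forgery a predictable secret permits, that regenerating the secret (rather than merely adding a new one alongside the default) closes it, and the cost that comes with regeneration: sessions issued under the old secret stop verifying.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import List, Optional

# Constructed stand-in for an insecure default: a secret anyone can guess
# because it is derived from the application's (public) name.  Illustrative
# value, not any framework's actual default.
DEFAULT_SECRETS = ["my_app"]


def _sign(value: str, secret: str) -> str:
    """HMAC-SHA256 of the serialized payload under one secret, hex-encoded."""
    return hmac.new(secret.encode(), value.encode(), hashlib.sha256).hexdigest()


def encode_session(session: dict, app_secrets: List[str]) -> str:
    """Serialize a session dict and sign it with the first (current) secret.

    Standard base64 is used so the payload never contains the '--' separator.
    """
    payload = base64.b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    return f"{payload}--{_sign(payload, app_secrets[0])}"


def decode_session(cookie: str, app_secrets: List[str]) -> Optional[dict]:
    """Return the session if the cookie verifies under any configured secret.

    Checking every secret is what allows rotation; the constant-time compare
    avoids leaking how many signature bytes matched.  None means forged,
    tampered, or signed under a secret that is no longer configured.
    """
    payload, sep, sig = cookie.rpartition("--")
    if not sep:
        return None
    for secret in app_secrets:
        if hmac.compare_digest(_sign(payload, secret), sig):
            return json.loads(base64.b64decode(payload))
    return None


def forge_as_attacker(guessed_secret: str, claims: dict) -> str:
    """An attacker who knows the secret needs nothing else: they mint a cookie."""
    return encode_session(claims, [guessed_secret])


def regenerate_secrets() -> List[str]:
    """Replace the secret list with one fresh random secret.

    Deliberately does NOT keep the old default in the list: a rotation that
    retains the guessable secret still verifies forged cookies.
    """
    return [secrets.token_hex(32)]


def demo() -> dict:
    """Walk through the insecure default, the forgery, and the regenerated secret."""
    legit_old = encode_session({"user": "alice"}, DEFAULT_SECRETS)
    forged = forge_as_attacker("my_app", {"user": "admin"})   # attacker's guess
    fresh = regenerate_secrets()
    legit_new = encode_session({"user": "alice"}, fresh)
    return {
        "default_accepts_forgery": decode_session(forged, DEFAULT_SECRETS) == {"user": "admin"},
        "fresh_rejects_forgery": decode_session(forged, fresh) is None,
        "fresh_accepts_own_sessions": decode_session(legit_new, fresh) == {"user": "alice"},
        "fresh_rejects_old_sessions": decode_session(legit_old, fresh) is None,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The last key in `demo()` is the operational caveat for a distribution-level fix: regenerating the secret on upgrade invalidates every outstanding session, which is the right trade against forgeable ones, but an application that legitimately rotates secrets would list the new one first and keep the previous random one until its sessions expire.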
