I've worked during May on the below listed packages, for Freexian LTS/ELTS [1].
Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

nodejs
------
Found CVE-2025-47153 and patched it. Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size (e.g., building on i386 Debian always uses _FILE_OFFSET_BITS=64 for the libuv dynamic library, but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs), leading to out-of-bounds access.
Release DLA 4152-1 (needed to rebuild a few dependencies).

krb5
----
Backport fix of CVE-2025-3576.
Backport to bullseye.
Do a risk analysis about the default with other members of the LTS team.

mariadb-10.5
------------
Triage bug.
Backport to 10.5.
Release DLA-4154-1.

angular
-------
Solve ReDoS.

ELTS
====

postgresql/stretch
------------------
Backport CVE-2025-1094 fixes.
Release ELA.

postgresql/jessie
-----------------
Try to backport CVE-2025-1094 fixes.
Ignore CVE-2025-1094 as too risky (data corruption risk).

libuv1
------
Fix CVE-2020-8252.
Release ELA-1416-1.

nodejs
------
Fix CVE-2025-47153.

krb5
----
Backport fix of CVE-2025-3576.
Discuss fixes with team.
By risk analysis, disable the fix by default due to risk of incompatibility.
Improve patches.

wpa
---
Release ELA-1419-1.

ghostscript
-----------
Fix a few CVEs:
Fix CVE-2025-27830: A buffer overflow occurs during serialization of DollarBlend in a font, for base/write_t1.c and psi/zfapi.c.
Fix CVE-2025-27831: The DOCXWRITE and TXTWRITE devices have a text buffer overflow via long characters.
Fix CVE-2025-27832: The NPDL device was vulnerable to integer overflow leading to a buffer overflow.
Fix CVE-2025-27835: A buffer overflow occurs when converting glyphs to Unicode.
Fix CVE-2025-27836: The BJ10V device has a Print buffer overflow.

tcpdf
-----
Help Santiago with ReDoS issue.

mariadb
-------
Triage CVEs.
Contact upstream for commit.
Backport CVE-2023-52970.
Investigate consequences of CVE-2025-30693.

twitter-bootstrap3
------------------
Investigate CVE-2025-1647.
Propose to drop IE8.
Backport fixes to all distributions by creating a patch (EOL upstream).

Other
=====
I attend the monthly meeting.

Cheers
rouca

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors
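The off_t mismatch behind CVE-2025-47153 above is an ABI split: a shared library built with _FILE_OFFSET_BITS=64 writes a wider structure than a consumer built with the 32-bit default has allocated. The following is an added illustration, not code from this report, from libuv or from Node.js. The two struct layouts are constructed stand-ins that only reproduce the size difference (they are not the real struct stat), and fill_stat_checked is a hypothetical library entry point showing the defensive shape: have the caller declare its buffer size and refuse to write when it does not cover the library's layout, instead of overrunning it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-ins for two views of the same structure. A library built
 * with _FILE_OFFSET_BITS=64 lays out a 64-bit offset field, while a consumer
 * built with the 32-bit default expects the narrower layout. These are NOT the
 * real struct stat; they only reproduce the size difference that matters.
 */
struct stat_off32 {            /* consumer's view: 32-bit off_t */
    uint32_t st_size;
    uint32_t st_mtime_sec;
};

struct stat_off64 {            /* library's view: 64-bit off_t */
    uint64_t st_size;
    uint32_t st_mtime_sec;
};

/*
 * Hypothetical library entry point. A naive implementation would cast dst to
 * struct stat_off64 and write through it, spilling past a 32-bit caller's
 * buffer by the size difference. This checked version takes the caller's
 * declared buffer size and refuses to write unless it covers the library's
 * layout. Returns 0 on success, -1 on layout mismatch (nothing written).
 */
int fill_stat_checked(void *dst, size_t dst_size, uint64_t size_value, uint32_t mtime_sec)
{
    struct stat_off64 tmp;

    if (dst == NULL || dst_size < sizeof tmp)
        return -1;

    memset(&tmp, 0, sizeof tmp);
    tmp.st_size = size_value;
    tmp.st_mtime_sec = mtime_sec;
    memcpy(dst, &tmp, sizeof tmp);   /* bounded by the size check above */
    return 0;
}

/* Bytes an unchecked library write would spill past a 32-bit caller's buffer. */
size_t off_t_layout_overrun(void)
{
    return sizeof(struct stat_off64) - sizeof(struct stat_off32);
}

int main(void)
{
    struct stat_off32 s32;
    struct stat_off64 s64;

    printf("consumer layout: %zu bytes, library layout: %zu bytes, "
           "overrun if unchecked: %zu bytes\n",
           sizeof s32, sizeof s64, off_t_layout_overrun());

    /* The mismatched caller is rejected rather than overflowed. */
    if (fill_stat_checked(&s32, sizeof s32, 123456789ULL, 1700000000U) == -1)
        printf("32-bit caller rejected instead of overflowed\n");

    /* The matching caller is filled normally. */
    if (fill_stat_checked(&s64, sizeof s64, 123456789ULL, 1700000000U) == 0)
        printf("64-bit caller filled: st_size=%llu\n",
               (unsigned long long)s64.st_size);

    return 0;
}
```

The size argument is the whole point: the real fix is to build library and consumer with the same _FILE_OFFSET_BITS, but an interface that carries the caller's buffer size turns a silent out-of-bounds write into a detectable error when the two builds drift apart.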