E?LTS report

To: debian-lts@lists.debian.org, debian-lts@lists.debian.org
Subject: E?LTS report
From: Bastien Roucaries <rouca@debian.org>
Date: Sun, 01 Jun 2025 17:39:36 +0200
Message-id: <[🔎] 3347551.N7aMVyhfb1@debian-ei>

I've worked during may on the below listed packages, for Freexian
LTS/ELTS [1]

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

nodejs
----------

Found CVE-2025-47153 and patch it.

Certain build processes for libuv and Node.js for 32-bit systems,
 such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb 
for  Debian GNU/Linux, have an inconsistent off_t size (e.g., building on i386 
Debian always uses _FILE_OFFSET_BITS=64 for the libuv dynamic library, but 
uses the _FILE_OFFSET_BITS global system default of 32 for nodejs), leading to 
out-of-bounds access

Release DLA 4152-1 (need to rebuild of few dependencies)

krb5
-------

Backport fix of CVE-2025-3576
Backport to bullseyes
Do a risk analysis about default with other member of LTS team

mariadb-10.5
-------------------

Triagge bug
Backport to 10.5
Release DLA-4154-1

angular
-----------

solve REDOS

ELTS
====

postgresSQL/stretch
-----------------------------

Backport CVE-2025-1094 fixes
Release ELA

postgresSQL/jessie
----------------------------

Try to Backport CVE-2025-1094 fixes
Ignore CVE-2025-1094 due to too risky (data corruption risk)

libuv1
--------

Fix CVE-2020-8252
Release ELA-1416-1

nodejs
----------

Fix CVE-2025-47153

krb5
-------

Backport fix of CVE-2025-3576
Discuss fixes with team
By risk analysis disable by default fix due to risk of incompatibility
Improve patches

wpa
------

Release ELA-1419-1

ghostscript
----------------

Fix a few CVE
Fix CVE-2025-27830:
    A buffer overflow occurs during serialization of
    DollarBlend in a font, for base/write_t1.c and psi/zfapi.c.
 Fix CVE-2025-27831: The DOCXWRITE and TXTWRITE devices have a text
    buffer overflow via long characters.
 Fix CVE-2025-27832: The NPDL device was vulnerable to integer
    overflow leading to a buffer overflow.
 Fix CVE-2025-27835: A buffer overflow occurs when converting
    glyphs to Unicode
  Fix CVE-2025-27836: The BJ10V device has a Print buffer overflow

tcpdf
--------
Help santiago with reDoS issue

mariadb
------------
Triage CVES. Contact upstream for commit
Backport CVE-2023-52970
Investigate consequence of CVE-2025-30693

twitter-bootstrap3
---------------------------

Investigate CVE-2025-1647
Propose to drop IE8
Backport fixes to all distribution by creating a patch (EOL upstream)

Other
=====

I attend montly meeting.

Cheers

rouca

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Prev by Date: Re: tcpdf {old,}stable security update
Next by Date: Debian (E)LTS report for May 2025
Previous by thread: Re: tcpdf {old,}stable security update
Next by thread: Debian LTS and ELTS -- May 2025
Index(es):
- Date
- Thread