Debian (E)LTS report for May 2025

To: debian-lts@lists.debian.org
Subject: Debian (E)LTS report for May 2025
From: Lee Garrett <debian@rocketjump.eu>
Date: Sun, 1 Jun 2025 22:20:45 +0200
Message-id: <[🔎] c06d542a-dfb4-4211-b12e-57b83d42c1d7@rocketjump.eu>

Hi everyone,

In May I did following LTS work:

Due to a misunderstanding I issued DLA 4167-1 (thunderbird) with quite somedelay, and had some follow-up discussion.

I issued DLA 4183-1 for setuptools, fixing CVE-2025-47273. I also fixed it inbookworm, and applied for a bookworm-pu. I fixed it in sid with permission ofthe maintainer, and applied for a trixie freeze exception. I tried verifying thefix via the published PoC, however that required some work setting up arepository to pull from, and since the fix was trivial I did not further pursuethat avenue.

I issued DLA 4190-1 for mydumper, fixing CVE-2025-30224. I also fixed it inbookworm and applied for a bookworm-pu. Since it FTBFS in sid, I only pushed thefix to the git packaging repo and left it unreleased, notifying the stablerelease managers about it. Since the package was severely out of date, and themaintainer inactive, I notified the MIA team about the inactive DD. I attemptedto reproduce the security issue by running the vulnerable version against mysqlwith the rewriter plugin (only available in sid), and followed the instructionsfrom the published PoC. I could however not reproduce the issue (it did nottrigger the local file read). Since the issue was present in the unfixed versionfrom reading the source, I applied the patch anyway. I also added autopkgteststo verify that no regressions occur.


For ELTS I did the following work:

I fixed CVE-2022-40897, CVE-2024-6345, CVE-2025-47273 in python-setuptools.Since the patches are only available for python 3, but the package itself ispython 2, backporting the CVE-2024-6345 patch took a bit more time than usual.As this patch touched many lines of code and the package is a build-dependencyfor many other packages, I decided to fix the unit tests (which also test someof the CVEs) and add them as autopkgtests. I spent some time checking two testfailures that turned out to be broken by previous Debian patches. The packagefor buster is complete, I expect backporting the patches and autopkgtests tojessie and stretch to be less work. I plan on releasing the packages once theCVEs are fixed in all ELTS releases.


Thanks to our sponsors for financing this work, and to Freexian for coordinating!

Regards,
Lee Garrett,
Debian LTS Team

Reply to:

Prev by Date: E?LTS report
Next by Date: Debian LTS and ELTS -- May 2025
Previous by thread: Debian (E)LTS report for May 2025
Next by thread: (E)LTS report for May 2025
Index(es):
- Date
- Thread