Hi, here are some remarks about my work on LTS and ELTS in May 2025.

- python-tornado (LTS/ELTS)

  DLA-4188-1 has been released to fix CVE-2025-47287. A PU for bookworm has been prepared as well (#1106819). I also backported the fix to Buster. However, I have not yet released it, because backporting the fix requires adding a new dependency to the package. I would like to discuss this first before going forward with the upload.

- python-flask-cors (LTS)

  DLA-4197-1 has been released fixing CVE-2024-1681, CVE-2024-6839, CVE-2024-6844, and CVE-2024-6866. I also examined CVE-2024-6221, but found that the vulnerable code had been introduced later. Thus, I marked the issue accordingly in the tracker. I also found that the fix for CVE-2024-6839 was not complete and had not been tested by upstream, actually. Thus, I added my findings to the tracker, reopened #1100988, and sent a message to the maintainer. I also prepared a PU for Bookworm. But due to CVE-2024-6839 not being fully fixed in Sid, I have not yet opened the PU request.

- u-boot (LTS)

  I've prepared an update to fix CVE-2021-27138 and CVE-2021-27097. The patchset is actually larger than expected, and a test is failing after applying all patches. No DLA has been released yet. I'm currently looking into the error shown.

- libreoffice (LTS)

  After testing the prepared upload, DLA-4205-1 has been released that fixes CVE-2025-1080 and CVE-2025-2866.

- mysql-connector-python (ELTS)

  I continued working on the remaining CVEs. But progress was very slow.

- misc

  I looked into multiple issues and added my findings to the security tracker accordingly.

Thanks to Freexian and Freexian's sponsors for making these projects possible: https://www.freexian.com/lts/debian/#sponsors

Regards,
Daniel