
Debian LTS and ELTS - May 2025



Here is my public monthly report.

Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/lts/debian/#sponsors


LTS

- fossil
  - Fix client to support remote apache2 patched with CVE-2024-24795.
    Last year's fixes didn't make it to either bookworm or bullseye:
    https://bugs.debian.org/1070069
    https://bugs.debian.org/1070998
    https://bugs.debian.org/1071417
  - Tidy Git branches
    https://salsa.debian.org/lts-team/packages/fossil
  - DLA-4158-1: improved bullseye fix
    https://lists.debian.org/debian-lts-announce/2025/05/msg00010.html
  - Prepare bookworm update, accepted and published in 12.11
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104760
    https://www.debian.org/News/2025/20250517

- Front-Desk (weeks 19 and 21)
  - Replaced Santiago week 21, so exceptionally 2 FD weeks
  - Send notes to previous and next Front-Desk shifts contributors to
    help harmonize triage and ease follow-ups
  - Mark 21 packages for update, postpone 1 package
  - Triage or refine bullseye triage for 40 CVEs;
    help Security Team analyze some untriaged CVEs
  - Tidy work queue and update status for 6 packages
  - debian-security-support: add musescore to limited security support
    https://salsa.debian.org/debian/debian-security-support/-/merge_requests/42
  - angular.js: consider EOL
    https://lists.debian.org/debian-lts/2025/05/msg00013.html
  - Help Bastien with related JavaScript embedded libraries issues,
    and how to articulate this effort with the security tracker
  - lts-do-call-me: reference Debian maintainers active in LTS
  - Reference call for help with old/dead GNOME libraries
    https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/212


ELTS

- Front-Desk (weeks 19 and 21)
  - Replaced Santiago week 21, so exceptionally 2 FD weeks
  - Send notes to previous and next Front-Desk shifts contributors to
    help harmonize triage and ease follow-ups
  - Associate CVEs from newer, branched Debian packages with different
    names to older ELTS packages (golang*, jetty*, mysql*,
    postgresql*, python*, *setuptools, sqlite*, tomcat*, transfig*,
    twitter-bootstrap*); track more renamed packages (libav,
    shorewall6, python-setuptools)
  - Mark 16 supported packages for update, drop 2 with no actionable
    work, restore 2 packages with postponed work
  - Triage or refine bullseye triage for >25 CVEs
  - Tidy work queue and update status for 12 packages
  - Drop some obsolete (temporary, rejected) CVEs from ELTS
  - Review history of newly supported packages, in stretch
    https://gitlab.com/freexian/services/deblts-team/extended-lts/-/issues/251
  - Coordinate modsecurity-apache contribution
    https://salsa.debian.org/lts-team/packages/modsecurity-apache/-/merge_requests/1
  - Fix ELA-1409-1/zabbix CVE references for jessie
  - Revisit triage of libmojolicious-perl with security team and
    contributor, as well as follow-up internally
    https://lists.debian.org/debian-lts/2025/05/msg00052.html

- subversion
  - Start working on update but conflict with another contributor who
    failed to provide status update, fortunately soon enough

- poppler
  - Start fixing pending and new vulnerabilities
  - Study/test potential API/ABI breakage, as some reverse
    dependencies target internal API that needs fixing
  - To be continued next month


Common documentation and tooling

- LTS Documentation docs

  - TestSuites
    - mailman: new page
      https://lts-team.pages.debian.net/wiki/TestSuites/mailman.html
    - zabbix: add note from Tobias on locating patches
      https://lts-team.pages.debian.net/wiki/TestSuites/zabbix.html
    - packages.yml internal database: reference new testsuites

  - Development Asan: review update
    (more UBSAN info and global clean-up)
    https://salsa.debian.org/lts-team/lts-team.pages.debian.net/-/merge_requests/19

- Debian Wiki

  - Static Linking: More on C static linking, including glibc-related
    rebuilds in bookworm 12.11
    https://wiki.debian.org/StaticLinking

- Tooling

  - cvehist: fast CVE triage history
    (follow-up of last month)
    Clean-up, document & publish code
    https://salsa.debian.org/beuc/cvehist/-/tree/cvesplit-code
    Clarify tool constraints
    https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/86#note_616500

  - package-operations: parse configuration without pyxian
    This would help make this script public -- now merged!
    https://gitlab.com/freexian/services/deblts-team/debian-lts/-/merge_requests/62
    + 2 follow-up fixes
  - package-operations: fix removal of vcs_elts field when marking a
    package for update, allow editing it, and misc. fixes

  - Salsa CI pipeline semi-fork for lts/elts
    - Merge standard Salsa pipeline and adapt to recent changes
      This pulls last month's work on piuparts
      https://salsa.debian.org/lts-team/pipeline/-/merge_requests/27
    - Also help fix piuparts issue in mariadb
      (actually not related to my recent patch)
      https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/443
      and add feedback on related issue
      https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/370
    - pipeline-lts: close obsolete MR
      https://salsa.debian.org/lts-team/pipeline/-/merge_requests/18

- Internal documentation

  - Discussion and internal documentation review on handling and
    tracking updates to stable
  - Discussion/clarification on using extra available hours within the
    team

- Discussion on handling low/medium-severity CVEs
  https://lists.debian.org/debian-lts/2025/05/msg00073.html

- Team Meeting (via IRC)
  https://meetbot.debian.net/debian-lts/2025/debian-lts.2025-05-22-14.00.html

-- 
Sylvain Beucler
Debian LTS Team

