Debian LTS and ELTS - May 2025
Here is my public monthly report.
Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/lts/debian/#sponsors
LTS
- fossil
- Fix client to support remote apache2 patched with CVE-2024-24795.
Last year's fixes made it to neither bookworm nor bullseye:
https://bugs.debian.org/1070069
https://bugs.debian.org/1070998
https://bugs.debian.org/1071417
- Tidy Git branches
https://salsa.debian.org/lts-team/packages/fossil
- DLA-4158-1: improved bullseye fix
https://lists.debian.org/debian-lts-announce/2025/05/msg00010.html
- Prepare bookworm update, accepted and published in 12.11
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104760
https://www.debian.org/News/2025/20250517
- Front-Desk (weeks 19 and 21)
- Replaced Santiago week 21, so exceptionally 2 FD weeks
- Send notes to previous and next Front-Desk shifts contributors to
help harmonize triage and ease follow-ups
- Mark 21 packages for update, postpone 1 package
- Triage or refine bullseye triage for 40 CVEs;
help Security Team analyze some untriaged CVEs
- Tidy work queue and update status for 6 packages
- debian-security-support: add musescore to limited security support
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/42
- angular.js: consider EOL
https://lists.debian.org/debian-lts/2025/05/msg00013.html
- Help Bastien with related JavaScript embedded libraries issues,
and how to articulate this effort with the security tracker
- lts-do-call-me: reference Debian maintainers active in LTS
- Reference call for help with old/dead Gnome libraries
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/212
ELTS
- Front-Desk (weeks 19 and 21)
- Replaced Santiago week 21, so exceptionally 2 FD weeks
- Send notes to previous and next Front-Desk shifts contributors to
help harmonize triage and ease follow-ups
- Associate CVEs from newer, branched Debian packages with different
names to older ELTS packages (golang*, jetty*, mysql*,
postgresql*, python*, *setuptools, sqlite*, tomcat*, transfig*,
twitter-bootstrap*); track more renamed packages (libav,
shorewall6, python-setuptools)
- Mark 16 supported packages for update, drop 2 with no actionable
work, restore 2 packages with postponed work
- Triage or refine bullseye triage for >25 CVEs
- Tidy work queue and update status for 12 packages
- Drop some obsolete (temporary, rejected) CVEs from ELTS
- Review history of newly supported packages, in stretch
https://gitlab.com/freexian/services/deblts-team/extended-lts/-/issues/251
- Coordinate modsecurity-apache contribution
https://salsa.debian.org/lts-team/packages/modsecurity-apache/-/merge_requests/1
- Fix ELA-1409-1/zabbix CVE references for jessie
- Revisit triage of libmojolicious-perl with security team and
contributor, as well as follow-up internally
https://lists.debian.org/debian-lts/2025/05/msg00052.html
- subversion
- Start working on update but conflict with another contributor who
failed to provide status update, fortunately soon enough
- poppler
- Start fixing pending and new vulnerabilities
- Study/test potential API/ABI breakage, as some reverse
dependencies target internal API that needs fixing
- To be continued next month
Common documentation and tooling
- LTS Documentation docs
- TestSuites
- mailman: new page
https://lts-team.pages.debian.net/wiki/TestSuites/mailman.html
- zabbix: add note from Tobias on locating patches
https://lts-team.pages.debian.net/wiki/TestSuites/zabbix.html
- packages.yml internal database: reference new testsuites
- Development Asan: review update
(more UBSAN info and global clean-up)
https://salsa.debian.org/lts-team/lts-team.pages.debian.net/-/merge_requests/19
- Debian Wiki
- Static Linking: More on C static linking, including glibc-related
rebuilds in bookworm 12.11
https://wiki.debian.org/StaticLinking
- Tooling
- cvehist: fast CVE triage history
(follow-up of last month)
Clean-up, document & publish code
https://salsa.debian.org/beuc/cvehist/-/tree/cvesplit-code
Clarify tool constraints
https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/86#note_616500
- package-operations: parse configuration without pyxian
This would help make this script public -- now merged!
https://gitlab.com/freexian/services/deblts-team/debian-lts/-/merge_requests/62
+ 2 follow-up fixes
- package-operations: fix removal of vcs_elts field when marking a
package for update, allow editing it, and misc. fixes
- Salsa CI pipeline semi-fork for lts/elts
- Merge standard Salsa pipeline and adapt to recent changes
This pulls last month's work on piuparts
https://salsa.debian.org/lts-team/pipeline/-/merge_requests/27
- Also help fix piuparts issue in mariadb
(actually not related to my recent patch)
https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/443
and add feedback on related issue
https://salsa.debian.org/salsa-ci-team/pipeline/-/issues/370
- pipeline-lts: close obsolete MR
https://salsa.debian.org/lts-team/pipeline/-/merge_requests/18
- Internal documentation
- Discussion and internal documentation review on handling and
tracking updates to stable
- Discussion/clarification on using extra available hours within the
team
- Discussion on handling low/medium-severity CVEs
https://lists.debian.org/debian-lts/2025/05/msg00073.html
- Team Meeting (via IRC)
https://meetbot.debian.net/debian-lts/2025/debian-lts.2025-05-22-14.00.html
--
Sylvain Beucler
Debian LTS Team