
Debian LTS & ELTS -- June 2025



Hello,

June was my twenty-fourth month working on LTS and ELTS.  Thank you to
Freexian and Freexian's sponsors for making these projects possible:
    <https://www.freexian.com/lts/debian/#sponsors>

LTS

- libmojolicious-perl

  - After concluding the e-mail discussion mentioned in my last report,
    marked CVE-2024-58134 as ignored.
    It might still be possible to fix CVE-2024-58135.

  - Marked CVE-2021-47208 as ignored.  The fix requires a significant
    change to Mojolicious's API and it would be likely to break
    applications.  As the CVE involves only a risk of DoS, I think we
    should leave it unfixed rather than risk the regressions.

- busybox

  - Pinged the maintainers about co-ordinating for various CVEs.

- Correspondence.

ELTS

- glibc

  - Released ELA-1451-1 addressing CVE-2025-0395 in jessie and stretch.

  - Released ELA-1452-1 addressing CVE-2025-0395 and CVE-2025-4802 in
    buster.

- libmojolicious-perl

  - Marked CVE-2024-58134 and CVE-2021-47208 as ignored for buster, per
    the above.

- openssl

  - Marked CVE-2025-4575 as not affecting the ELTS dists: the vulnerable
    code was introduced (much) later.

  - Fixed CVE-2024-13176 for buster in git.

- Briefly reviewed changes in response to my feedback last month on one
  aspect of the upcoming transition to use debusine to run ELTS builds.

-- 
Sean Whitton
