Hello,
June was my twenty-fourth month working on LTS and ELTS. Thank you to
Freexian and Freexian's sponsors for making these projects possible:
<https://www.freexian.com/lts/debian/#sponsors>

LTS

- libmojolicious-perl
  - After concluding the e-mail discussion mentioned in my last report,
    marked CVE-2024-58134 as ignored.
    It might still be possible to fix CVE-2024-58135.
  - Marked CVE-2021-47208 as ignored. The fix requires a significant
    change to Mojolicious's API and it would be likely to break
    applications. As the CVE involves only a risk of DoS, I think we
    should leave it unfixed rather than risk the regressions.
- busybox
  - Pinged the maintainers about co-ordinating for various CVEs.
- Correspondence.

ELTS

- glibc
  - Released ELA-1451-1 addressing CVE-2025-0395 in jessie and stretch.
  - Released ELA-1452-1 addressing CVE-2025-0395 and CVE-2025-4802 in
    buster.
- libmojolicious-perl
  - Marked CVE-2024-58134 and CVE-2021-47208 as ignored for buster, per
    the above.
- openssl
  - Marked CVE-2025-4575 as not affecting the ELTS dists: the vulnerable
    code was introduced (much) later.
  - Fixed CVE-2024-13176 for buster in git.
- Briefly reviewed changes in response to my feedback last month on one
  aspect of the upcoming transition to use debusine to run ELTS builds.

--
Sean Whitton