Hello,

June was my twenty-fourth month working on LTS and ELTS. Thank you to Freexian and Freexian's sponsors for making these projects possible: <https://www.freexian.com/lts/debian/#sponsors>

LTS

- libmojolicious-perl
  - After concluding the e-mail discussion mentioned in my last report, marked CVE-2024-58134 as ignored. It might still be possible to fix CVE-2024-58135.
  - Marked CVE-2021-47208 as ignored. The fix requires a significant change to Mojolicious's API and it would be likely to break applications. As the CVE involves only a risk of DoS, I think we should leave it unfixed rather than risk the regressions.
- busybox
  - Pinged the maintainers about co-ordinating for various CVEs.
- Correspondence.

ELTS

- glibc
  - Released ELA-1451-1 addressing CVE-2025-0395 in jessie and stretch.
  - Released ELA-1452-1 addressing CVE-2025-0395 and CVE-2025-4802 in buster.
- libmojolicious-perl
  - Marked CVE-2024-58134 and CVE-2021-47208 as ignored for buster, per the above.
- openssl
  - Marked CVE-2025-4575 as not affecting the ELTS dists: the vulnerable code was introduced (much) later.
  - Fixed CVE-2024-13176 for buster in git.
- Briefly reviewed changes in response to my feedback last month on one aspect of the upcoming transition to use debusine to run ELTS builds.

--
Sean Whitton