Debian LTS and ELTS report - June 2025

To: debian-lts@lists.debian.org
Subject: Debian LTS and ELTS report - June 2025
From: Carlos Henrique Lima Melara <charles@debian.org>
Date: Mon, 30 Jun 2025 22:10:36 -0300
Message-id: <[🔎] z67xg6gi7fw7f6x4cwsj6qs77yt5p7x77mf77bx2oa7nm5vdf6@ytvnohsme4r6>

I've worked during June 2025 on the below listed packages, for
Freexian LTS/ELTS [1].

Many thanks to Freexian and sponsors [2] for providing this opportunity!

LTS
===

- Published DLA-4213-1 for curl/bullseye to fix CVE-2023-27534
  regression.
  (https://lists.debian.org/debian-lts-announce/2025/06/msg00011.html)

- Triaged CVE-2025-4598/systemd
    - Backported and tested the fix for bullseye.
    - Fix is ready, but mailed debian-lts@l.d.o to get feedback about
      fixing a stack overflow bug when using CoredumpFilter such as
      systemd-run -t --property CoredumpFilter=all ls /tmp.
      (https://lists.debian.org/debian-lts/2025/06/msg00035.html)

ELTS
====

- Published ELA-1455-1 for curl/jessie to fix CVE-2023-27534,
  CVE-2023-28321 and CVE-2023-28322.
  (https://www.freexian.com/lts/extended/updates/ela-1455-1-curl/)

- Published ELA-1068-2 for curl/stretch,buster to fix CVE-2023-27534
  regression.
  (https://www.freexian.com/lts/extended/updates/ela-1068-2-curl/)

- Started to work on openvpn to fix CVE-2022-0547 and CVE-2024-5594.

Both
====

- Chased down a regression in the upstream fix for CVE-2023-27534
  affecting all suites (ELTS, LTS, stable, testing and sid).
  (https://github.com/curl/curl/issues/17534)
    - Submited a patch upstream to fix the bug
      (https://github.com/curl/curl/commit/0ede81dcc61844cecce8904fb4de24319afeb024)
    - Applied the fix to all suites but sid/testing.
        - samueloph did it for sid/testing (thanks!).
        - Submitted bookworm-pu (#1107902).
          (https://bugs.debian.org/1107902)

Tooling, Documentation and Misc.
================================

- Improvements to LTS website:
    - Fixed LTS website "Installing" page changing a reference from
      Buster to Bullseye.
      (https://salsa.debian.org/lts-team/lts-team.pages.debian.net/-/commit/e4d5381973002d49e935573891d352fbbc942054)
    - Add info about current LTS (bullseye) architecture support in FAQ.
      (https://salsa.debian.org/lts-team/lts-team.pages.debian.net/-/merge_requests/20)

- Attended (E)LTS meeting


Best regards,
Charles

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors

Reply to:

Next by Date: E?LTS report
Next by thread: E?LTS report
Index(es):
- Date
- Thread