Hi,

On 30/07/2025 02:17, Daniel Leidert wrote:
> On Wed, 2025-07-30 at 05:21 +0530, Utkarsh Gupta wrote:
>> Whilst on front desk this week, I am noticing 23 packages that are of the
>> status: "Issues fixed in buster and bookworm but not in bullseye". In my
>> opinion, this is problematic as those who will be upgrading from
>> buster -> bullseye will see it as a regression, as they'll now be
>> vulnerable once again.
>
> That basically is the same reason why we fix issues fixed in Bullseye in
> Bookworm. So, to me it makes absolute sense. Do you have a list of these
> packages?
TL;DR: there are many more urgent CVEs to fix.

This is from bin/lts-cve-triage.py, with the new report called:
"Issues fixed in buster and bookworm but not in bullseye [caution: new report]".

(Note the "[caution: new report]": this is from this month's Sprint.)

Here's what I wrote in
https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/11#note_629554:
-----
Testing !222 as FD, I added 3 packages to dla-needed.txt today:

  dla: add exempi
  dla: add modsecurity-crs
  dla: add batik

These had 24/7/6 CVEs to sync respectively, from a past buster-lts DLA.

However all the other (numerous) results are mostly us being a bit zealous
in ELTS, and bookworm getting an upstream fix through unstable before its
release. We might want to restrict to specific bookworm updates. I have a
heuristic for this in another lts-cve-triage report that looks for
+debXXuXX in the version number. I also expect this kind of situation to
be less frequent as we're now more active and thorough in SPUs.
-----

So, most of the remaining 23 packages, especially as it's only 1-2 CVEs for
each package, and especially when they are not sponsored, are very
low-priority.
Cheers! Sylvain
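The "+debXXuXX" heuristic mentioned above, written out as an added example (this is not code from bin/lts-cve-triage.py or from the LTS team; the function names and the sample package/version data are constructed for illustration). A version such as "1.2.3-1+deb12u2" carries a bookworm stable-update suffix, so the fix was a deliberate point-release update rather than a fix that merely reached bookworm via unstable before release:

```python
import re

# Debian stable point-release uploads append "+deb<release>u<update>" to the
# version, e.g. "+deb12u2" for the second bookworm update of a package.
STABLE_UPDATE_RE = re.compile(r"\+deb(\d+)u(\d+)")


def stable_update(version):
    """Return (debian_release, update_number) if `version` carries a
    +debNNuNN suffix, otherwise None."""
    m = STABLE_UPDATE_RE.search(version)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def partition_by_stable_update(fixed_versions):
    """Split {package: fixed_version} into packages fixed via a stable
    point-release update and packages whose fixed version has no such
    suffix (i.e. the fix came through unstable / a plain upstream bump)."""
    via_spu = {}
    via_unstable = {}
    for pkg, ver in fixed_versions.items():
        info = stable_update(ver)
        if info is not None:
            via_spu[pkg] = info
        else:
            via_unstable[pkg] = ver
    return via_spu, via_unstable


# Constructed sample data (hypothetical packages, not real tracker output):
# package -> version that fixed the issue in bookworm.
SAMPLE_FIXED_IN_BOOKWORM = {
    "examplepkg-a": "1.2.3-1+deb12u2",
    "examplepkg-b": "2.0.0-3",
    "examplepkg-c": "0.9.1-1+deb12u1",
    "examplepkg-d": "4.5.6-2",
}

if __name__ == "__main__":
    spu, unstable = partition_by_stable_update(SAMPLE_FIXED_IN_BOOKWORM)
    print("fixed via stable update (candidates worth a closer look):")
    for pkg, (rel, upd) in sorted(spu.items()):
        print(f"  {pkg}: deb{rel}u{upd}")
    print("fixed without a stable-update suffix (likely just an upstream fix):")
    for pkg, ver in sorted(unstable.items()):
        print(f"  {pkg}: {ver}")
```

The filter only looks at the version string, so it says nothing about severity; it is a way to shrink the report to the packages where a bookworm stable update was judged necessary, which is the signal the note above is after.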