
Debian LTS and ELTS - July 2025



Here is my public monthly report.

Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/lts/debian/#sponsors


LTS

- xmlrpc-c and libxmltok (both embed old expat copy, with open vulnerabilities)
  - Status update (request by LTS coordinator)
    https://lists.debian.org/debian-lts/2025/07/msg00006.html
  - Update internal packages database and work queues

- nginx (follow-up from last month)
  - Answer FTBFS (package build breakage) claim: false positive
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108837

- Front-Desk (week 29)
  - Mark 8 packages for update, drop 1 package
  - Triage or precise bullseye triage for >20 CVEs
  - Tidy work queue and update status for 2 packages
  - Associate Python 3 Standard Library (stdlib) CVEs to pypy3

  - Test front-desk tooling updates, following the
    LTS Security Tracker Sprint (cf. below)
    - New reports: missing bullseye fixes, missing bookworm follow-up
      Help final merge; first feedback; identify as new/beta reports;
      filter out packages already in dla-needed.txt
      https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/11#note_629554
      https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/220#note_629096
      Answer question from later front-desk person
      https://lists.debian.org/debian-lts/2025/07/msg00020.html
    - Tool to check CVE database for triage re-considerations: performance considerations
      https://salsa.debian.org/security-tracker-team/security-tracker/-/issues/31
    - Better identify LTS-specific scripts; add description; update copyright information
    - Feature request: display the Git revision for the current online data
      https://salsa.debian.org/security-tracker-team/security-tracker/-/issues/45
    - Clarify usage of the ELTS web tracker
      https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/222#note_628613
    - ELTS web tracker: report issue with missing compression support
      https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/94


ELTS

- ELTS CI
  - Investigate different package priority between build and test
    phases, for the staging repository (follow-up from last month)
    - Reproduce issue with fake application and dependency:
      https://debusine.freexian.com/freexian/elts/work-request/13818/
      https://debusine.freexian.com/freexian/elts/work-request/13841/
      https://debusine.freexian.com/freexian/elts/work-request/13934/
      https://debusine.freexian.com/freexian/elts/work-request/13987/
    - Discuss issue with helmut at DebCamp25: issue confirmed
      - Won't fix due to focus on debusine, and complexity to fix britney2
    - Documentation updated accordingly (cf. below)
  - Clean-up stale packages in ELTS staging repository
  - Report buildd error in stretch/britney2 (setup error)
  - Report redirection issue under deb.freexian.com/extended-lts/

- Front-Desk (week 29)
  - Mark 7 supported packages for update
  - Triage or precise bullseye triage for 15 CVEs
  - Tidy work queue and update status for 3 packages
  - Associate CVEs from newer, branched Debian packages with different
    names to older ELTS packages (freerdp*, golang*, openssl*, php*,
    py*, ruby2.*, sqlite*, squid*, tomcat*, unbound*)

- Salsa CI
  - Investigate buster autopkgtest breakage (since archived at Debian)
  - Propose fix in both autopkgtest-lxc (accepted) and debci (under review)
    https://salsa.debian.org/salsa-ci-team/autopkgtest-lxc/-/merge_requests/34
    https://salsa.debian.org/ci-team/debci/-/issues/227
    https://salsa.debian.org/ci-team/debci/-/merge_requests/298
  - Follow-up work: adding security or elts updates
    https://lists.debian.org/debian-lts/2025/07/msg00027.html



Common documentation and tooling

- LTS Documentation

  - Git workflow: revamp to reflect current practices
    https://lts-team.pages.debian.net/git-workflow-lts.html
    https://salsa.debian.org/lts-team/lts-team.pages.debian.net/-/merge_requests/22
    Review & merge: reference 'gbp import-dscs --debsnap'
    https://salsa.debian.org/lts-team/lts-team.pages.debian.net/-/merge_requests/21
  - golang: limitation with foreign architectures when identifying reverse dependencies
    https://lts-team.pages.debian.net/wiki/TestSuites/golang.html#identify-reverse-build-dependencies
  - pypy3: table to recap imported Python 3 Standard Library versions
    https://lts-team.pages.debian.net/wiki/TestSuites/pypy3.html
  - FAQ: update with current links and LTS info
    https://lts-team.pages.debian.net/wiki/FAQ.html
  - jessie EOL: drop some jessie-specific documentation
    wiki/Installing, wiki/TestSuites/*
  - Development: reference upstream-trixie tag
    https://lts-team.pages.debian.net/wiki/Development.html#keeping-track-of-lts-related-bugs
  - LTS/Extended: restore wheezy information for history; improve presentation
    https://wiki.debian.org/LTS/Extended
  - ARM Virtual Machine: notes for testing with Raspberry PI as an alternative
    https://lts-team.pages.debian.net/howtos/arm-vm.html

- Internal documentation
  - ELTS upload procedure
    Separate procedure overview and technical in-depth explanations
    Revise most of the document, consolidate bits from past discussions
    Update for latest debusine-related changes
  - Information for contributors
    Harmonize LTS and ELTS information
    Document commit notifications list
    Review and merge: Remove duplicate information [git-import-dsc]
    https://gitlab.com/freexian/services/deblts-team/documentation/-/merge_requests/28
  - Updates for jessie EOL
  - Clean-up old Git branches

- debusine
  - Feature request: SSH access to investigate build or test failures
    https://salsa.debian.org/freexian-team/debusine/-/issues/958
  - Bug reports
    Don't leak hostname through debusine-setup
    https://salsa.debian.org/freexian-team/debusine/-/issues/959
    Token page shows confusing scope
    https://salsa.debian.org/freexian-team/debusine/-/issues/961
    debusine provide-signature --help mismatch
    https://salsa.debian.org/freexian-team/debusine/-/issues/962
  - Beta-test new LTS/ELTS setup, which is soon becoming mandatory
    Discuss with santiago and helmut on split vs. combined builds for ELTS
  - Test new provide-signature --local-file, required for a secure upload
    Report non-blocking bug with filename mismatch
    https://salsa.debian.org/freexian-team/debusine/-/issues/986

- debian-security-support: python-setuptools: clarify end-of-life status (python2)
  https://salsa.debian.org/debian/debian-security-support/-/merge_requests/47

- IRC Meeting
  https://meetbot.debian.net/debian-lts/2025/debian-lts.2025-07-24-14.00.html



DebCamp 25 Security Tracker sprint

https://lists.debian.org/debian-lts/2025/05/msg00055.html
https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/87
https://mensuel.framapad.org/p/N81nLqSrCV37T5JZdX1Y

During the DebCamp25 LTS Team security tracker sprint I spent 40 hours
working on the following tasks:

- Mentor external contributors on-site and off-site, review merge requests

  - lts-cve-triage.py: check: DLA -> missing corresponding DSA
    https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/69
    https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/220
    Guide and review @flesueur's work
    https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/231
    (Separate tests) Clean-up Git branch, preparing for security team review

  - lts-cve-triage.py: ELA & DSA -> missing corresponding DLA
    https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/11
    https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/222
    Guide and review @flesueur's work

  - JSON export: fix BTS references for multi-packages CVEs
    https://salsa.debian.org/security-tracker-team/security-tracker/-/issues/6
    https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/227
    Investigate root cause
    Review @eamanu proposal and implement a simpler fix
    Rework the MR description and title, preparing for security team review

  - Track uploads to proposed-updates (SPU) in the web security tracker
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=645201
    https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/230
    Review @rouca's work on his request


- lts-cve-triage.py (LTS CVE triage tool for front-desk shift)

  - lts-cve-triage: fix cache freshness detection
    https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/140585aedf1e89c0c9ba6ce652202333131357b2

  - bin/lts-needs-forward-port.py: drop
    https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/236
    See #69, now integrated in lts-needs-forward-port.py

  - lts-cve-triage.py: RFC: fix data structure (long term)
    https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/92
    While working on lts-cve-triage.py, much time was wasted due to
    impractical data structure, suggest alternatives and look for feedback


- cvehist (fast, per-CVE Git history): automate updates
  https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/86
  Coordinate with @helmutg (Freexian sysadmin) to deploy new infrastructure
  Move repository to:
  https://salsa.debian.org/lts-team/cvehist
  Fixes for production setup (TMPDIR support, potential buffer underflow)
  https://salsa.debian.org/lts-team/cvehist/-/commit/9d11d65ad8c16a5894016c948d5b637a3b639dc9
  https://salsa.debian.org/lts-team/cvehist/-/commit/76750adaa0cb385976729b12f9a28704e1b4d06c
  https://salsa.debian.org/lts-team/cvehist/-/commit/2a8c4900a5895eda1a7bbce9ac8d276f680ccfb1
  Update documentation
  https://lts-team.pages.debian.net/wiki/Development.html#debian-security-tracker


- Tracking vulnerabilities that don't affect the binaries (only in the sources)
  https://salsa.debian.org/security-tracker-team/security-tracker/-/issues/32
  https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/221
  Follow-up on @samueloph's proposal and @carnil examples, request clarification
  Propose initial implementation with tentative <not-exploitable> tag
  Add documentation


- CVE consistency checks before security uploads
  (checks: fixed CVEs match fixed package, warn when <not-affected>)
  https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/61
  https://salsa.debian.org/security-tracker-team/security-tracker/-/issues/43
  https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/226
  Clean-up past/stale attempts (close issues and MRs)
  Propose new implementation, with minimal intrusiveness for bin/gen-DSA


- Security Tracker Web fixes

  - Display unimportant CVEs in grey (package and CVE views),
    display ignored CVEs in orange (CVE view)
    https://salsa.debian.org/security-tracker-team/security-tracker/-/issues/25
    https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/223
    Propose initial implementation, document corner cases for testing/reviewing
    Current database schema is different from data/CVE/list, hence non-trivial

  - Display "not-affected" rather than the generic "fixed"
    https://salsa.debian.org/security-tracker-team/security-tracker/-/issues/38
    https://salsa.debian.org/security-tracker-team/security-tracker/-/issues/41
    (double request from Roberto and Henrique)
    https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/233
    Initial experiment, warn against conflict with other MRs,
      may need an update in the database schema or the JSON output

  - Turning text URL to link includes extraneous character
    https://bugs.debian.org/994897
    https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/234
    Propose fix, test against many corner-cases in the full data/CVE/list

  - 404 status for non-existent source package
    https://salsa.debian.org/security-tracker-team/security-tracker/-/issues/39
    https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/225
    Describe impact with browser autocompletion
    Propose patch

  - Update Ubuntu Security URL
    https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/235
    Quick fix


- Bug triage

  - htmlspecialchars in the description column of CVEs
    https://salsa.debian.org/security-tracker-team/security-tracker/-/issues/14
    Close (already fixed)

  - Implement downstream data/embedded-code-copies
    https://salsa.debian.org/security-tracker-team/security-tracker/-/issues/27
    Request for rationale
    Recommend existing tool (elts:bin/related-cves.py)

  - Update sprint status
    https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/87


--
Sylvain Beucler
Debian LTS Team
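
[Editor's note: the "CVE consistency checks before security uploads" item
above (fixed CVEs must match the fixed package, warn when a suite is marked
<not-affected>) is the kind of check a front-desk person can script. What
follows is an added illustration, not code from this report, from the
security tracker's bin/gen-DSA, or from the referenced merge request. It
assumes a simplified data/CVE/list layout (one "CVE-..." header line,
tab-indented "[suite] - package version-or-tag" lines below it), the
CVE ids and package names in the excerpt are constructed placeholders, and
the decision rules (error vs. warning, the "forgotten CVE" warning for
entries already marked fixed in the uploaded version) are the editor's own.]

```python
"""Consistency check of a planned security upload against a data/CVE/list-style
excerpt. Added example; assumes a simplified list format (see comments)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the style of the security tracker's data/CVE/list.
# CVE ids and package names are placeholders; real entries carry more annotations.
CVE_LIST = """\
CVE-2025-0001 (Example: heap overflow in parser)
\t- examplepkg 2.0-1 (bug #900001)
\t[bullseye] - examplepkg 1.4-2+deb11u2
CVE-2025-0002 (Example: denial of service)
\t- examplepkg 2.0-1
\t[bullseye] - examplepkg <not-affected> (Vulnerable code not present)
CVE-2025-0003 (Example: crash on malformed input)
\t- otherpkg 3.1-1
\t[bullseye] - otherpkg 3.0-1+deb11u1
CVE-2025-0004 (Example: information leak)
\t- examplepkg 2.0-1
\t[bullseye] - examplepkg 1.4-2+deb11u1
CVE-2025-0005 (Example: out-of-bounds read)
\t- examplepkg 2.0-1
\t[bullseye] - examplepkg 1.4-2+deb11u2
"""

# "\t[suite] - pkg state" or "\t- pkg state" (no suite = unstable entry).
# state is either a version or a tag such as <not-affected> / <unfixed>.
ENTRY_RE = re.compile(r"^\t(?:\[(?P<suite>[a-z]+)\] )?- (?P<pkg>\S+) (?P<state>\S+)")


def parse_cve_list(text):
    """Return {cve: {(suite_or_None, package): state}}; NOTE lines are skipped."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("CVE-"):
            current = line.split()[0]
            entries[current] = {}
        elif current and (m := ENTRY_RE.match(line)):
            entries[current][(m.group("suite"), m.group("pkg"))] = m.group("state")
    return entries


@dataclass
class Report:
    errors: list = field(default_factory=list)    # should block the upload
    warnings: list = field(default_factory=list)  # needs a human look


def check_upload(entries, package, suite, version, cves):
    """Cross-check a planned upload (package, suite, version, claimed CVEs)
    against the parsed list, mirroring the two checks named in the report:
    the fixed CVEs must reference the uploaded package/version, and a CVE
    marked <not-affected> for the suite must not be claimed as fixed."""
    report = Report()
    for cve in cves:
        states = entries.get(cve)
        if states is None:
            report.errors.append(f"{cve}: not in CVE list")
            continue
        state = states.get((suite, package))
        if state is None:
            if (None, package) in states:
                report.errors.append(f"{cve}: no {suite} entry for {package}")
            else:
                report.errors.append(f"{cve}: does not reference {package}")
        elif state == "<not-affected>":
            report.warnings.append(
                f"{cve}: {suite} marked <not-affected>, should not be listed as fixed")
        elif state.startswith("<"):
            report.warnings.append(f"{cve}: {suite} state is {state}, not a fixed version")
        elif state != version:
            report.errors.append(
                f"{cve}: {suite} fixed version {state} != upload version {version}")
    # Extra check (editor's assumption): CVEs the list already marks as fixed
    # in exactly this version, but which the upload's CVE list omits.
    for cve, states in entries.items():
        if cve not in cves and states.get((suite, package)) == version:
            report.warnings.append(f"{cve}: fixed in {version} per list but missing from upload")
    return report


if __name__ == "__main__":
    entries = parse_cve_list(CVE_LIST)
    result = check_upload(entries, "examplepkg", "bullseye", "1.4-2+deb11u2",
                          ["CVE-2025-0001", "CVE-2025-0002", "CVE-2025-0003", "CVE-2025-0004"])
    for line in result.errors:
        print("ERROR:", line)
    for line in result.warnings:
        print("WARNING:", line)
```

With the constructed excerpt, the sample upload produces two errors
(CVE-2025-0003 never references examplepkg; CVE-2025-0004's bullseye fix
version differs from the uploaded one) and two warnings (CVE-2025-0002 is
<not-affected> in bullseye; CVE-2025-0005 is recorded as fixed in the uploaded
version but not claimed). A real implementation would read the tracker's
actual data/CVE/list, whose entry grammar is richer than the regex here.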
