
Re: Issues fixed in buster and bookworm but not in bullseye



On Sun, Aug 10, 2025 at 09:12:24PM -0400, Roberto C. Sánchez wrote:
> On Wed, Jul 30, 2025 at 09:14:22AM +0200, Sylvain Beucler wrote:
> > 
> > So, most of the remaining 23 packages, especially as it's only 1-2 CVEs for
> > each package, and especially when they are not sponsored, are very
> > low-priority.
> > 
> (Apologies for the late reply.)
> 
> I concur. Let's not get carried away adding loads of packages to the
> queue. If there are legitimately high priority CVEs (which for this
> group of packages there aren't), then that's another thing.

A starting point would be to stop regressing on that in bookworm.

There is also a certain gap between Freexian touting its contributions 
to non-LTS stable releases, and frequent failure at the simple task of 
also submitting DLA updates to bookworm.

I went manually through all bullseye DLAs, and these are the ones
I found that currently need work for bookworm:

[DLA 3858-1] ruby2.7 security update
[DLA 3865-1] frr security update
[DLA 3886-1] nodejs security update (in dsa-needed, DSA worked on since February)
[DLA 3893-1] expat security update
[DLA 3909-1] zabbix security update (in dsa-needed)
[DLA 3926-1] perl security update
[DLA 3928-1] ffmpeg security update
[DLA 3952-1] unbound security update
[DLA 3978-1] editorconfig-core security update
[DLA 3984-1] zabbix security update (in dsa-needed)
[DLA 3997-1] php-laravel-framework security update (in dsa-needed)
[DLA 4006-1] python-django security update (in dsa-needed, DSA worked on since December)
[DLA 4018-1] ruby2.7 security update
[DLA 4019-1] busybox security update
[DLA 4027-1] sympa security update (in dsa-needed)
[DLA 4029-1] frr security update
[DLA 4030-1] python-django security update (in dsa-needed, DSA worked on since December)
[DLA 4032-1] iperf3 security update
[DLA 4039-1] ffmpeg security update
[DLA 4041-1] python-aiohttp security update
[DLA 4046-1] ark security update (in dsa-needed)
[DLA 4049-1] rust-openssl security update
[DLA 4053-1] freerdp2 security update
[DLA 4056-1] golang-glog security update
[DLA 4067-1] nodejs security update (in dsa-needed, DSA worked on since February)
[DLA 4073-1] ffmpeg security update
[DLA 4082-1] ruby2.7 security update
[DLA 4083-1] squid security update
[DLA 4084-1] libmodbus security update
[DLA 4086-1] python-django security update (in dsa-needed, DSA worked on since December)
[DLA 4103-1] suricata security update
[DLA 4113-1] php-horde-imp security update
[DLA 4115-1] ruby-saml security update (in dsa-needed, DSA worked on since March)
[DLA 4131-1] zabbix security update (in dsa-needed)
[DLA 4140-1] libsoup2.4 security update
[DLA 4145-1] expat security update
[DLA 4149-1] nagvis security update
[DLA 4150-1] u-boot security update
[DLA 4151-1] golang-github-gorilla-csrf security update
[DLA 4153-1] containerd security update
[DLA 4166-1] xrdp security update
[DLA 4180-1] pgbouncer security update
[DLA 4182-1] syslog-ng security update
[DLA 4186-1] php-twig security update
[DLA 4190-1] mydumper security update
[DLA 4197-1] python-flask-cors security update
[DLA 4204-1] twitter-bootstrap3 security update
[DLA 4210-1] python-django security update (in dsa-needed, DSA worked on since December)
[DLA 4215-1] ublock-origin security update
[DLA 4222-1] activemq security update
[DLA 4227-1] dcmtk security update
[DLA 4233-1] nagvis security update
[DLA 4238-1] sslh security update
[DLA 4245-1] libcommons-fileupload-java security update
[DLA 4246-1] libowasp-esapi-java security update
[DLA 4262-1] libcommons-lang-java security update
[DLA 4263-1] ruby-graphql security update
[DLA 4270-1] apache2 security update
[DLA 4274-1] mbedtls security update (in dsa-needed)

As said, this list was compiled manually; feel free to ask if any item 
looks incorrect.

I was checking the status in the security tracker; it is possible that 
the bookworm information in the tracker is incorrect (as was the case 
for two of my DLAs).


@Roberto, Santiago:
There are ~ 3 days left for getting anything into bookworm before 2026.


@Sylvain:
https://security-tracker.debian.org/tracker/CVE-2025-30349
[bookworm] - php-horde-imp <ignored> (Horde in Bookworm is broken due to PHP 8 issues and will be removed in the next point release)
Do you know what happened to that removal?


@Sylvain:
Packages on my list that are missing in the lts-cve-triage.py output 
(and no issue created) but should be there:

apache2:
pu request is a mess with multiple people proposing multiple debdiffs 
(#1109084).

expat:
Maintainer update blocked due to something we might have previously 
solved in ELTS (#1102752).

golang-github-gorilla-csrf:
In dla-needed due to binNMU issues in LTS.

libsoup2.4:
In dla-needed for additional CVEs.

mydumper:
No action after receiving instructions from SRM in May (#1106790).

nagvis:
dla-needed says:
  NOTE: 20250629: PU is ready and will be tested before sending the PU request

php-laravel-framework:
Package is in dla-needed for a new CVE.

python-aiohttp:
[bookworm] - python-aiohttp <ignored> (Minor issue)
The problem here is the "ignored" tagging in bookworm,
which might make a generic fix impossible.

python-flask-cors:
SRM ACK in July but upload missing (#1108508).

ruby2.7:
Needs checking renamed-packages.lts
A pu request in #1103854 does not seem to fix all CVEs that were fixed 
in DLAs.

ruby-saml:
In dla-needed for a new CVE.

squid:
In dla-needed for additional CVEs.

suricata:
In dla-needed for additional CVEs.

twitter-bootstrap3:
SRM ACK in June but upload missing (#1107088).

u-boot:
In dla-needed for additional CVEs.

ublock-origin:
SRM ACK in June but upload missing (#1107607).

It might be useful to also check whether a version >= the one listed
as fixing a CVE in next-oldstable-point-update.txt is in oldstable-new 
and/or oldstable-proposed-updates:
$ rmadison -a source -s oldstable-proposed-updates,oldstable-new node-tmp
node-tmp   | 0.2.2+dfsg+~0.2.3-1.1~deb12u1 | oldstable-proposed-updates | source
$ rmadison -a source -s oldstable-proposed-updates,oldstable-new firebird3.0
firebird3.0 | 3.0.11.33637.ds4-2+deb12u1 | oldstable-new | source
$
Whether a pu request is missing/submitted/moreinfo requires querying
the BTS (in lts-cve-triage.py or manually).

Packages can be in dla-needed for many reasons; the bookworm-pu request 
(or DSA) should have been prepared and submitted at the same time as the DLA.


> Regards,
> 
> -Roberto

cu
Adrian

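The rmadison check suggested in the mail above (is a version >= the one recorded as fixing the CVE already sitting in oldstable-proposed-updates or oldstable-new?) can be automated. The following is an added example written for this page; it is not code from the mail, from lts-cve-triage.py or from the security tracker. It parses rmadison's `pkg | version | suite | arch` output and compares versions with a reimplementation of dpkg's comparison rules (epoch, then upstream, then revision, with `~` sorting before everything), so it runs without dpkg installed. The two rmadison lines are the ones quoted in the mail; `demo-pkg`, its queued version and the `run_rmadison()` helper (which needs the devscripts rmadison tool and network access) are assumptions added for illustration.

```python
"""Check whether a queued oldstable upload reaches the version recorded
as fixing a CVE, using rmadison output (added example, not project code)."""
import subprocess


def _split_version(version):
    """Split a Debian version into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen: everything is upstream, revision is empty
        upstream, revision = revision, ""
    return epoch, upstream, revision


def _order(c):
    """Sort weight of one character, following dpkg's verrevcmp()."""
    if c == "~":
        return -1          # '~' sorts before even the end of the string
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)      # letters sort before other symbols
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg does (<0, 0, >0)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run, compared character by character via _order()
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: drop leading zeros, longer number wins, else first digit diff
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1, the ordering dpkg --compare-versions uses."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0


def parse_rmadison(output):
    """Turn 'pkg | version | suite | arch' lines into (pkg, version, suite)."""
    rows = []
    for line in output.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) >= 3:
            rows.append((parts[0], parts[1], parts[2]))
    return rows


def queued_fix_status(output, package, fixed_version):
    """Map each queue suite to (queued version, True if it is >= fixed_version)."""
    status = {}
    for pkg, version, suite in parse_rmadison(output):
        if pkg == package:
            status[suite] = (version, compare_versions(version, fixed_version) >= 0)
    return status


def run_rmadison(package):
    """Live query, same invocation as in the mail; needs devscripts and network."""
    cmd = ["rmadison", "-a", "source", "-s", "oldstable-proposed-updates,oldstable-new", package]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample: the two answers quoted in the mail plus a hypothetical
# demo-pkg whose queued upload is older than the version that fixes the CVE.
SAMPLE = """\
node-tmp   | 0.2.2+dfsg+~0.2.3-1.1~deb12u1 | oldstable-proposed-updates | source
firebird3.0 | 3.0.11.33637.ds4-2+deb12u1 | oldstable-new | source
demo-pkg   | 1.0-1+deb12u1 | oldstable-new | source
"""

if __name__ == "__main__":
    for pkg, fixed in (("node-tmp", "0.2.2+dfsg+~0.2.3-1.1~deb12u1"),
                       ("firebird3.0", "3.0.11.33637.ds4-2+deb12u1"),
                       ("demo-pkg", "1.0-1+deb12u2")):
        print(pkg, queued_fix_status(SAMPLE, pkg, fixed))
```

The fixed version to compare against is the one listed for the CVE in next-oldstable-point-update.txt; an empty result for a package means nothing is queued in either suite, and a `False` flag means an upload is queued but does not reach the fixing version, so the pu request still needs follow-up.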
