Hi, here are some remarks about my work last month.

- u-boot (LTS/OSPU)
DLA 4320-1 has finally been released fixing the outstanding CVE-2021-27097 and CVE-2021-27138. Thanks to jspricke for helping with the testing. The OSPU fixing 6 CVEs has been prepared (#1116947).

- libcommons-lang3-java (LTS/ELTS/OSPU/SPU)
DLA 4286-2 was released fixing a regression. ELA-1530-1 was released to fix CVE-2025-48924 in ELTS. The SPU (#1116951) has been created. The OSPU (#1113711) has been checked for the regression, but didn't require any changes.

- libcommons-lang-java (LTS/ELTS/OSPU/SPU)
DLA 4262-2 and ELA-1510-2 were released fixing a regression. The OSPU (#1112669) and SPU (#1112671) had to be updated.

- python-h2 (LTS)
DLA-4290-1 has been released fixing CVE-2025-57804.

- python-internetarchive (LTS/OSPU)
DLA 4314-1 has been released fixing CVE-2025-58438. The OSPU has been prepared, but not yet reported to the BTS.

- pytorch (LTS)
I continued my work. However, a whole bunch of new CVEs have been reported without any reaction from the pytorch maintainers. Thus, I have now prepared a DLA upload to only fix the RCE (CVE-2025-32434), which is currently being tested. All other fixes are postponed until there is more clarity on how pytorch will progress in Sid and how the maintainers will address the >20 open CVEs. We should discuss backporting a new version instead of fixing all these issues.

- misc
As usual, I added information and patch links to the CVE tracker.

Thanks to Freexian and Freexian's sponsors for making these projects possible (https://www.freexian.com/lts/debian/#sponsors).

Regards,
Daniel