
Debian LTS and ELTS report: October 2025



Hi,

This is a summary of the work I did for Debian LTS and ELTS in October
2025. Thanks to Freexian and sponsors for making this possible [0].

Debian LTS
==========

* Fixed CVE-2025-54988 in the tika package and released DLA 4350-1. This
was the first DLA for the package, at least in recent times, so I
created a new debian/bullseye branch and configured Salsa CI on it. Work
happened in the maintainer's repository.

* I investigated fixing CVE-2025-27515 in php-laravel-framework, but
gave up on it as I didn't feel I could complete the work in a reasonable
time. I left notes with my findings in dla-needed, hopefully useful for
the next person that will try tackling it.

* I am in the process of reviewing/improving the following page, given
that it still targets tooling in bookworm, considering it the latest
stable release:

 https://lts-team.pages.debian.net/wiki/TestSuites/autopkgtest.html#autopkgtest

* I attended the monthly Debian LTS team meeting.

Debian ELTS
===========

* I investigated CVE-2025-43960 in adminer, to eventually drop it from
ela-needed, as the vulnerability is not present in the software as
packaged in Debian.

* I released ELA-1562-1 to fix CVE-2025-59798 and CVE-2025-59799 in both
buster and stretch. I switched Salsa CI to the lts-team pipeline for
these ELTS releases.

* I investigated CVE-2025-48385/git and marked buster and stretch as not
affected (vulnerable code not present).

* I released ELA-1565-1 for git, fixing CVE-2025-27613, CVE-2025-46835,
CVE-2025-48384 in both buster and stretch. Again, I made sure to have
working Salsa CI on the ELTS branches, something we didn't have before.
This was a complex ELA requiring non-trivial backporting and testing in
a GUI environment (VMs for ELTS releases with a graphical console).

Misc
====

I spent some time experimenting with debusine to make better use of it
in the context of LTS/ELTS work.

Cheers,

Paride

[0] https://www.freexian.com/lts/debian/#sponsors

