
Debian LTS and ELTS report for November 2025



In November 2025 I've worked on the packages listed below for Freexian
LTS/ELTS [1]. This is my ninth month and I'm continuing to make progress, but
I was not able to use all allocated hours on the LTS side (partially because of
spending too much time on ELTS).

Many thanks to Freexian and our sponsors [2] for providing this
opportunity!


LTS
====

I continued the work on the bind9 update for bullseye which I started last
month. Since bind9 is a widely used package, extra time was spent
on making sure things were in order and on testing. The result was
published to bullseye-security as bind9 1:9.16.50-1~deb11u4 and
announced in [DLA 4364-1].

After working on libsoup2.4 for ELTS (see below), I started wading
through the remaining open CVEs to see what the upstream status was. I
wrote a bunch of personal notes about things and also extended the
security-tracker notes with additional hints on what was addressed
upstream, etc. The summary is that some of the remaining open CVEs have
been addressed upstream, but several are still unaddressed (and some
even considered very low priority). More work is needed, which I'll
likely proceed with in the upcoming month. Note that there are open bugs
about removing libsoup2.4 (and remaining rdeps) from unstable (which
IMHO is long overdue).


ELTS
====

As per the usual expectation that the same person handles both LTS and
ELTS, my plan was to look into bind9 updates here as well. Santiago also
explicitly asked me about this. I thus briefly looked into this, but
quickly drew the conclusion that this would take up much more time
(at least for me) to address than I had available. While upstream no
longer supports the older versions of bind9 we have in ELTS (buster,
stretch), they have a branch (bind-9.11) which seemed relevant to look at
and has gotten at least one of the CVEs recently addressed in bullseye (LTS)
backported to it.
Unfortunately the early 9.11.x versions we have and the much later
9.11.y releases (and the bind-9.11 branch) have deviated a lot, making it
non-trivial to backport even from the bind-9.11 branch to our releases.
A discussion was initiated with my findings on the topic so far, a
request that someone else pick this up and an open question whether we should
possibly consider updating to a later 9.11.x version in ELTS. Bastien
noticed that libisc had an SO version bump, which could make this a
no-go.

I also noticed that xrdp was back on the ela-needed list, even though I
had recently fixed the relevant problems. I fixed up my mistake that
made the newer xrdp package revision show up as vulnerable and removed
xrdp from the list.

I worked on updating libsoup2.4 in buster and stretch. I came to the
conclusion that with the high number of incoming CVEs it would probably
be best to address this in multiple rounds. After checking with
#debian-elts that this sounded sane, I proceeded to backport the
previously released bullseye (LTS) fixes to the buster and stretch (ELTS)
versions of libsoup2.4. A bunch of non-obvious changes were
unfortunately needed, which extended the time needed for this work. This
included using an older C language version in the older releases and function
signature changes (int -> gsize) which caused seemingly "unrelated"
(pre-existing) tests to fail. After some debugging all the problems
were identified and fixed. The result was released to ELTS and
announced in [ELA 1581-1]. The ela-needed entry for libsoup2.4 was *not*
removed (as it needs more rounds). Notes were added about the situation
and that the next round should start in sid/unstable, etc.


I also attended the LTS collaborators meeting on IRC.

This month I want to send some special thanks to Santiago and pochu,
among all the other very helpful people in #debian-lts / #debian-elts.

Regards,
Andreas Henriksson

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors
[DLA 4364-1] https://lists.debian.org/debian-lts-announce/2025/11/msg00007.html
[ELA 1581-1] https://www.freexian.com/lts/extended/updates/ela-1581-1-libsoup2.4/