Gentle reminder: issues fixed in bullseye but not in bookworm

To: Debian LTS <debian-lts@lists.debian.org>
Subject: Gentle reminder: issues fixed in bullseye but not in bookworm
From: Utkarsh Gupta <guptautkarsh2102@gmail.com>
Date: Sun, 7 Dec 2025 07:49:25 +0530
Message-id: <[🔎] CAPP0f94a_kDcBtZKrU1q6710mTu_GEg4L11yjJ54kp_ACNiLRQ@mail.gmail.com>
Hi LTS team,

Whilst triaging packages for LTS, the report also shows us issues
fixed in bullseye but not in bookworm.

This is a gentle reminder: **if** you've worked on any of the packages
below and issued a DLA for them, please consider fixing them in
bullseye via a pu or DSA (modulo the security team wants to do that).

---

Issues fixed in bullseye but not in bookworm (low priority) [caution:
new report]
cf. https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/?label_name%5B%5D=%28O%29SPU
:

* activemq
https://deb.freexian.com/extended-lts/tracker/source-package/activemq
  - CVE-2025-27533
https://deb.freexian.com/extended-lts/tracker/CVE-2025-27533  [wf
secteam triage]

* busybox
https://deb.freexian.com/extended-lts/tracker/source-package/busybox
  - CVE-2023-42365
https://deb.freexian.com/extended-lts/tracker/CVE-2023-42365
  - CVE-2023-42364
https://deb.freexian.com/extended-lts/tracker/CVE-2023-42364
  - CVE-2022-48174
https://deb.freexian.com/extended-lts/tracker/CVE-2022-48174

* dcmtk
https://deb.freexian.com/extended-lts/tracker/source-package/dcmtk
  - CVE-2025-9732
https://deb.freexian.com/extended-lts/tracker/CVE-2025-9732
  - CVE-2025-2357
https://deb.freexian.com/extended-lts/tracker/CVE-2025-2357
  - CVE-2022-4981
https://deb.freexian.com/extended-lts/tracker/CVE-2022-4981

* editorconfig-core
https://deb.freexian.com/extended-lts/tracker/source-package/editorconfig-core
  - CVE-2024-53849
https://deb.freexian.com/extended-lts/tracker/CVE-2024-53849

* erlang
https://deb.freexian.com/extended-lts/tracker/source-package/erlang
  - CVE-2025-48041
https://deb.freexian.com/extended-lts/tracker/CVE-2025-48041
  - CVE-2025-48039
https://deb.freexian.com/extended-lts/tracker/CVE-2025-48039
  - CVE-2025-48038
https://deb.freexian.com/extended-lts/tracker/CVE-2025-48038

* geographiclib
https://deb.freexian.com/extended-lts/tracker/source-package/geographiclib
  - CVE-2025-60751
https://deb.freexian.com/extended-lts/tracker/CVE-2025-60751

* git
https://deb.freexian.com/extended-lts/tracker/source-package/git
  - CVE-2025-48384
https://deb.freexian.com/extended-lts/tracker/CVE-2025-48384
  - CVE-2025-46835
https://deb.freexian.com/extended-lts/tracker/CVE-2025-46835
  - CVE-2025-27613
https://deb.freexian.com/extended-lts/tracker/CVE-2025-27613

* iperf3
https://deb.freexian.com/extended-lts/tracker/source-package/iperf3
  - CVE-2024-53580
https://deb.freexian.com/extended-lts/tracker/CVE-2024-53580

* libarchive
https://deb.freexian.com/extended-lts/tracker/source-package/libarchive
  - CVE-2025-5918
https://deb.freexian.com/extended-lts/tracker/CVE-2025-5918

* libcommons-fileupload-java
https://deb.freexian.com/extended-lts/tracker/source-package/libcommons-fileupload-java
  - CVE-2025-48976
https://deb.freexian.com/extended-lts/tracker/CVE-2025-48976

* libmodbus
https://deb.freexian.com/extended-lts/tracker/source-package/libmodbus
  - CVE-2024-10918
https://deb.freexian.com/extended-lts/tracker/CVE-2024-10918

* libowasp-esapi-java
https://deb.freexian.com/extended-lts/tracker/source-package/libowasp-esapi-java
  - CVE-2025-5878
https://deb.freexian.com/extended-lts/tracker/CVE-2025-5878

* libwebsockets
https://deb.freexian.com/extended-lts/tracker/source-package/libwebsockets
  - CVE-2025-11678
https://deb.freexian.com/extended-lts/tracker/CVE-2025-11678
  - CVE-2025-11677
https://deb.freexian.com/extended-lts/tracker/CVE-2025-11677

* log4cxx
https://deb.freexian.com/extended-lts/tracker/source-package/log4cxx
  - CVE-2025-54813
https://deb.freexian.com/extended-lts/tracker/CVE-2025-54813
  - CVE-2025-54812
https://deb.freexian.com/extended-lts/tracker/CVE-2025-54812

* mediawiki
https://deb.freexian.com/extended-lts/tracker/source-package/mediawiki
  - CVE-2025-61656
https://deb.freexian.com/extended-lts/tracker/CVE-2025-61656  [wf
secteam triage]
  - CVE-2025-61655
https://deb.freexian.com/extended-lts/tracker/CVE-2025-61655  [wf
secteam triage]
  - CVE-2025-61653
https://deb.freexian.com/extended-lts/tracker/CVE-2025-61653  [wf
secteam triage]
  - CVE-2025-61646
https://deb.freexian.com/extended-lts/tracker/CVE-2025-61646  [wf
secteam triage]
  - CVE-2025-61643
https://deb.freexian.com/extended-lts/tracker/CVE-2025-61643  [wf
secteam triage]
  - CVE-2025-61641
https://deb.freexian.com/extended-lts/tracker/CVE-2025-61641  [wf
secteam triage]
  - CVE-2025-61640
https://deb.freexian.com/extended-lts/tracker/CVE-2025-61640  [wf
secteam triage]
  - CVE-2025-61639
https://deb.freexian.com/extended-lts/tracker/CVE-2025-61639  [wf
secteam triage]
  - CVE-2025-61638
https://deb.freexian.com/extended-lts/tracker/CVE-2025-61638  [wf
secteam triage]
  - CVE-2025-61635
https://deb.freexian.com/extended-lts/tracker/CVE-2025-61635  [wf
secteam triage]
  - ...

* nodejs
https://deb.freexian.com/extended-lts/tracker/source-package/nodejs
  - CVE-2025-23085
https://deb.freexian.com/extended-lts/tracker/CVE-2025-23085

* pgagent
https://deb.freexian.com/extended-lts/tracker/source-package/pgagent
  - CVE-2025-0218
https://deb.freexian.com/extended-lts/tracker/CVE-2025-0218

* pgbouncer
https://deb.freexian.com/extended-lts/tracker/source-package/pgbouncer
  - CVE-2025-2291
https://deb.freexian.com/extended-lts/tracker/CVE-2025-2291

* php-twig
https://deb.freexian.com/extended-lts/tracker/source-package/php-twig
  - CVE-2024-51754
https://deb.freexian.com/extended-lts/tracker/CVE-2024-51754

* pypy3
https://deb.freexian.com/extended-lts/tracker/source-package/pypy3
  - CVE-2025-8291
https://deb.freexian.com/extended-lts/tracker/CVE-2025-8291
  - CVE-2025-6069
https://deb.freexian.com/extended-lts/tracker/CVE-2025-6069
  - CVE-2025-1795
https://deb.freexian.com/extended-lts/tracker/CVE-2025-1795
  - CVE-2025-0938
https://deb.freexian.com/extended-lts/tracker/CVE-2025-0938
  - CVE-2024-11168
https://deb.freexian.com/extended-lts/tracker/CVE-2024-11168
  - CVE-2024-7592
https://deb.freexian.com/extended-lts/tracker/CVE-2024-7592
  - CVE-2024-6923
https://deb.freexian.com/extended-lts/tracker/CVE-2024-6923
  - CVE-2024-6232
https://deb.freexian.com/extended-lts/tracker/CVE-2024-6232

* python-authlib
https://deb.freexian.com/extended-lts/tracker/source-package/python-authlib
  - CVE-2025-62706
https://deb.freexian.com/extended-lts/tracker/CVE-2025-62706  [wf
secteam triage]
  - CVE-2025-61920
https://deb.freexian.com/extended-lts/tracker/CVE-2025-61920  [wf
secteam triage]
  - CVE-2025-59420
https://deb.freexian.com/extended-lts/tracker/CVE-2025-59420  [wf
secteam triage]
  - CVE-2024-37568
https://deb.freexian.com/extended-lts/tracker/CVE-2024-37568

* python-eventlet
https://deb.freexian.com/extended-lts/tracker/source-package/python-eventlet
  - CVE-2025-58068
https://deb.freexian.com/extended-lts/tracker/CVE-2025-58068

* python-gevent
https://deb.freexian.com/extended-lts/tracker/source-package/python-gevent
  - CVE-2023-41419
https://deb.freexian.com/extended-lts/tracker/CVE-2023-41419

* python-h2
https://deb.freexian.com/extended-lts/tracker/source-package/python-h2
  - CVE-2025-57804
https://deb.freexian.com/extended-lts/tracker/CVE-2025-57804

* python-pip
https://deb.freexian.com/extended-lts/tracker/source-package/python-pip
  - CVE-2025-8869
https://deb.freexian.com/extended-lts/tracker/CVE-2025-8869
  - CVE-2023-5752
https://deb.freexian.com/extended-lts/tracker/CVE-2023-5752

* pytorch
https://deb.freexian.com/extended-lts/tracker/source-package/pytorch
  - CVE-2025-32434
https://deb.freexian.com/extended-lts/tracker/CVE-2025-32434

* ruby-graphql
https://deb.freexian.com/extended-lts/tracker/source-package/ruby-graphql
  - CVE-2025-27407
https://deb.freexian.com/extended-lts/tracker/CVE-2025-27407

* ruby-saml
https://deb.freexian.com/extended-lts/tracker/source-package/ruby-saml
  - CVE-2025-54572
https://deb.freexian.com/extended-lts/tracker/CVE-2025-54572  [wf
secteam triage]
  - CVE-2025-25293
https://deb.freexian.com/extended-lts/tracker/CVE-2025-25293  [wf
secteam triage]
  - CVE-2025-25292
https://deb.freexian.com/extended-lts/tracker/CVE-2025-25292  [wf
secteam triage]
  - CVE-2025-25291
https://deb.freexian.com/extended-lts/tracker/CVE-2025-25291  [wf
secteam triage]

* sogo
https://deb.freexian.com/extended-lts/tracker/source-package/sogo
  - CVE-2025-63498
https://deb.freexian.com/extended-lts/tracker/CVE-2025-63498  [wf
secteam triage]

* sslh
https://deb.freexian.com/extended-lts/tracker/source-package/sslh
  - CVE-2025-52936
https://deb.freexian.com/extended-lts/tracker/CVE-2025-52936

* sympa
https://deb.freexian.com/extended-lts/tracker/source-package/sympa
  - CVE-2024-55919
https://deb.freexian.com/extended-lts/tracker/CVE-2024-55919  [wf
secteam triage]

* tiff
https://deb.freexian.com/extended-lts/tracker/source-package/tiff
  - CVE-2024-13978
https://deb.freexian.com/extended-lts/tracker/CVE-2024-13978

* wordpress
https://deb.freexian.com/extended-lts/tracker/source-package/wordpress
  - CVE-2025-58674
https://deb.freexian.com/extended-lts/tracker/CVE-2025-58674  [wf
secteam triage]
  - CVE-2025-58246
https://deb.freexian.com/extended-lts/tracker/CVE-2025-58246  [wf
secteam triage]
  - CVE-2024-31111
https://deb.freexian.com/extended-lts/tracker/CVE-2024-31111  [wf
secteam triage]
  - CVE-2024-6307
https://deb.freexian.com/extended-lts/tracker/CVE-2024-6307  [wf
secteam triage]

* xrdp
https://deb.freexian.com/extended-lts/tracker/source-package/xrdp
  - CVE-2024-39917
https://deb.freexian.com/extended-lts/tracker/CVE-2024-39917
  - CVE-2023-42822
https://deb.freexian.com/extended-lts/tracker/CVE-2023-42822
  - CVE-2023-40184
https://deb.freexian.com/extended-lts/tracker/CVE-2023-40184
Reply to:
Follow-Ups:
- Re: Gentle reminder: issues fixed in bullseye but not in bookworm
  - From: Tobias Frost <tobi@debian.org>
- Re: Gentle reminder: issues fixed in bullseye but not in bookworm
  - From: Daniel Leidert <dleidert@debian.org>
- Re: Gentle reminder: issues fixed in bullseye but not in bookworm
  - From: Abhijith PA <abhijith@debian.org>
Prev by Date: Re: security update for libpng1.6
Next by Date: Re: Gentle reminder: issues fixed in bullseye but not in bookworm
Previous by thread: Documentation recap - November
Next by thread: Re: Gentle reminder: issues fixed in bullseye but not in bookworm
Index(es):
- Date
- Thread