In December 2025 I've worked on the below listed packages for Freexian (E)LTS [1]. This is my tenth month involved with the (E)LTS efforts. Many thanks to Freexian and our sponsors [2] for providing this opportunity!

libsoup2.4
==========

As promised last month, I did another round of looking at new CVEs for libsoup2.4. I went through the open CVEs that were unaddressed in any release and identified 4 which had upstream fixes which were merged.

CVE ID           Debian bug report
---------------+-------------------
CVE-2025-4969    #1106325
CVE-2025-4948    #1106337
CVE-2025-4945    #1106375
CVE-2025-4476    #1107757

(There were several other open CVEs, but either they were still unaddressed, low prio, or the upstream proposed patch was not merged yet.)

Most of the fixes were trivial backports, but the CVE-2025-4945 fixes required a bit more investigation. The affected code lived in another file. There was some glib -> old libsoup API porting needed. Some time was spent on analysing a test failure in a backported test, but it turned out that the new (libsoup3) code did not support ISO 8601 formatted dates and the test expected them to fail, but they are actually supported in libsoup2.4 -- thus that testcase was disabled.

libsoup 2.74.3-11 was uploaded as a team upload to sid. I synced with gnome-team that this was not a problem. Beware that libsoup2.4 is no longer part of testing and is up for removal from unstable (finally!). Changes to debian/latest (+ tag) were pushed to both the gnome-team repo as well as the lts-team repo. Updates were made to the security-tracker git repo data/CVE/list to mark the CVEs as handled in sid.

The same fixes were then backported to bullseye and uploaded (via debusine.debian.net) and announced as [DLA-4398-1].

While the security-tracker is now showing a lot more green, future work is still needed in addressing stable and old-stable. While stable has some of the fixes already uploaded, old-stable is lagging behind. This needs to be addressed, not only for the users of these releases, but also to avoid LTS regressions once bookworm (old-stable) moves to LTS maintenance.

pgbouncer
=========

I worked on backporting fixes for CVE-2025-12819 to trixie, bookworm and bullseye and also CVE-2025-2291 for bookworm. For trixie and bookworm, SPU and OSPU reports have been filed respectively as:

* https://bugs.debian.org/1124079
* https://bugs.debian.org/1124080

For bullseye (LTS) the update was uploaded and announced as [DLA-4422-1].

net-snmp
========

Updated packages fixing CVE-2025-68615 in bullseye, buster and stretch have been prepared. Still waiting for all checks to go through before the packages can be migrated to the archive and the paperwork to announce these updates, which will be picked up in the new year!

I've been in contact with the net-snmp Debian maintainer to confirm that stable/oldstable is being taken care of. Also helped figure out some problems in unstable/sid where the new upstream release broke some reverse dependencies.

metadata confusion
==================

utkarsh2102 noticed there was a problem with the metadata about fixed CVEs for php-horde-css-parser, and also helped fix it up [utkarsh2102-fix]. This was similar to the problem I spotted and Santiago helped me fix in the xrdp package last month. Two times makes this a pattern and there were thus some discussions about potential documentation improvements. I filed two separate MRs for discussion; one got merged and the other we decided to leave as is (since the docs have already been improved since) [beac-was-here].

trixie debusine uploads
=======================

In the dla-needed.txt for pgbouncer the NOTEs asked for an OSPU / SPU upload and I thus got to work on trixie for the first time. Having found using debusine very convenient, I tried it for trixie for the first time but found it not working for me. With the help of the very friendly people in #debian-lts it was identified that uploads to debusine.debian.net targeting trixie are not yet supported in the debusine-client version shipped in trixie itself. Thus the solution which made it work was to install debusine-client from trixie-backports.

It did not strike me as something to look at as I simply used dput to upload, so I thought it might be worth mentioning here in case someone else is also uploading from trixie: you probably want to update debusine-client to a backported version before you also run into problems.

Regards,
Andreas Henriksson

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors
[DLA-4398-1] https://lists.debian.org/debian-lts-announce/2025/12/msg00009.html
[utkarsh2102-fix] 87afaaf19ce56123bc9508d9c6cd5360b18114ef in the ELTS security-tracker git repo.
[beac-was-here] https://gitlab.com/freexian/services/deblts-team/documentation/-/commit/cf45177bdbfe65b16426eb9620682e6d4e68628d
[DLA-4422-1] https://lists.debian.org/debian-lts-announce/2025/12/msg00033.html