Debian LTS and ELTS - December 2025
Here is my public monthly report.
Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/lts/debian/#sponsors

LTS

- lasso
  - Complex test environment requiring both an identity provider to
    authenticate against, and an identity client using the lasso library
    (see documentation below)
  - Identify reproducer for critical RCE vulnerability
  - Import (superficial) autopkgtests from later releases;
    run test suite on build
  - Create entirely new Salsa project (no prior Git history in Debian)
    https://salsa.debian.org/lts-team/packages/lasso
  - DLA-4397-1
    https://lists.debian.org/debian-lts-announce/2025/12/msg00008.html
    https://salsa.debian.org/lts-team/packages/lasso/-/commit/d8191ed05765389d1c1e49b3ea0c2af7075b0677
- hdf5: now marked as limited security support in Git package repository
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117722 (merged)
  https://salsa.debian.org/debian/debian-security-support/-/merge_requests/52 (ping)
- keras: EOL status approved, proceed with EOL procedure
  https://salsa.debian.org/debian/debian-security-support/-/merge_requests/53
- Front Desk (week 1 2025/2026, first half)
  - Mark 2 packages for update
  - Triage or precise bullseye triage for 6 CVEs
  - Enquire about python-django status (many postponed CVEs);
    also mark it for SPU/OSPU ((old)stable point updates):
    https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/300

ELTS

- libapache2-mod-auth-openidc
  - Continued from previous month
  - Complex test environment requiring an identity provider to
    authenticate against (see documentation below)
  - Identify introductory commit for CVE-2025-31492, helping determine
    that ELTS is not affected
  - Update Salsa CI and git-buildpackage, fix tests
  - ELA-1587-1
    https://www.freexian.com/lts/extended/updates/ela-1587-1-libapache2-mod-auth-openidc/
    https://salsa.debian.org/lts-team/packages/libapache2-mod-auth-openidc/-/commit/8244ac5d1df606a7c402bd2d149459af43e756ab
- lasso
  - Common work with LTS
  - Another complex test environment requiring an identity provider to
    authenticate against (see also documentation below)
  - Difficult backports and debugging
  - ELA-1590-1
    https://www.freexian.com/lts/extended/updates/ela-1590-1-lasso/
    https://salsa.debian.org/lts-team/packages/lasso/-/commit/d6997aba1a891280f872dd106b4ed5a20fc84770
    https://salsa.debian.org/lts-team/packages/lasso/-/commit/767837815fe33605968b7aabb2c5fd5172c37616
- Front Desk (week 1 2025/2026, first half)
  - Mark 2 supported packages for update, dropped 1 package
  - Triage or precise bullseye triage for 1 CVE
  - Tidy work queue and update status for 3 packages
  - Associate CVEs from newer, branched Debian packages with different
    names to older ELTS packages (gnupg*, golang*, netty*)

Common documentation and tooling

- Public documentation
  - TestSuites
    - libapache2-mod-auth-openidc: new entry; test install and configuration
      https://lts-team.pages.debian.net/wiki/TestSuites/libapache2-mod-auth-openidc.html
    - lemonldap-ng: libapache2-mod-auth-openidc requires an OpenID
      identity provider, so I wrote another new entry for lemonldap-ng
      https://lts-team.pages.debian.net/wiki/TestSuites/lemonldap-ng.html
    - lasso: new entry; enable test suite; attempt to run authentic2
      https://lts-team.pages.debian.net/wiki/TestSuites/lasso.html
    - SimpleSAMLphp: lasso requires a SAML identity provider, so I
      followed and improved our SimpleSAMLphp entry
      https://lts-team.pages.debian.net/wiki/TestSuites/simplesamlphp.html
    - libapache2-mod-auth-mellon: lasso requires a SAML client that
      uses lasso, so I wrote yet another new entry:
      https://lts-team.pages.debian.net/wiki/TestSuites/libapache2-mod-auth-mellon.html
    - golang: simplify code snippet and syntax
      https://lts-team.pages.debian.net/wiki/TestSuites/golang.html
    - TestSuites: reference new pages from previous months
      https://lts-team.pages.debian.net/wiki/TestSuites.html
  - Development
    - Source package: fix git-buildpackage snippet; make it more visible
      https://lts-team.pages.debian.net/wiki/Development.html#building-the-final-dsc
    - DLA ID reservation: recommend gen-DLA *source.changes
      https://lts-team.pages.debian.net/wiki/Development.html#claim-a-dla-id-in-dla-list
  - Technical workflows: sbuild: multiple fixes and clarifications
    https://lts-team.pages.debian.net/technical-workflows.html#sbuild
  - November recap
    https://lists.debian.org/debian-lts/2025/12/msg00008.html
- Private documentation
  - Recommend using gen-ELA with a source.changes file
- Tooling
  - cvehist: increase disk space over time; propose fix to Freexian
    sysadmin; also upgrade base container to trixie
    https://salsa.debian.org/lts-team/cvehist
- Help around on IRC and LTS mailing-list
  https://lists.debian.org/debian-lts/2025/12/msg00020.html
- Internal discussion on Salsa CI vs. debusine and possible
  deprecation
- (short) Team meeting (Jitsi)
  https://lists.debian.org/debian-lts/2025/12/msg00032.html

--
Sylvain Beucler
Debian LTS Team