
Debian LTS/ELTS report - March 2026



During the month of March 2026 and on behalf of Freexian, I worked on the
following:

ca-certificates-java
--------------------

With Bastien Roucaries, we keep making progress on backporting the latest
versions of ca-certificates and ca-certificates-java in Debian LTS and
older.

At this point, and after much research and testing, it seems obvious that
GCJ-6 (in Debian ELTS buster) was never meant to work with
ca-certificates-java. It's also becoming clear that GCJ-6 should be treated
as unsupported, due to numerous issues. For example, its crypto support is
severely outdated and hardly usable these days.

Focusing on the only Java runtime left to support (openjdk), we found more
issues and we're still working on that.

python
------

I worked on the proposed upload for Python 3.11 in bookworm (#1126814), and
proposed a new version, after feedback from Moritz and Sylvain. This upload
addresses a batch of CVEs that were already fixed in LTS, but are not yet in
oldstable.

I also worked on the latest batch of Python CVEs, the work is mostly done
for Python 3.9, however the patches are not yet merged upstream, and not in
Debian either. So for now this work is just sitting in Git, it will be
released in LTS when the time is ripe.

python-cryptography
-------------------

I worked on CVE-2026-26007, the first step being to apply the fix provided
by upstream to the package in Debian stable (trixie). However backporting
the fix to older versions is more challenging: the code impacted has been
rewritten from Python to Rust, and upstream only fixes the more recent Rust
version. So backporting will involve rewriting the patch in Python, which
is do-able but requires the right person with the right skills.

Consequently, this CVE was marked as "postponed" for Debian LTS and older,
as it doesn't seem urgent anyway.

Thanks
------

Thanks to our sponsors for making this possible, and to Freexian for
handling the offering: <https://www.freexian.com/lts/debian/#sponsors>.

--
Arnaud

