Debian LTS and ELTS - April 2026
Here is my public monthly report.
Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/lts/debian/#sponsors
LTS
- p7zip / p7zip-rar
- Continue work from past month (the p7zip fork is now unmaintained,
and (newer) 7zip package doesn't share details on individual CVE
fixes, hampering security support)
- 7zip: push oldstable-proposed-update (OSPU) for review
https://release.debian.org/proposed-updates/oldstable.html
https://bugs.debian.org/bug=1129934
- 7zip, p7zip-rar: prepare and push OSPU for review
https://bugs.debian.org/1132466
https://bugs.debian.org/1132759
- 7zip, 7zip-rar: update bookworm-backports, coordinating with
previous uploaders, and adding bookworm->trixie upgrade fixes:
https://packages.debian.org/bookworm-backports/7zip
https://packages.debian.org/bookworm-backports/7zip-rar
- 7zip/trixie: prepare small stable-proposed-update (SPU) with
bookworm->trixie upgrade fixes:
https://bugs.debian.org/1133148
https://release.debian.org/proposed-updates/stable.html
- Push to Salsa and Salsa-CI
https://salsa.debian.org/debian/7zip/-/pipelines
https://salsa.debian.org/debian/p7zip/-/pipelines
https://salsa.debian.org/debian/p7zip-rar/-/pipelines
- Ask Emilio (LTS Team member) for review in the hope of making
packages available for testing before mi-May bookworm point update.
- awstats
- Coordinate SPU/OSPU with maintainer, following DLA-4509-1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131878#28
- Reproduce the issue and test on production systems
- SPU (bookworm, accepted): https://bugs.debian.org/1132727
- OSPU (bullseye, accepted): https://bugs.debian.org/1132728
- perl
- Fix CVE-2025-40909, following bookworm SPU
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112449
- Simplify fix to avoid touching the Perl build system
- Stress-test debusine regression testing :)
https://debusine.debian.net/debian/developers/work-request/572100/
- DLA-4538-1
https://lists.debian.org/debian-lts-announce/2026/04/msg00018.html
- Work queue
- Drop 10 packages with from the work queue with no immediate action
or no known users (no sponsors and low popcon).
- Update status for 3 packages.
- Propose spip for EOL
https://salsa.debian.org/lts-team/lts-updates-tasks/-/work_items/342
- Ping python-ply EOL proposal
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/320
ELTS
- perl
- Shared work with LTS, see above.
- Further simplify fix to avoid backporting newer Perl functions to
stretch.
- Importing Git to Salsa and switch to git-buildpackage, to avoid
using 2 other different Git managers
https://salsa.debian.org/lts-team/packages/perl/-/pipelines
- ELA-1685-1
https://www.freexian.com/lts/extended/updates/ela-1685-1-perl/
- nss
- Prepare update for buster and stretch, following DLA-4508-1
- Update Salsa-CI for ELTS
https://salsa.debian.org/lts-team/packages/nss/-/pipelines
- Fix-up bullseye Git
https://salsa.debian.org/lts-team/lts-updates-tasks/-/work_items/336
- ELA-1684-1
https://www.freexian.com/lts/extended/updates/ela-1684-1-nss/
- libapache2-mod-auth-openidc
- Newly supported package for stretch -- hence with a backlog.
- Determine 2 CVEs not-affected, fix all others.
- Find, fix and report to MITRE another stretch-specific buffer overflow.
- Update documentation for testing (see below).
- Setup Salsa-CI
https://salsa.debian.org/lts-team/packages/libapache2-mod-auth-openidc/-/pipelines
- ELA-1691-1
https://www.freexian.com/lts/extended/updates/ela-1691-1-libapache2-mod-auth-openidc/
Common documentation and tooling
- Public documentation
- Technical workflows
debusine staging limitation
https://lts-team.pages.debian.net/technical-workflows.html#debusine-staging
- Development
Testing reverse dependencies: update debusine status, reference
salsa-ci support, link autopkgtest instructions
https://lts-team.pages.debian.net/wiki/Development.html#test-the-update
Regression update: clarify and deduplicate section
https://lts-team.pages.debian.net/wiki/Development.html#special-case-regression-update
- TestSuites
lemonldap-ng, libapache2-mod-auth-openidc: testing on stretch
https://lts-team.pages.debian.net/wiki/TestSuites/lemonldap-ng.html
https://lts-team.pages.debian.net/wiki/TestSuites/libapache2-mod-auth-openidc.html
- Debian Wiki: DebusineDebianNet
Back-end selection for autopkgtest
Simplify syntax & display for one-liner code samples
https://wiki.debian.org/DebusineDebianNet#autopkgtest_backend_selection
- March recap
https://lists.debian.org/debian-lts/2026/04/msg00018.html
- Private documentation: review regression topic from Jochen
- Tooling
- debusine: beta-test / report more issues
upload-to-bookworm-backports does not find backported build dependencies
https://salsa.debian.org/freexian-team/debusine/-/issues/1423
upload-to-trixie gives confusing error message
https://salsa.debian.org/freexian-team/debusine.debian.net/support/-/issues/15
Regression tracking: unnecessary reference tasks?
https://salsa.debian.org/freexian-team/debusine/-/issues/1443
Regression tracking uses incorrect reference version
https://salsa.debian.org/freexian-team/debusine.debian.net/support/-/issues/17
- Investigate high bandwidth usage from the security-tracker Git repository;
no fix for now, only a fix for the blocked UI diff.
https://salsa.debian.org/salsa/support/-/issues/578#note_748126
- Attempt to fix missing HTML diffs for timekeeping.ledger and
data/CVE-EXTENDED-LTS/list; hard-coded limit of 0.5MB sadly:
https://gitlab.com/gitlab-org/gitlab/-/work_items/591440
- Team help
- python3
- help Arnaud with dropping CVE fixes and warn about new high-rate CVE
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/308
- suggest Emmanuel coordinate with Arnaud for the buster package.
- Guide new Debian contributor
https://lists.debian.org/debian-lts/2026/04/msg00025.html
https://lists.debian.org/debian-lts/2026/04/msg00027.html
https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/283
- Reserve and announce DLA-4554-1 for calibre, for abhijith
https://lists.debian.org/debian-lts/2026/04/msg00034.html
https://lists.debian.org/debian-lts-announce/2026/04/msg00036.html
--
Sylvain Beucler
Debian LTS Team
Reply to: