Hi, here are some remarks about my work during last month.

- node-tar (ELTS / LTS / OSPU/SPU/DSA)

DLA-4552-1 was released fixing CVE-2024-28863, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786, and CVE-2026-31802. Since the maintainer beat me to a DSA candidate, but without some of the patches I identified, I attempted to get in contact with them to discuss these differences before uploading the OSPU. Unfortunately, I haven't received a response yet. I have started to work on the Buster upload.

- python-aiohttp (LTS)

I have fixes ready for 14 of the open CVEs, which leaves 3 remaining issues to be dealt with before it can be uploaded.

- pypdf2 (LTS)

I went through multiple of the reports. My findings are that multiple issues likely do not affect version 1.26.0 in Bullseye. However, due to the heavy code changes between version 6, the version in which all of the issues were fixed, and version 1.26, it is hard to say if the remaining issues affect that version. And attempting to verify and fix it might be very time-consuming, if even possible. Thus, IMHO, we cannot properly support that version of pypdf2 in Bullseye. I am going to open a GitLab issue to have a discussion about the future support of pypdf2.

- misc

I reviewed eamanu's release candidates of python-authlib, pyasn1, and python-flask-httpauth.

As always, I put my findings in the security tracker where appropriate.

Thanks to Freexian and Freexian's sponsors for making these projects possible (https://www.freexian.com/lts/debian/#sponsors).

Regards,
Daniel