Hi,

This is a summary of the work I did for Debian LTS and ELTS in October 2025.
Thanks to Freexian and sponsors for making this possible [0].

Debian LTS
==========

* Fixed CVE-2025-54988 in the tika package and released DLA 4350-1. This
  was the first DLA for the package, at least in recent times, so I
  created a new debian/bullseye branch and configured Salsa CI on it.
  Work happened in the maintainer's repository.

* I investigated fixing CVE-2025-27515 in php-laravel-framework, but gave
  up on it as I didn't feel I could complete the work in a reasonable
  time. I left notes with my findings in dla-needed, hopefully useful for
  the next person that will try tackling it.

* I am in the process of reviewing/improving the following page, given
  that it still targets tooling in bookworm, considering it the latest
  stable release:

  https://lts-team.pages.debian.net/wiki/TestSuites/autopkgtest.html#autopkgtest

* I attended the monthly Debian LTS team meeting.

Debian ELTS
===========

* I investigated CVE-2025-43960 in adminer, to eventually drop it from
  ela-needed, as the vulnerability is not present in the software as
  packaged in Debian.

* I released ELA-1562-1 to fix CVE-2025-59798 and CVE-2025-59799 in both
  buster and stretch. I switched Salsa CI to the lts-team pipeline for
  these ELTS releases.

* I investigated CVE-2025-48385/git and marked buster and stretch as not
  affected (vulnerable code not present).

* I released ELA-1565-1 for git, fixing CVE-2025-27613, CVE-2025-46835,
  CVE-2025-48384 in both buster and stretch. Again, I made sure to have
  working Salsa CI on the ELTS branches, something we didn't have before.
  This was a complex ELA requiring non-trivial backporting and testing in
  a GUI environment (VMs for ELTS releases with a graphical console).

Misc
====

I spent some time experimenting with debusine to make better use of it
in the context of LTS/ELTS work.

Cheers,

Paride

[0] https://www.freexian.com/lts/debian/#sponsors
