In November 2025 I've worked on the below listed packages for Freexian LTS/ELTS [1]. This is my ninth month and I'm continuing to make progress, but not able to use all allocated hours on the LTS side (partially because of spending too much time on ELTS).

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
====

I continued the work on the bind9 update for bullseye which I started last month. Since bind9 is a widely used package, there was extra time spent on making sure things were in order and on testing. The result was published to bullseye-security as bind9 1:9.16.50-1~deb11u4 and announced in [DLA 4364-1].

After working on libsoup2.4 for ELTS (see below), I started wading through the remaining open CVEs to see what the upstream status was. I wrote a bunch of personal notes about things and also extended the security-tracker notes with additional hints on what was addressed upstream, etc. The summary is that some of the remaining open CVEs have been addressed upstream, but several are still unaddressed (and some even considered very low priority). More work is needed, which I'll likely proceed with in the upcoming month.... Note that there are open bugs about removing libsoup2.4 (and remaining rdeps) from unstable (which IMHO is long overdue).

ELTS
====

As per the usual expectation that the same person handles both LTS and ELTS, my plan was to look into bind9 updates here as well. Santiago also explicitly asked me about this. I thus briefly looked into this, but quickly drew the conclusion that this would take up much more time (at least for me) to address than I had available. While upstream no longer supports the older versions of bind9 we have in ELTS (buster, stretch), they have a branch (bind-9.11) which seemed relevant to look at and has gotten at least one of the CVEs recently addressed in bullseye (LTS) backported to it. Unfortunately the early 9.11.x versions we have and the much later 9.11.y releases (and the bind-9.11 branch) have deviated a lot, making it non-trivial to backport even from the bind-9.11 branch to our releases.

A discussion was initiated with my findings on the topic so far, a request that someone else pick this up and an open question if we should possibly consider updating to a later 9.11.x version in ELTS. Bastien noticed that libisc had an SO version bump, which could make this a no-go.

I also noticed that xrdp was back on the ela-needed list, even though I had recently fixed the relevant problems. I fixed up my mistake that made the newer xrdp package revision show up as vulnerable and removed xrdp from the list.

I worked on updating libsoup2.4 in buster and stretch. I came to the conclusion that with the high number of incoming CVEs it would probably be best to address this in multiple rounds. After checking with #debian-elts that this sounded sane, I proceeded to backport the previously released bullseye (LTS) fixes to the buster and stretch (ELTS) versions of libsoup2.4. A bunch of non-obvious changes were unfortunately needed that extended the time needed for this work. This included using an older C language version in the older releases, and function signature changes (int -> gsize) which caused seemingly "unrelated" (pre-existing) tests to fail. After some debugging all the problems were identified and fixed. The result was released to ELTS and announced in [ELA 1581-1]. The ela-needed entry for libsoup2.4 was *not* removed (as it needs more rounds). Notes were added about the situation and that the next round should start in sid/unstable, etc.

I also attended the LTS collaborators meeting on IRC.

This month I want to send some special thanks to Santiago and pochu, among all the other very helpful people in #debian-lts / #debian-elts.

Regards,
Andreas Henriksson

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors
[DLA 4364-1] https://lists.debian.org/debian-lts-announce/2025/11/msg00007.html
[ELA 1581-1] https://www.freexian.com/lts/extended/updates/ela-1581-1-libsoup2.4/
