Hi, This is summary on the work I did for Debian LTS and ELTS in November 2025. Thanks to Freexian and sponsors for making this possible [0].
### LTS work - CVE-2025-64181/openexr: verified that bullseye is not affected, and mark it as such. - Joined the Python Team to maintain LTS uploads there. - python-gevent: Configured git branches and Salsa CI for LTS uploads. Backported upstream fix CVE-2023-41419, including tests. The bullseye package does not run tests at package build time. I had to modify the packaging to run them. The testsuite does not run cleanly on Debian (this is know), but I was able to verify that the newly added tests all pass. As I didn’t get to a clean pass I didn’t commit these changes. This step took most time while working at CVE-2023-41419. Released DLA-4377-1. - samba: Backport upstream fix and tests for CVE-2025-9640. Fixed Salsa CI pipeline. Performed testing, keeping in mind the package is high-popcon. Released DLA-4384-1. - sogo: Backported upstream fix for CVE-2025-63498. Released DLA-4386-1. Reached out the the Maintainers about repo location for LTS uploads. - Attended the monthly IRC meeting. ### ELTS work - CVE-2025-64181/openexr: verify that buster and stretch are not affected, and mark them as such. - CVE-2023-41419/python-gevent: I backported the Bullseye fixes to both Buster and Stretch, but I was not able to run the package test suite yet, despite spending quite some time on it. I do not feel confident releasing ELAs without test runs. I’ll carry over to next month. NOTEs are updated accordingly. Cheers, Paride [0] https://www.freexian.com/lts/debian/#sponsors
