I've worked during October 2025 on the below listed packages, for Freexian LTS/ELTS [1]
libpng1.6 (DLA-4396-1, ELA-1589-1, DSA-to-be-announced)
=======================================================

(This report includes some foreshadowing for December.)

libpng1.6 has reported several vulnerabilities; the upstream project classified two of the four published vulnerabilities as high severity. The task at hand was to update libpng1.6 across the full set of Debian releases, coordinating with the security team to ensure the release of the fixes was properly managed. Including LTS/ELTS, that meant fixing six suites.

The fixes themselves were quite straightforward to backport to the versions in Debian - libpng is quite a slow-moving mature project, which helped a lot. However, the standard PNG library is literally used almost everywhere; I think it is fair to say it's a key part of every operating system. This, of course, requires a great deal of effort to ensure that the update won’t break anything. I ran extensive testing on the update, building reverse dependencies, using autopkgtests in those builds, and also doing some manual testing in VMs. Some packages were too large for Salsa’s CI, so I built those locally to make sure everything looked fine. (As a side note, Debusine was a huge help in these tasks, especially for determining whether an autopkgtest failure was a regression or if the package was already failing before.)

At the end of November I was getting ready to release the upload and sent the security team all the debdiffs for review and upload coordination, and uploaded them to the security master for further processing. In the meantime, I prepared all the other releases, ran them through Debusine for final checks, and was about to upload… when the libpng project reported a brand new CVE, assessed as high severity. It was clear that this new CVE also needed to be addressed.

I reached out to the security team again, coordinated with them, and confirmed that they agreed this vulnerability should be fixed as part of the same already-prepared upload. So: rinse, lather, repeat -- backporting, preparing, and testing again -- and now all six suites should be once again prepared and safe soon.

Just when the updates were almost ready and well into testing, I noticed a new email in my mailbox -- from the libpng project's announce mailing list -- announcing yet another new upstream version. The email greeted me with the introductory words: "... but it worked on my machine, and it passed CI verification also!" For a second or two I feared that the third time would be the charm. Luckily, after reading the email, they did not mean a broken update or new security fixes.

So, finally, I was able to release libpng to LTS/ELTS, and stable/oldstable will be released by the security team shortly.

log4cxx
=======

Prepared the trixie stable-proposed-updates upload to close 2 CVEs in stable that have previously been fixed in LTS. This has been included in the stable point release shortly after.

zabbix
======

Reached out to the security team about how to handle zabbix for bookworm. (I'll still need to follow up on that.)

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- tobi
