In January 2025 I worked on the packages listed below for Freexian LTS/ELTS [1]. This is my eleventh month involved with the (E)LTS efforts.

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

net-snmp
========

I migrated the updates (which I prepared and reported about last month) to buster and stretch (ELTS). The update was announced as [ELA-1603-1]. I also uploaded a bullseye update, which included a fix for compatibility with Linux >= 6.7 as an additional bonus, and announced it as [DLA-4430-1].

pgbouncer
=========

I got the go-ahead on my (old-)stable-proposed-updates from the release team, and thus proceeded to upload updates for bookworm (oldstable) and trixie (stable), which I prepared and reported about last month.

* https://bugs.debian.org/1124079
* https://bugs.debian.org/1124080

gimp
====

I worked on the outstanding CVEs for bullseye. I identified that CVE-2025-14424 did not affect 2.10.x and marked it as such in tracking. While at it I also looked through the "unimportant" issues and included CVE-2022-30067, which was already fixed everywhere but bullseye and seemed relevant enough to fix. This was eventually announced as [DLA-4431-1].

I offered to help with bookworm-security and trixie-security, but jmm was apparently already on it.

libmatio
========

I worked on the many open CVEs for libmatio in bullseye. One of them was unaddressed in all suites. A new upstream release was uploaded (via binary-NEW) first to experimental and then to unstable, which included the one needed fix. Unfortunately there was also a soname bump included in the upstream release for unclear reasons, which means a [transition] was needed. I reached out to #debian-science to discuss the situation...

A lot of time also went into trying to figure out what the problem and fix was for CVE-2020-36428. The problem was supposedly fixed in a particular upstream release, but the actual fix could not be identified, and eventually a lot of detective work via other CVE ids led to the conclusion that this was actually an underlying issue in hdf5 (and the upstream "fix" was likely bumping to a new hdf5 version used in CI builds) rather than in libmatio itself.

Additionally CVE-2025-2337 was investigated and I concluded that the bullseye version of libmatio is likely not affected.

Eventually the result was a fixed package for bullseye (LTS), announced as [DLA-4459-1].

inetutils
=========

I worked on the authentication bypass also known as CVE-2026-24061. I backported the fixes that had already been applied by the Debian package maintainer (originally from upstream) in unstable/testing/stable/oldstable to bullseye (LTS) [DLA-4453-1] and then to buster and stretch (ELTS) [ELA-1619-1].

A sneak peek of next month's report is that I've claimed openssl for LTS, where multiple vulnerabilities have been identified using AI based methods which are currently being discussed in various forums online.

Regards,
Andreas Henriksson

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors
[ELA-1603-1] https://www.freexian.com/lts/extended/updates/ela-1603-1-net-snmp/
[DLA-4430-1] https://lists.debian.org/debian-lts-announce/2026/01/msg00000.html
[DLA-4431-1] https://lists.debian.org/debian-lts-announce/2026/01/msg00001.html
[transition] https://lists.debian.org/debian-release/2026/01/msg00747.html
[DLA-4459-1] https://lists.debian.org/debian-lts-announce/2026/01/msg00031.html
[DLA-4453-1] https://lists.debian.org/debian-lts-announce/2026/01/msg00025.html
[ELA-1619-1] https://www.freexian.com/lts/extended/updates/ela-1619-1-inetutils/
