In May 2026 I worked on the packages listed below for Freexian (E)LTS [1]. This is my fifteenth month involved with the (E)LTS efforts.
Many thanks to Freexian and our sponsors [2] for providing this opportunity!

# Packages

firewalld
=========

Backported fix for CVE-2026-4948 to LTS and announced [DLA-4585-1].

Identified that there was already a pending stable-proposed-update for trixie [firewalld-spu]. Remaining work is to handle oldstable!

While looking at backporting to ELTS (buster) it was identified that the affected code was not yet added, thus the bug was marked as not-affected for buster in the security-tracker.

Prepared an update for oldstable (bookworm) and submitted a proposed-update bug report to release-team [firewalld-ospu]. This was acked, approved and processed swiftly by the stable release managers.

evince & atril
==============

Backported upstream fix for argv command injection RCE in evince to LTS and announced [DLA-4596-1]. Similar for MATE fork of evince, atril, announced in [DLA-4597-1].

Prepared updated evince packages for ELTS (stretch and buster) and published as [ELA-1731-1].

I prepared updated atril packages for stable (trixie) and oldstable (bookworm) and sent offer to security team to upload these, with [debian-mate] in CC.

jq
==

Backported upstream fixes for 11 CVEs to bullseye (LTS) and announced [DLA-4599-1]. Work is still needed on other suites. (Unfortunately I missed that there were 12 CVEs to handle when uploading, so I backported the final remaining fix as well and pushed to lts-team/packages git repo for now pending future upload.)

# Other

I participated in the monthly lts team meeting on IRC.

# References

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors
[DLA-4585-1] https://lists.debian.org/debian-lts-announce/2026/05/msg00029.html
[firewalld-spu] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135642
[firewalld-ospu] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137166
[DLA-4596-1] https://lists.debian.org/debian-lts-announce/2026/05/msg00041.html
[DLA-4597-1] https://lists.debian.org/debian-lts-announce/2026/05/msg00042.html
[ELA-1731-1] https://www.freexian.com/lts/extended/updates/ela-1731-1-evince/
[DLA-4599-1] https://lists.debian.org/debian-lts-announce/2026/05/msg00044.html
[debian-mate] https://lists.debian.org/debian-mate/2026/05/msg00007.html
