In May 2026 I worked on the packages listed below for Freexian (E)LTS [1].
This is my fifteenth month involved with the (E)LTS efforts.

Many thanks to Freexian and our sponsors [2] for providing this opportunity!


# Packages

firewalld
=========

Backported fix for CVE-2026-4948 to LTS and announced [DLA-4585-1].
Identified that there was already a pending stable-proposed-update
for trixie [firewalld-spu].
Remaining work is to handle oldstable!
While looking at backporting to ELTS (buster) it was identified that the
affected code was not yet added, thus the bug was marked as not-affected
for buster in the security-tracker.

Prepared an update for oldstable (bookworm) and submitted a proposed-update
bug report to release-team [firewalld-ospu]. This was acked, approved
and processed swiftly by the stable release managers.

evince & atril
==============

Backported upstream fix for argv command injection RCE in evince to LTS and
announced [DLA-4596-1]. Similar for MATE fork of evince, atril, announced in
[DLA-4597-1].

Prepared updated evince packages for ELTS (stretch and buster)
and published as [ELA-1731-1].

I prepared updated atril packages for stable (trixie) and oldstable (bookworm)
and sent an offer to the security team to upload these, with [debian-mate] in CC.

jq
==

Backported upstream fixes for 11 CVEs to bullseye (LTS) and announced
[DLA-4599-1]. Work is still needed on other suites.

(Unfortunately I missed that there were 12 CVEs to handle when uploading,
so I backported the final remaining fix as well and pushed to lts-team/packages
git repo for now pending future upload.)

# Other

I participated in the monthly lts team meeting on IRC.

# References

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors
[DLA-4585-1] https://lists.debian.org/debian-lts-announce/2026/05/msg00029.html
[firewalld-spu] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135642
[firewalld-ospu] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137166
[DLA-4596-1] https://lists.debian.org/debian-lts-announce/2026/05/msg00041.html
[DLA-4597-1] https://lists.debian.org/debian-lts-announce/2026/05/msg00042.html
[ELA-1731-1] https://www.freexian.com/lts/extended/updates/ela-1731-1-evince/
[DLA-4599-1] https://lists.debian.org/debian-lts-announce/2026/05/msg00044.html
[debian-mate] https://lists.debian.org/debian-mate/2026/05/msg00007.html
