Here is my public monthly report.

Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/lts/debian/#sponsors


LTS

- p7zip / p7zip-rar / 7zip
  - Continue work from past month (the p7zip fork is now unmaintained,
    and the (newer) 7zip package doesn't share details on individual CVE
    fixes, hampering security support).
  - Tidy Git branches and fix Salsa-CI
    https://salsa.debian.org/debian/7zip/-/pipelines
    https://salsa.debian.org/debian/p7zip/-/pipelines
    https://salsa.debian.org/debian/p7zip-rar/-/pipelines
  - Final reverse dependencies testing, investigating false positives.
  - Fix upcoming bookworm version in the security tracker.
  - trixie update released: 7zip (upgrade fix)
    Stable Point Updates (SPU)
    https://www.debian.org/News/2026/20260516
  - bookworm updates released: p7zip, p7zip-rar, 7zip
    Old-Stable Point Updates (OSPU)
    https://www.debian.org/News/2026/2026051602
  - bullseye updates released: p7zip, p7zip-rar
    DLA-4576-1, DLA-4577-1
    https://lists.debian.org/debian-lts-announce/2026/05/msg00020.html
    https://lists.debian.org/debian-lts-announce/2026/05/msg00021.html

- zulucrypt
  - Confirm high vulnerability CVE-2025-53391 on bullseye
  - Ask for removal as package is not maintained
    RM: zulucrypt/5.7.1-2
    https://bugs.debian.org/1135634

- rails
  - Fixes to previous upload, following buster work (see below).
  - Address serialization vulnerability (CVE-2022-32224), including
    subsequent fixes to maximize backward compatibility.
  - DLA-4578-1
    https://lists.debian.org/debian-lts-announce/2026/05/msg00022.html

- Front Desk (week 21 2026)
  - High CVE activity and a bit of backlog to deal with
  - Mark 29 packages for update
  - Triage or precise bullseye triage for ~150 CVEs
  - Tidy work queue and team package information for 3 packages
  - Reference missing bookworm erlang CVEs fixed in Debian 12.14


ELTS

- rails
  - Fix serialization vulnerability (CVE-2022-32224), including
    subsequent fixes to maximize backward compatibility.
  - Rework testing: disable test suite on build as it produces
    inconsistent results, ensure it reports failures from autopkgtest.
  - Rework a few unreleased patches and fix tests.
  - Reverse-dependencies testing, check false positives.
  - ELA-1716-1 (15 CVEs)
    https://www.freexian.com/lts/extended/updates/ela-1716-1-rails/

- Front Desk (week 21 2026)
  - High CVE activity and a bit of backlog to deal with
  - Mark 29 supported packages for update, drop 1 package
  - Triage or precise bullseye triage for >80 CVEs
  - Tidy work queue and update status for 3 packages
  - Associate CVEs from newer, branched Debian packages with different
    names to older ELTS packages (golang*, mongodb*, netty*, python*,
    ruby*, unbound*); reference libyang/libyang2
  - Clean-up obsolete and unimportant-priority ELTS entries
  - Prepare FD week a bit beforehand: fix openjdk triage, reference
    not-affected openssl/openssl1.0 CVEs, reference released DSAs in
    the work queue.


Common documentation and tooling

- Public documentation

  - TestSuites: rails
    rework for buster and bullseye, test against redmine when
    possible, patch validation process, test more components
    https://lts-team.pages.debian.net/wiki/TestSuites/rails.html

  - April recap
    https://lists.debian.org/debian-lts/2026/05/msg00030.html

- Tooling

  - lts-cve-triage.py: fix exception in corner case

  - debusine: report issue
    Regression analysis reports regressions introduced by other packages
    https://salsa.debian.org/freexian-team/debusine/-/work_items/1461

- Team/users help

  - curl bug report in (obsolete) jessie-elts
    https://lists.debian.org/debian-lts/2026/05/msg00011.html

  - proftpd-dfsg: help guide maintainer for LTS upload
    https://lists.debian.org/debian-lts/2026/05/msg00021.html

  - ruby SPU: suggest alternate course of action, more likely to be accepted
    https://bugs.debian.org/1103854#31

  - Freexian Security Policy (draft): feedback

- Team meeting (IRC)
  https://meetbot.debian.net/debian-lts/2026/debian-lts.2026-05-28-14.00.html

-- 
Sylvain Beucler
Debian LTS Team
