Here is my public monthly report.
Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/lts/debian/#sponsors

LTS

- p7zip / p7zip-rar / 7zip
  - Continue work from past month (the p7zip fork is now unmaintained,
    and (newer) 7zip package doesn't share details on individual CVE
    fixes, hampering security support).
  - Tidy Git branches and fix Salsa-CI
    https://salsa.debian.org/debian/7zip/-/pipelines
    https://salsa.debian.org/debian/p7zip/-/pipelines
    https://salsa.debian.org/debian/p7zip-rar/-/pipelines
  - Final reverse dependencies testing, investigating false positives.
  - Fix upcoming bookworm version in the security tracker.
  - trixie update released: 7zip (upgrade fix)
  - Stable Point Updates (SPU)
    https://www.debian.org/News/2026/20260516
    - bookworm updates released: p7zip, p7zip-rar, 7zip
  - Old-Stable Point Updates (OSPU)
    https://www.debian.org/News/2026/2026051602
    - bullseye updates released: p7zip, p7zip-rar
      DLA-4576-1, DLA-4577-1
      https://lists.debian.org/debian-lts-announce/2026/05/msg00020.html
      https://lists.debian.org/debian-lts-announce/2026/05/msg00021.html
- zulucrypt
  - Confirm high vulnerability CVE-2025-53391 on bullseye
  - Ask for removal as package is not maintained
    RM: zulucrypt/5.7.1-2
    https://bugs.debian.org/1135634
- rails
  - Fixes to previous upload, following buster work (see below).
  - Address serialization vulnerability (CVE-2022-32224), including
    subsequent fixes to maximize backward compatibility.
  - DLA-4578-1
    https://lists.debian.org/debian-lts-announce/2026/05/msg00022.html
- Front Desk (week 21 2026)
  - High CVE activity and a bit of backlog to deal with
  - Mark 29 packages for update
  - Triage or precise bullseye triage for ~150 CVEs
  - Tidy work queue and team package information for 3 packages
  - Reference missing bookworm erlang CVEs fixed in Debian 12.14

ELTS

- rails
  - Fix serialization vulnerability (CVE-2022-32224), including
    subsequent fixes to maximize backward compatibility.
  - Rework testing: disable test suite on build as it produces
    inconsistent results, ensure it reports failures from autopkgtest.
  - Rework a few unreleased patches and fix tests.
  - Reverse-dependencies testing, check false positives.
  - ELA-1716-1 (15 CVEs)
    https://www.freexian.com/lts/extended/updates/ela-1716-1-rails/
- Front Desk (week 21 2026)
  - High CVE activity and a bit of backlog to deal with
  - Mark 29 supported packages for update, drop 1 package
  - Triage or precise bullseye triage for >80 CVEs
  - Tidy work queue and update status for 3 packages
  - Associate CVEs from newer, branched Debian packages with different
    names to older ELTS packages (golang*, mongodb*, netty*, python*,
    ruby*, unbound*); reference libyang/libyang2
  - Clean-up obsolete and unimportant-priority ELTS entries
  - Prepare FD week a bit beforehand: fix openjdk triage, reference
    not-affected openssl/openssl1.0 CVEs, reference released DSAs in
    the work queue.

Common documentation and tooling

- Public documentation
  - TestSuites: rails
    rework for buster and bullseye, test against redmine when
    possible, patch validation process, test more components
    https://lts-team.pages.debian.net/wiki/TestSuites/rails.html
  - April recap
    https://lists.debian.org/debian-lts/2026/05/msg00030.html
- Tooling
  - lts-cve-triage.py: fix exception in corner case
  - debusine: report issue
    Regression analysis reports regressions introduced by other packages
    https://salsa.debian.org/freexian-team/debusine/-/work_items/1461
- Team/users help
  - curl bug report in (obsolete) jessie-elts
    https://lists.debian.org/debian-lts/2026/05/msg00011.html
  - proftpd-dfsg: help guide maintainer for LTS upload
    https://lists.debian.org/debian-lts/2026/05/msg00021.html
  - ruby SPU: suggest alternate course of action, more likely to be accepted
    https://bugs.debian.org/1103854#31
  - Freexian Security Policy (draft): feedback
- Team meeting (IRC)
  https://meetbot.debian.net/debian-lts/2026/debian-lts.2026-05-28-14.00.html

--
Sylvain Beucler
Debian LTS Team