I've worked during may on the below listed packages, for Freexian LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity! imagemagick -------------------- As usual a huge part of my time was consecrated to imagemagick. Note that backport is difficult due to fixes accross two major version * I released DLA-4559-1 fixing CVE-2026-33899 CVE-2026-33900 CVE-2026-33901 CVE-2026-33905 CVE-2026-33908 CVE-2026-34238 CVE-2026-40310 CVE-2026-40311 * I relased ELA-1706-1 fixing CVE-2026-33899 CVE-2026-33900 CVE-2026-33901 CVE-2026-33905 CVE-2026-33908 CVE-2026-34238 CVE-2026-40310 CVE-2026-40311 CVE-2026-42050 * Released sid version fixing CVE-2026-42050, CVE-2026-42326, CVE-2026-45031, CVE-2026-45358, CVE-2026-45359, CVE-2026-45624, CVE-2026-45664, CVE-2026-46520, CVE-2026-46521, CVE-2026-46522, CVE-2026-46523, CVE-2026-46557, CVE-2026-46559, CVE-2026-46692, CVE-2026-46693, CVE-2026-47165, CVE-2026-47166 * I backport to trixie and security team release DSA-6298-1 CVE-2026-42050, CVE-2026-42326, CVE-2026-45031, CVE-2026-45358, CVE-2026-45359, CVE-2026-45624, CVE-2026-45664, CVE-2026-46520, CVE-2026-46521, CVE-2026-46522, CVE-2026-46523, CVE-2026-46557, CVE-2026-46559, CVE-2026-46692, CVE-2026-46693, CVE-2026-47165, CVE-2026-47166 * I backport to bookworm and security team release DSA-6310-1 fixing CVE-2026-42050, CVE-2026-42326, CVE-2026-45031, CVE-2026-45358, CVE-2026-45359, CVE-2026-45624, CVE-2026-45664, CVE-2026-46520, CVE-2026-46521, CVE-2026-46522, CVE-2026-46523, CVE-2026-46559, CVE-2026-46692, CVE-2026-46693, CVE-2026-47165, CVE-2026-47166 * I released DLA-4609-1 fixing the same CVE * I Backport to buster * I Investigate failure for rmagick i386/buster * I backport Backport to stretch apache2 ------------- I fixed CVE-2026-24072 CVE-2026-29169 CVE-2026-33006 CVE-2026-33007 CVE-2026-33523 CVE-2026-33857 CVE-2026-34032 CVE-2026-34059 I dtermined that CVE-2026-23918 does not affects buster and stretch I Fix buster and released ELA-1719- I Triaged stretch and Backport to stretch Here main difficulty was I need to backport some function from apr-utils. Because changes are self contained I determine a static helper was the best course of action I release strech ELA-1728-1 nodejs ---------- Note here we are without upstream support (EOL). Moreover I contacted for some CVE suse because they mistriagged. I was thanks and acknowledged I Release DSA 6272-1 that fix CVE-2025-23085 CVE-2025-23166 CVE-2025-55131 CVE-2025-59465 CVE-2025-59466 CVE-2026-21710 CVE-2026-21713 CVE-2026-21714 For bullseye, I determine that CVE-2025-55131 is not a concern for bullseye. I also determine that CVE-2025-59466 should be ignored (experimental feature) Finally I etermine that CVE-2026-21710 is not present (vulnerable code introduced later) I propose a release DLA-4598-1 fixing CVE-2025-59465 CVE-2026-21637 CVE-2026-21714 For buster, I triage and fix remaining CVE I release ELA-1734-1 Review ----------- Review patches for nghttp2 Investigate failure of ca-certificate-java on buster with arnaudr Cheers rouca [1] https://www.freexian.com/lts/ [2] https://www.freexian.com/lts/debian/#sponsors
signature.asc
Description: This is a digitally signed message part.
