I've worked during may on the below listed packages, for Freexian
LTS/ELTS [1]

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

imagemagick
--------------------

As usual a huge part of my time was consecrated to imagemagick. Note that 
backport is difficult due to fixes accross two major version 

* I released DLA-4559-1 fixing
   CVE-2026-33899 CVE-2026-33900 CVE-2026-33901 CVE-2026-33905 CVE-2026-33908 
CVE-2026-34238 CVE-2026-40310 CVE-2026-40311
* I relased ELA-1706-1 fixing
  CVE-2026-33899 CVE-2026-33900 CVE-2026-33901 CVE-2026-33905 CVE-2026-33908 
CVE-2026-34238 CVE-2026-40310 CVE-2026-40311 CVE-2026-42050
* Released sid version fixing
   CVE-2026-42050, CVE-2026-42326, CVE-2026-45031, CVE-2026-45358, 
CVE-2026-45359, CVE-2026-45624, CVE-2026-45664, CVE-2026-46520, 
  CVE-2026-46521, CVE-2026-46522, CVE-2026-46523, CVE-2026-46557, 
CVE-2026-46559, CVE-2026-46692, CVE-2026-46693, CVE-2026-47165, CVE-2026-47166
* I backport to trixie and security team release DSA-6298-1
   CVE-2026-42050, CVE-2026-42326, CVE-2026-45031, CVE-2026-45358, 
CVE-2026-45359, CVE-2026-45624, CVE-2026-45664, CVE-2026-46520, CVE-2026-46521, 
   CVE-2026-46522, CVE-2026-46523, CVE-2026-46557, CVE-2026-46559, 
CVE-2026-46692, CVE-2026-46693, CVE-2026-47165, CVE-2026-47166
* I backport to bookworm and security team release DSA-6310-1 fixing
   CVE-2026-42050, CVE-2026-42326, CVE-2026-45031, CVE-2026-45358, 
CVE-2026-45359, CVE-2026-45624, CVE-2026-45664, CVE-2026-46520, CVE-2026-46521, 
   CVE-2026-46522, CVE-2026-46523, CVE-2026-46559, CVE-2026-46692, 
CVE-2026-46693, CVE-2026-47165, CVE-2026-47166
* I released DLA-4609-1 fixing the same CVE
* I Backport to buster
* I Investigate failure for rmagick i386/buster
* I backport Backport to stretch

apache2
-------------
I fixed CVE-2026-24072 CVE-2026-29169 CVE-2026-33006 CVE-2026-33007 
CVE-2026-33523 CVE-2026-33857 CVE-2026-34032 CVE-2026-34059
I dtermined that CVE-2026-23918 does not affects buster and stretch
I  Fix buster and released ELA-1719-
I Triaged stretch and Backport to stretch

Here main difficulty was I need to backport some function from apr-utils. 
Because changes are self contained I determine a static helper
was the best course of action

I release strech ELA-1728-1

nodejs
----------

Note here we are without upstream support (EOL). Moreover I contacted for some 
CVE suse because they mistriagged.
I was thanks and acknowledged

I Release DSA 6272-1 that fix CVE-2025-23085 CVE-2025-23166 CVE-2025-55131
CVE-2025-59465 CVE-2025-59466 CVE-2026-21710
CVE-2026-21713 CVE-2026-21714

For bullseye, I determine that CVE-2025-55131 is not a concern for bullseye.
I also determine that CVE-2025-59466 should be ignored (experimental feature)
Finally I etermine that CVE-2026-21710 is not present (vulnerable code 
introduced later)
I propose a release  DLA-4598-1 fixing CVE-2025-59465 CVE-2026-21637 
CVE-2026-21714

For buster, I triage and fix remaining CVE I release ELA-1734-1


Review
-----------

Review patches for nghttp2
Investigate failure of ca-certificate-java on buster with arnaudr

Cheers

rouca

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to