Hi everyone,

In June, I worked on backporting the integration tests from ansible-core/sid to ansible/buster. While running the test suite against both the unpatched and patched trees, I identified several regressions introduced by earlier CVE fixes and resolved all of them.

One particularly notable regression was related to the fix for CVE-2020-14330. A commit had been backported that was never accepted upstream because it introduced regressions. As a result, it broke the integration tests for an earlier fix (CVE-2021-20228). Tracking this down required bisecting the commits in the packaging repository and repeatedly running a substantial portion of the test suite, with most of the effort spent waiting for the tests to complete.

I also reviewed the bind9/stretch security fixes prepared by Bastien Roucariès, where I found a regression in the fix that was backported to earlier branches by upstream.

Additionally, I fixed CVE-2026-11332 in ansible-core/trixie in preparation for the upcoming ansible LTS fix.

For vim/trixie, I coordinated with the Vim maintainer and fixed the following 
CVEs:

- CVE-2025-53905
- CVE-2025-53906
- CVE-2026-25749
- CVE-2026-26269
- CVE-2026-28417
- CVE-2026-28418
- CVE-2026-28419
- CVE-2026-28420
- CVE-2026-28421
- CVE-2026-28422
- CVE-2026-32249
- CVE-2026-33412
- CVE-2026-34982
- CVE-2026-35177
- CVE-2026-39881

I will release those fixes once I have backported all fixes and thoroughly tested the final package candidate.

Thanks to our sponsors for making this work possible, and to Freexian for coordinating these efforts!

Regards,
Lee Garrett,
Debian LTS Team

Reply via email to