Hi everyone,
In June, I worked on backporting the integration tests from ansible-core/sid to
ansible/buster. While running the test suite against both the unpatched and
patched trees, I identified several regressions introduced by earlier CVE fixes
and resolved all of them.
One particularly notable regression was related to the fix for CVE-2020-14330. A
commit had been backported that was never accepted upstream because it
introduced regressions. As a result, it broke the integration tests for an
earlier fix (CVE-2021-20228). Tracking this down required bisecting the commits
in the packaging repository and repeatedly running a substantial portion of the
test suite, with most of the effort spent waiting for the tests to complete.
I also reviewed the bind9/stretch security fixes prepared by Bastien Roucariès,
where I found a regression in the fix that was backported to earlier branches by
upstream.
Additionally, I fixed CVE-2026-11332 in ansible-core/trixie in preparation for
the upcoming ansible LTS fix.
For vim/trixie, I coordinated with the Vim maintainer and fixed the following
CVEs:
- CVE-2025-53905
- CVE-2025-53906
- CVE-2026-25749
- CVE-2026-26269
- CVE-2026-28417
- CVE-2026-28418
- CVE-2026-28419
- CVE-2026-28420
- CVE-2026-28421
- CVE-2026-28422
- CVE-2026-32249
- CVE-2026-33412
- CVE-2026-34982
- CVE-2026-35177
- CVE-2026-39881
I will release those fixes once I have backported all fixes and thoroughly
tested the final package candidate.
Thanks to our sponsors for making this work possible, and to Freexian for
coordinating these efforts!
Regards,
Lee Garrett,
Debian LTS Team