Freexian Collaborators: Monthly report about Debian Long Term Support, January 2026 (by Santiago Ruano Rincón)

The Debian LTS Team, funded by Freexian’s Debian LTS offering,
is pleased to report its activities for January.

Activity summary

During the month of January, 20 contributors have been
paid to work on Debian LTS (links to individual
contributor reports are located below).

The team released 33 DLAs
fixing 216 CVEs.

The team continued preparing security updates in its usual rhythm. Beyond the
updates targeting Debian 11 (“bullseye”), which is the current release under LTS,
the team also proposed updates for more recent releases (Debian 12 (“bookworm”)
and Debian 13 (“trixie”)), including Debian unstable. We highlight several notable
security updates here below.

Notable security updates:

  • python3.9, prepared by Andrej Shadura
    (DLA-4455-1),
    fixing multiple vulnerabilities in the Python interpreter.
  • php, prepared by Guilhem Moulin
    (DLA-4447-1),
    fixing two vulnerabilities that could lead to request forgery or denial of
    service.
  • apache2, prepared by Bastien Roucariès
    (DLA-4452-1), fixing
    four CVEs.
  • linux-6.1, prepared by Ben Hutchings
    (DLA-4436-1), as a
    regular update of the linux 6.1 backport to Debian 11.
  • python-django, prepared by Chris Lamb
    (DLA-4458-1),
    resolving multiple vulnerabilities.
  • firefox-esr, prepared by Emilio Pozuelo Monfort
    (DLA-4439-1).
  • gnupg2, prepared by Roberto Sánchez
    (DLA-4437-1),
    fixing multiple issues, including
    CVE-2025-68973
    that could potentially be exploited to execute arbitrary code.
  • apache-log4j2, prepared by Markus Koschany
    (DLA-4444-1).
  • ceph, prepared by Utkarsh Gupta
    (DLA-4460-1).
  • inetutils, prepared by Andreas Henriksson
    (DLA-4453-1),
    fixing an authentication bypass in telnetd.

Moreover, Sylvain Beucler studied the security support status of p7zip, a fork
of 7zip that has become unmaintained upstream. To avoid leaving users on an
unsupported package, Sylvain has investigated a path forward, in collaboration
with the security team and the 7zip maintainer, to replace p7zip with 7zip.
Note, however, that the 7zip developers do not disclose which changes fix
particular CVEs, which makes it difficult to backport individual patches to fix
vulnerabilities in released Debian versions.

Contributions from outside the LTS Team:

Thunderbird, prepared by maintainer Christoph Goehre. The DLA
(DLA-4442-1) was
published by Emilio.

The LTS Team has also contributed with updates to the latest Debian releases:

  • Bastien uploaded gpsd to
    unstable,
    and proposed updates for trixie #1126121
    and bookworm #1126168 to fix two CVEs.
  • Bastien also prepared the imagemagick updates for trixie and bookworm,
    released as
    DSA-6111-1, along
    with the bullseye update
    DLA-4448-1.
  • Chris proposed a trixie point update for python-django
    (#112646), and the work for bookworm was
    completed in February (#1079454). The
    longstanding bookworm update required tracking down a regression in the
    django-storages packages.
  • Markus prepared tomcat10 updates for trixie and bookworm
    (DSA-6120-1), and
    tomcat11 for trixie
    (DSA-6121-1).
  • Thorsten Alteholz prepared bookworm point updates for zvbi
    (#1126167) to
    fix five CVEs; taglib
    (#1126273) to fix
    one CVE; and libuev
    (#1126370) to fix
    one CVE.
  • Utkarsh prepared an unstable update of
    node-lodash
    to fix one CVE.

Other than the work related to updates, Sylvain made several improvements to
the documentation and tooling used by the team.

Individual Debian LTS contributor reports

Thanks to our sponsors

Sponsors that joined recently are in bold.