Freexian Collaborators: Monthly report about Debian Long Term Support, November 2025 (by Santiago Ruano Rincón)

The Debian LTS Team, funded by [Freexian’s Debian LTS offering](https://www.freexian.com/lts/debian/),
is pleased to report its activities for November.

Activity summary

During the month of November, 18 contributors were
paid to work on Debian LTS (links to individual
contributor reports are located below).

The team released 33 DLAs
fixing 219 CVEs.

The LTS Team kept going with the usual cadence of preparing security updates for Debian
11 “bullseye”, but also for Debian 12 “bookworm”, Debian 13 “trixie” and even
Debian unstable.
As in previous months, we are pleased to say that there have been multiple
contributions of LTS uploads by Debian Fellows outside the regular LTS Team.

Notable security updates:

  • Guilhem Moulin prepared DLA 4365-1
    for unbound, a caching DNS resolver, fixing a cache poisoning vulnerability
    that could lead to domain hijacking.
  • Another update related to DNS software was made by Andreas Henriksson. Andreas
    completed the work on bind9, released as
    DLA 4364-1 to fix
    cache poisoning and Denial of Service (DoS) vulnerabilities.
  • Chris Lamb released DLA 4374-1
    to fix a potential arbitrary code execution vulnerability in pdfminer, a tool
    for extracting information from PDF documents.
  • Ben Hutchings published a regular security update for the linux 6.1 bullseye
    backport, as DLA 4379-1.
  • A couple of other important recurring updates were prepared by Emilio Pozuelo,
    who handled firefox-esr and thunderbird (in collaboration with Christoph
    Goehre), published as DLA 4370-1 and DLA 4372-1, respectively.

Contributions from fellows outside the LTS Team:

  • Thomas Goirand uploaded a bullseye update for keystone and swift.
  • Jeremy Bícha prepared the bullseye update for gst-plugins-base1.0.
  • As mentioned above, Christoph Goehre prepared the
    bullseye update for thunderbird.
  • Mathias Behrle provided feedback about the tryton-server and tryton-sao vulnerabilities that were disclosed last month, and helped to review the bullseye patches for tryton-server.

Other than the regular LTS updates for bullseye, the LTS Team has also
contributed updates to the latest Debian releases:

  • Bastien Roucariès prepared a bookworm update for
    squid,
    the web proxy cache server.
  • Carlos Henrique Lima Melara filed a bookworm point update
    request
    for gdk-pixbuf to fix
    CVE-2025-7345, a heap buffer overflow vulnerability that could lead to
    arbitrary code execution.
  • Daniel Leidert prepared bookworm and
    trixie updates for r-cran-gh to fix
    CVE-2025-54956, an issue that may expose user credentials in HTTP responses.
  • Along with the bullseye updates for unbound mentioned above, Guilhem helped
    to prepare the trixie update
    for unbound.
  • In collaboration with Lukas Märdian, Tobias Frost prepared trixie and
    bookworm updates for log4cxx, the C++ port of the logging framework for Java.
  • Jochen Sprickerhof prepared a bookworm update for syslog-ng.
  • Utkarsh completed the bookworm update
    for wordpress, addressing multiple security issues in the popular blogging
    tool.

Beyond security updates, there has been a significant effort in revamping our
documentation, aiming to make the processes clearer and more consistent for all
the members of the team. This work was mainly carried out by Sylvain, Jochen
and Roberto.

We would like to express our gratitude to the sponsors for making the Debian
LTS project possible. Also, special thanks to the fellows outside the LTS
team for their valuable help.

Individual Debian LTS contributor reports

Thanks to our sponsors

Sponsors that joined recently are in bold.