The Debian LTS Team, funded by [Freexian’s Debian LTS offering](https://www.freexian.com/lts/debian/), is pleased to report its activities for December.
Activity summary
During the month of December, 18 contributors were paid to work on Debian LTS (links to individual contributor reports are located below).
The team released 41 DLAs fixing 252 CVEs.
The team currently focuses on preparing security updates for Debian 11 “bullseye”, but also looks to contribute updates for Debian 12 “bookworm”, Debian 13 “trixie” and even Debian unstable.
Notable security updates:
- libsoup2.4 (DLA-4398-1), prepared by Andreas Henriksson, fixing several vulnerabilities.
- glib2.0 (DLA-4412-1), published by Emilio Pozuelo Monfort, addressing multiple issues.
- lasso (DLA-4397-1), prepared by Sylvain Beucler, addressing multiple issues, including a critical remote code execution (RCE) vulnerability (CVE-2025-47151).
- roundcube (DLA 4415-1), prepared by Guilhem Moulin, fixing a cross-site scripting (XSS) vulnerability (CVE-2025-68461) and an information disclosure vulnerability (CVE-2025-68460).
- mediawiki (DLA 4428-1), published by Guilhem, fixing multiple vulnerabilities that could lead to information disclosure, denial of service or privilege escalation.
- While the DLA has not been published yet, Charles Henrique Melara proposed upstream fixes for seven CVEs in ffmpeg: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21275.
- python-apt (DLA 4408-1), prepared by Utkarsh Gupta, in coordination with the Debian Security Team and Julian Andres Klode, the apt maintainer.
- libpng1.6 (DLA-4396-1), published by Tobias Frost, completing the work started the previous month.
Notable non-security updates:
- tzdata (DLA-4403-1), prepared by Emilio, including the latest changes to the leap second list and its expiry date, which was set for the end of December.
Contributions from outside the LTS Team:
- Christoph Berg, co-maintainer of PostgreSQL in Debian, prepared a postgresql-13 update, released as DLA-4420-1.
The LTS Team has also contributed updates to the latest Debian releases:
- Andreas proposed trixie and bookworm point updates for pgbouncer
- Abhijith PA prepared a bookworm point update for php-dompdf
- Thorsten Alteholz prepared an unstable update and a trixie point update for libcoap3
- Thorsten prepared or completed different updates for unstable, trixie and bookworm for packages related to cups: an unstable update of cups to fix several issues related to the latest security update, a trixie point update for libcupsfilters, and trixie and bookworm point updates for cups-filter.
- Bastien Roucariès prepared unstable, trixie and bookworm point updates for imagemagick
- Bastien completed the bookworm point update for angular.js and the bookworm point update for squid.
- Charles completed the bookworm point update for gdk-pixbuf.
- Utkarsh prepared a trixie update for wordpress, which was released as DSA-6091-1.
- Tobias prepared bookworm and trixie updates for libpng1.6, released as DSA-6076-1.
- Tobias prepared sogo updates targeting unstable, and point updates for trixie and bookworm.
Individual Debian LTS contributor reports
- Abhijith PA
- Andreas Henriksson
- Andrej Shadura
- Bastien Roucariès
- Ben Hutchings
- Carlos Henrique Lima Melara
- Chris Lamb
- Daniel Leidert
- Emilio Pozuelo Monfort
- Guilhem Moulin
- Jochen Sprickerhof
- Markus Koschany
- Roberto C. Sánchez
- Santiago Ruano Rincón
- Sylvain Beucler
- Thorsten Alteholz
- Tobias Frost
- Utkarsh Gupta
Thanks to our sponsors
Sponsors that joined recently are in bold.
- Platinum sponsors:
  - Toshiba Corporation (for 123 months)
  - Civil Infrastructure Platform (CIP) (for 91 months)
  - VyOS Inc (for 55 months)
- Gold sponsors:
  - F. Hoffmann-La Roche AG (for 133 months)
  - CONET Deutschland GmbH (for 117 months)
  - Plat’Home (for 116 months)
  - University of Oxford (for 73 months)
  - EDF SA (for 45 months)
  - Dataport AöR (for 20 months)
  - CERN (for 18 months)
- Silver sponsors:
  - Domeneshop AS (for 138 months)
  - Nantes Métropole (for 132 months)
  - Akamai - Linode (for 128 months)
  - Univention GmbH (for 124 months)
  - Université Jean Monnet de St Etienne (for 124 months)
  - Ribbon Communications, Inc. (for 118 months)
  - Exonet B.V. (for 108 months)
  - Leibniz Rechenzentrum (for 102 months)
  - Ministère de l’Europe et des Affaires Étrangères (for 86 months)
  - Dinahosting SL (for 73 months)
  - Upsun Formerly Platform.sh (for 67 months)
  - Deveryware (for 61 months)
  - Moxa Inc. (for 61 months)
  - sipgate GmbH (for 59 months)
  - OVH US LLC (for 57 months)
  - Tilburg University (for 57 months)
  - GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 48 months)
  - THINline s.r.o. (for 21 months)
  - Copenhagen Airports A/S (for 15 months)
  - Conseil Départemental de l’Isère
- Bronze sponsors:
  - Seznam.cz, a.s. (for 139 months)
  - Evolix (for 138 months)
  - Intevation GmbH (for 135 months)
  - Linuxhotel GmbH (for 135 months)
  - Daevel SARL (for 134 months)
  - Megaspace Internet Services GmbH (for 133 months)
  - Greenbone AG (for 132 months)
  - NUMLOG (for 132 months)
  - WinGo AG (for 131 months)
  - Entr’ouvert (for 123 months)
  - Adfinis AG (for 120 months)
  - Laboratoire LEGI - UMR 5519 / CNRS (for 115 months)
  - Tesorion (for 115 months)
  - Bearstech (for 106 months)
  - LiHAS (for 106 months)
  - Catalyst IT Ltd (for 101 months)
  - Demarcq SAS (for 95 months)
  - Université Grenoble Alpes (for 81 months)
  - TouchWeb SAS (for 73 months)
  - SPiN AG (for 70 months)
  - CoreFiling (for 66 months)
  - Observatoire des Sciences de l’Univers de Grenoble (for 57 months)
  - Tem Innovations GmbH (for 52 months)
  - WordFinder.pro (for 52 months)
  - CNRS DT INSU Résif (for 50 months)
  - Soliton Systems K.K. (for 46 months)
  - Alter Way (for 43 months)
  - Institut Camille Jordan (for 33 months)
  - SOBIS Software GmbH (for 18 months)
  - Tuxera Inc. (for 9 months)
  - OPM-OP AS