The Debian LTS Team, funded by Freexian’s Debian LTS offering, is pleased to report its activities for January.
Activity summary
During the month of January, 20 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).
The team released 33 DLAs fixing 216 CVEs.
The team continued preparing security updates in its usual rhythm. Beyond the updates targeting Debian 11 (“bullseye”), which is the current release under LTS, the team also proposed updates for more recent releases (Debian 12 (“bookworm”) and Debian 13 (“trixie”)), including Debian unstable. We highlight several notable security updates below.
Notable security updates:
- python3.9, prepared by Andrej Shadura (DLA-4455-1), fixing multiple vulnerabilities in the Python interpreter.
- php, prepared by Guilhem Moulin (DLA-4447-1), fixing two vulnerabilities that could lead to request forgery or denial of service.
- apache2, prepared by Bastien Roucariès (DLA-4452-1), fixing four CVEs.
- linux-6.1, prepared by Ben Hutchings (DLA-4436-1), as a regular update of the linux 6.1 backport to Debian 11.
- python-django, prepared by Chris Lamb (DLA-4458-1), resolving multiple vulnerabilities.
- firefox-esr, prepared by Emilio Pozuelo Monfort (DLA-4439-1).
- gnupg2, prepared by Roberto Sánchez (DLA-4437-1), fixing multiple issues, including CVE-2025-68973 that could potentially be exploited to execute arbitrary code.
- apache-log4j2, prepared by Markus Koschany (DLA-4444-1).
- ceph, prepared by Utkarsh Gupta (DLA-4460-1).
- inetutils, prepared by Andreas Henriksson (DLA-4453-1), fixing an authentication bypass in telnetd.
Moreover, Sylvain Beucler studied the security support status of p7zip, a fork of 7zip that has become unmaintained upstream. To avoid leaving users with an unsupported package, Sylvain has investigated a path forward in collaboration with the security team and the 7zip maintainer, looking to replace p7zip with 7zip. Note, however, that the 7zip developers do not disclose which patches fix CVEs, making it difficult to backport individual patches to fix vulnerabilities in released Debian versions.
Contributions from outside the LTS Team:
Thunderbird, prepared by maintainer Christoph Goehre. The DLA (DLA-4442-1) was published by Emilio.
The LTS Team has also contributed with updates to the latest Debian releases:
- Bastien uploaded gpsd to unstable, and proposed updates for trixie #1126121 and bookworm #1126168 to fix two CVEs.
- Bastien also prepared the imagemagick updates for trixie and bookworm, released as DSA-6111-1, along with the bullseye update DLA-4448-1.
- Chris proposed a trixie point update for python-django (#112646), and the work for bookworm was completed in February (#1079454). The long-standing bookworm update required tracking down a regression in the django-storages package.
- Markus prepared tomcat10 updates for trixie and bookworm (DSA-6120-1), and tomcat11 for trixie (DSA-6121-1).
- Thorsten Alteholz prepared bookworm point updates for zvbi (#1126167) to fix five CVEs; taglib (#1126273) to fix one CVE; and libuev (#1126370) to fix one CVE.
- Utkarsh prepared an unstable update of node-lodash to fix one CVE.
Other than the work related to updates, Sylvain made several improvements to the documentation and tooling used by the team.
Individual Debian LTS contributor reports
- Abhijith PA
- Andreas Henriksson
- Andrej Shadura
- Bastien Roucariès
- Ben Hutchings
- Carlos Henrique Lima Melara
- Chris Lamb
- Daniel Leidert
- Emilio Pozuelo Monfort
- Guilhem Moulin
- Jochen Sprickerhof
- Lee Garrett
- Markus Koschany
- Paride Legovini
- Roberto C. Sánchez
- Santiago Ruano Rincón
- Sylvain Beucler
- Thorsten Alteholz
- Tobias Frost
- Utkarsh Gupta
Thanks to our sponsors
Sponsors that joined recently are in bold.
- Platinum sponsors:
- Toshiba Corporation (for 124 months)
- Civil Infrastructure Platform (CIP) (for 92 months)
- VyOS Inc (for 56 months)
- Gold sponsors:
- F. Hoffmann-La Roche AG (for 134 months)
- CONET Deutschland GmbH (for 118 months)
- Plat’Home (for 117 months)
- University of Oxford (for 74 months)
- EDF SA (for 46 months)
- Dataport AöR (for 21 months)
- CERN (for 19 months)
- Silver sponsors:
- Domeneshop AS (for 139 months)
- Nantes Métropole (for 133 months)
- Akamai - Linode (for 129 months)
- Univention GmbH (for 125 months)
- Université Jean Monnet de St Etienne (for 125 months)
- Ribbon Communications, Inc. (for 119 months)
- Exonet B.V. (for 109 months)
- Leibniz Rechenzentrum (for 103 months)
- Ministère de l’Europe et des Affaires Étrangères (for 87 months)
- Dinahosting SL (for 74 months)
- Upsun Formerly Platform.sh (for 68 months)
- Deveryware (for 62 months)
- Moxa Inc. (for 62 months)
- sipgate GmbH (for 60 months)
- OVH US LLC (for 58 months)
- Tilburg University (for 58 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 49 months)
- THINline s.r.o. (for 22 months)
- Copenhagen Airports A/S (for 16 months)
- Conseil Départemental de l’Isère
- Bronze sponsors:
- Seznam.cz, a.s. (for 140 months)
- Evolix (for 139 months)
- Linuxhotel GmbH (for 137 months)
- Intevation GmbH (for 136 months)
- Daevel SARL (for 135 months)
- Megaspace Internet Services GmbH (for 134 months)
- Greenbone AG (for 133 months)
- NUMLOG (for 133 months)
- WinGo AG (for 132 months)
- Entr’ouvert (for 124 months)
- Adfinis AG (for 121 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 116 months)
- Tesorion (for 116 months)
- Bearstech (for 107 months)
- LiHAS (for 107 months)
- Catalyst IT Ltd (for 102 months)
- Demarcq SAS (for 96 months)
- Université Grenoble Alpes (for 82 months)
- TouchWeb SAS (for 74 months)
- SPiN AG (for 71 months)
- CoreFiling (for 67 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 58 months)
- Tem Innovations GmbH (for 53 months)
- WordFinder.pro (for 53 months)
- CNRS DT INSU Résif (for 51 months)
- Soliton Systems K.K. (for 47 months)
- Alter Way (for 44 months)
- Institut Camille Jordan (for 34 months)
- SOBIS Software GmbH (for 19 months)
- Tuxera Inc. (for 10 months)
- OPM-OP AS