Monthly report about Debian Long Term Support, February 2026

The Debian LTS Team, funded by [Freexian’s Debian LTS offering] (https://www.freexian.com/lts/debian/), is pleased to report its activities for February.

Activity summary

During the month of February, 20 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).

The team released 35 DLAs fixing 527 CVEs.

We also welcomed Arnaud Rebillout to the team and had to say farewell to Roberto, who left the team after more than nine years as part of it.

The team continued preparing security updates in its usual rhythm. Beyond the updates targeting Debian 11 (“bullseye”), which is the current release under LTS, the team also proposed updates for more recent releases (Debian 12 (“bookworm”) and Debian 13 (“trixie”)), including Debian unstable.

Notable security updates:

• Guilhem Moulin prepared DLA 4492-1 for gnutls28 to fix vulnerabilities which may led to Denial of Service
• Utkarsh Gupta prepared DLA 4464-1 for xrdp, to fix a a vulnerability that could allow remote attackers to execute arbitrary code on the target system
• Emilio Pozuelo Monfort prepared DLA-4465-1 to replace ClamAV 1.0 with ClamAV 1.4. This latter is the current LTS version supported by upstream.
• Markus Koschany prepared DLA 4468-1 for tomcat9, to fix a vulnerability that can be used to bypass security constraints.
• Santiago Ruano Rincón prepared DLA 4471-1 to update package debian-security-support, the Debian security coverage checker.
• Bastien Roucariès prepared DLA 4473-1 for zabbix, to fix a potential remote code execution vulnerability.
• Paride Legovini prepared DLA 4478-1 for tcpflow, to fix a vulnerability that might result in DoS and potentially code execution.
• Thorsten Alteholz prepared DLA 4477-1 for munge, to fix a vulnerability which may allow local users to leak the MUNGE cryptographic key and forge arbitrary credentials.
• Ben Hutchings prepared DLA 4475-1 and DLA 4476-1 for Linux kernel updates.
• Chris Lamb prepared DLA 4482-1 for ceph, to fix SSL certificate checking in the Python bindings.
• Andreas Henriksson prepared DLA 4491-1 to fix vulnerabilities in glib2.0, which could result in denial of service, memory corruption or potentially arbitrary code execution.

Contributions from outside the LTS Team:

• The update of nova was prepared by the maintainer, Thomas Goirand. The corresponding DLA 4486-1 was published by Carlos Henrique Lima Melara.
• The updates of thunderbird were prepared by the maintainer Christoph Goehre. The corresponding DLA 4466-1 and DLA 4495-1 was published by Emilio Pozuelo Monfort.

The LTS Team has also contributed with updates to the latest Debian releases:

• Jochen prepared a point update of wireshark for bookworm (#1127945).
• Jochen prepared point updates of erlang for trixie (#1127606) and bookworm (#1127607).
• Bastien helped preparing DSA 6160-1 for netty and uploaded a fixed package to unstable.
• Bastien prepared a point update of zabbix for trixie (#1127437).
• Tobias prepared a point update of modsecurity-crs for bookworm (#1128655).
• Tobias prepared a point update of busybox for bookworm (#1129503).
• Tobias helped preparing DSA 6138-1 for libpng1.6.
• Daniel prepared point updates of python-authlib for trixie (#1129477) and bookworm (#1129246).
• Ben uploaded several Linux kernel packages to trixie-backports and bookworm-backports.
• Ben prepared point updates of wireless-regdb for trixie and bookworm.

Other than the work related to updates, Sylvain made several improvements to the documentation and tooling used by the team.

Some milestones in the lifecycle of two Debian releases are just around the corner. The support of Debian 12 will be handover to the LTS team on June 11th 2026. After August 31st, support for Debain 11 will move from Debain LTS to ELTS managed by Freexian.

Individual Debian LTS contributor reports

• Abhijith PA
• Andreas Henriksson
• Arnaud Rebillout
• Bastien Roucariès
• Ben Hutchings
• Carlos Henrique Lima Melara
• Chris Lamb
• Daniel Leidert
• Emilio Pozuelo Monfort
• Guilhem Moulin
• Jochen Sprickerhof
• Lee Garrett
• Lucas Kanashiro
• Markus Koschany
• Paride Legovini
• Santiago Ruano Rincón
• Sylvain Beucler
• Thorsten Alteholz
• Tobias Frost
• Utkarsh Gupta

Thanks to our sponsors

Sponsors that joined recently are in bold.

• Platinum sponsors:
  • Toshiba Corporation (for 125 months)
  • Civil Infrastructure Platform (CIP) (for 93 months)
  • VyOS Inc (for 57 months)
• Gold sponsors:
  • F. Hoffmann-La Roche AG (for 135 months)
  • CONET Deutschland GmbH (for 119 months)
  • Plat’Home (for 118 months)
  • University of Oxford (for 75 months)
  • EDF SA (for 47 months)
  • Dataport AöR (for 22 months)
  • CERN (for 20 months)
• Silver sponsors:
  • Domeneshop AS (for 140 months)
  • Nantes Métropole (for 134 months)
  • Akamai - Linode (for 129 months)
  • Univention GmbH (for 126 months)
  • Université Jean Monnet de St Etienne (for 126 months)
  • Ribbon Communications, Inc. (for 120 months)
  • Exonet B.V. (for 110 months)
  • Leibniz Rechenzentrum (for 104 months)
  • Ministère de l’Europe et des Affaires Étrangères (for 88 months)
  • Dinahosting SL (for 75 months)
  • Upsun Formerly Platform.sh (for 69 months)
  • Moxa Inc. (for 63 months)
  • Deveryware (for 62 months)
  • sipgate GmbH (for 61 months)
  • OVH US LLC (for 59 months)
  • Tilburg University (for 59 months)
  • GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 50 months)
  • THINline s.r.o. (for 23 months)
  • Copenhagen Airports A/S (for 17 months)
  • Conseil Départemental de l’Isère (for 3 months)
• Bronze sponsors:
  • Evolix (for 140 months)
  • Seznam.cz, a.s. (for 140 months)
  • Intevation GmbH (for 137 months)
  • Linuxhotel GmbH (for 137 months)
  • Daevel SARL (for 136 months)
  • Megaspace Internet Services GmbH (for 135 months)
  • Greenbone AG (for 134 months)
  • NUMLOG (for 134 months)
  • WinGo AG (for 133 months)
  • Entr’ouvert (for 125 months)
  • Adfinis AG (for 122 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 117 months)
  • Tesorion (for 117 months)
  • Bearstech (for 108 months)
  • LiHAS (for 108 months)
  • Catalyst IT Ltd (for 103 months)
  • Demarcq SAS (for 97 months)
  • Université Grenoble Alpes (for 83 months)
  • TouchWeb SAS (for 75 months)
  • SPiN AG (for 72 months)
  • CoreFiling (for 68 months)
  • Observatoire des Sciences de l’Univers de Grenoble (for 59 months)
  • Tem Innovations GmbH (for 54 months)
  • WordFinder.pro (for 53 months)
  • CNRS DT INSU Résif (for 52 months)
  • Soliton Systems K.K. (for 47 months)
  • Alter Way (for 45 months)
  • Institut Camille Jordan (for 35 months)
  • SOBIS Software GmbH (for 20 months)
  • Tuxera Inc. (for 11 months)
  • OPM-OP AS (for 3 months)

par Thorsten Alteholz 13 mars, 2026 . Tags : debian-lts, planet-debian, report , 981 Mots.