LTS report November 2024
=========================

1. I have been working on updating libxstream-java, mainly fixing CVE-2024-47072 and CVE-2021-43859. It is used in several other important packages to parse XML code. This update is mostly done and will be released in the 50th week of 2024.

2. I revisited CVE-2024-10963 in pam, a core Linux package. Eventually upstream decided to act on the problem and introduced a new configuration option to mitigate the problem. The change would require manual interaction by users. During the discussion it turned out that the problem was introduced in pam 1.5.3, which is only shipped in Debian testing and sid. Users of Debian 11 and Debian 12 are not affected.

3. I continued the work on upgrading all tomcat releases in Debian. The new versions will be available in the 50th/51st week of 2024.

4. I continued the work on jetty9, fixing 4 CVEs in Debian 11 and Debian 12.