LTS report February 2025
========================

1. I backported jetty9 version 9.4.56 to bookworm and bullseye in order to address CVE-2024-8184 and CVE-2024-9823. Since Jetty 9 has been discontinued upstream, there will be no targeted patches for CVE-2024-6763 and CVE-2024-6762. Looking closer at the problem at hand, both issues pose only a low risk to users, since it is unlikely that the affected features are used in production. Also, in both cases sensible workarounds do exist. A new jetty9 version 9.4.57 was uploaded to unstable only recently. I decided to incorporate the changes in the upcoming update and delayed the security release to give users more time for feedback in case of an unlikely regression.

2. I completed the update for openjpeg2 fixing 5 CVEs. While testing the security release I discovered a regression in one of the patches which may lead to memory exhaustion in some cases. Eventually I could identify an upstream commit which appeared to remedy the problem. There are still four open CVEs which have not been acknowledged or worked on upstream. For now those issues have been postponed and we will look at them again as soon as more information is available.

3. Together with Emmanuel Bourg I have been working on jetty12 which will replace jetty9 in Debian. I have been tasked with looking into better support for the new jetty server configuration and replacing the dependency on libjetty9-java with the new binary package libjetty12-java in Debian's Java ecosystem. This is relevant for long-term users since Jetty is, apart from Tomcat, one of the supported servlet engines and web servers.

4. We also took a stab at updating bouncycastle, a Java library which implements various security and encryption algorithms. Like last time this caused various autopkgtest regressions in reverse-dependencies. Currently it is doubtful whether 1.80 can migrate to testing and be part of the next stable release. The current version 1.77 has been stable and reliable though.

5. I have been LTS frontdesk from 03.02.2025 until 09.02.2025 triaging newly discovered CVEs in supported packages.