LTS report March 2025
=====================

1. I have been the LTS frontdesk from 24.03.2025 to 30.03.2025. I was responsible for triaging newly discovered CVEs in packages such as vim, augeas, geshi, gnupg2, libxslt, pandas, xorg-server, mariadb, mercurial, atop, exim4, php-horde, squid3, varnish, zvbi, cifs-utils, corosync, erlang, ffmpeg, fig2dev, golang-1.11, golang-go.crypto, golang-golang-x-oauth2, gunicorn, libdata-entropy-perl, libmatio, mbedtls, mongo-c-driver, rabbitmq-server, simplesamlphp and tomcat9.

2. DLA-4108-1. Prepared and issued a security update for tomcat9 fixing 1 CVE in bullseye.

3. DSA-5893-1. Prepared and issued a security update for tomcat10 fixing 1 CVE in bookworm. As usual, the update was in line with our long-standing tomcat policy to have consistent security updates across all supported Debian releases, since tomcat10 will replace tomcat9 and be the next LTS-supported version of the popular Java web server and servlet engine.

4. DLA-4106-1 / DSA-5894-1. Issued the postponed security update for jetty9 fixing 3 CVEs in bullseye and bookworm. Both versions are identical. The jetty9 binary package was temporarily uninstallable because I missed the fact that the dependency strength on sysvinit-utils was incorrect for the bullseye update, which required a second upload, issued as DLA-4106-2, to address the problem. In addition, CVE-2024-6763 has been marked as unimportant because Jetty9 uses a completely different protocol standard.

5. DLA-4111-1. Issued a security update for commons-vfs fixing 1 CVE in bullseye. I plan to issue an update for bookworm shortly because the upstream versions are identical.

6. I have been working on a security update for php-twig, a popular PHP template engine. I noticed that CVE-2024-51755 introduces a breaking change. Currently I don't plan to address this minor issue because I fear this might break existing applications. I would rather advise upgrading to PHP Twig 3.x for anyone who is concerned about it.
   CVE-2024-51754: Bullseye users are only partially affected by this vulnerability because support for argument unpacking (SpreadUnary.php) was added later.

7. I have been working on fixing several security issues in edk2, the open source implementation of the Unified Extensible Firmware Interface. I had previously worked on it for the buster release and I intend to synchronize the patches for our stable release Debian 12 "bookworm" with these older versions.