ELTS report April 2025
======================

1. I completed and issued ELA-1402-1 fixing CVE-2024-47072 for libxstream-java in jessie and buster. The fix was straightforward and the tests showed no regressions.

2. I have been working on fixing CVE-2024-46901 in subversion, an advanced version control system, for all three supported ELTS distributions. While the underlying security issue could be addressed quickly, I discovered a build failure for our supported version in Debian 8 "jessie". The problem is unrelated to the newly applied security patch. Looking closer, I found that the error originated from the header file gmem.h in glib2.0. Apparently the inline keyword is not defined, which leads to a compiler error. I still need to investigate which glib2.0 patch introduced the regression and if there are other repercussions. A glib2.0 regression update for Jessie will follow shortly. The subversion security updates for stretch and buster have been uploaded to our build servers already and passed all tests.

3. I continued the work on edk2, the open source implementation of the Unified Extensible Firmware Interface. In total I have been working on 22 different CVEs now. edk2 comes with some integrated automated tests but takes quite a long time to build, which makes it a bit of a hassle to debug bugs. I also did some QEMU tests and am confident that I can release the update soon.

4. tomcat9: I am in the middle of upgrading tomcat9 to the latest supported upstream version. Although this is something we try to avoid in ELTS releases, I feel this is necessary to fix HTTP2 related issues such as CVE-2024-34750 or CVE-2025-31650. There have been many changes and improvements to the HTTP2 codebase over the last two years and some of these changes are a requirement to address newly discovered CVEs. It is impossible to tell whether there are undetected vulnerabilities in our tomcat9 version which may have been fixed with other previous upstream releases. Applications should all continue to work without any changes but we will monitor the situation closely.