LTS report April 2025
=====================

1. php-twig: As written in my previous report, the fix for CVE-2024-51755 was a breaking change, and it turned out the patch for CVE-2025-24374 was broken too. I believe I could address CVE-2024-51754 though and will release the update as is now. There is not much we can do about the two other CVEs at this point, and I would rather suggest upgrading to php-twig in bookworm if these issues are of any concern to you. I plan to address these issues there via a bookworm point update soon.

2. I continued the work on edk2, the open source implementation of the Unified Extensible Firmware Interface. In total I have been working on 19 different CVEs now. edk2 comes with some integrated automated tests but takes quite a long time to build, which makes it a bit of a hassle to debug bugs. I also did some QEMU tests and am confident that I can release the update soon.

3. tomcat9: I am in the middle of upgrading tomcat9 to the latest supported upstream version. Although this is something we try to avoid in LTS releases, I feel this is necessary to fix HTTP2-related issues such as CVE-2024-34750 or CVE-2025-31650. There have been many changes and improvements to the HTTP2 codebase over the last two years, and some of these changes are a requirement to address newly discovered CVEs. It is impossible to tell whether there are undetected vulnerabilities in our tomcat9 version which may have been fixed with other previous upstream releases. Applications should all continue to work without any changes, but we will monitor the situation closely.

   I prepared a new version for unstable and will upload it first. Although this is not strictly necessary since we have removed the tomcat server stack there, it makes sense to have the latest release also in our new upcoming stable release. We also need to find a way to update bookworm in order to synchronize the versions across all distributions. The same situation applies there (no server stack) and theoretically we could skip it, but I intend to ask the stable release team for advice.