LTS report May 2025
===================

1. DLA 4186-1: I issued the security update of php-twig fixing 1 CVE in bullseye and tried to fix php-twig in bookworm as well. Unfortunately it turned out that the bookworm version was affected by the same problems as bullseye and that a patch would introduce a breaking change. If at all, I believe the best way to address all of those issues would be to upgrade to the latest version available in Debian testing, but since none of them are critical I advise making this decision on a case-by-case basis.

2. DLA 4187-1: Issued a security update of varnish, a high-performance web accelerator, fixing 1 CVE in bullseye which potentially allowed a remote attacker to smuggle additional requests. The flaw was well documented by the upstream developers and the update went smoothly.

3. DLA 4206-1: Issued a security update of asterisk, a private branch exchange, fixing 2 CVEs in bullseye. Most notably, this update introduced a new configuration option to prevent remote consoles from executing shell commands using the '!' prefix.

4. DLA 4207-1: Eventually I released the security update of edk2 fixing 16 CVEs in bullseye. Four CVE patches are postponed (CVE-2023-45236, CVE-2023-45237, CVE-2024-38797, CVE-2025-2295). Those issues will be addressed as soon as the new upstream release has been tested in Debian testing and unstable and the patches have been backported to bookworm first. This was a large update (the diff between the old and new version is 1 MB).

5. I have been updating the Firefox and Chromium browser add-on ublock-origin. I backported version 1.62.0 and applied a patch to address CVE-2025-4215. I fixed the same issue in Debian unstable (version 1.62.0+dfsg-2), in bookworm via a point update (1.62.0+dfsg-0+deb12u1) and in bullseye (1.62.0+dfsg-0+deb11u1). Due to a technical issue with Debian's build servers the update is delayed, but it is expected to be announced shortly.

6. The new tomcat9 security update is ready, but it will take a few more days to be tested. As it stands we will not backport this version to bookworm or trixie. It will have a smaller version number, so dist-upgrades should be easily possible, although that would mean you will actually downgrade to an older version. Since the server stack of tomcat9 has been removed in these distributions, it should be of no consequence though. If you want to preserve the bullseye version, then you have to use the apt pinning mechanism to keep the package on hold.

7. I have been the LTS front desk from 12.05.2025 to 18.05.2025 and triaged newly discovered CVEs in supported packages.
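As an added example (not part of this report and not Debian's own tooling), the apt pin referred to in item 6: a POSIX shell snippet that writes an apt_preferences stanza keeping the bullseye tomcat9 packages at priority 1001, so that a dist-upgrade to bookworm or trixie neither replaces nor removes them. The file name, the package globs and the priority are assumptions to adapt to the host; the check function needs a Debian system with apt and is only run when the script is invoked with the argument "apply".

```shell
#!/bin/sh
# Added example, not part of the LTS report. Pins the bullseye tomcat9 packages
# so that "apt-get dist-upgrade" leaves them alone. Package globs, file name and
# priority are assumptions; adjust them to what is actually installed.
set -eu

# A Pin-Priority above 1000 makes apt keep (or even reinstall) the matched
# version regardless of what other suites offer. Both the bullseye and the
# bullseye-security entries must stay in sources.list after the upgrade,
# otherwise there is nothing for the pin to match against. The Package field
# accepts globs, so tomcat9* covers tomcat9, tomcat9-common, tomcat9-admin etc.
tomcat9_pin_stanza() {
    cat <<'EOF'
Package: tomcat9* libtomcat9*
Pin: release n=bullseye-security
Pin-Priority: 1001

Package: tomcat9* libtomcat9*
Pin: release n=bullseye
Pin-Priority: 1001
EOF
}

# Write the stanza into an apt preferences directory (default: the system one)
# and print the path of the file that was written.
write_tomcat9_pin() {
    dir="${1:-/etc/apt/preferences.d}"
    tomcat9_pin_stanza > "$dir/tomcat9"
    printf '%s\n' "$dir/tomcat9"
}

# Show which candidate apt now selects and whether a simulated dist-upgrade
# would install, remove or reconfigure any tomcat9 package. Requires apt.
check_tomcat9_pin() {
    apt-cache policy tomcat9 libtomcat9-java
    apt-get -s dist-upgrade 2>/dev/null \
        | grep -E '^(Inst|Remv|Conf) (lib)?tomcat9' \
        || echo "dist-upgrade would not change any tomcat9 package"
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    write_tomcat9_pin
    check_tomcat9_pin
fi
```

A lighter alternative that does not depend on the bullseye suites staying in sources.list is `apt-mark hold tomcat9 libtomcat9-java`, which apt-get also respects during dist-upgrade; the pin shown above has the advantage of expressing the intended version (the bullseye build) rather than just freezing whatever is installed.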