ELTS report June 2025
=====================

1. ELA-1480-1. I continued the work on varnish for older versions after the previous work for buster and issued a security update fixing CVE-2025-47905 in stretch. The vulnerability required patch adjustments and changes to the test suite, but the problem could be successfully addressed. CVE-2025-30346 turned out to be more difficult since the tests failed, probably because of a missing function in the stretch version of varnish. It was unclear if stretch was even affected and whether the 400 Bad Request response triggered the same misbehavior as in buster. Since the overall severity of the problem was low and an exploit unlikely, I decided to ignore the problem.

2. tomcat9: I continued the work on a security update of tomcat9 in buster. While the version for bullseye is ready and will be uploaded to bullseye-security on Monday, 14.07.2025 (pending a decision on how to choose a proper version for the update), I discovered some regressions for buster when I rebuilt all reverse-dependencies of tomcat9. The regressions are either caused by the older version of bnd, a tool to create OSGi bundles, or by a patch to detect the Java version correctly. The result is missing Java classes which cause build failures for lucene-solr and tomcatjss. I am still investigating the root cause of the problem and why it happens on buster but not on bullseye. Complicating matters, new vulnerabilities have been reported for tomcat. Currently I work with version 9.0.107, which should include the fixes for all of them now.

3. I have been ELTS frontdesk from 30.06.2025 until 06.07.2025. Since most of the work was done in July, more details are included in the July report.

4. mbedtls: I did some preliminary work on mbedtls in buster, which involved finding more information about the latest released CVE and whether it was feasible to address postponed issues from last year. The update requires coordination in the near future with other team members who worked on mbedtls in bullseye.

5. edk2: Unfortunately it turned out that at least one of the patches introduced a regression, and I am currently contemplating whether I should release a partial security update or rather backport edk2 from bullseye to buster, since the changes are already huge.