ELTS report June 2025
=====================


1. ELA-1480-1. I continued the work on varnish for older versions after the
               previous work for buster and issued a security update fixing
               CVE-2025-47905 in stretch. The vulnerability required patch adjustments
               and changes to the test suite but the problem could be successfully
               addressed.
               CVE-2025-30346 turned out to be more difficult since the tests
               did fail probably because of a missing function in the stretch
               version of varnish. It was unclear if stretch was even
               affected and whether the 400 Bad Request response triggered the same
               misbehavior as in buster. Since the overall severity of the
               problem was low and and an exploit unlikely, I decided to ignore
               the problem.

2. tomcat9.:   I continued the work on a security update of tomcat9 in buster. While the
               version for bullseye is ready and will be uploaded to bullseye-security on
               Monday, 14.07.2025, (pending a decision how to choose a proper
               version for the update) I discovered some regressions for buster
               when I rebuilt all reverse-dependencies of tomcat9. The
               regressions are either caused by the older version of bnd, a
               tool to create OSGi bundles, or a patch to detect the Java
               version correctly. The result are missing Java classes which
               cause build failures for lucene-solr and tomcatjss. I am still
               investigating the root cause of the problem and why it happens
               on buster but not on bullseye. Complicating matters new vulnerabilities
               have been reported for tomcat. Currently I work with version
               9.0.107 which should include the fixes for all of them now.

3. I have been ELTS frontdesk from 30.06.2025 until 06.07.2025. Since most of
   the work was done in July, more details are included in the July report.

4. mbedtls.: I did some preliminary work on mbedtls in buster which involved finding more
             information about the latest released CVE and if it was feasible to address
             postponed issues from last year. The update requires coordination with other
             team members in the near future who worked on mbedtls in bullseye.

5. edk2.: Unfortunately it turned out that at least one of the patches introduced a
          regression and I am currently contemplating if I should release a partial
          security update or better backport edk2 from bullseye to buster since the
          changes are already huge.