LTS and ELTS report November 2025
=================================

1. I have been working together with Bastien Roucaries on the Java package netty. I reviewed versions 1:4.1.48-11 and 1:4.1.48-12, which addressed various CVEs such as CVE-2025-58057, CVE-2025-58056, CVE-2025-55163 and CVE-2025-59419. I also tested the changes and rebuilt affected reverse-dependencies of netty. The changes happened in Debian unstable first due to the overall complexity and in order to detect possible regressions early. Later the security fixes will be backported to older LTS and ELTS releases as well.

2. While working on Java related packages, I took the opportunity to look into jackson-core, the central package for parsing JSON files for Java. There is CVE-2025-52999, which causes a denial of service when parsing deeply nested JSON input, and the solution is to introduce a configurable option to limit the nesting depth. I believe we could simplify the patch by just using the new sensible default of a maximum nesting depth of 1000, which should be plenty for almost all use cases. CVE-2025-49128 is a minor information disclosure problem and should not cause any real-life issues.

3. mbedtls is a cryptographic library written in C. I investigated CVE-2025-54764 and CVE-2025-59438 for bullseye and also had a look at our current situation in bookworm. From my point of view we should upgrade mbedtls to a newer release of the long-term supported 2.28 branch. Additionally we could use some of the patches for bullseye and apply them in bookworm as well. I intend to propose this solution to Debian's security team. The situation in bullseye is more complicated because we cannot simply upgrade to 2.28, which would introduce interface changes. The patches for CVE-2025-54764 and CVE-2025-59438 do not apply cleanly, which also makes testing more difficult. An attacker must have local access to the system, thus exploiting these issues is hard to achieve without having compromised the system already. The work for mbedtls is ongoing and will require a team review because of the non-trivial nature of the fix.

4. tomcat8/9/10/11: I investigated all 12 currently open CVEs for tomcat8 in stretch and backported five of them to the actual 8.5.54 version. Then I used a different approach by packaging the latest available release of tomcat8, 8.5.100. This version would also fix some minor issues from the past which had to be postponed. It also simplifies some of the newer backports, improves tomcat's test suite and makes it overall more robust due to several non-security-related improvements. The work is ongoing, but I feel using 8.5.100 as the baseline version is more beneficial for users, which is why I intend to continue following this path. I also had some discussions with Bastien Roucaries about the state of tomcat9, and I believe we found a way to partially address the build failures with two reverse-dependencies but, most importantly, document the new changes which might affect custom user applications.
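The nesting-depth limit mentioned for jackson-core (CVE-2025-52999) in item 2 above can be seen in action with the following program. It is an added example, not code from the report or from the jackson project, and it assumes the upstream jackson-core API that ships `StreamReadConstraints` (2.15 and later); a backported Debian build may expose the limit differently. The class name `NestingDepthDemo`, the helper names and the depths used are chosen here for illustration.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;

import java.io.IOException;

/**
 * Added example (not Debian's or jackson-core's own code). Shows how the
 * configurable maximum nesting depth behaves when a deeply nested document
 * is parsed. Assumes a jackson-core release with StreamReadConstraints
 * (2.15+); the default maximum nesting depth there is 1000.
 */
public class NestingDepthDemo {

    /** Constructed input: `depth` nested empty arrays, e.g. "[[[]]]" for 3. */
    static String nested(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** A JsonFactory whose parsers reject documents nested deeper than maxDepth. */
    static JsonFactory factoryWithLimit(int maxDepth) {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNestingDepth(maxDepth)
                .build();
        return JsonFactory.builder().streamReadConstraints(constraints).build();
    }

    /**
     * Streams through the whole document and returns the deepest nesting level
     * the parser reported, or -1 if the nesting constraint rejected the input.
     * Depth comes from the parser's own context; no recursion of ours is involved,
     * which is the point of the fix: the parser stops before the stack does.
     */
    static int deepestOrReject(JsonFactory factory, String json) throws IOException {
        try (JsonParser parser = factory.createParser(json)) {
            int deepest = 0;
            while (parser.nextToken() != null) {
                deepest = Math.max(deepest, parser.getParsingContext().getNestingDepth());
            }
            return deepest;
        } catch (StreamConstraintsException e) {
            // Thrown as soon as the limit is exceeded, before the rest is read.
            return -1;
        }
    }

    public static void main(String[] args) throws IOException {
        JsonFactory defaults = new JsonFactory();   // upstream default limit of 1000
        JsonFactory strict = factoryWithLimit(50);  // tighter limit for an application that never needs more

        System.out.println("default factory,  999 levels: " + deepestOrReject(defaults, nested(999)));
        System.out.println("default factory, 1001 levels: " + deepestOrReject(defaults, nested(1001)));
        System.out.println("strict factory,    51 levels: " + deepestOrReject(strict, nested(51)));
    }
}
```

With the upstream default, the 999-level document is parsed to the end while the 1001-level document is rejected with a `StreamConstraintsException` at the point where the limit is crossed; the factory built with `factoryWithLimit(50)` rejects the 51-level document the same way. Catching `StreamConstraintsException` separately from other `IOException`s lets an application distinguish "input exceeded a configured limit" from malformed input when it decides how to log or report the failure.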