LTS and ELTS report December 2025
=================================

Debian LTS
==========

1. I have been LTS frontdesk from 22.12.2025 to 28.12.2025. During this time I was responsible for triaging and analyzing newly discovered security vulnerabilities (CVE) in the following Debian packages: avahi, fluidsynth, imagemagick, net-snmp, python-filelock, qemu, gimp, gdcm, nbconvert, gnupg2, dcmtk, apache-log4j2, direwolf, fonttools, freedombox, igmpproxy, node-nodemailer, proxychains-ng, python-marshmallow, robocode, rtl-433 and ruby-httparty.

   The package with the most severe security impact appeared to be net-snmp because of a remotely exploitable buffer overflow vulnerability (CVE-2025-68615). In the beginning there was not enough information to make a decision. I investigated the problem and requested more details from upstream, and fortunately it turned out they had already contacted Craig Small, Debian maintainer of net-snmp, via private email and provided a targeted solution for the problem but didn't want to make it public. This issue was later addressed by Andreas Henriksson for bullseye via DLA-4430-1.

2. dcmtk: I prepared a security update for dcmtk fixing 2 CVE in bullseye (CVE-2025-14607 and CVE-2025-14841) because I had previously worked on the same package. There may be a follow-up update for bookworm and trixie in the future, but the detected issues are not critical and a fix can be postponed for now.

3. apache-log4j: I prepared a security update for apache-log4j, a popular logging framework for Java, and addressed a possible man-in-the-middle attack (CVE-2025-68161).

ELTS
====

1. I have been the ELTS frontdesk from 22.12.2025 to 28.12.2025. During this time I was responsible for triaging and analyzing newly discovered security vulnerabilities (CVE) in the following Debian packages: avahi, fluidsynth, imagemagick, python-filelock, qemu, gimp, u-boot, gdcm, net-snmp, dcmtk, apache-log4j and gnupg2.

2. dcmtk and apache-log4j: Both packages went out of support in January 2026, but I decided to finish the update because the CVE were reported shortly before the EOL date. In addition, apache-log4j in bullseye and buster are identical and the differences in dcmtk are also quite minor, so a lot of additional time was not required. Hence the main focus was on QA and testing the packages for the supported ELTS distributions.

3. tomcat8: I continued to work on tomcat8 based on the latest available release 8.5.100. So far I could only address half of the 19 open CVE for tomcat8, and I intend to release a partial security update now because the new version is already a great improvement over the status quo. Backporting the patches for tomcat9 is non-trivial since both versions have diverged significantly over the past years. Not all of the remaining issues may affect current users of tomcat8 though, because of unlikely configuration options, use cases or general server environments which make it very difficult to exploit the reported vulnerabilities. Thus we will review the remaining problems later and decide on a case-by-case basis whether it makes sense to backport more tomcat9 patches to tomcat8.