LTS and ELTS report January 2026
================================

Debian LTS
==========

1. DLA-4443-1. Issued a security update for dcmtk fixing 2 CVE in bullseye. I prepared another update for bookworm fixing 5 CVE and trixie fixing 3 CVE. Since Debian's release team prefers to address CVE in unstable and testing first, I contacted the maintainer of dcmtk and asked for their preferences.

2. DLA-4444-1. Issued a security update for apache-log4j2 fixing 1 CVE in bullseye. Since I am also part of the Java team, I will upload a new upstream release to address CVE-2025-68161 in unstable and testing. After that my intention is to upload the security updates for bookworm and trixie.

3. DLA-4468-1. Issued a security update for tomcat9 fixing 3 CVE in bullseye. This update also fixed a regression that prevented tomcat's start script from detecting installations of OpenJDK 17. (#1114028)

4. DSA-6120-1. Issued a security update for tomcat10 fixing 13 CVE in bookworm and 11 CVE in trixie. Most of the work had been done at the end of last year. However, I decided to package a new upstream release and incorporate some non-security bug fixes which had been addressed in the latest tomcat releases. Unfortunately we did not anticipate that new configuration options and default limits may cause problems for certain setups. (#1127560) In general, this kind of problem should be reported directly to the upstream maintainers of tomcat, because they might reconsider some of their decisions and implement different settings and limits. Although these changes are all described in Debian's tomcatX-docs package, it is difficult to assess some of them beforehand because use cases and requirements may differ. Since tomcat is a highly sophisticated piece of software, there is sometimes a trade-off between security and usability. We usually avoid new upstream releases in stable releases, but we rated the security improvements to be of high importance this time. We intend to continue with targeted patches from now on.

5. DSA-6121-1. Issued a security update for tomcat11 fixing 11 CVE in trixie.

ELTS
====

1. ELA-1628-1. Issued a security update for edk2 fixing 15 CVE in buster. This was only the first part of a larger update. For the first part all work had already been done. Unfortunately the security fixes in edk2 are way too intrusive, which is why a backport was the only way forward.

2. ELA-1615-2. Issued a regression update for tomcat9 that restored missing classes in tomcat9-jasper-el.jar.

3. ELA-1629-1. Issued a security update for apache-log4j2 fixing 1 CVE in buster.

4. ELA-1630-1. Issued a security update for dcmtk fixing 2 CVE in buster.

5. ELA-1637-1. Issued a security update for tomcat9 fixing 3 CVE in buster. It was found that the regression update ELA-1615-2 was incomplete and that several classes were still missing in different jar files of the binary packages libtomcat9-java and libtomcat9-embed-java. The root cause of the problem was an outdated version of bnd, a tool to create and manage OSGi bundles. Together with five other source packages, it had to be upgraded to a newer upstream release. Many Java packages build-depend on bnd, so at first it was unclear whether we could simply upgrade the package or had to create new standalone packages which do not interfere with the rest of the Java ecosystem. After rebuilding all reverse-dependencies and more testing, we found that a normal upgrade would suffice.
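The incomplete ELA-1615-2 regression fix above is the kind of defect a pre-upload comparison of jar contents catches: list the .class entries of the previously shipped jar and of the rebuilt one, and report anything that disappeared. The script below is an added example, not part of this report or of the Debian packaging; the two jars and their class names are constructed in memory so it runs offline.

```python
import io
import sys
import zipfile


def class_entries(jar_bytes: bytes) -> set:
    """Return the set of .class entry names inside a jar (a jar is a zip file)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {name for name in zf.namelist() if name.endswith(".class")}


def missing_classes(old_jar: bytes, new_jar: bytes) -> set:
    """Classes shipped in the old build that are absent from the new build."""
    return class_entries(old_jar) - class_entries(new_jar)


def build_jar(entries) -> bytes:
    """Construct a minimal jar with the given entry names (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in entries:
            zf.writestr(name, b"")  # empty bodies; only the names matter here
    return buf.getvalue()


# Constructed sample: the rebuilt jar silently lost one class.
OLD_JAR = build_jar([
    "org/example/el/Parser.class",
    "org/example/el/Lost.class",
    "org/example/el/Util.class",
])
NEW_JAR = build_jar([
    "org/example/el/Parser.class",
    "org/example/el/Util.class",
])


def check_jar_files(old_path: str, new_path: str) -> set:
    """Compare two jars on disk; returns the set of classes that went missing."""
    with open(old_path, "rb") as old, open(new_path, "rb") as new:
        return missing_classes(old.read(), new.read())


if __name__ == "__main__":
    lost = missing_classes(OLD_JAR, NEW_JAR)
    for name in sorted(lost):
        print("missing after rebuild:", name)
    sys.exit(1 if lost else 0)
```

For a real comparison run `check_jar_files()` against the jar from the previous binary package and the one from the new build, for every jar the package ships.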