LTS and ELTS report February 2026
=================================

Debian LTS
==========

1. netty. I reviewed and tested a larger security update of netty, a Java NIO client/server framework which is often used for network applications, fixing 6 CVEs. The update covered all supported distributions, bullseye, bookworm and trixie. Since Debian's version of netty is quite similar across all distributions, preparing updates for all supported stable releases was a logical choice. Most of the work had been done by Bastien Roucaries with one patch contribution from myself. I focused on testing the resulting package, rebuilding reverse-dependencies and looking into potential test failures. The update will be released on 12.03.2026.

2. jackson-core. I have continued my work on jackson-core, a Java JSON library. While I was investigating CVE-2025-52999, I found that just implementing a hard limit for the nesting depth of JSON files would leave out several other upstream changes and could have been too short-sighted. In the past, upstream had already implemented different checks and constraints, but nobody assigned a CVE for them. In my opinion we need to backport more commits and even new classes in order to be able to support those configurable new limits. This would also have a direct impact on jackson-databind and the whole jackson* package family in Debian. Updates of jackson-core are usually tightly coupled with other jackson packages, and different versions of those packages may cause inconsistencies and build failures. At the moment it is unclear what the best way forward is. Parsing deeply nested JSON files may currently result in a StackOverflowError and the termination of the application that uses jackson-core. Depending on the use case this may be only a minor nuisance or part of a bigger problem.

   Right now I am focusing on the latest stable release of jackson-core in trixie in order to find out how promising a backport of these changes might be before I turn back to the much older version in bullseye.

ELTS
====

1. tomcat8. I have been mainly working on completing the new security update for tomcat8. As with the previous updates for tomcat 11, 10 and 9, the introduction of a new upstream release for tomcat8 was required due to many complex changes to the underlying code base. On top of that I backported some patches from tomcat9 to fix the latest reported CVE.
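
The jackson-core item above describes deeply nested JSON exhausting the stack of the application that parses it. As an added example (not taken from the report, from jackson-core or from Debian's packaging), this stand-alone Java 11+ class shows one application-side guard: an iterative depth scan run on the raw bytes before they reach the parser. The names `JsonDepthGuard` and `TooDeepException` and the limit of 1000 are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;

// Added example: pre-parse nesting-depth guard (hypothetical class, not jackson-core code).
public class JsonDepthGuard {

    /** Thrown when the input nests deeper than the caller allows. */
    static class TooDeepException extends Exception {
        TooDeepException(int limit) { super("JSON nesting exceeds " + limit); }
    }

    /**
     * Scans raw UTF-8 JSON bytes and returns the maximum nesting depth.
     * A counter replaces recursion, so the scan itself cannot overflow the stack.
     */
    static int maxDepth(byte[] json, int limit) throws TooDeepException {
        int depth = 0, max = 0;
        boolean inString = false, escaped = false;
        for (byte b : json) {
            if (inString) {
                // Brackets inside string values are data, not structure.
                if (escaped) escaped = false;
                else if (b == '\\') escaped = true;
                else if (b == '"') inString = false;
                continue;
            }
            switch (b) {
                case '"': inString = true; break;
                case '[': case '{':
                    if (++depth > limit) throw new TooDeepException(limit);
                    max = Math.max(max, depth);
                    break;
                case ']': case '}':
                    if (depth > 0) depth--; // malformed input is left for the real parser to reject
                    break;
                default: break;
            }
        }
        return max;
    }

    public static void main(String[] args) throws Exception {
        int limit = 1000; // assumed value; choose one that fits the application's data
        // Constructed sample inputs: a normal document and a pathologically nested one.
        byte[] ok = "{\"a\":[1,{\"b\":\"]]]] \\\" [[[[\"}]}".getBytes(StandardCharsets.UTF_8);
        System.out.println("max depth of sample: " + maxDepth(ok, limit));
        byte[] nested = "[".repeat(100_000).getBytes(StandardCharsets.UTF_8);
        try {
            maxDepth(nested, limit);
        } catch (TooDeepException e) {
            System.out.println("rejected before parsing: " + e.getMessage());
        }
    }
}
```

Such a guard only bounds nesting depth; it does not replace the other upstream checks and constraints the report mentions.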