LTS and ELTS report March 2026
==============================

Unfortunately this month was cut short due to a bereavement in my family.

Debian LTS
==========

1. I reviewed a security update of asterisk, an open-source private branch
   exchange, fixing 4 CVE for bullseye prepared by Lukas Märdian.

2. I took care of all administrative tasks of the security announcement DSA-6160-1
   for netty fixing 6 CVE in bookworm and trixie.

3. tomcat11/10/9/8: Nine new security vulnerabilities have been discovered in
   Tomcat, a Java servlet and JSP engine. I investigated the problems and
   found that all supported tomcat versions in Debian are affected.
   My first step was to prepare a security update for tomcat11. Only a
   few days later upstream released another security announcement which
   referred to another batch of discovered CVE. I decided to wait until they
   made a new release and packaged new versions of tomcat11 11.0.21, tomcat10
   10.1.54 and tomcat9 9.0.117. In the meantime we dropped support for tomcat10
   in Debian 14 "forky" to make it clear that we support only one tomcat
   version per release, Debian 13 being the exception from this rule.

   As soon as these updates have been released next week I intend to backport
   the same tomcat9 version to ELTS.