LTS and ELTS report April 2026
==============================

Debian LTS
==========

1. I have been working on embargoed security problems for a major Debian package. At the moment I cannot share any details since the embargo has not been lifted yet, because the upstream developers discovered a patch regression which is severe enough to postpone their next security release.

2. jackson-core: I uploaded version 2.14.1-2 to unstable which fixes CVE-2025-52999. The changes mainly affect another jackson library, namely jackson-databind. I am aware of a build failure (#1135410) which I intend to fix now by adding a small patch to jackson-databind as well. Another option was to revert the change in jackson-core to throw IOExceptions when certain parsing limits are reached, but that seemed counter-intuitive for those users who expect the same upstream behavior in Debian.

3. tomcat: While I was preparing security updates for all supported tomcat releases to fix all currently open CVEs (9), I discovered that tomcat-native for tomcat9 had to be updated as well, which delayed the release. The issue is at least related to CVE-2026-34500 and is caused by new upstream patches to OpenSSL CLIENT CERT authentication. The version of tomcat-native in bullseye is too old and requires a new upstream version to align with the behavioral changes made in tomcat. Otherwise this leads to countless error messages and potentially broken web apps.

Debian ELTS
===========

1. tomcat8/9: The older versions of tomcat8 and tomcat9 in buster and stretch are affected by the same problems as in bullseye. I am not convinced a new upstream version of tomcat-native is strictly necessary though, because the patch for CVE-2026-34500 fixes a corner case which does not seem serious enough to warrant the introduction of a new tomcat-native upstream release at this point. The risk of potential regressions is higher and I tend to ignore this particular problem.