LTS and ELTS report May 2026
============================

Debian LTS
==========

1. samba: I have been working on several embargoed security problems for samba including CVE-2026-2340, CVE-2026-3012, CVE-2026-3238, CVE-2026-4408 and CVE-2026-4480. Patches were only provided for the current stable and long-term supported releases of samba which did not include 4.13 or older versions. We are currently reviewing and testing the patches for bullseye.

2. jackson-core: Issued DLA-4623-1 for jackson-core in bullseye fixing two CVE which included regression fixes (build failure) for jackson-databind and related jackson-dataformat-* packages. Similarly I issued DSA-6336-1 for bookworm and trixie.

3. tomcat: Another batch of CVE was reported in May and I incorporated the patches into the latest security update released as DLA-4619-1 for bullseye fixing 16 CVE in tomcat9, DSA-6328-1 fixing 16 CVE in tomcat10 for bookworm and trixie and DSA-6329-1 fixing 17 CVE in tomcat11 for trixie. The tomcat9 security update for bullseye also required a newer upstream version of tomcat-native in order to align the behavior in tomcat9 and tomcat-native again.

Debian ELTS
===========

1. tomcat9: After some testing I found that tomcat-native version 1.3.7 works fine with the latest security update of tomcat9 in buster which is the reason I decided to upgrade to 9.0.118 in buster.

2. samba: I started by backporting the bullseye patch to buster and running preliminary tests to ensure no regressions were introduced. We will wait a few more days after the security release for bullseye before we upload to buster, just in case we missed something and then repeat these steps for stretch.