My Debian Activities in June 2026

Debian LTS/ELTS

This was my hundred-forty-fourth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded or worked on:

  • [DLA 4615-1] exim4 security update to fix one CVE related to information disclosure in combination with proxies.
  • [DLA 4616-1] haveged security update to fix one CVE related to local root privilege escalation.
  • [DLA 4618-1] gsasl security update to fix one CVE related to denial of service.
  • [DLA 4631-1] asterisk security update to fix 13 CVEs related to buffer under- or overflows, either on heap or on stack. Some are related to use-after-free or wrong processing of invalid or untrusted certificates.
  • [ELA-1747-1] gimp security update to fix three CVEs in Buster related to denial of service or execution of arbitrary code if malformed PSP, JPEG 2000 or PSD files are opened.
  • [ELA-1748-1] gimp security update to fix two CVEs in Stretch related to denial of service or execution of arbitrary code if malformed PSP or PSD files are opened.
  • [ELA-1749-1] exim4 security update to fix one CVEs in Buster and Stretch related to information disclosure in combination with proxies.
  • [ELA-1750-1] gsasl security update to fix one CVEs in Buster and Stretch related to denial of service.

Besides fixing all CVEs of asterisk in Bullseye, I started to look at asterisk in other releases as well. Rather surprisingly asterisk is only part of Unstable and Bullseye. All other releases don’t include any version of asterisk at all. So first things first, besides some security related RC bugs, asterisk did not migrate due to RC-bugs in dahdi-linux. As I maintain osmocom-dahdi-linux (which supports less/other hardware), I looked at the open issues and after some rounds I could upload a new upstream version, fixed some bugs and resolved issues with piuparts. dahdi-linux meanwhile migrated to testing, job done!
As a next step I looked at the open CVEs. Some of them had been already fixed in previous uploads but had not been marked accordingly. So I fixed all remaining ones and sent a debdiff to the maintainer. Unfortunately there was some kind of overlap in our work and he ignored my debdiff but uploaded a new upstream version. Anyway, job done as well, no open security issues anymore. The only thing that hinders asterisk from migrating to testing is the reproducible build. So if anybody has some spare time …

Other things I worked on were the regression update of rsync. Some of the elven new patches need to be backported, but I am confidentially to finish this month. I already reviewed the rsync– uploads of Sylvain to Buster and Stretch, so I don’t expect any big hurdles here. I am also making progress to find the correct patches for hplip and cups.

Debian Printing

This month I uploaded a new upstream versions:

  • hplip to unstable to fix some bugs.

This work is generously funded by Freexian!

Debian Lomiri

This month new upstream versions of dozens of lomiri packages have been released and I uploaded lots of them to Debian. After they migrate to testing, I am also going to sync them to the Ubuntu PPA.

This work is generously funded by Fre(i)e Software GmbH!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

  • indi-pentax to unstable. This is a package in contrib without autobuild and needed a new upload for the libraw transistion.
  • c-munipack to unstable.
  • supernovas to unstable (sponsored upload).

Debian IoT

This month I uploaded a new upstream version or a bugfix version of:

Debian Mobcom

This month I uploaded a new upstream version or a bugfix version of:

misc

This month I uploaded a new upstream version or a bugfix version of:

  • visam to unstable. There had been an RC bug due to two binaries with the same name but different functionality. Yes, it is in the policy but … (my mother forbade me to elaborate more on this)
  • mailio to unstable.

Leave a Reply