My Debian Activities in October 2025

Debian LTS

This was my hundred-thirty-sixth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. During my allocated time I uploaded or worked on:

• [DLA 4316-1] open-vm-tools security update to fix one CVE related to a local privilege escalation.
• [DLA 4329-1] libfcgi security update to fix one CVE related to a heap-based buffer overflow via crafted nameLen or valueLen values in data to the IPC socket.
• [DLA 4337-1] svgpp security update to fix one CVE related to a nullpointer reference.
• [DLA 4336-1] sysstat security update to fix two CVEs related to a size_t overflow and a multiplication integer overflow.
• [DLA 4343-1] raptor2 security update to fix two CVEs related to a heap-based buffer over-read and an integer underflow.
• [DLA 4349-1] request-tracker4 security update to fix one CVE related to CSV injection via ticket values with special characters. The patch was prepared by Andrew Ruthven
• [DLA 4353-1] xorg-server security update to fix three CVES related to privilege escalation.

I also attended the monthly LTS/ELTS meeting.

Debian ELTS

This month was the eighty-seventh ELTS month. During my allocated time I uploaded or worked on:

• [ELA-1538-1] libfcgi security update to fix one CVE in Buster and Stretch, related to a heap-based buffer overflow via crafted nameLen or valueLen values in data to the IPC socket.
• [ELA-1551-1] raptor2 security update to fix two CVES in Buster and Stretch, related to a heap-based buffer over-read and an integer underflow.
• [ELA-1555-1] request-tracker4 security update to fix one CVE in Buster, related to CSV injection via ticket values with special characters. The patch was prepared by Andrew Ruthven.
• [ELA-1561-1] xorg-server security update to fix three CVEs in Buster and Stretch, related to privilege escalation.

I also attended the monthly LTS/ELTS meeting.

Debian Printing

This month I uploaded a new upstream version or a bugfix version of:

• … cups to unstable.
• … brlaser to unstable.
• … ifhp to unstable.

This work is generously funded by Freexian!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

• … virtualgps to unstable.
• … libapogee to unstable.
• … indi-starbook-ten to unstable.
• … indi-weewx-json to unstable.
• … astap to unstable.
• … astap-cli to unstable.
• … udm to unstable.
• … indi-pentax to unstable.
• … boinor to unstable.

Debian IoT

Unfortunately I didn’t found any time to work on this topic.

Debian Mobcom

This month I uploaded a new upstream version or a bugfix version of:

• … smstools to unstable.
• … osmocom-dahdi-linux to unstable.
• … osmo-fl2k to unstable.
• … osmo-tetra to unstable.

misc

This month I uploaded a new upstream version or a bugfix version of:

• … arpalert to unstable.
• … sockstat to unstable.
• … gypsy to unstable.
• … usb-modeswitch to unstable.
• … force-ip-protocol to unstable.
• … libbtbb to unstable (NMU).
• … otpw to unstable.
• … ubertooth to unstable (NMU).
• … apcupsd to unstable.
• … kdrill to unstable (NMU).
• … nuspell to unstable.
• … chktex to unstable.
• … harminv to unstable.

On my fight against outdated RFPs, I closed 31 of them in October. I could even close one RFP by uploading the new package gypsy. Meanwhile only 3373 are still open, so don’t hesitate to help closing one or another.

FTP master

This month I accepted 420 and rejected 45 packages. The overall number of packages that got accepted was 423.

I would like to remind everybody that in case you don’t agree with the removal of a package, please set the moreinfo tag on this bug. This is the only reliable way to prevent processing of that RM-bug. Well, there is a second way, of course you could also achieve this by closing the bug.