Posted on

My Debian Activities in May 2026

Debian LTS/ELTS

This was my hundred-forty-third month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded or worked on:

  • [DLA 4580-1] exim4 security update to fix one CVE related to remote code execution.
  • [DLA 4591-1] rsync security update to fix five CVEs related to local root privilege escalation.
  • [#1134340] trixie-pu bug for libcoap3 to fix two CVEs in Trixie; the debdiff was confirmed and the upload was accepted to the proposed update queue.
  • [#1126167] bookworm-pu upload of zvbi has been flagged for acceptance
  • [#1126273] bookworm-pu upload of taglib has been flagged for acceptance
  • [#1126370] bookworm-pu upload of libuev has been flagged for acceptance
  • [hplip] upload to sid to fix two CVEs.

This was a rather strange month. The details about the embargoed exim4 issue arrived only after I already went to bed and the embargo lift was 18 hours later. Luckily Stretch was not really affected and the uploads for Bullseye and Buster went out on time.

Something similar happened with the embargoed issue of rsync. The info arrived at 8:00 in the morning and the embargo lift was on 2:00 next morning. From an Europeans point of view, the Australians do have strange time zones. But there is more to this than that. Upstream sent more than 50(!) patches for these five CVEs that needed a backport to Bullseye. As things turned out, there is a regression in the upload to Unstable and investigations are ongoing whether this regression is also available in the backported patches for Trixie, Bookworm and Bullseye. So rsync-updates for Buster and Stretch is in the works, but I am afraid they need some more time.

All good things come by threes. Two critical CVEs of hplip appeared and a new upstream version was released by HP. HP is no longer interested in working with distributions and over time more than 80 patches have been accumulated that need a rebase for a new upstream version. For that reason I avoid this package as much as I can, but two critical CVEs did apply some kind of pressure on the maintainer. So I finally managed to do this update and the latest version of hplip is now in Debian. Nevertheless, this feels good :-). Anyway, it is not over yet. HP does not have a public repository nor do they publish patches for these CVEs. So I am still searching for the correct fixes to backport them to Bullseye, Buster and Stretch. The other distributions have the same problem and a silver lining appears on the horizon.

I also prepared an update of gimp for Buster and Stretch, but due to an accident I only managed to release the corresponing ELA in June. The accident was also the reason for only half a week of FD. Thanks to Daniel who took over.

Debian Printing

This month I uploaded a new upstream versions:

This work is generously funded by Freexian!

Debian Lomiri

This month I continued to work on unifying packaging on Debian and Ubuntu. This makes it easier to work on those packages independent of the used platform.

This work is generously funded by Fre(i)e Software GmbH!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

Debian IoT

This month I uploaded a new upstream version or a bugfix version of:

misc

This month I uploaded a new upstream version or a bugfix version of:

I also got rid of gypsy, which no longer makes sense to maintain in Debian, as gpsd is way better.

Posted on

My Debian Activities in April 2026

Debian LTS/ELTS

This was my hundred-forty-second month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded or worked on:

  • [DLA 4530-1] gst-plugins-bad1.0 security update to fix two CVEs related to denial of service or execution of arbitrary code if a malformed media file is opened.
  • [DLA 4544-1] ntfs-3g to fix one CVE related to local root privilege escalation.
  • [DLA 4545-1] packagekit security update to fix one CVE related to local privilege escalation.
  • [DLA 4547-1] gimp security update to fix three CVEs related to denial of service or execution of arbitrary code if a malformed PSP, JPEG 2000 or PSD file is opened.
  • [ELA-1682-1] gst-plugins-bad1.0 security update to fix two CVEs in Buster and Stretch related to denial of service or execution of arbitrary code.
  • [ELA-1689-1] ntfs-3g security update to fix one CVE in Buster and Stretch related to local root privilege escalation..
  • [ELA-1693-1] pakagekit security update to fix one CVE in Buster and Stretch related to local privilege escalation.
  • [#1126167] bookworm-pu upload of zvbi
  • [#1126273] bookworm-pu upload of taglib
  • [#1126370] bookworm-pu upload of libuev
  • [libcoap3] upload to sid to fix two CVEs related to out-of-bounds read and stacked based buffer overflow.
  • [#1134340] trixie-pu bug for libcoap3 to fix two CVEs in Trixie.
  • [cups] upload to sid to fix six CVEs.

I also did a week of front desk duties and started to work on backports of the cups CVEs.

Debian Printing

This month I uploaded a new upstream versions:

Unfortunately the first upload of cups introduces a regression and another upload was needed to take care of a crash. The patch for one CVE also broke a test script, which is used by lots of printing packages in Debian. As a result some autopkgtest runs failed. This could be fixed as well and the only remaining issue that needs some more investigation is related to cups-pdf.

This work is generously funded by Freexian!

Debian Lomiri

This month I continued to work on unifying packaging on Debian and Ubuntu. This makes it easier to work on those packages independent of the used platform.

I also started working on two new packages: lomiri-radio-app and lomiri-fretboardtrainer-app

This work is generously funded by Fre(i)e Software GmbH!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

Debian IoT

This month I uploaded a new upstream version or a bugfix version of:

Marcos Talau joined the Debian IoT group, welcome aboard.

Debian Mobcom

This month I uploaded a new upstream version or a bugfix version of:

misc

This month I uploaded a new upstream version or a bugfix version of:

Posted on

My Debian Activities in March 2026

Debian LTS/ELTS

This was my hundred-forty-first month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded or worked on:

  • [DLA 4500-1] gimp security update to fix four CVEs related to denial of service or execution of arbitrary code.
  • [DLA 4503-1] evolution-data-server to fix one CVE related to a missing canonicalization of a file path.
  • [DLA 4512-1] strongswan security update to fix one CVE related to a denial of service.
  • [ELA-1656-1] gimp security update to fix four CVEs in Buster and Stretch related to denial of service or execution of arbitrary code.
  • [ELA-1660-1] evolution-data-server security update to fix one CVE in Buster and Stretch related to a missing canonicalization of a file path.
  • [ELA-1665-1] strongswan security update to fix one CVE in Buster related to a denial of service.
  • [ELA-1666-1] libvpx security update to fix one CVE in Buster and Stretch related to a denial of service or potentially execution of arbitrary code.

I also worked on the check-advisories script and proposed a fix for cases where issues would be assigned to the coordinator instead of the person who forgot doing something. I also did some work for a kernel update and packages snapd and ldx on security-master and attended the monthly LTS/ELTS meeting. Last but not least I started to work on gst-plugins-bad1.0

Debian Printing

This month I uploaded a new upstream versions:

Several packages take care of group lpadmin in their maintainer scripts. With the upload of version 260.1-1 of systemd there is now a central package (systemd | systemd-standalone-sysusers | systemd-sysusers) that takes care of this. Other dependencies like adduser can now be dropped.

This work is generously funded by Freexian!

Debian Lomiri

This month I continued to work on unifying packaging on Debian and Ubuntu. This makes it easier to work on those packages independent of the used platform. I am also able to upload Debian packages to the corresponding Ubuntu PPA now. A small bug had to be fixed in the python script to allow the initial configuration in Launchpad.

This work is generously funded by Fre(i)e Software GmbH!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

  • libplayerone to experimental. For a list of other packages please see below.

I also uploaded lots of indi-drivers (libplayerone, libsbig, libricohcamerasdk, indi-asi, indi-eqmod, indi-fishcamp, indi-inovaplx, indi-pentax, indi-playerone, indi-sbig, indi-mi, libahp-xc, indi-aagcloudwatcher, indi-aok, indi-apogee, libapogee3, indi-nightscape, libasi, libinovasdk, libmicam, indi-avalon, indi-beefocus, indi-bresserexos2, indi-dsi, indi-ffmv, indi-fli, indi-gige, info-gphoto, indi-gpsd, indi-gpsnmea, indi-limesdr, indi-maxdomeii, indi-mgen, indi-rtklib, indi-shelyak, indi-starbook, indi-starbookten, indi-talon6, indi-weewx-json, indi-webcam, indi-orion-ssg3, indi-armadillo-playtypus ) to experimental to make progress with the indi-transition. No problems with those drivers appeared and the next step would be the upload of indi version 2.x to unstable. I hope this will happen soon, as new drivers are already waiting in the pipeline. There have been also four packages, that migrated to the official indi package and are no longer needed as 3rdparty drivers (indi-astrolink4, indi-astromechfoc, indi-dreamfocuser, indi-spectracyber).

While working on these packages, I thought about testing them. Unfortunately I don’t have enough hardware to really check out every package, so I can upload most of them only as is. In case anybody is interested in a better testing coverage and me being able to provide upstream patches, I would be very glad about hardware donations.

Debian IoT

This month I uploaded a new upstream version or a bugfix version of:

Debian Mobcom

This month I uploaded a new upstream version or a bugfix version of:

misc

This month I uploaded a new upstream version or a bugfix version of:

I also sponsored the upload of Matomo. Thanks a lot to William for preparing the package.

Posted on

My Debian Activities in February 2026

Debian LTS/ELTS

This was my hundred-fortieth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded or worked on:

  • [DLA 4474-1] rlottie security update to fix three CVEs related to boundary checks.
  • [DLA 4477-1] munge security update to fix one CVE related to a buffer overflow.
  • [DLA 4483-1] gimp security update to fix four CVEs related to arbitrary code execution.
  • [DLA 4487-1] gegl security update to fix two CVEs related to heap-based buffer overflow.
  • [DLA 4489-1] libvpx security update to fix one CVE related to a buffer overflow.
  • [ELA-1649-1] gimp security update to fix three CVEs in Buster and Stretch related to arbitrary code execution.
  • [ELA-1650-1] gegl security update to fix two CVEs in Buster and Stretch related to heap-based buffer overflow.

Some CVEs could be marked as not-affected for one or all LTS/ELTS-releases. I also worked on package evolution-data-server and attended the monthly LTS/ELTS meeting.

Debian Printing

This month I uploaded a new upstream versions:

This work is generously funded by Freexian!

Debian Lomiri

This month I continued to worked on unifying packaging on Debian and Ubuntu. This makes it easier to work on those packages independent of the used platform.

This work is generously funded by Fre(i)e Software GmbH!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

  • c-munipack to unstable. This package now contains a version without GTK support. Upstream is working on a port to GTK3 but seems to need some more time to finish this.
  • libasi to unstable.
  • libdfu-ahp to unstable.
  • libfishcamp to unstable.
  • libinovasdk to unstable.
  • libmicam to unstable.
  • siril to unstable (sponsored upload).

Debian IoT

This month I uploaded a new upstream version or a bugfix version of:

Unfortunately development of openoverlayrouter finally stopped, so I had to remove this package from the archive.

Debian Mobcom

This month I uploaded a new upstream version or a bugfix version of:

misc

This month I uploaded a new upstream version or a bugfix version of:

I also sponsored the upload of some Matomo dependencies. Thanks a lot to William for preparing the packages

Posted on

My Debian Activities in January 2026

Debian LTS/ELTS

This was my hundred-thirty-ninth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian (as the LTS- and ELTS-teams have been merged now, there is only one paragraph left for both activities).

During my allocated time I uploaded or worked on:

  • [DLA 4449-1] zvbi security update to fix five CVEs related to uninitialized pointers and integer overflows.
  • [DLA 4450-1] taglib security update to fix one CVE related to a segmentation violation.
  • [DLA 4451-1] shapelib security update to fix one CVE related to a double free.
  • [DLA 4454-1] libuev security update to fix one CVE related to a buffer overrun.
  • [ELA-1620-1] zvbi security update to fix five CVEs in Buster and Stretch related to uninitialized pointers and integer overflows.
  • [ELA-1621-1] taglib security update to fix one CVE in Buster and Stretch related to a segmentation violation.
  • [#1126167] bookworm-pu bug for zvbi to fix five CVEs in Bookworm.
  • [#1126273] bookworm-pu bug for taglib to fix one CVE in Bookworm.
  • [#1126370] bookworm-pu bug for libuev to fix one CVE in Bookworm.

I also attended the monthly LTS/ELTS meeting. While working on updates, I stumbled upon packages, whose CVEs have been postponed for a long time and their CVSS score was rather high. I wonder whether one should pay more attention to postponed issues, otherwise one could have already marked them as ignored.

Debian Printing

Unfortunately I didn’t found any time to work on this topic.

Debian Lomiri

This month I worked on unifying packaging on Debian and Ubuntu. This makes it easier to work on those packages independent of the used platform.

This work is generously funded by Fre(i)e Software GmbH!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

Debian IoT

Unfortunately I didn’t found any time to work on this topic.

Debian Mobcom

Unfortunately I didn’t found any time to work on this topic.

misc

This month I uploaded a new upstream version or a bugfix version of:

Unfortunately this month I was distracted from my normal Debian work by other unpleasant things, so that the paragraphs above are mostly empty. I now have to think about how many of my spare time I am able to dedicate to Debian in the future.

Posted on

European Vulnerabilities DataBase – a blessing or a curse?

After the funding crisis at MITRE in the beginning of 2025, the European Union Agency for Cybersecurity (ENISA, European Network and Information Security Agency) started the European Vulnerability Database (EUVD).

Since then some articles have been published that let this database appear in a unfavourable light, to put it charitably. An example of such article was already published  in May 2025 in the blog of Vulncheck. Of course there is bias in this article as the author works for some kind of competitor with its own vulnerability database.

First of all it is good to have such a database in Europe to become more and more independent of things hosted in the US. But you are not able to directly add your own research of vulnerabilities to EUVD. Therefore you need an account at CIRAS (Cybersecurity Incident Reporting and Analysis System), which is also operated by ENISA. Obtaining such an account is not really an easy task. Lots of links on the website show a 404. Anyway, for whatever reason in 2025 only about 1100 issues have been reported via CIRAS, so compared with the MITRE CVE database, this is nothing at all.

One point of criticism was some inconsistent information about CVEs in the EUVD.
On the website, using Search by ID with CVE-2024-, CVE-2024-* or CVE-2024-.* results in an error The introduced ID does not exist..
Maybe my expectations to be able to use modern things like regex, are pitched too high.
One can also Search by text and CVE-2024- gives 30991 entries. The correct number of such CVEs can be obtained from cve.org and is 38912. So even some months after the negative report, there is no improvement. The website UI still does not show all vulnerabilities.

The current API of EUVD also allows to retrieve single EUVD-ID-entries.
Using this method, on can obtain about 38969 EUVD-ID-entries, that contain CVE-2024-* in their dataset. The mentioned constrains in the Vulncheck blog  are still present, so downloading lots of data this way is not really fun. Yes, there are about 1700 EUVDs in 2025 that were published later and that also contain CVE-2024, I considered this. The Debian Security tracker contains 38920 entries for CVE-2024. So the small difference between all those numbers might be related to rejected CVEs that are not correctly processed. Anyway, these results show that at least all information related to CVEs are available in EUVD but have to be found.

For whatever reason, the total number of EUVD-2024-* is above 55000. What are these issues unrelated to a CVE?
For example EUVD-2024-0027 is associated with PYSEC-2024-55, which is a problem related to the ecosystem (some malicious code was uploaded). This seems to be fine.
Another bunch of EUVD issues without an associated CVE are related to npm where malicious packages have been uploaded. So more or less another ecosystem with problems.

Here a small excursion offers itself: In case of Debian packages it is totally fine to only look at cve.org to catch all vulnerabilities of the packages. The exception of the rule are packages whose watch-file does not point to the repository of the software but to any kind of repository of a language ecosystems like for pypi and npm. For those packages the corresponding PYSEC needs to be investigated. What would have happened when version 0.5 of gratient (EUVD-2024-0076)  would have been uploaded to Debian?

Back to EUVD entries without a corresponding CVE. Unfortunately there is also EUVD-2024-11941 in the database. There is not much information available about this issue, only another ID: MAL-2024-11737 is mentioned. It points to osv.dev, a Google project to collect all vulnerabilities. Rather similar to EUVD, but run by Google. The entry at Google shows a bit more information and gives credit to ReversingLabs as “finder”. Those company makes “AI-Driven Binary Analysis to Identify Malicious Components”.
Anyway the issue is in PyPI package urlcon, so lets see what PyPI is telling us about this software. Ok, nice, there are five packages that have the string “urlcon” in their name, but no package urlcon is available.
Unfortunately I couldn’t find any other information about this issue on ReversingLabs website. But all in all I found about 7000 submissions of ReversingLabs with an ID MAL-2024-*.
I looked at some of them and didn’t found one that refers to an existing PyPI or npm package. From my point of view it looks like EUVD has been polluted by lots of artificially generated entries. Of course not only EUVD is affected. As all other services like osv.dev, Vulners.com, OSSF and whatever else, just automatically collect data without verifying them and sync with each other, from my point of view all these databases are just useless.

 

As a result I would state that the idea of EUVD is nice but as they collect everything without verification, the database is only one among others without any unique selling point. Especially as the competition has a way better UI.




I also found another glitch totally unrelated to the above in CVE-2024-45568: In a product made by Qualcom, the CVSS score from NVD is 7.8, which makes it a high score. The vector is:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The same issue evaluated by Qualcom, results in a vector of: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.  The CVSS score will be 6.7, which makes it a medium issue.

Shamed be he who thinks evil of it.

Posted on

My Debian Activities in December 2025

Debian LTS/ELTS

This was my hundred-thirty-eighth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. (As the LTS- and ELTS-teams have been merged now, there is only one paragraph left for both activities.)

During my allocated time I uploaded or worked on:

  • [cups] upload to unstable to fix an issue with the latest security upload
  • [libcoap3] uploaded to unstable to fix ten CVEs
  • [gcal] check whether security bug reports are really security bug reports (no, they are not and no CVEs have been issued yet)
  • [#1124284] trixie-pu for libcoap3 to fix ten CVEs in Trixie.
  • [#1121342] trixie-pu bug; debdiff has been approved and libcupsfilters uploaded.
  • [#1121391] trixie-pu bug; debdiff has been approved and cups-filter uploaded.
  • [#1121392] bookworm-pu bug; debdiff has been approved and cups-filter uploaded.
  • [#1121433] trixie-pu bug; debdiff has been approved and rlottie uploaded.
  • [#1121437] bookworm-pu bug; debdiff has been approved and rlottie uploaded.
  • [#1124284] trixie-pu bug; debdiff has been approved and libcoap3 uploaded.

I also tried to backport the libcoap3-patches to Bookworm, but I am afraid the changes would be too intrusive.

When I stumbled upon a comment for 7zip about “finding the patches might be a hard”, I couldn’t believe it. Well, Daniel was right and I didn’t find any.

Furthermore I worked on suricata, marked some CVEs as not-affected or ignored, and added some new patches. Unfortunately my allocated time was spent before I could do a new upload.

I also attended the monthly LTS/ELTS meeting.

Last but not least I injected some packages for uploads to security-master.

Debian Printing

This month I uploaded a new upstream version or a bugfix version of:

  • cups to unstable.

This work is generously funded by Freexian!

Debian Lomiri

I started to contribute to Lomiri packages, which are part of the Debian UBports Team. As a first step I took care of failing CI pipelines and tried to fix them. A next step would be to package some new Applications.

This work is generously funded by Fre(i)e Software GmbH!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

Debian IoT

This month I uploaded a new upstream version or a bugfix version of:

Debian Mobcom

Unfortunately I didn’t found any time to work on this topic.

misc

This month I uploaded a new upstream version or a bugfix version of:

Last but not least, I wish (almost) everbody a Happy New Year and hope that you are able to stick to your New Year’s resolutions.

Posted on

My Debian Activities in November 2025

Debian LTS/ELTS

This was my hundred-thirty-seventh month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian and my eighty-eighth ELTS month. As the LTS- and ELTS-teams have been merged now, there is only one paragraph left for both activities.

During my allocated time I uploaded or worked on:

  • [DLA 4381-1] net-snmp security update to fix two CVEs related to denial of service.
  • [DLA 4382-1] libsdl2 security update to fix one CVE related to a memory leak and a denial of service.
  • [DLA 4380-1] cups-filters security update to fix three CVEs related to out of bounds read or writes or a heap buffer overflow.
  • [ELA-1586-1] cups-filters security update to fix three CVEs in Buster and Stretch, related to out of bounds read or writes or a heap buffer overflow.
  • [libcupsfilters] upload to unstable to fix two CVEs
  • [cups-filters] upload to unstable to fix three CVEs
  • [cups] upload to unstable to fix two CVEs
  • [rlottie] upload to unstable to finally fix three CVEs
  • [rplay] upload to unstable to finally fix one CVE
  • [#1121342] trixie-pu bug for libcupsfilters to fix two CVEs in Trixie.
  • [#1121391] trixie-pu bug for cups-filter to fix three CVEs in Trixie.
  • [#1121392] bookworm-pu bug for cups-filter to fix three CVEs in Bookworm.
  • [#112433] trixie-pu bug for rlottie to finally fix three CVEs in Trixie.
  • [#112437] bookworm-pu bug for rlottie to finally fix three CVEs in Bookworm.

I also attended the monthly LTS/ELTS meeting and did a week of LTS/ELTS frontdesk duties. I also stumbled upon a bug in python3-paramiko, where the parsing of include statements in the ssh_config does not work. Rather annoying but already fixed in the newest version, that only needs to find its way to my old VM.

Debian Printing

This month I uploaded a new upstream version or a bugfix version of:

I also uploaded cups to Trixie, to fix bug #1109471 related to a configuration problem with the admin panel.

This work is generously funded by Freexian!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

  • siril to unstable (sponsored upload).
  • supernovas to unstable (sponsored upload).

Debian IoT

This month I uploaded a new upstream version or a bugfix version of:

Debian Mobcom

This month I uploaded a new upstream version or a bugfix version of:

misc

This month I uploaded a new upstream version or a bugfix version of:

On my fight against outdated RFPs, I closed 30 of them in November.

I started with about 3500 open RFP bugs. and after working six months on this project, I have closed 183 bugs. Of course new bugs appeared, so the overall number of bugs is only down to about 3360.

Though I view this as a successful project, I also have to admit that it is a bit boring to work on this daily. Therefore I close this diary again and will add the closed RFP bugs to my bug logbook now. I also try to close some of these bugs by really uploading some software, probably one package per month.

FTP master

This month I accepted 236 and rejected 16 packages. The overall number of packages that got accepted was 247.

Posted on

My Debian Activities in October 2025

Debian LTS

This was my hundred-thirty-sixth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. During my allocated time I uploaded or worked on:

  • [DLA 4316-1] open-vm-tools security update to fix one CVE related to a local privilege escalation.
  • [DLA 4329-1] libfcgi security update to fix one CVE related to a heap-based buffer overflow via crafted nameLen or valueLen values in data to the IPC socket.
  • [DLA 4337-1] svgpp security update to fix one CVE related to a nullpointer reference.
  • [DLA 4336-1] sysstat security update to fix two CVEs related to a size_t overflow and a multiplication integer overflow.
  • [DLA 4343-1] raptor2 security update to fix two CVEs related to a heap-based buffer over-read and an integer underflow.
  • [DLA 4349-1] request-tracker4 security update to fix one CVE related to CSV injection via ticket values with special characters. The patch was prepared by Andrew Ruthven
  • [DLA 4353-1] xorg-server security update to fix three CVES related to privilege escalation.

I also attended the monthly LTS/ELTS meeting.

Debian ELTS

This month was the eighty-seventh ELTS month. During my allocated time I uploaded or worked on:

  • [ELA-1538-1] libfcgi security update to fix one CVE in Buster and Stretch, related to a heap-based buffer overflow via crafted nameLen or valueLen values in data to the IPC socket.
  • [ELA-1551-1] raptor2 security update to fix two CVES in Buster and Stretch, related to a heap-based buffer over-read and an integer underflow.
  • [ELA-1555-1] request-tracker4 security update to fix one CVE in Buster, related to CSV injection via ticket values with special characters. The patch was prepared by Andrew Ruthven.
  • [ELA-1561-1] xorg-server security update to fix three CVEs in Buster and Stretch, related to privilege escalation.

I also attended the monthly LTS/ELTS meeting.

Debian Printing

This month I uploaded a new upstream version or a bugfix version of:

This work is generously funded by Freexian!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

Debian IoT

Unfortunately I didn’t found any time to work on this topic.

Debian Mobcom

This month I uploaded a new upstream version or a bugfix version of:

misc

This month I uploaded a new upstream version or a bugfix version of:

On my fight against outdated RFPs, I closed 31 of them in October. I could even close one RFP by uploading the new package gypsy. Meanwhile only 3373 are still open, so don’t hesitate to help closing one or another.

FTP master

This month I accepted 420 and rejected 45 packages. The overall number of packages that got accepted was 423.

I would like to remind everybody that in case you don’t agree with the removal of a package, please set the moreinfo tag on this bug. This is the only reliable way to prevent processing of that RM-bug. Well, there is a second way, of course you could also achieve this by closing the bug.

Posted on

My Debian Activities in September 2025

Debian LTS

This was my hundred-thirty-fifth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. During my allocated time I uploaded or worked on:

  • [DLA 4168-2] openafs regression update to fix an incomplete patch in the previous upload.
  • [DSA 5998-1] cups security update to fix two CVEs related to a authentication bypass and a denial of service.
  • [DLA 4298-1] cups security update to fix two CVEs related to a authentication bypass and a denial of service.
  • [DLA 4304-1] cjson security update to fix one CVE related to an out-of-bounds memory access.
  • [DLA 4307-1] jq security update to fix one CVE related to a heap buffer overflow.
  • [DLA 4308-1] corosync security update to fix one CVE related to a stack-based buffer overflow.

An upload of spim was not needed, as the corresponding CVE could be marked as ignored. I also started to work on an open-vm-tools and attended the monthly LTS/ELTS meeting.

Debian ELTS

This month was the eighty-sixth ELTS month. During my allocated time I uploaded or worked on:

  • [ELA-1512-1] cups security update to fix two CVEs in Buster and Stretch, related to a authentication bypass and a denial of service.
  • [ELA-1520-1] jq security update to fix one CVE in Buster and Stretch, related to a heap buffer overflow.
  • [ELA-1524-1] corosync security update to fix one CVE in Buster and Stretch, related to a stack-based buffer overflow.
  • [ELA-1527-1] mplayer security update to fix ten CVEs in Stretch, distributed all over the code.

The CVEs for open-vm-tools could be marked as not-affeceted as the corresponding plugin was not yet available. I also attended the monthly LTS/ELTS meeting.

Debian Printing

This month I uploaded a new upstream version or a bugfix version of:

  • ink to unstable to fix a gcc15 issue.
  • pnm2ppa to unstable to fix a gcc15 issue.
  • rlpr to unstable to fix a gcc15 issue.

This work is generously funded by Freexian!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

Debian IoT

This month I uploaded a new upstream version or a bugfix version of:

  • radlib to unstable, Joachim Zobel prepared a patch for a name collision of a binary.
  • pyicloud to unstable.

Debian Mobcom

This month I uploaded a new upstream version or a bugfix version of:

misc

The main topic of this month has been gcc15 and cmake4, so my upload rate was extra high. This month I uploaded a new upstream version or a bugfix version of:

  • readsb to unstable.
  • gcal to unstable. This was my first upload of a release where I am upstream as well.
  • libcds to unstable to fix a cmake4 issue.
  • pkcs11-proxy to unstable to fix cmake4 issue.
  • force-ip-protocol to unstable to fix a gcc15 issue.
  • httperf to unstable to fix a gcc15 issue.
  • otpw to unstable to fix a gcc15 issue.
  • rplay to unstable to fix a gcc15 issue.
  • uucp to unstable to fix a gcc15 issue.
  • spim to unstable to fix a gcc15 issue.
  • usb-modeswitch to unstable to fix a gcc15 issue.
  • gnucobol3 to unstable to fix a gcc15 issue.
  • gnucobol4 to unstable to fix a gcc15 issue.

I wonder what MBF will happen next, I guess the /var/lock-issue will be a good candidate.

On my fight against outdated RFPs, I closed 30 of them in September. Meanwhile only 3397 are still open, so don’t hesitate to help closing one or another.

FTP master

This month I accepted 294 and rejected 28 packages. The overall number of packages that got accepted was 294.