Hi, I am funded by Freexian SARL and thus reporting about my work in September 2023. In previous months I worked on other topics than LTS. I no longer include funding aspects here to avoid duplication with the Freexian funding blog, so this is just about LTS/ELTS.
In September, I uploaded python2.7 to bullseye, buster, stretch and jessie. Please see ELA-950-1 and DLA 3575-1 for details. The update fixes six to seven CVEs, of which three are due to deficiencies in URL parsing. Porting the change to heapq (CVE-2022-48560) to ELTS releases required reviewing and merging reference counted sections of the surrounding code. In order to properly test these changes, I fixed the existing autopkgtests and was able to declassify the distutils test as failing. At the time of this writing, the upload to bullseye is still in proposed-updates and not yet installed by default. I deferred the email vulnerability (CVE-2023-27043), because upstream has not yet decided on a solution.

Helmut