Hi,
On 30/07/2025 02:17, Daniel Leidert wrote:
> On Wed, 2025-07-30 at 05:21 +0530, Utkarsh Gupta wrote:
>> Whilst on front desk this week, I am noticing 23 packages that are of
>> the status:
>> "Issues fixed in buster and bookworm but not in bullseye".
>> In my opinion, this is problematic as those who will be upgrading from
>> buster -> bullseye will see it as a regression, as they'll now be
>> vulnerable once again.
> That basically is the same reason why we fix issues fixed in Bullseye
> in Bookworm. So, to me it makes absolute sense.
> Do you have a list of these packages?
TL;DR: there are many more urgent CVEs to fix.
This is from bin/lts-cve-triage.py, with the new report called: "Issues
fixed in buster and bookworm but not in bullseye [caution: new report]".
(Note: the "[caution: new report]", this is from this month's Sprint.)
Here's what I wrote in
https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/11#note_629554:
-----
Testing !222 as FD, I added 3 packages to dla-needed.txt today:
dla: add exempi
dla: add modsecurity-crs
dla: add batik
These had 24/7/6 CVEs to sync respectively, from a past buster-lts DLA.
However all the other (numerous) results are mostly us being a bit
zealous in ELTS, and bookworm getting an upstream fix through unstable
before its release. We might want to restrict to specific bookworm
updates. I have a heuristic for this in another lts-cve-triage report
that looks for +debXXuXX in the version number.
I also expect this kind of situation to be less frequent as we're now
more active and thorough in SPUs.
-----
So, most of the remaining 23 packages, especially as it's only 1-2 CVEs
for each package, and especially when they are not sponsored, are very
low-priority.
Cheers!
Sylvain
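The "+debXXuXX" heuristic mentioned in the message above, as an added illustration that is not code from lts-cve-triage.py or the LTS team: it keeps a "fixed in buster and bookworm but not in bullseye" row only when the bookworm fix was an actual stable update (a +deb12uN version) rather than an upstream fix that reached bookworm through unstable before release. Function names and the sample triage rows are constructed for this example.

```python
import re

# Debian stable point updates carry a "+debNNuMM" suffix (e.g. 1.2-3+deb12u2);
# buster is Debian 10, bullseye 11, bookworm 12. Some stable uploads use the
# "~debNNuMM" form instead, so both separators are accepted here.
STABLE_UPDATE_RE = re.compile(r"[+~]deb(?P<release>\d+)u(?P<update>\d+)$")


def stable_update(version: str):
    """Return (release, update) if version looks like a stable update, else None."""
    m = STABLE_UPDATE_RE.search(version)
    if m is None:
        return None
    return int(m.group("release")), int(m.group("update"))


def needs_bullseye_sync(fixed_versions: dict) -> bool:
    """True when buster and bookworm carry a fix, bullseye does not, and the
    bookworm fix was a deb12uN stable update (hypothetical helper).
    fixed_versions maps suite -> fixed version, or None if still vulnerable."""
    buster = fixed_versions.get("buster")
    bullseye = fixed_versions.get("bullseye")
    bookworm = fixed_versions.get("bookworm")
    if buster is None or bookworm is None or bullseye is not None:
        return False
    su = stable_update(bookworm)
    return su is not None and su[0] == 12


# Constructed sample rows, package -> fixed version per suite (not real data).
SAMPLE = {
    "pkg-a": {"buster": "1.0-1+deb10u2", "bullseye": None, "bookworm": "1.4-2+deb12u1"},
    "pkg-b": {"buster": "2.0-1+deb10u1", "bullseye": None, "bookworm": "3.1-1"},
    "pkg-c": {"buster": "0.9-1+deb10u1", "bullseye": "0.9-1+deb11u1", "bookworm": "0.9-1+deb12u1"},
}


def filter_report(rows: dict) -> list:
    """Packages worth a bullseye sync: pkg-b is dropped because its bookworm
    fix (3.1-1) came via unstable, pkg-c because bullseye is already fixed."""
    return sorted(pkg for pkg, versions in rows.items() if needs_bullseye_sync(versions))


if __name__ == "__main__":
    print(filter_report(SAMPLE))  # ['pkg-a']
```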