On Sun, Aug 10, 2025 at 09:12:24PM -0400, Roberto C. Sánchez wrote:
> On Wed, Jul 30, 2025 at 09:14:22AM +0200, Sylvain Beucler wrote:
> >
> > So, most of the remaining 23 packages, especially as it's only 1-2 CVEs for
> > each package, and especially when they are not sponsored, are very
> > low-priority.
> >
> (Apologies for the late reply.)
>
> I concur. Let's not get carried away adding loads of packages to the
> queue. If there are legitimately high priority CVEs (which for this
> group of packages there aren't), then that's another thing.

A starting point would be to stop regressing on that in bookworm.

There is also a certain gap between Freexian touting its contributions to
non-LTS stable releases, and frequent failure at the simple task of also
submitting DLA updates to bookworm.

I went manually through all bullseye DLAs, and these are the ones I found
that currently need work for bookworm:

[DLA 3858-1] ruby2.7 security update
[DLA 3865-1] frr security update
[DLA 3886-1] nodejs security update (in dsa-needed, DSA worked on since February)
[DLA 3893-1] expat security update
[DLA 3909-1] zabbix security update (in dsa-needed)
[DLA 3926-1] perl security update
[DLA 3928-1] ffmpeg security update
[DLA 3952-1] unbound security update
[DLA 3978-1] editorconfig-core security update
[DLA 3984-1] zabbix security update (in dsa-needed)
[DLA 3997-1] php-laravel-framework security update (in dsa-needed)
[DLA 4006-1] python-django security update (in dsa-needed, DSA worked on since December)
[DLA 4018-1] ruby2.7 security update
[DLA 4019-1] busybox security update
[DLA 4027-1] sympa security update (in dsa-needed)
[DLA 4029-1] frr security update
[DLA 4030-1] python-django security update (in dsa-needed, DSA worked on since December)
[DLA 4032-1] iperf3 security update
[DLA 4039-1] ffmpeg security update
[DLA 4041-1] python-aiohttp security update
[DLA 4046-1] ark security update (in dsa-needed)
[DLA 4049-1] rust-openssl security update
[DLA 4053-1] freerdp2 security update
[DLA 4056-1] golang-glog security update
[DLA 4067-1] nodejs security update (in dsa-needed, DSA worked on since February)
[DLA 4073-1] ffmpeg security update
[DLA 4082-1] ruby2.7 security update
[DLA 4083-1] squid security update
[DLA 4084-1] libmodbus security update
[DLA 4086-1] python-django security update (in dsa-needed, DSA worked on since December)
[DLA 4103-1] suricata security update
[DLA 4113-1] php-horde-imp security update
[DLA 4115-1] ruby-saml security update (in dsa-needed, DSA worked on since March)
[DLA 4131-1] zabbix security update (in dsa-needed)
[DLA 4140-1] libsoup2.4 security update
[DLA 4145-1] expat security update
[DLA 4149-1] nagvis security update
[DLA 4150-1] u-boot security update
[DLA 4151-1] golang-github-gorilla-csrf security update
[DLA 4153-1] containerd security update
[DLA 4166-1] xrdp security update
[DLA 4180-1] pgbouncer security update
[DLA 4182-1] syslog-ng security update
[DLA 4186-1] php-twig security update
[DLA 4190-1] mydumper security update
[DLA 4197-1] python-flask-cors security update
[DLA 4204-1] twitter-bootstrap3 security update
[DLA 4210-1] python-django security update (in dsa-needed, DSA worked on since December)
[DLA 4215-1] ublock-origin security update
[DLA 4222-1] activemq security update
[DLA 4227-1] dcmtk security update
[DLA 4233-1] nagvis security update
[DLA 4238-1] sslh security update
[DLA 4245-1] libcommons-fileupload-java security update
[DLA 4246-1] libowasp-esapi-java security update
[DLA 4262-1] libcommons-lang-java security update
[DLA 4263-1] ruby-graphql security update
[DLA 4270-1] apache2 security update
[DLA 4274-1] mbedtls security update (in dsa-needed)

As said, this list was compiled manually; feel free to ask if any item
looks incorrect. I was checking the status in the security tracker; it is
possible that the bookworm information in the tracker is incorrect (as was
the case for two of my DLAs).

@Roberto, Santiago: There are ~ 3 days left for getting anything into
bookworm before 2026.

@Sylvain:
https://security-tracker.debian.org/tracker/CVE-2025-30349
  [bookworm] - php-horde-imp <ignored> (Horde in Bookworm is broken due to PHP 8 issues and will be removed in the next point release)
Do you know what happened to that removal?

@Sylvain: Packages on my list that are missing in the lts-cve-triage.py
output (and no issue created) but should be there:

apache2: pu request is a mess with multiple people proposing multiple
  debdiffs (#1109084).
expat: Maintainer update blocked due to something we might have previously
  solved in ELTS (#1102752).
golang-github-gorilla-csrf: In dla-needed due to binNMU issues in LTS.
libsoup2.4: In dla-needed for additional CVEs.
mydumper: No action after receiving instructions from SRM in May (#1106790).
nagvis: dla-needed says:
  NOTE: 20250629: PU is ready and will be tested before sending the PU request
php-laravel-framework: Package is in dla-needed for a new CVE.
python-aiohttp:
  [bookworm] - python-aiohttp <ignored> (Minor issue)
  The problem here is the "ignored" tagging in bookworm, which might make a
  generic fix impossible.
python-flask-cors: SRM ACK in July but upload missing (#1108508).
ruby2.7: Needs checking renamed-packages.lts. A pu request in #1103854 does
  not seem to fix all CVEs that were fixed in DLAs.
ruby-saml: In dla-needed for a new CVE.
squid: In dla-needed for additional CVEs.
suricata: In dla-needed for additional CVEs.
twitter-bootstrap3: SRM ACK in June but upload missing (#1107088).
u-boot: In dla-needed for additional CVEs.
ublock-origin: SRM ACK in June but upload missing (#1107607).

It might be useful to also check whether a version >= the one listed as
fixing a CVE in next-oldstable-point-update.txt is in oldstable-new and/or
oldstable-proposed-updates:

$ rmadison -a source -s oldstable-proposed-updates,oldstable-new node-tmp
node-tmp | 0.2.2+dfsg+~0.2.3-1.1~deb12u1 | oldstable-proposed-updates | source
$ rmadison -a source -s oldstable-proposed-updates,oldstable-new firebird3.0
firebird3.0 | 3.0.11.33637.ds4-2+deb12u1 | oldstable-new | source
$

Whether a pu request is missing/submitted/moreinfo requires querying the
BTS (in lts-cve-triage.py or manually).

Packages can be in dla-needed for many reasons, the bookworm-pu request
(or DSA) should have been prepared and submitted at the same time as the
DLA.

> Regards,
>
> -Roberto

cu
Adrian
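The rmadison check suggested at the end of the message, carried one step further as an added example that is not part of the message above, of lts-cve-triage.py or of any Debian tool: the script parses the pipe-separated table that `rmadison -a source -s oldstable-proposed-updates,oldstable-new` prints, compares version strings with dpkg's ordering rules (epoch, then upstream, then revision; `~` sorts before the empty string, so `1.1~deb12u1 < 1.1`), and reports for each package whether a version >= the required fix is already pending, is older than required, or is absent. The two node-tmp and firebird3.0 lines are the ones quoted in the message; the `examplepkg`/`missingpkg` entries and the `REQUIRED_FIX` table are constructed stand-ins for the versions one would take from next-oldstable-point-update.txt.

```python
"""Check whether a required fix version is already pending for bookworm.

Added example; the version comparison follows dpkg's documented rules
but this is not dpkg's, python-debian's or any Debian tool's code.
"""

# First two lines are rmadison output quoted in the message; the third is
# constructed to show an upload that is older than the required fix.
RMADISON_OUTPUT = """\
node-tmp | 0.2.2+dfsg+~0.2.3-1.1~deb12u1 | oldstable-proposed-updates | source
firebird3.0 | 3.0.11.33637.ds4-2+deb12u1 | oldstable-new | source
examplepkg | 1.2-3+deb12u1 | oldstable-new | source
"""

# Constructed stand-in for the "fixed in" versions taken from
# next-oldstable-point-update.txt (examplepkg/missingpkg are hypothetical).
REQUIRED_FIX = {
    "node-tmp": "0.2.2+dfsg+~0.2.3-1.1~deb12u1",
    "firebird3.0": "3.0.11.33637.ds4-2+deb12u1",
    "examplepkg": "1.2-3+deb12u2",
    "missingpkg": "4.0-1+deb12u1",
}


def _order(c):
    """dpkg character weight: '~' sorts below end-of-string (0), letters by
    code point, every other non-digit above all letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream or revision string: alternate non-digit runs
    (character weights) and digit runs (numeric), as dpkg does."""
    while a or b:
        ia = next((i for i, ch in enumerate(a) if ch.isdigit()), len(a))
        ib = next((i for i, ch in enumerate(b) if ch.isdigit()), len(b))
        pa, pb = a[:ia], b[:ib]
        for i in range(max(len(pa), len(pb))):
            oa = _order(pa[i]) if i < len(pa) else 0
            ob = _order(pb[i]) if i < len(pb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[ia:], b[ib:]
        ia = next((i for i, ch in enumerate(a) if not ch.isdigit()), len(a))
        ib = next((i for i, ch in enumerate(b) if not ch.isdigit()), len(b))
        na, nb = int(a[:ia] or 0), int(b[:ib] or 0)
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ia:], b[ib:]
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' per Debian Policy; the revision
    is everything after the last hyphen."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 with the same ordering as dpkg --compare-versions."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    res = _cmp_fragment(u1, u2)
    return res if res else _cmp_fragment(r1, r2)


def parse_rmadison(text):
    """Yield (source, version, suite) from rmadison's pipe-separated table."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) >= 3 and fields[0]:
            yield fields[0], fields[1], fields[2]


def pending_status(rmadison_text, required):
    """Map source -> (status, newest pending version, suite); status is
    'pending' (>= required), 'too-old' or 'absent'."""
    newest = {}
    for source, version, suite in parse_rmadison(rmadison_text):
        if source not in newest or compare_versions(version, newest[source][0]) > 0:
            newest[source] = (version, suite)
    result = {}
    for source, needed in required.items():
        if source not in newest:
            result[source] = ("absent", None, None)
        else:
            version, suite = newest[source]
            status = "pending" if compare_versions(version, needed) >= 0 else "too-old"
            result[source] = (status, version, suite)
    return result


if __name__ == "__main__":
    for src, (status, ver, suite) in sorted(pending_status(RMADISON_OUTPUT, REQUIRED_FIX).items()):
        print(f"{src}: {status}" + (f" ({ver} in {suite})" if ver else ""))
```

In practice one would feed the script the live output of the rmadison command quoted above for each source package on the list; the constructed table only stands in for that so the example runs offline.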
