Hi,

This is a summary of the work I did for Debian LTS and ELTS in February 2025. Thanks to Freexian and sponsors for making this possible [0].

Debian LTS
==========

* Investigated sqlite3 for CVE-2025-43967. Conclusion was that Bullseye is not affected; marked as such in the security tracker.
* Investigated libsndfile for CVE-2025-52194, and eventually postponed the fix for Bullseye. Rationale in dcdd57c26 commit message.
* Investigated for CVE-2022-33065 and CVE-2024-50612, for which fixes were pending in Bookworm p-u. Joined the relevant Debian team, created LTS branch, enabled CI, backported fixes, tested fixes, and eventually released DLA-4287-1.

Debian ELTS
===========

* After investigation, marked Buster and Stretch not-affected by CVE-2025-43967/sqlite3. See also related LTS work.

Tooling
=======

Fixed src:autopkgtest bug that caused some autopkgtest-build-* to configure archive.debian.org as the mirror for Bullseye, instead of using the official Debian mirrors while on LTS support. See [1].

Cheers,

Paride

[0] https://www.freexian.com/lts/debian/#sponsors
[1] https://salsa.debian.org/ci-team/autopkgtest/-/merge_requests/594
