The Debian LTS Team, funded by Freexian s Debian LTS offering, is pleased to report its activities for October.

Activity summary During the month of October, 21 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below). The team released 37 DLAs fixing 893 CVEs. The team has continued in its usual rhythm, preparing and uploading security updates targeting LTS and ELTS, as well as helping with updates to oldstable, stable, testing, and unstable. Additionally, the team received several contributions of LTS uploads from Debian Developers outside the standing LTS Team. Notable security updates:

• https-everywhere, prepared by Markus Koschany, deals with a problem created by ownership of the https-rulesets.org domain passing to a malware operator
• openjdk-17 and openjdk-11, prepared by Emilio Pozuelo Monfort, fixes XML external entity and certificate validation vulnerabilities
• intel-microcode, prepared by Tobias Frost, fixes a variety of privilege escalation and denial of service vulnerabilities

Notable non-security updates:

• distro-info-data, prepared by Stefano Rivera, updates information concerning current and upcoming Debian and Ubuntu releases

Contributions from outside the LTS Team:

• Lukas M rdian, a Debian Developer, provided an update of log4cxx
• Andrew Ruthven, one of the request-tracker4 maintainers, provided an update of request-tracker4
• Christoph Goehre, co-maintainer of thunderbird, provided an update of thunderbird

Beyond the typical LTS updates, the team also helped the Debian community more broadly:

• Guilhem Moulin prepared oldstable/stable updates of libxml2, and an unstable update of libxml2.9
• Bastien Roucari s prepared oldstable/stable updates of imagemagick
• Daniel Leidert prepared an oldstable update of python-authlib, oldstable update of libcommons-lang-java and stable update of libcommons-lang3-java
• Utkarsh Gupta prepared oldstable/stable/testing/unstable updates of ruby-rack

The LTS Team is grateful for the opportunity to contribute to making LTS a high quality for sponsors and users. We are also particularly grateful for the collaboration from others outside the time; their contributions are important to the success of the LTS effort.

Individual Debian LTS contributor reports

• Abhijith PA
• Andreas Henriksson
• Andrej Shadura
• Bastien Roucari s
• Ben Hutchings
• Carlos Henrique Lima Melara
• Chris Lamb
• Daniel Leidert
• Emilio Pozuelo Monfort
• Guilhem Moulin
• Jochen Sprickerhof
• Lucas Kanashiro
• Markus Koschany
• Paride Legovini
• Roberto C. S nchez
• Santiago Ruano Rinc n
• Stefano Rivera
• Sylvain Beucler
• Thorsten Alteholz
• Tobias Frost
• Utkarsh Gupta

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • Toshiba Corporation (for 121 months)
  • Civil Infrastructure Platform (CIP) (for 89 months)
  • VyOS Inc (for 54 months)
• Gold sponsors:
  • F. Hoffmann-La Roche AG (for 132 months)
  • Babiel GmbH (for 115 months)
  • Plat Home (for 115 months)
  • University of Oxford (for 72 months)
  • Deveryware (for 59 months)
  • EDF SA (for 43 months)
  • Dataport A R (for 19 months)
  • CERN (for 16 months)
• Silver sponsors:
  • Domeneshop AS (for 136 months)
  • Nantes M tropole (for 130 months)
  • Akamai - Linode (for 126 months)
  • Univention GmbH (for 122 months)
  • Universit Jean Monnet de St Etienne (for 122 months)
  • Ribbon Communications, Inc. (for 116 months)
  • Exonet B.V. (for 106 months)
  • Leibniz Rechenzentrum (for 100 months)
  • Minist re de l Europe et des Affaires trang res (for 84 months)
  • Cloudways by DigitalOcean (for 73 months)
  • Dinahosting SL (for 71 months)
  • Upsun Formerly Platform.sh (for 66 months)
  • Moxa Inc. (for 60 months)
  • sipgate GmbH (for 57 months)
  • OVH US LLC (for 55 months)
  • Tilburg University (for 55 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 47 months)
  • THINline s.r.o. (for 20 months)
  • Copenhagen Airports A/S (for 13 months)
• Bronze sponsors:
  • Evolix (for 137 months)
  • Seznam.cz, a.s. (for 137 months)
  • Linuxhotel GmbH (for 134 months)
  • Intevation GmbH (for 133 months)
  • Daevel SARL (for 132 months)
  • Megaspace Internet Services GmbH (for 131 months)
  • Greenbone AG (for 130 months)
  • NUMLOG (for 130 months)
  • WinGo AG (for 130 months)
  • Entr ouvert (for 121 months)
  • Adfinis AG (for 119 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 113 months)
  • Tesorion (for 113 months)
  • Bearstech (for 105 months)
  • LiHAS (for 105 months)
  • Catalyst IT Ltd (for 99 months)
  • Demarcq SAS (for 93 months)
  • Universit Grenoble Alpes (for 80 months)
  • TouchWeb SAS (for 72 months)
  • SPiN AG (for 68 months)
  • CoreFiling (for 64 months)
  • Institut des sciences cognitives Marc Jeannerod (for 59 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 56 months)
  • Tem Innovations GmbH (for 51 months)
  • WordFinder.pro (for 50 months)
  • CNRS DT INSU R sif (for 49 months)
  • Soliton Systems K.K. (for 44 months)
  • Alter Way (for 42 months)
  • Institut Camille Jordan (for 32 months)
  • SOBIS Software GmbH (for 16 months)
  • Tuxera Inc. (for 8 months)

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In September, 20 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 10.0h (out of 10.0h assigned and 4.0h from previous period), thus carrying over 4.0h to the next month.
• Andreas Henriksson did 1.0h (out of 0.0h assigned and 20.0h from previous period), thus carrying over 19.0h to the next month.
• Bastien Roucari s did 20.0h (out of 20.0h assigned).
• Ben Hutchings did 20.0h (out of 21.0h assigned), thus carrying over 1.0h to the next month.
• Carlos Henrique Lima Melara did 10.0h (out of 12.0h assigned), thus carrying over 2.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 21.0h (out of 21.0h assigned).
• Emilio Pozuelo Monfort did 39.75h (out of 40.0h assigned), thus carrying over 0.25h to the next month.
• Guilhem Moulin did 15.0h (out of 15.0h assigned).
• Jochen Sprickerhof did 12.0h (out of 9.25h assigned and 11.75h from previous period), thus carrying over 9.0h to the next month.
• Lee Garrett did 13.5h (out of 21.0h assigned), thus carrying over 7.5h to the next month.
• Lucas Kanashiro did 8.0h (out of 20.0h assigned), thus carrying over 12.0h to the next month.
• Markus Koschany did 15.0h (out of 3.25h assigned and 17.75h from previous period), thus carrying over 6.0h to the next month.
• Paride Legovini did 6.0h (out of 8.0h assigned), thus carrying over 2.0h to the next month.
• Roberto C. S nchez did 7.25h (out of 7.75h assigned and 13.25h from previous period), thus carrying over 13.75h to the next month.
• Santiago Ruano Rinc n did 13.25h (out of 13.5h assigned and 1.5h from previous period), thus carrying over 1.75h to the next month.
• Sylvain Beucler did 17.0h (out of 7.75h assigned and 13.25h from previous period), thus carrying over 4.0h to the next month.
• Thorsten Alteholz did 21.0h (out of 21.0h assigned).
• Tobias Frost did 5.0h (out of 0.0h assigned and 8.0h from previous period), thus carrying over 3.0h to the next month.
• Utkarsh Gupta did 16.5h (out of 14.25h assigned and 6.75h from previous period), thus carrying over 4.5h to the next month.

Evolution of the situation In September, we released 38 DLAs.

• Notable security updates:
  • modsecurity-apache prepared by Adrian Bunk, fixes a cross-site scripting vulnerability
  • cups, prepared by Thorsten Alteholz, fixes authentication bypass and denial of service vulnerabilities
  • jetty9, prepared by Adrian Bunk, fixes the MadeYouReset vulnerability (a recent, well-known denial of service vulnerability)
  • python-django, prepared by Chris Lamb, fixes a SQL injection vulnerability
  • firefox-esr and thunderbird, prepared by Emilio Pozuelo Monfort, were updated from the 128.x ESR series to the 140.x ESR series, fixing a number of vulnerabilities as well
• Notable non-security updates:
  • wireless-regdb prepared by Ben Hutchings, updates information reflecting changes to radio regulations in many countries

There was one package update contributed by a Debian Developer outside of the LTS Team: an update of node-tar-fs, prepared by Xavier Guimard (a member of the Node packaging team). Finally, LTS Team members also contributed updates of the following packages:

• libxslt (to stable and oldstable), prepared by Guilhem Moulin, to address a regression introduced in a previous security update
• libphp-adodb (to stable and oldstable), prepared by Abhijith PA
• cups (to stable and oldstable), prepared by Thorsten Alteholz
• u-boot (to oldstable), prepared by Daniel Leidert and Jochen Sprickerhof
• libcommongs-lang3-java (to stable and oldstable), prepared by Daniel Leidert
• python-internetarchive (to oldstable), prepared by Daniel Leidert

One other notable contribution by a member of the LTS Team is that Sylvain Beucler proposed a fix upstream for CVE-2025-2760 in gimp2. Upstream no longer supports gimp2, but it is still present in Debian LTS, and so proposing this fix upstream is of benefit to other distros which may still be supporting the older gimp2 packages.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • Toshiba Corporation (for 120 months)
  • Civil Infrastructure Platform (CIP) (for 88 months)
  • VyOS Inc (for 52 months)
• Gold sponsors:
  • F. Hoffmann-La Roche AG (for 130 months)
  • Akamai - Linode (for 124 months)
  • Babiel GmbH (for 114 months)
  • Plat Home (for 113 months)
  • University of Oxford (for 70 months)
  • Deveryware (for 57 months)
  • EDF SA (for 42 months)
  • Dataport A R (for 17 months)
  • CERN (for 15 months)
• Silver sponsors:
  • Domeneshop AS (for 135 months)
  • Nantes M tropole (for 129 months)
  • Univention GmbH (for 121 months)
  • Universit Jean Monnet de St Etienne (for 121 months)
  • Ribbon Communications, Inc. (for 115 months)
  • Exonet B.V. (for 105 months)
  • Leibniz Rechenzentrum (for 99 months)
  • Minist re de l Europe et des Affaires trang res (for 83 months)
  • Cloudways by DigitalOcean (for 72 months)
  • Dinahosting SL (for 70 months)
  • Platform.sh SAS (for 64 months)
  • Moxa Inc. (for 58 months)
  • sipgate GmbH (for 56 months)
  • OVH US LLC (for 54 months)
  • Tilburg University (for 54 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 45 months)
  • THINline s.r.o. (for 18 months)
  • Copenhagen Airports A/S (for 12 months)
• Bronze sponsors:
  • Evolix (for 135 months)
  • Seznam.cz, a.s. (for 135 months)
  • Intevation GmbH (for 132 months)
  • Linuxhotel GmbH (for 132 months)
  • Daevel SARL (for 131 months)
  • Megaspace Internet Services GmbH (for 130 months)
  • Greenbone AG (for 129 months)
  • NUMLOG (for 129 months)
  • WinGo AG (for 128 months)
  • Entr ouvert (for 120 months)
  • Adfinis AG (for 117 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 112 months)
  • Tesorion (for 112 months)
  • Bearstech (for 103 months)
  • LiHAS (for 103 months)
  • Catalyst IT Ltd (for 98 months)
  • Demarcq SAS (for 92 months)
  • Universit Grenoble Alpes (for 78 months)
  • TouchWeb SAS (for 70 months)
  • SPiN AG (for 67 months)
  • CoreFiling (for 63 months)
  • Institut des sciences cognitives Marc Jeannerod (for 58 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 54 months)
  • Tem Innovations GmbH (for 49 months)
  • WordFinder.pro (for 48 months)
  • CNRS DT INSU R sif (for 47 months)
  • Soliton Systems K.K. (for 42 months)
  • Alter Way (for 40 months)
  • Institut Camille Jordan (for 30 months)
  • SOBIS Software GmbH (for 15 months)
  • Tuxera Inc. (for 6 months)

Like each month, have a look at the work funded by Freexian s Debian LTS offering.

Debian LTS contributors In August, 21 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 10.0h (out of 0.0h assigned and 14.0h from previous period), thus carrying over 4.0h to the next month.
• Andrej Shadura did 12.0h (out of 9.0h assigned and 3.0h from previous period).
• Bastien Roucari s did 20.0h (out of 19.75h assigned and 0.25h from previous period).
• Ben Hutchings did 22.75h (out of 16.5h assigned and 6.25h from previous period).
• Carlos Henrique Lima Melara did 10.0h (out of 10.0h assigned).
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 23.25h (out of 23.25h assigned).
• Emilio Pozuelo Monfort did 23.25h (out of 23.25h assigned).
• Guilhem Moulin did 15.0h (out of 15.0h assigned).
• Jochen Sprickerhof did 11.0h (out of 6.0h assigned and 16.75h from previous period), thus carrying over 11.75h to the next month.
• Lee Garrett did 16.25h (out of 0.0h assigned and 16.25h from previous period).
• Lucas Kanashiro did 20.0h (out of 1.25h assigned and 18.75h from previous period).
• Markus Koschany did 5.0h (out of 13.0h assigned and 9.75h from previous period), thus carrying over 17.75h to the next month.
• Paride Legovini did 8.0h (out of 0.0h assigned and 8.0h from previous period).
• Roberto C. S nchez did 7.5h (out of 11.75h assigned and 11.0h from previous period), thus carrying over 15.25h to the next month.
• Santiago Ruano Rinc n did 13.5h (out of 7.25h assigned and 7.75h from previous period), thus carrying over 1.5h to the next month.
• Stefano Rivera did 0.5h (out of 0.0h assigned and 3.0h from previous period), thus carrying over 2.5h to the next month.
• Sylvain Beucler did 10.0h (out of 23.25h assigned), thus carrying over 13.25h to the next month.
• Thorsten Alteholz did 22.75h (out of 22.75h assigned).
• Tobias Frost did 4.0h (out of 0.0h assigned and 12.0h from previous period), thus carrying over 8.0h to the next month.
• Utkarsh Gupta did 16.0h (out of 22.75h assigned), thus carrying over 6.75h to the next month.

Evolution of the situation In August, we released 27 DLAs. The month of August marked the release of Debian 13 (codename trixie ). This is worth noting because it brought with it the return of the customary fast development pace of Debian unstable, which included several contributions from LTS Team members. More on that below. Of the many security updates which were published (and a few non-security updates as well), some notable ones are highlighted here.

• Notable security updates:
  • gnutls28 prepared by Adrian Bunk, fixes several potential denial of service vulnerabilities
  • apache2, prepared by Bastien Roucari s, fixes several vulnerabilities including a potential denial of service and SSL/TLS-related access control
  • mbedtls (original update, regression update) prepared by Andrej Shadura, fixes several potential denial of service and information disclosure vulnerabilities
  • openjdk-17, prepared by Emilio Pozuelo Monfort, fixes several vulnerabilities which could result in denial of service, information disclosure or weakened TLS connections
• Notable non-security updates:
  • distro-info-data, prepared by Stefano Rivera, adds information concerning future Debian and Ubuntu releases
  • ca-certificates-java, prepared by Bastien Roucari s, fixes some bugs which could disrupt future updates

The LTS Team continues to welcome the collaboration of maintainers from across the Debian community. The contributions of maintainers from outside the LTS Team include: postgresql-13 (Christoph Berg), sope (Jordi Mallach), thunderbird (Carsten Schoenert), and iperf3 (Roberto Lumbreras). Finally, LTS Team members also contributed updates of the following packages:

• redis (to stable), prepared by Chris Lamb
• firebird3.0 (to oldstable and stable), prepared by Adrian Bunk
• node-tmp (to oldstable, stable, and unstable), prepared by Adrian Bunk
• openjpeg2 (to oldstable, stable, and unstable), prepared by Adrian Bunk
• apache2 (to oldstable), prepared by Bastien Roucari s
• unbound (to oldstable), prepared by Guilhem Moulin
• luajit (to oldstable), prepared by Guilhem Moulin
• golang-github-gin-contrib-cors (to oldstable and stable), prepared by Thorsten Alteholz
• libcoap3 (to stable), prepared by Thorsten Alteholz
• libcommons-lang-java and libcommons-lang3-java (both to unstable), prepared by Daniel Leidert
• python-flask-cors (to oldstable), prepared by Daniel Leidert

The LTS Team would especially like to thank our many longtime friends and sponsors for their support and collaboration.

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • Toshiba Corporation (for 119 months)
  • Civil Infrastructure Platform (CIP) (for 87 months)
  • VyOS Inc (for 51 months)
• Gold sponsors:
  • F. Hoffmann-La Roche AG (for 129 months)
  • Akamai - Linode (for 123 months)
  • Babiel GmbH (for 113 months)
  • Plat Home (for 112 months)
  • University of Oxford (for 69 months)
  • Deveryware (for 56 months)
  • EDF SA (for 41 months)
  • Dataport A R (for 16 months)
  • CERN (for 14 months)
• Silver sponsors:
  • Domeneshop AS (for 134 months)
  • Nantes M tropole (for 128 months)
  • Univention GmbH (for 120 months)
  • Universit Jean Monnet de St Etienne (for 120 months)
  • Ribbon Communications, Inc. (for 114 months)
  • Exonet B.V. (for 103 months)
  • Leibniz Rechenzentrum (for 98 months)
  • Minist re de l Europe et des Affaires trang res (for 81 months)
  • Cloudways by DigitalOcean (for 71 months)
  • Dinahosting SL (for 69 months)
  • Platform.sh SAS (for 63 months)
  • Moxa Inc. (for 57 months)
  • sipgate GmbH (for 55 months)
  • OVH US LLC (for 53 months)
  • Tilburg University (for 53 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 44 months)
  • THINline s.r.o. (for 17 months)
  • Copenhagen Airports A/S (for 11 months)
• Bronze sponsors:
  • Evolix (for 134 months)
  • Seznam.cz, a.s. (for 134 months)
  • Intevation GmbH (for 131 months)
  • Linuxhotel GmbH (for 131 months)
  • Daevel SARL (for 130 months)
  • Megaspace Internet Services GmbH (for 129 months)
  • Greenbone AG (for 128 months)
  • NUMLOG (for 128 months)
  • WinGo AG (for 127 months)
  • Entr ouvert (for 118 months)
  • Adfinis AG (for 116 months)
  • Tesorion (for 111 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 110 months)
  • Bearstech (for 102 months)
  • LiHAS (for 102 months)
  • Catalyst IT Ltd (for 97 months)
  • Demarcq SAS (for 91 months)
  • Universit Grenoble Alpes (for 77 months)
  • TouchWeb SAS (for 69 months)
  • SPiN AG (for 66 months)
  • CoreFiling (for 62 months)
  • Institut des sciences cognitives Marc Jeannerod (for 57 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 53 months)
  • Tem Innovations GmbH (for 48 months)
  • WordFinder.pro (for 47 months)
  • CNRS DT INSU R sif (for 46 months)
  • Soliton Systems K.K. (for 41 months)
  • Alter Way (for 39 months)
  • Institut Camille Jordan (for 29 months)
  • SOBIS Software GmbH (for 14 months)
  • Tuxera Inc. (for 5 months)

Today marks the 90th day of me joining Canonical to work on Ubuntu full-time! So since it s been a while already, this blog post is long due. :)

The News

I joined Canonical, this February, to work on Ubuntu full-time! \o/
Those who know, they know that this is really very exciting for me because Canonical has been a dream company for me, for real (more about this below!). And hey, this is my first job, ever, so all the more reason to be psyched about, isn t it? ^_^ P.S. Keep reading and we ll meet my squad really sooon!

The Story Being an undergrad student (batch 2017-2021), I ve been slightly worried during my last two semesters, naturally, thinking about how s it all gonna pan out and what will I be doing, et al, because I ve been seeing all my friends and batchmates getting placed in companies or going for masters or at least having some sort of plans for their future and I, on the other hand, was hopelessly clueless. :D Well, to be fair, I did Google Summer of Code twice, in 2019 and 2020, became a Debian Developer in 2019, been a part of GCI and Outreachy, contributed to over dozens of open-source projects, et al, et al. So I wasn t all completely hopeless but for sure was completely clueless , heh. And for full disclosure, I was only slightly panicking because firstly, I did get placed in several companies and secondly, I didn t really need a job immediately since I was already getting paid to work on Debian stuff by Freexian, which was good enough. :)
(and honestly, Freexian has my whole heart! - more on that later sometime.) But that s not the point. I was still confused and worried and my mom & dad, more so than anyone. Ugh. We were all figuring out and she asked me places that I was interested to work in. And whilst I wasn t clear about things I wanted to do (and still am!) but I was (very) clear about this and so I told her about Canonical and also did tell her that it s a bit too ambitious for me to think about it now so I ll probably apply after some experience or something. and as they say, the world works in mysterious ways and well, it did for me! So back during the Ruby sprints (Feb 20), Kanashiro, the guy ( ), mentioned that his team was hiring and has a vacant position but I won t be eligible since I was still in my junior year. It was since then I ve been actively praying for Cronus, the god of time, to wave his magic wand and align it in such a way that the next opening should be somewhere near my graduation. And guess what? IT HAPPENED! 9 months later, in November 20, Kanashiro told me his team is hiring yet again and that I could apply this time! Without much (since there was some ) delay, I applied and started asking all sorts of questions to Kanashiro. No words are enough for him, he literally helped me throughout the process; from referring me to answering all sorts of doubts I had! And roughly after 2 months of interviewing, et al, my ambitious dream did come true and I finalyyyy signed my contract! \o/
(the interview process and what went on during those 10 weeks is a story for later ;))

The Server Team! \o This position, which I didn t mention earlier, was for the Server Team which is a team of 15 people, working to make Ubuntu server the best! And as I tweeted sometime back, the team is absolutely lovely, super kind, and consists of the best of teammates one could possibly ask for! Here s a quick sneak peek into our weekly team meeting. Thanks to Rafael for taking such a lovely picture. And yes, the cat Luna is a part of our squad! And oh, did I mention that we re completely remote and distributed?
FUN FACT: Our team covers all the TZs, that is, at any point of time (during weekdays), you ll find someone or the other from the team around! \o/ Anyway, our squad, managed by Rick is divided into two halves: Squeaky Wheels and Table Flip. Cool names, right?
Squeaky Wheels does the distro side of stuff and consists of Christian, Andreas, Rafael, Robie, Bryce, Sergio, Kanashiro, Athos, and now myself as well! And OTOH, Table Flip consists of Dan, Chad, Paride, Lucas, James, and Grant. Even though I interact w/ Squeaky Wheels more (basically daily), each of my teammates is absolutely lovely and equally awesome! Whilst I ll talk more about things here in the upcoming months, this is it for now! If there s anything, in particular, you d like to know more about, let me know! And lastly, here s us vibing our way through, making Ubuntu server better, cause that s how we roll!

---

Until next time.
:wq for today.

The following contributors got their Debian Developer accounts in the last two months:

• Paride Legovini (paride)
• Ana Custura (acute)
• Felix Lechner (lechner)

The following contributors were added as Debian Maintainers in the last two months:

• Sven Geuer
• H vard Flaget Aasen

Congratulations!