{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreiatksumjkme22kbmrepvsngzqvscrqudfdqn2djortix2eaglwzju",
"uri": "at://did:plc:46ti67tc37qcmwp2vaynk6fq/app.bsky.feed.post/3mkkqrgrefyf2"
},
"path": "/blog/debian-lts-report-2026-03/",
"publishedAt": "2026-04-28T14:02:33.703Z",
"site": "https://www.freexian.com",
"tags": [
"https://www.freexian.com/lts/debian/)",
"Debian LTS",
"24 DLAs",
"Lukas Märdian",
"Emmanuel Arias",
"Debian 12 (“bookworm”)",
"Debian 13 (“trixie”)",
"Debian unstable",
"DLA 4502-1",
"DLA 4515-1",
"DLA 4500-1",
"DLA-4514-1",
"DLA-4516-1",
"DLA 4497-1",
"DLA 4521-1",
"DLA 4498-1",
"DLA 4499-1",
"DLA 4505-1",
"DLA 4512-1",
"DLA 4517-1",
"DLA 4511-1",
"trixie",
"bookworm",
"unstable",
"DSA 6160-1",
"DSA-6189-1",
"DSA-6180-1",
"Andreas Henriksson",
"Arnaud Rebillout",
"Bastien Roucariès",
"Ben Hutchings",
"Carlos Henrique Lima Melara",
"Chris Lamb",
"Daniel Leidert",
"Emilio Pozuelo Monfort",
"Guilhem Moulin",
"Jochen Sprickerhof",
"Lee Garrett",
"Lucas Kanashiro",
"Markus Koschany",
"Santiago Ruano Rincón",
"Sylvain Beucler",
"Thorsten Alteholz",
"Tobias Frost",
"Utkarsh Gupta",
"Toshiba Corporation",
"Civil Infrastructure Platform (CIP)",
"VyOS Inc",
"F. Hoffmann-La Roche AG",
"CONET Deutschland GmbH",
"University of Oxford",
"EDF SA",
"Dataport AöR",
"CERN",
"Domeneshop AS",
"Nantes Métropole",
"Akamai - Linode",
"Univention GmbH",
"Université Jean Monnet de St Etienne",
"Ribbon Communications, Inc.",
"Exonet B.V.",
"Leibniz Rechenzentrum",
"Ministère de l’Europe et des Affaires Étrangères",
"Dinahosting SL",
"Upsun Formerly Platform.sh",
"Moxa Inc.",
"Deveryware",
"sipgate GmbH",
"OVH US LLC",
"Tilburg University",
"GSI Helmholtzzentrum für Schwerionenforschung GmbH",
"THINline s.r.o.",
"Copenhagen Airports A/S",
"Conseil Départemental de l’Isère",
"Seznam.cz, a.s.",
"Evolix",
"Linuxhotel GmbH",
"Intevation GmbH",
"Daevel SARL",
"Megaspace Internet Services GmbH",
"Greenbone AG",
"NUMLOG",
"WinGo AG",
"Entr’ouvert",
"Adfinis AG",
"Plat’Home",
"Laboratoire LEGI - UMR 5519 / CNRS",
"Tesorion",
"Bearstech",
"LiHAS",
"Catalyst IT Ltd",
"Demarcq SAS",
"Université Grenoble Alpes",
"TouchWeb SAS",
"SPiN AG",
"CoreFiling",
"Observatoire des Sciences de l’Univers de Grenoble",
"Tem Innovations GmbH",
"WordFinder.pro",
"CNRS DT INSU Résif",
"Soliton Systems K.K.",
"Alter Way",
"SOBIS Software GmbH",
"Tuxera Inc.",
"OPM-OP AS"
],
"textContent": "The Debian LTS Team, funded by [Freexian’s Debian LTS offering] (https://www.freexian.com/lts/debian/), is pleased to report its activities for March.\n\n### Activity summary\n\nDuring the month of March, 20 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).\n\nThe team released 24 DLAs fixing 250 CVEs.\n\nWe also welcomed two new members: Lukas Märdian and Emmanuel Arias to the team, who actually started to contribute to the LTS project several months ago.\n\nThe team continued preparing security updates in its usual rhythm. Beyond the\nupdates targeting Debian 11 (“bullseye”), which is the current release under LTS,\nthe team also proposed updates for more recent releases (Debian 12 (“bookworm”)\nand Debian 13 (“trixie”)), including Debian unstable. We highlight several notable security updates here below.\n\n * ansible (DLA 4502-1), prepared by Lee Garret in collaboration with Jochen, fixing a vulnerability that allows attackers to bypass unsafe content protections\n * asterisk (DLA 4515-1), prepared by Lukas Märdian, fixing four CVEs that include possible privilege escalations.\n * gimp (DLA 4500-1), prepared by Thorsen, fixing four CVEs related to denial of service or execution of arbitrary code.\n * gst-plugins-base1.0 and gst-plugins-ugly1.0 (DLA-4514-1, DLA-4516-1, respectively), both prepared by Utkarsh, addressing vulnerabilities that may yield to arbitrary code execution.\n * imagemagick, released by Bastien Roucariès (DLA 4497-1) fixing multiple vulnerabilities that could lead to information leaks, bypass of security policies, denial of service or arbitrary code execution.\n * libpng1.6 (DLA 4521-1), prepared by Tobias Frost, fixing an arbitrary code execution vulnerability\n * linux: Ben Hutching released DLA 4498-1 and DLA 4499-1 for linux 5.10 and linux 6.1, respectively. Those updates especially address the “CrackArmor” flaw.\n * ruby-rack (DLA 4505-1), prepared by Utkarsh Gupta , addressing two vulnerabilities\n * strongswan (DLA 4512-1), prepared by Thorsten Alteholz, fixing a Denial of Service vulnerability\n * roundcube (DLA 4517-1) prepared by Guilhem Moulin, who discovered that one of the fixes provided by upstream was incomplete.\n\n\n\nContributions from outside the LTS Team:\n\nAs usual, the thunderbird update, released as DLA 4511-1, was prepared by its maintainer Christoph Goehre. Thanks a lot for his continuous contributions.\n\nThe LTS Team has also contributed with updates to the latest Debian releases:\n\nAndreas Henriksson completed the uploads of glib2.0 for both trixie and bookworm\nArnaud Rebillout: python-cryptography for trixie\nArnaud and Bastien worked together to prepare a ca-certificates-java release for unstable\nBastien completed the upload of gpsd for trixie that was proposed in January.\nBastien uploaded a regression update of apache2 for trixie\nBastien prepared a zabbix point update for trixie\nBastien in collaboration with Markus released netty updates for trixie and bookworm DSA 6160-1\nDaniel Leidert proposed python-tornado releases for both trixie and bookworm.\nDaniel also prepared a python-authlib update for trixie\nGuilhem prepared a mapserver update for bookworm.\nLucas Kanashiro proposed merge requests to fix three CVEs in erlang for both trixie and bookworm\nSylvain Beucler continued the work to replace p7zip with 7zip in the different supported releases, and proposed a point update for bookworm\nTobias prepared trixie and bookworm security updates, released as DSA-6189-1\nUtkarsh prepared trixie and bookworm security update for ruby-rack, released as DSA-6180-1\n\n### Individual Debian LTS contributor reports\n\n * Andreas Henriksson\n * Andrej Shadura\n * Arnaud Rebillout\n * Bastien Roucariès\n * Ben Hutchings\n * Carlos Henrique Lima Melara\n * Chris Lamb\n * Daniel Leidert\n * Emilio Pozuelo Monfort\n * Guilhem Moulin\n * Jochen Sprickerhof\n * Lee Garrett\n * Lucas Kanashiro\n * Lukas Märdian\n * Markus Koschany\n * Santiago Ruano Rincón\n * Sylvain Beucler\n * Thorsten Alteholz\n * Tobias Frost\n * Utkarsh Gupta\n\n\n\n### Thanks to our sponsors\n\nSponsors that joined recently are in bold.\n\n * Platinum sponsors:\n * Toshiba Corporation (for 126 months)\n * Civil Infrastructure Platform (CIP) (for 94 months)\n * VyOS Inc (for 59 months)\n * Gold sponsors:\n * F. Hoffmann-La Roche AG (for 137 months)\n * CONET Deutschland GmbH (for 120 months)\n * University of Oxford (for 77 months)\n * EDF SA (for 48 months)\n * Dataport AöR (for 23 months)\n * CERN (for 21 months)\n * Silver sponsors:\n * Domeneshop AS (for 141 months)\n * Nantes Métropole (for 135 months)\n * Akamai - Linode (for 131 months)\n * Univention GmbH (for 127 months)\n * Université Jean Monnet de St Etienne (for 127 months)\n * Ribbon Communications, Inc. (for 121 months)\n * Exonet B.V. (for 111 months)\n * Leibniz Rechenzentrum (for 105 months)\n * Ministère de l’Europe et des Affaires Étrangères (for 89 months)\n * Dinahosting SL (for 76 months)\n * Upsun Formerly Platform.sh (for 71 months)\n * Moxa Inc. (for 65 months)\n * Deveryware (for 64 months)\n * sipgate GmbH (for 62 months)\n * OVH US LLC (for 60 months)\n * Tilburg University (for 60 months)\n * GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 52 months)\n * THINline s.r.o. (for 24 months)\n * Copenhagen Airports A/S (for 18 months)\n * Conseil Départemental de l’Isère (for 4 months)\n * Bronze sponsors:\n * Seznam.cz, a.s. (for 142 months)\n * Evolix (for 141 months)\n * Linuxhotel GmbH (for 139 months)\n * Intevation GmbH (for 138 months)\n * Daevel SARL (for 137 months)\n * Megaspace Internet Services GmbH (for 136 months)\n * Greenbone AG (for 135 months)\n * NUMLOG (for 135 months)\n * WinGo AG (for 134 months)\n * Entr’ouvert (for 126 months)\n * Adfinis AG (for 123 months)\n * Plat’Home (for 120 months)\n * Laboratoire LEGI - UMR 5519 / CNRS (for 118 months)\n * Tesorion (for 118 months)\n * Bearstech (for 110 months)\n * LiHAS (for 110 months)\n * Catalyst IT Ltd (for 104 months)\n * Demarcq SAS (for 98 months)\n * Université Grenoble Alpes (for 84 months)\n * TouchWeb SAS (for 76 months)\n * SPiN AG (for 73 months)\n * CoreFiling (for 69 months)\n * Observatoire des Sciences de l’Univers de Grenoble (for 61 months)\n * Tem Innovations GmbH (for 55 months)\n * WordFinder.pro (for 55 months)\n * CNRS DT INSU Résif (for 54 months)\n * Soliton Systems K.K. (for 49 months)\n * Alter Way (for 47 months)\n * SOBIS Software GmbH (for 21 months)\n * Tuxera Inc. (for 13 months)\n * OPM-OP AS (for 4 months)\n\n",
"title": "Freexian Collaborators: Monthly report about Debian Long Term Support, March 2026 (by Santiago Ruano Rincón)",
"updatedAt": "2026-04-24T00:00:00.000Z"
}