Thorsten Alteholz: My Debian Activities in April 2026

Debian LTS/ELTS

This was my hundred-forty-second month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded or worked on:

• [DLA 4530-1] gst-plugins-bad1.0 security update to fix two CVEs related to denial of service or execution of arbitrary code if a malformed media file is opened.
• [DLA 4544-1] ntfs-3g to fix one CVE related to local root privilege escalation.
• [DLA 4545-1] packagekit security update to fix one CVE related to local privilege escalation.
• [DLA 4547-1] gimp security update to fix three CVEs related to denial of service or execution of arbitrary code if a malformed PSP, JPEG 2000 or PSD file is opened.
• [ELA-1682-1] gst-plugins-bad1.0 security update to fix two CVEs in Buster and Stretch related to denial of service or execution of arbitrary code.
• [ELA-1689-1] ntfs-3g security update to fix one CVE in Buster and Stretch related to local root privilege escalation..
• [ELA-1693-1] pakagekit security update to fix one CVE in Buster and Stretch related to local privilege escalation.
• [#1126167] bookworm-pu upload of zvbi
• [#1126273] bookworm-pu upload of taglib
• [#1126370] bookworm-pu upload of libuev
• [libcoap3] upload to sid to fix two CVEs related to out-of-bounds read and stacked based buffer overflow.
• [#1134340] trixie-pu bug for libcoap3 to fix two CVEs in Trixie.
• [cups] upload to sid to fix six CVEs.

I also did a week of front desk duties and started to work on backports of the cups CVEs.

Debian Printing

This month I uploaded a new upstream versions:

• … foo2zjs to unstable.
• … cups to unstable.

Unfortunately the first upload of cups introduces a regression and another upload was needed to take care of a crash. The patch for one CVE also broke a test script, which is used by lots of printing packages in Debian. As a result some autopkgtest runs failed. This could be fixed as well and the only remaining issue that needs some more investigation is related to cups-pdf.

This work is generously funded by Freexian!

Debian Lomiri

This month I continued to work on unifying packaging on Debian and Ubuntu. This makes it easier to work on those packages independent of the used platform.

I also started working on two new packages: lomiri-radio-app and lomiri-fretboardtrainer-app

This work is generously funded by Fre(i)e Software GmbH!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

• … indi-apogee to experimental.
• … indi-nexdome to experimental.
• … libahp-xc to unstable.

Debian IoT

This month I uploaded a new upstream version or a bugfix version of:

• … libcoap3 to unstable.

Marcos Talau joined the Debian IoT group, welcome aboard.

Debian Mobcom

This month I uploaded a new upstream version or a bugfix version of:

• … osmo-iuh to unstable.

misc

This month I uploaded a new upstream version or a bugfix version of:

• … bottlerocket to unstable.
• … cd5 to unstable.
• … usb-modeswitch-data to unstable.
• … libpicohttpparser to unstable (sponsored upload for Joachim Zobel.