Freexian Collaborators: Monthly report about Debian Long Term Support, May 2026 (by Santiago Ruano Rincón)
The Debian LTS Team, funded by Freexian’s Debian LTS offering, is pleased to report its activities for May.
Activity summary
During the month of May, 21 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).
The team released 56 DLAs fixing 877 CVEs.
May was a much busier month than usual, especially due to the disclosed vulnerabilities in linux regarding Local Privilege Escalation (LPE), which included public proof-of-concept (PoC) exploits. These reports of course impacted Debian as a whole, and the situation warrants a special mention of the Kernel Team, especially Ben Hutchings and Salvatore Bonaccorso, who kept up with the pace and released linux packages on a weekly basis. On the LTS side, the Front Desk team also triaged a significant flow of high severity CVEs.
It is also important to note that Debian 12 (“bookworm”) will be handed over to the LTS Team on June 11th. If you benefit from Debian, especially during the full 5-year lifecycle, please consider subscribing as a sponsor of Debian LTS: https://www.freexian.com/lts/debian/.
Moreover, Debian 11 (“bullseye”) will reach the end of the Debian LTS period on August 31st. After that, Freexian will continue the security support under the Extended LTS offer.
The team published several notable updates:
- As mentioned above, several exploitable LPE vulnerabilities in linux were published during May. Ben released the following DLAs for the Debian LTS versions:
  - DLA 4560-1 for linux (5.10)
  - DLA 4561-1 for linux-6.1
  - DLA 4572-1 for linux (5.10)
  - DLA 4574-1 for linux-6.1
  - DLA 4587-1 for linux (5.10)
  - DLA 4588-1 for linux-6.1
  - DLA 4606-1 for linux (5.10)
  - DLA 4607-1 for linux-6.1
- exim update (DLA-4580-1), prepared by Thorsten, to address a vulnerability that may result in remote code execution.
- gnutls28 update (DLA-4595-1) by Guilhem Moulin, fixing several vulnerabilities that may result in arbitrary code execution, information leaks or authentication bypass, among other impacts.
- krb5 update released as DLA-4603-1, fixing two vulnerabilities that may lead to a denial of service. Update prepared by Emmanuel Arias.
- lemonldap-ng (DLA-4602-1), released by Abhijith PA, fixing multiple vulnerabilities.
- Two imagemagick updates (DLA-4559-1 and DLA-4609-1), prepared by Bastien Roucariès, fixing several vulnerabilities.
- openjdk-11 and openjdk-17 updates (DLA-4566-1 and DLA-4565-1), both prepared by Emilio, to fix seven vulnerabilities.
- php7.4 update (DLA-4586-1) to fix six vulnerabilities that could result in remote code execution, information disclosure or denial of service. Update prepared by Guilhem Moulin.
- python3.9 update (DLA-4583-1), prepared by Arnaud Rebillout, addressing multiple vulnerabilities.
Contributions from outside the LTS Team:
We are greatly thankful for the contributions from people outside the LTS Team:
- Colin Watson prepared an OpenSSH update, which was released by Santiago as DLA-4584-1.
- Thomas Goirand handled a keystone update, whose advisory was done by Santiago and released as DLA-4611-1.
- Christopher Obbard kindly prepared a sentry-python update, released as DLA-4612-1.
- Christoph Goehre made two thunderbird updates (DLA-4562-1 and DLA-4582-1). As is customary, Emilio released the advisories.
The LTS Team has also contributed updates to the latest Debian releases:
- Andreas proposed a firewalld update for bookworm to fix a local issue that may result in a bypass of control rules.
- Andreas proposed atril updates for trixie and bookworm.
- Arnaud did a python3.11 upload for bookworm.
- Arnaud proposed libarchive updates for trixie and bookworm.
- Arnaud completed the systemd update for bookworm.
- Bastien completed the uploads of gpsd for bookworm. He also did an upload of apache2 for bookworm.
- Emmanuel uploaded updates of libexif for trixie and bookworm.
- Jochen Sprickerhof prepared a pyjwt update for trixie and bookworm, released as DSA-6259-1.
- Lukas Märdian prepared trixie and bookworm updates for nghttp2, released as DSA-6266-1.
- Markus prepared updates of tomcat11 and tomcat10, released as DSA-6329-1 (for trixie) and DSA-6328-1 (for trixie and bookworm), respectively.
- Continuing the work to replace the unmaintained p7zip fork with 7zip, Sylvain prepared trixie and bookworm updates of 7zip.
- Thorsten completed the uploads of zvbi, taglib and libuev to bookworm and did an upload of libcoap3 for trixie.
- Tobi prepared libpng1.6 updates for trixie and bookworm, released as DSA-6263-1.
Moreover, thanks to our partnership with Catalyst, it has been possible to extend the support for Samba 4.17, the version shipped with Debian 12. In May, several vulnerabilities were disclosed, and their patches were prepared by Catalyst. For Debian 12, the update was prepared by the Samba maintainer and released as DSA-6297-1.
Individual Debian LTS contributor reports
- Abhijith PA
- Andreas Henriksson
- Andrej Shadura
- Arnaud Rebillout
- Bastien Roucariès
- Ben Hutchings
- Carlos Henrique Lima Melara
- Chris Lamb
- Daniel Leidert
- Emmanuel Arias
- Emilio Pozuelo Monfort
- Guilhem Moulin
- Jochen Sprickerhof
- Lee Garrett
- Lucas Kanashiro
- Lukas Märdian
- Markus Koschany
- Santiago Ruano Rincón
- Sylvain Beucler
- Thorsten Alteholz
- Tobias Frost
Thanks to our sponsors
Sponsors that joined recently are in bold.
- Platinum sponsors:
  - Toshiba Corporation (for 128 months)
  - Civil Infrastructure Platform (CIP) (for 96 months)
  - VyOS Inc (for 61 months)
- Gold sponsors:
  - F. Hoffmann-La Roche AG (for 139 months)
  - CONET Deutschland GmbH (for 122 months)
  - University of Oxford (for 78 months)
  - EDF SA (for 50 months)
  - Dataport AöR (for 25 months)
  - CERN (for 23 months)
- Silver sponsors:
  - Domeneshop AS (for 143 months)
  - Nantes Métropole (for 137 months)
  - Akamai - Linode (for 133 months)
  - Univention GmbH (for 129 months)
  - Université Jean Monnet de St Etienne (for 129 months)
  - Ribbon Communications, Inc. (for 123 months)
  - Exonet B.V. (for 113 months)
  - Leibniz Rechenzentrum (for 107 months)
  - Ministère de l’Europe et des Affaires Étrangères (for 91 months)
  - Dinahosting SL (for 78 months)
  - Upsun Formerly Platform.sh (for 72 months)
  - Moxa Inc. (for 66 months)
  - sipgate GmbH (for 64 months)
  - OVH US LLC (for 62 months)
  - Tilburg University (for 62 months)
  - GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 53 months)
  - THINline s.r.o. (for 26 months)
  - Copenhagen Airports A/S (for 20 months)
  - Conseil Départemental de l’Isère (for 6 months)
- Bronze sponsors:
  - Seznam.cz, a.s. (for 144 months)
  - Evolix (for 143 months)
  - Linuxhotel GmbH (for 141 months)
  - Intevation GmbH (for 140 months)
  - Daevel SARL (for 139 months)
  - Megaspace Internet Services GmbH (for 138 months)
  - Greenbone AG (for 137 months)
  - NUMLOG (for 137 months)
  - WinGo AG (for 136 months)
  - Entr’ouvert (for 128 months)
  - Adfinis AG (for 125 months)
  - Plat’Home (for 122 months)
  - Laboratoire LEGI - UMR 5519 / CNRS (for 120 months)
  - Tesorion (for 120 months)
  - Bearstech (for 111 months)
  - LiHAS (for 111 months)
  - Catalyst IT Ltd (for 106 months)
  - Demarcq SAS (for 100 months)
  - Université Grenoble Alpes (for 86 months)
  - TouchWeb SAS (for 78 months)
  - SPiN AG (for 75 months)
  - CoreFiling (for 71 months)
  - Observatoire des Sciences de l’Univers de Grenoble (for 62 months)
  - Tem Innovations GmbH (for 57 months)
  - WordFinder.pro (for 57 months)
  - CNRS DT INSU Résif (for 56 months)
  - Soliton Systems K.K. (for 51 months)
  - Alter Way (for 48 months)
  - SOBIS Software GmbH (for 23 months)
  - Tuxera Inc. (for 15 months)
  - OPM-OP AS (for 6 months)