During the month of February 2026 and on behalf of Freexian, I worked on the following:

containerd
----------

Uploaded 1.4.13~ds1-1~deb11u6 and issued DLA-4467-1:
<https://lists.debian.org/debian-lts-announce/2026/02/msg00006.html>

* CVE-2024-25621: Overly broad default permission vulnerability.
* CVE-2025-64329: Bug in the CRI Attach implementation.

I also reached out to the Debian Release team in order to upload those fixes in Debian oldstable (bookworm); I'm still waiting for feedback.

glib2.0
-------

A number of low severity issues were found in glib. Andreas Henriksson took care of those for Debian stable, oldstable and LTS (bullseye). As part of my onboarding, I reached out to Andreas and asked if I could handle the ELTS uploads (buster, stretch), to which he agreed.

Backporting the patches was trivial, thus I uploaded the following versions, and published the following ELA:

- <https://www.freexian.com/lts/extended/updates/ela-1652-1-glib2.0/>
- stretch: 2.50.3-2+deb9u9
- buster: 2.58.3-2+deb10u10

runc
----

I tried to move forward the discussion regarding the runc package.

There is an ongoing discussion about how to address the latest batch of CVEs that were reported for runc, at <https://bugs.debian.org/1120140>. Backporting the patches doesn't seem to be a realistic option. More generally, the discussion is about how to provide support for this package in Debian stable and older releases.

The maintainer of the runc package did a first assessment and proposed different options for Debian. I tried one of the approaches: to build new versions of runc against older Debian releases. My conclusion is that if we go this way, we shouldn't try to use the Build-Depends from the Debian archive, but we should use the vendor tree from src:runc instead. That could go in a different source package, and this is the approach followed by Ubuntu.

ca-certificates
---------------

Backporting ca-certificates to older Debian releases (ELTS) proved challenging, and also includes updates in other related packages: ca-certificates-java and gcc-6 (for stretch).

I worked with Bastien Roucaries on this topic, tested a bunch of scenarios, and uncovered new issues in the process. We're still working on that.

Thanks
------

Thanks to our sponsors for making this possible, and to Freexian for handling the offering: <https://www.freexian.com/lts/debian/#sponsors>.

--
Arnaud
