Here is my monthly update covering what I have been doing in the free software world during August 2025 (previous month).
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation processes by ensuring that identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised.
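As an added illustration of that consensus idea (example code, not part of the original post or of any Reproducible Builds tool): several independent builders each build the same source, their artifacts are hashed, and the build counts as reproducible only when enough builders agree and none dissents. The builder names, the quorum of two and the artifact bytes are all constructed for this example; the dissenting builder embeds a build timestamp, a common cause of irreproducibility.

```python
"""Added example (not part of the original post): a minimal consensus check of
the kind the Reproducible Builds effort relies on. Several independent
builders produce an artifact from the same source; if every artifact hashes
identically the build is accepted, otherwise the dissenting builders are
reported so the difference can be investigated (e.g. with diffoscope).
All artifact bytes below are constructed inline for illustration."""
import hashlib
from collections import Counter


def sha256_hex(data: bytes) -> str:
    """Digest used to compare artifacts; any collision-resistant hash works."""
    return hashlib.sha256(data).hexdigest()


def consensus(builds: dict, quorum: int = 2) -> dict:
    """Return the majority digest, the builders agreeing with it and the
    dissenters. A build is 'reproducible' only when at least `quorum`
    independent builders agree AND nobody disagrees."""
    digests = {name: sha256_hex(blob) for name, blob in builds.items()}
    counts = Counter(digests.values())
    majority_digest, majority_count = counts.most_common(1)[0]
    agree = sorted(n for n, d in digests.items() if d == majority_digest)
    dissent = sorted(n for n, d in digests.items() if d != majority_digest)
    return {
        "digest": majority_digest,
        "agree": agree,
        "dissent": dissent,
        "reproducible": majority_count >= quorum and not dissent,
    }


# Constructed sample: three hypothetical builders; "builder-c" embeds a build
# timestamp, a classic source of non-reproducibility.
GOOD = b"\x7fELF...payload...\n"
BUILDS = {
    "builder-a": GOOD,
    "builder-b": GOOD,
    "builder-c": GOOD + b"BUILD_DATE=2025-08-31T12:00:00Z\n",
}

if __name__ == "__main__":
    result = consensus(BUILDS)
    status = "REPRODUCIBLE" if result["reproducible"] else "NOT reproducible"
    print(f"{status}: {len(result['agree'])} agree, dissent={result['dissent']}")
```

A single builder never yields a "reproducible" verdict here, because one party agreeing with itself gives nobody else anything to verify; that is the point of requiring a quorum of independent builds.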
This month, I:
- Kept isdebianreproducibleyet.com up to date. [...]
- Submitted a number of patches to fix specific reproducibility issues such as, for example, this one in neon27.
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Drafted, published and publicised our monthly report for July 2025.
- Updated the main Reproducible Builds website and documentation, writing and publishing a news entry for the upcoming summit […] and adding some assets used at FOSSY, such as the badges and the paper handouts. […]
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 303, 304 and 305 to Debian:
- Improvements:
  - Use sed(1) backreferences when generating debian/tests/control to avoid duplicating ourselves. […]
  - Move from a mono-utils dependency to a versioned mono-devel | mono-utils dependency, taking care to maintain the [!riscv64] architecture restriction. […]
  - Use sed over awk to avoid mangling dependency lines containing = (equals) symbols such as version restrictions. […]
Bug fixes:
- Fix a test after the upload of
systemd-ukify
version258~rc3
. […] - Ensure that Java class files are named
.class
on the filesystem before passing them tojavap(1)
. […] - Do not run
jsondiff
on files over 100KiB as the algorithm runs in O(n^2) time. […] - Don't check for PyPDF version 3 specifically; check for
>=
3. […]
- Fix a test after the upload of
-
Misc:
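To show why the 100KiB guard on jsondiff matters, here is an added example that is not diffoscope's own code: a deliberately naive structural JSON diff whose list comparison is quadratic, wrapped in a comparator that refuses to run it above a byte limit and falls back to a linear unified line diff instead. The `structural_diff` and `compare_json` names, the sample documents and the size threshold (set to the same 100 KiB as the changelog entry) are all assumptions made for this example.

```python
"""Added example (not part of diffoscope): a size gate in front of an
expensive structural JSON diff. `structural_diff` searches for every list
element on the other side, which is O(len(a) * len(b)); `compare_json` only
runs it below a byte limit and otherwise uses difflib's linear line diff.
The limit and the sample documents are constructed for this example."""
import difflib
import json

MAX_STRUCTURAL_BYTES = 100 * 1024  # 100 KiB, the threshold in the changelog entry


def structural_diff(a, b, path="$"):
    """Naive recursive diff returning human-readable difference paths.
    Lists are compared as unordered sets of values (duplicates are ignored),
    which is simple but quadratic in the list lengths."""
    out = []
    if isinstance(a, dict) and isinstance(b, dict):
        for k in sorted(set(a) | set(b)):
            if k not in a:
                out.append(f"{path}.{k}: added")
            elif k not in b:
                out.append(f"{path}.{k}: removed")
            else:
                out.extend(structural_diff(a[k], b[k], f"{path}.{k}"))
    elif isinstance(a, list) and isinstance(b, list):
        # Each `in` test scans the whole other list: O(n^2) overall.
        for i, x in enumerate(a):
            if x not in b:
                out.append(f"{path}[{i}]: removed {x!r}")
        for i, y in enumerate(b):
            if y not in a:
                out.append(f"{path}[{i}]: added {y!r}")
    elif a != b:
        out.append(f"{path}: {a!r} -> {b!r}")
    return out


def compare_json(left: bytes, right: bytes, limit: int = MAX_STRUCTURAL_BYTES) -> dict:
    """Structural diff for small inputs; a cheap line diff for large ones."""
    if left == right:
        return {"method": "identical", "diff": []}
    if max(len(left), len(right)) > limit:
        # Linear-time fallback: compare as text lines, no structural parsing.
        lines = difflib.unified_diff(
            left.decode("utf-8", "replace").splitlines(),
            right.decode("utf-8", "replace").splitlines(),
            "left", "right", lineterm="", n=0)
        return {"method": "unified", "diff": list(lines)}
    return {"method": "structural",
            "diff": structural_diff(json.loads(left), json.loads(right))}


# Constructed sample inputs: a small pair that gets the structural diff and a
# large pair (well over 100 KiB) that must take the linear fallback.
SMALL_A = json.dumps({"name": "pkg", "deps": ["a", "b"], "ver": 1}).encode()
SMALL_B = json.dumps({"name": "pkg", "deps": ["a", "c"], "ver": 2}).encode()
BIG_A = json.dumps({"items": list(range(30000))}).encode()
BIG_B = json.dumps({"items": list(range(30000)) + [-1]}).encode()

if __name__ == "__main__":
    for name, (x, y) in {"small": (SMALL_A, SMALL_B), "big": (BIG_A, BIG_B)}.items():
        r = compare_json(x, y)
        print(name, r["method"], len(r["diff"]), "difference lines")
```

Without the gate, the 30000-element lists above would cost on the order of 9e8 element comparisons; with it, the large pair is handled as two text lines in negligible time, at the cost of a less precise diff, which is the trade-off the changelog entry makes.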
Debian
- bfs (4.1-1) — New upstream version.
- docbook-to-man (2.0.0-49) — Fix an issue when building with --shuffle=reverse. (#1105271)
- memcached (1.6.39-1) — New upstream version.
- python-django (5.2.5-1) — New upstream version.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged: apache2 (CVE-2024-42516, CVE-2024-43204, CVE-2024-47252, CVE-2025-23048, CVE-2025-49630, CVE-2025-49812 & CVE-2025-53020), lemonldap-ng (CVE-2024-52948), libcatalyst-authentication-credential-http-perl (CVE-2025-40920), mupdf, netty (CVE-2025-55163) & tcpreplay (CVE-2025-9019).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- I also released an update for Redis in Debian bookworm on behalf of the Debian security team, addressing CVE-2025-48367, CVE-2025-32023 and CVE-2025-48367.
- Although the underlying update was prepared by Christoph Berg, I issued DLA 4273-1 addressing three issues that were discovered in the PostgreSQL database management system.
- Issued DLA 4278-1 as it was discovered that there was a potential use-after-free vulnerability in mupdf, a lightweight PDF viewer. This could have allowed remote attackers to cause a denial of service when opening a maliciously crafted PDF file.
- Issued DLA 4260-1 because Stefan Buehler discovered a flaw in sope, an Objective-C framework. This vulnerability could have resulted in a denial-of-service attack that was exploitable through a specially crafted POST request. Special thanks to the Debian sope maintainer for their assistance. (CVE-2025-53603)
You can find out more about the Debian LTS project via the following video: