Free software activities in August 2025

Here is my monthly update covering what I have been doing in the free software world during August 2025 (previous month).

Reproducible Builds

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation processes by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month, I:

• Kept isdebianreproducibleyet.com up to date. [...]

• Submitted a number of patches to fix specific reproducibility issues such as, for example, this one in neon27.

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• Drafted, published and publicised our monthly report for July 2025.

• Updated the main Reproducible Builds website and documentation, writing and publishing a news entry for the upcoming summit […] and to add some assets used at FOSSY, such as the badges and the paper handouts. […].

Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions, 303, 304 and 305 to Debian:

• Improvements:

  • Use sed(1) backreferences when generating debian/tests/control to avoid duplicating ourselves. […]
  • Move from a mono-utils dependency to versioned mono-devel | mono-utils dependency, taking care to maintain the [!riscv64] architecture restriction. […]
  • Use sed over awk to avoid mangling dependency lines containing = (equals) symbols such as version restrictions. […]

• Bug fixes:

  • Fix a test after the upload of systemd-ukify version 258~rc3. […]
  • Ensure that Java class files are named .class on the filesystem before passing them to javap(1). […]
  • Do not run jsondiff on files over 100KiB as the algorithm runs in O(n^2) time. […]
  • Don't check for PyPDF version 3 specifically; check for >= 3. […]

• Misc:

  • Update copyright years. […][…]

Debian

• bfs (4.1-1) — New upstream version.

• docbook-to-man (2.0.0-49) — Fix an issue when building with --shuffle=reverse. (#1105271)

• memcached (1.6.39-1) — New upstream verison.

• python-django (5.2.5-1) — New upstream version.

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged: apache2 (CVE-2024-42516, CVE-2024-43204, CVE-2024-47252, CVE-2025-23048, CVE-2025-49630, CVE-2025-49812 & CVE-2025-53020), lemonldap-ng (CVE-2024-52948), libcatalyst-authentication-credential-http-perl (CVE-2025-40920), mupdf, netty (CVE-2025-55163) & tcpreplay (CVE-2025-9019)

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• I also released an update for Redis in Debian bookworm on behalf of the Debian security team, addressing CVE-2025-48367, CVE-2025-32023 and CVE-2025-48367.

• Although the underlying update was prepared by Christoph Berg, I issued DLA 4273-1 addressing three issues that were discovered in the PostgreSQL database management system.

• Issued DLA 4278-1 as it was discovered that there was a potential use-after-free vulnerability in mupdf, a lightweight PDF viewer. This could have allowed remote attackers to cause a denial of service attack when opening a maliciously crafted PDF file.

• Issued DLA 4260-1 because Stefan Buehler discovered a flaw in sope, an Objective-C framework. This vulnerability could have resulted in a denial-of-service attack that was exploitable through a specially crafted POST request. Special thanks to the Debian sope maintainer for their assistance. (CVE-2025-53603)

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.