Free software activities in January 2026

Here is my monthly update covering what I have been doing in the free software world during January 2026 (previous month):

Reproducible Builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

This month, I:

• Identified that the GNU D compiler handles SOURCE_DATE_EPOCH differently from GCC with respect to timezones. I filed this bug in Debian as #1126512 with a prototype patch, and it was then forwarded upstream and fixed by Iain Buclaw.

• Kept isdebianreproducibleyet.com up to date. [...]

• Used the reproducibility testing framework to spot that metpy does not ship some files if tests are skipped. (#1126091)

• I submitted 8 patches to fix specific reproducibility issues in grabix, hovercraft, libimage-librsvg-perl, lomiri-location-service, seer, sqlalchemy-i18n, tea-cli & xarray-safe-rcm.

• I also submitted a patch to fix a reproducibility-related toolchain issue within Python's argparse-manpage. (#1126092)

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• Drafted, published and publicised our monthly report for December 2025.

diffoscope

Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 310 and 311 to Debian:

• Fix test compatibility with u-boot-tools version 2026-01. [...]
• Drop the implied Rules-Requires-Root: no entry in debian/control. [...]
• Bump Standards-Version to 4.7.3. [...]
• Reference the Debian ocaml package instead of ocaml-nox. (#1125094)
• Apply a patch by Jelle van der Waa to adjust a test fixture match new lines. [...]
• Also the drop implied Priority: optional from debian/control. [...]

Debian

• redis (8.4.0-1) — New upstream release.

• python-django (6.0.1-1) — New upstream bugfix release.

Debian LTS

This month I have worked 30 hours on Debian Long Term Support (LTS) and on its sister Extended LTS (ELTS) project.

• Investigated and triaged curl (CVE-2025-14524), guix (CVE-2025-46415, CVE-2025-46416, CVE-2025-52991, CVE-2025-52992, CVE-2025-52993 & CVE-2025-59378), libtasn1-6 (CVE-2025-13151), lmdb (CVE-2026-22185), python-aiohttp(CVE-2025-69223, CVE-2025-69224, CVE-2025-69225, CVE-2025-69226, CVE-2025-69227, CVE-2025-69228, CVE-2025-69229 & CVE-2025-69230), python-django (CVE-2024-41990, CVE-2024-38875, etc.) and python-urllib3 (CVE-2026-21441).

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Issued DLA 4374-2 for pdfminer. It was previously discovered that there was a potential arbitrary code execution in pdfminer, a tool for extracting information from PDF documents. A malicious, zipped pickle file might have contained code that might have been executed when the PDF was processed. Although a fix for this was released in pdfminer (via DLA 4374-1), upstream subsequently determined that this mitigation was insufficient and a more comprehensive mitigation that replaces the pickle-based mechanism entirely was applied and released instead.

• Issued DLA 4458-1 because multiple vulnerabilities were discovered in Django, the Python-based web development framework. This addressed the following CVEs:

  • CVE-2024-39614: Fix a potential denial-of-service in django.utils.translation.get_supported_language_variant. This method was subject to a potential DoS attack when used with very long strings containing specific characters. To mitigate this vulnerability, the language code provided to get_supported_language_variant is now parsed up to a maximum length of 500 characters.

  • CVE-2024-45231: Potential user email enumeration via response status on password reset. Due to unhandled email sending failures, the django.contrib.auth.forms.PasswordResetForm class allowed remote attackers to enumerate user emails by issuing password reset requests and observing the outcomes. To mitigate this risk, exceptions occurring during password reset email sending are now handled and logged using the django.contrib.auth logger.

  • CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list(). QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.

  • CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize and AdminURLFieldWidget. The |urlize and |urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

  • CVE-2024-39329: Avoid a username enumeration vulnerability through timing difference for users with unusable password. The authenticate method of django.contrib.auth.backends.ModelBackend method allowed remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords.

  • CVE-2024-41989: Memory exhaustion in django.utils.numberformat. The |floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.

  • CVE-2024-39330: Address a potential directory-traversal in django.core.files.storage.Storage.save. Derived classes of this method's base class which override generate_filename without replicating the file path validations existing in the parent class allowed for potential directory-traversal via certain inputs when calling save().

  In addition, the fix for CVE-2025-6069 in the python3.9 source package (released as part of a suite of updates in DLA 4445-1) that modified the html.parser.HTMLParser class in such a way that changed the behaviour of Django's strip_tags() method in some edge cases that were tested by Django's testsuite. As a result of this regression, update the testsuite for the new expected results.

• Issued ELA-1627-1 for Django, comprising of two uploads: for stretch (1:1.10.7-2+deb9u29) and buster (1:1.11.29-1+deb10u18). This fixed the following issues:

  • CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+.

  • CVE-2024-27351: Fix a potential regular expression denial-of-service ("ReDoS") attack in django.utils.text.Truncator.words. This method (with html=True) and the truncatewords_html template filter were subject to a potential regular expression denial-of-service attack via a suitably crafted string. This is, in part, a follow up to CVE-2019-14232 and CVE-2023-43665.

  • CVE-2024-39614: Fix a potential denial-of-service in django.utils.translation.get_supported_language_variant. This method was subject to a potential DoS attack when used with very long strings containing specific characters. To mitigate this vulnerability, the language code provided to get_supported_language_variant is now parsed up to a maximum length of 500 characters.

  • CVE-2024-45231: Potential user email enumeration via response status on password reset. Due to unhandled email sending failures, the django.contrib.auth.forms.PasswordResetForm class allowed remote attackers to enumerate user emails by issuing password reset requests and observing the outcomes. To mitigate this risk, exceptions occurring during password reset email sending are now handled and logged using the django.contrib.auth logger.

• Liased with the Debian Stable Release Managers (SRMs) and the Debian Security Team for a Django update for Debian trixie, fixing six total CVEs. This was uploaded as 3:4.2.27-1+deb13u1. (#1126461)

• Finally, I also liased with the security team regarding Django update for a long-overdue update Debian bookworm, fixing twenty-two (!) total CVEs. This required tracking down a regression in the django-storages packages. (#1079454)

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.