Free software activities in September 2025

Here is my monthly update covering what I have been doing in the free software world during September 2025 (previous month).

Reproducible Builds

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation processes by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month, I:

• Submitted a number of patches to fix specific reproducibility issues, including ones g2o, golang-forgejo-forgejo-levelqueue, llama.cpp, octave-optics, openrgb, python-mcstasscript & rocm-docs-core.

• Kept isdebianreproducibleyet.com up to date. [...]

• Drafted, published and publicised our monthly report for August 2025.

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• Updated the main Reproducible Builds website and documentation.

I also made the following changes to diffoscope, including preparing and uploading versions, 303, 304 and 305 to Debian:

• Improvements:

  • Use sed(1) backreferences when generating debian/tests/control to avoid duplicating ourselves. […]
  • Move from a mono-utils dependency to versioned mono-devel | mono-utils dependency, taking care to maintain the [!riscv64] architecture restriction. […]
  • Use sed over awk to avoid mangling dependency lines containing = (equals) symbols such as version restrictions. […]

• Bug fixes:

  • Fix a test after the upload of systemd-ukify version 258~rc3. […]
  • Ensure that Java class files are named .class on the filesystem before passing them to javap(1). […]
  • Do not run jsondiff on files over 100KiB as the algorithm runs in O(n^2) time. […]
  • Don't check for PyPDF version 3 specifically; check for >= 3. […]

• Misc:

  • Update copyright years. […][…]

Debian

• lastpass-cli (1.6.1-4) — Fix compatibility with CMake 4.0. (#1113094)

• libfiu (1.2-4) — Apply an upstream patch to fix a build failure under GCC version 15. (#1097184)

• python-django:

  • 5.2.6-1 — New upstream security release.
  • 4.2.24-1 — New upstream security release.
  • 6.0~alpha1-1 — New upstream beta release.

• Filed a bug against the ms-gsl package as it contained an invalid date line in the debian/changelog file. (#1113809)

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged python-future (CVE-2025-50817).

• Worked on preparing packages for embargoed Django and Redis to be released in early October.

• Issued DLA 4301-1 as it was discovered that there was a potential SQL injection attack in Django, the popular Python-based web development framework. Specifically, the FilteredRelation class was vulnerable to an SQL injection through its use of column aliases. This could have been exploited using a suitably crafted dictionary that was controlled by an attacker, either with dictionary expansion via the **kwargs passed to QuerySet.annotate() or by using QuerySet.alias() directly.

• Issued ELA-1517-1 because a potential HTTP Request Smuggling vulnerability was discovered in python-eventlet, a concurrent networking library for Python. This issue was caused by the improper handling of HTTP trailer sections. This vulnerability could have permitted attackers to bypass front-end security controls, launch targeted attacks against active site users and/or poison web caches. This problem has been addressed by dropping trailers, a potentially breaking change if a backend behind the eventlet.wsgi proxy requires such trailers.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.