Here is my monthly update covering what I have been doing in the free software world during September 2025 (previous month).
Debian
- lastpass-cli (1.6.1-4) — Fix compatibility with CMake 4.0. (#1113094)
- libfiu (1.2-4) — Apply an upstream patch to fix a build failure under GCC version 15. (#1097184)
- 5.2.6-1 — New upstream security release.
- 4.2.24-1 — New upstream security release.
- 6.0~alpha1-1 — New upstream beta release.
- Filed a bug against the ms-gsl package as it contained an invalid date line in the debian/changelog file. (#1113809)
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged python-future (CVE-2025-50817).
- Worked on preparing packages for embargoed Django and Redis to be released in early October.
- Issued DLA 4301-1 as it was discovered that there was a potential SQL injection attack in Django, the popular Python-based web development framework. Specifically, the FilteredRelation class was vulnerable to an SQL injection through its use of column aliases. This could have been exploited using a suitably crafted dictionary that was controlled by an attacker, either with dictionary expansion via the **kwargs passed to QuerySet.annotate() or by using QuerySet.alias() directly.
- Issued ELA-1517-1 because a potential HTTP Request Smuggling vulnerability was discovered in python-eventlet, a concurrent networking library for Python. This issue was caused by the improper handling of HTTP trailer sections. This vulnerability could have permitted attackers to bypass front-end security controls, launch targeted attacks against active site users and/or poison web caches. This problem has been addressed by dropping trailers, a potentially breaking change if a backend behind the eventlet.wsgi proxy requires such trailers.
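The Django advisory above turns on one detail that is easy to miss: a dictionary expanded into **kwargs is not limited to Python identifiers as keys, so a view that does annotate(**request_params) hands the attacker the column alias itself. The following is an added illustration, not Django's code and not from the DLA; it simulates that path with a tiny query builder over sqlite3, shows the alias breaking out of its quoted position, and then applies an alias check modelled on the kind of validation Django applies (the pattern, the table names and the attacker dictionary are all constructed for this example).

```python
import re
import sqlite3

# Alias check modelled on the kind of validation Django applies to column
# aliases (assumption: an illustration, not Django's own code). It rejects
# whitespace, quotation marks, brackets, semicolons and SQL comment markers.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"""['`"\]\[;\s]|--|/\*|\*/""")


def check_alias(alias: str) -> str:
    """Reject an alias that could break out of its quoted position in SQL."""
    if FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace, quotation marks, "
            f"semicolons, or SQL comments: {alias!r}"
        )
    return alias


def build_annotate_sql(table: str, validate: bool, **annotations: str) -> str:
    """Simulated QuerySet.annotate(): every keyword name becomes a column alias.

    Because callers can write annotate(**attacker_dict), the keyword names are
    not limited to Python identifiers. The alias is wrapped in double quotes
    the way a naive name-quoting helper would, with no escaping of its contents.
    """
    columns = []
    for alias, expression in annotations.items():
        if validate:
            check_alias(alias)
        columns.append(f'{expression} AS "{alias}"')
    return f"SELECT {', '.join(columns)} FROM {table}"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema: one table the view should expose, one it should not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE book (id INTEGER, title TEXT);
        INSERT INTO book VALUES (1, 'Dune');
        CREATE TABLE auth_user (id INTEGER, username TEXT, password TEXT);
        INSERT INTO auth_user VALUES (1, 'admin', 'pbkdf2_sha256$fakehash');
        """
    )
    return conn


# Constructed attacker-controlled dictionary, e.g. built from query-string
# parameters by a view that then calls annotate(**params). The key closes the
# quoted alias, appends a UNION and comments out the rest of the statement.
ATTACKER_PARAMS = {
    'x" FROM book UNION SELECT password FROM auth_user --': "1",
}


def run_annotate(validate: bool, params: dict) -> list:
    """Build and execute the simulated annotate() query, returning the first column."""
    conn = make_db()
    sql = build_annotate_sql("book", validate, **params)
    return [row[0] for row in conn.execute(sql)]


def exploit_succeeds() -> bool:
    """Without the alias check, the UNION smuggled in via the alias leaks password hashes."""
    return "pbkdf2_sha256$fakehash" in run_annotate(False, ATTACKER_PARAMS)


def exploit_blocked() -> bool:
    """With the alias check, the crafted key is rejected before any SQL is built."""
    try:
        run_annotate(True, ATTACKER_PARAMS)
    except ValueError:
        return True
    return False


def benign_alias_still_works() -> list:
    """A normal alias passes the check and the query runs as intended."""
    return run_annotate(True, {"book_id": "id"})


if __name__ == "__main__":
    print("vulnerable SQL:", build_annotate_sql("book", False, **ATTACKER_PARAMS))
    print("exploit succeeds without check:", exploit_succeeds())
    print("exploit blocked with check:", exploit_blocked())
    print("benign alias:", benign_alias_still_works())
```

The same reasoning applies to QuerySet.alias(), which takes its alias names from the same keyword arguments; the practical check in a code review is whether any request-derived mapping ever reaches those calls through ** expansion.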
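Trailer mishandling becomes request smuggling when the two parsers in a chain disagree about where a message ends or which field values to trust. The block below is an added example, not eventlet's code and not from the ELA: it decodes a chunked body far enough to locate the message boundary, then contrasts merging the trailer fields into the already-parsed header set (which lets a client overwrite what a front-end proxy set, and introduce a Content-Length next to Transfer-Encoding) with the policy the advisory describes, parsing the trailers and dropping them. The request bytes, header names and host are constructed for illustration.

```python
def parse_chunked(data: bytes):
    """Decode a chunked transfer-coding body (RFC 9112 section 7.1).

    Returns (body, trailers, consumed): the decoded body, the trailer fields
    found after the last-chunk as a list of (lowercased name, value) pairs,
    and how many bytes of `data` belong to this message. Anything after
    `consumed` is the start of the next message on the connection.
    """
    body = bytearray()
    pos = 0
    while True:
        line_end = data.index(b"\r\n", pos)
        # chunk-size [; chunk-ext]: extensions are skipped, never interpreted
        size = int(data[pos:line_end].split(b";", 1)[0].strip(), 16)
        pos = line_end + 2
        if size == 0:
            break
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2
    trailers = []
    while True:
        line_end = data.index(b"\r\n", pos)
        line = data[pos:line_end]
        pos = line_end + 2
        if not line:  # empty line ends the trailer section
            break
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed trailer line")
        trailers.append((name.strip().lower(), value.strip()))
    return bytes(body), trailers, pos


def finish_request(headers: dict, data: bytes, drop_trailers: bool):
    """Combine the already-parsed header section with the chunked body.

    drop_trailers=False merges trailer fields into the header set, so a client
    can override fields the front end already acted on. drop_trailers=True is
    the conservative policy the advisory describes: trailers are parsed so the
    message boundary is found correctly, then discarded.
    """
    body, trailers, consumed = parse_chunked(data)
    final_headers = dict(headers)
    if not drop_trailers:
        for name, value in trailers:
            final_headers[name.decode()] = value.decode()
    return final_headers, body, data[consumed:]


# Constructed request: the header section is what a front-end proxy validated
# and annotated; the trailer tries to replace the proxy's X-Forwarded-For and
# to assert a Content-Length for a body that was actually chunked. The bytes
# after the trailer section are a second, pipelined request.
PARSED_HEADERS = {
    "host": "app.internal",
    "transfer-encoding": "chunked",
    "x-forwarded-for": "203.0.113.7",
}
RAW_BODY = (
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"X-Forwarded-For: 127.0.0.1\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\nHost: app.internal\r\n\r\n"
)


def unsafe_result():
    """Trailers merged: the client now controls x-forwarded-for and content-length."""
    return finish_request(PARSED_HEADERS, RAW_BODY, drop_trailers=False)


def safe_result():
    """Trailers dropped: headers stay as the front end set them, boundary still correct."""
    return finish_request(PARSED_HEADERS, RAW_BODY, drop_trailers=True)


if __name__ == "__main__":
    print("merged headers:", unsafe_result()[0])
    print("dropped-trailer headers:", safe_result()[0])
    print("next message starts with:", safe_result()[2][:20])
```

Note that both policies consume exactly the same number of bytes; dropping trailers is not the same as ignoring the trailer section, which would leave the next request on the connection starting in the wrong place.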
You can find out more about the Debian LTS project via the following video: