Here is my monthly update covering what I have been doing in the free software world during September 2025 (previous month).
Debian
-
lastpass-cli(1.6.1-4) — Fix compatibility with CMake 4.0. (#1113094) -
libfiu(1.2-4) — Apply an upstream patch to fix a build failure under GCC version 15. (#1097184) -
5.2.6-1— New upstream security release.4.2.24-1— New upstream security release.6.0~alpha1-1— New upstream beta release.
-
Filed a bug against the
ms-gslpackage as it contained an invalid date line in thedebian/changelogfile. (#1113809)
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
-
Investigated and triaged
python-future(CVE-2025-50817). -
Worked on preparing packages for embargoed Django and Redis to be released in early October.
-
Issued DLA 4301-1 as it was discovered that there was a potential SQL injection attack in Django, the popular Python-based web development framework. Specifically, the
FilteredRelationclass was vulnerable to an SQL injection through its use of column aliases. This could have been exploited using a suitably crafted dictionary that was controlled by an attacker, either with dictionary expansion via the**kwargspassed toQuerySet.annotate()or by usingQuerySet.alias()directly. -
Issued ELA-1517-1 because a potential HTTP Request Smuggling vulnerability was discovered in
python-eventlet, a concurrent networking library for Python. This issue was caused by the improper handling of HTTP trailer sections. This vulnerability could have permitted attackers to bypass front-end security controls, launch targeted attacks against active site users and/or poison web caches. This problem has been addressed by dropping trailers, a potentially breaking change if a backend behind theeventlet.wsgiproxy requires such trailers.
You can find out more about the Debian LTS project via the following video: