March 2026
During this month, I have worked on the following tasks for Debian LTS and ELTS.
This was my first month as LTS/ELTS contributor, including technical onboarding
and initial setup of workflows.
Thanks to Freexian and sponsors for making this possible [0].
Asterisk
- Investigated CVE-2026-23738, CVE-2026-23739, CVE-2026-23740 & CVE-2026-23741
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127438
- Research if it’s possible to harden CVE-2026-23740 by using systemd’s PrivateTmp= hardening
- No, as “ast_coredumper” is not run as part of the asterisk.service scope.
- Backported upstream patches from “certified-20.9” to v16.28.0 (bullseye/LTS)
- https://github.com/asterisk/asterisk/compare/certified-20.7-cert8…certified-20.7-cert9
- https://salsa.debian.org/lts-team/packages/asterisk/-/merge_requests/1
- Testing and validation of patches inside a bullseye container, incl. a written test plan (in MR) and passing autopkgtests via Debusine workflow.
- https://debusine.debian.net/debian/developers/work-request/531530/
- Cherry-picked patches for buster ELTS (using the same upstream version)
- https://salsa.debian.org/lts-team/packages/asterisk/-/merge_requests/2
- https://debusine.freexian.com/freexian/elts-staging/work-request/149783/
- Stopped work on this after understanding there are no users for asterisk in ELTS as per ela-needed.txt
- Patches reviewed by @apo, thanks!
- Published as DLA-4515-1
Misc
- Initial technical onboarding/setup of LTS/ELTS repositories.
- Spent some time experimenting with Debusine to utilize it for LTS/ELTS work.
- Attended the monthly LTS/ELTS team meeting.
Cheers,
Lukas