I've worked during December 2025 on the below listed packages, for Freexian LTS/ELTS.

Many thanks to Freexian and sponsors for providing this opportunity!

LTS:
===

* cbor2: Marked CVE-2025-64076 as not-affected for bullseye and bookworm in commit [8055fe6]. Contacted security team with trixie's finding and its severity reduced to unimportant in [ed67434].
* kodi: Fixed CVE-2023-23082 CVE-2023-30207 and released DLA-4423-1[1].
* xrdp: Due to the test test_ssl_calls.c failing on the mipsel arch, the OSPU prepared months before has not entered the archive. Looking at the test failure.
* binwalk: Fixed CVE-2022-4510 and released DLA-4410-1[2].
* osslsigncode: Backported the bookworm version to bullseye (2.5-4~deb11u1) to fix CVE-2023-36377. Released DLA-4426-1[3].
* lemonldap-ng: Tried backporting CVE-2024-52948. Pinged maintainer for help.
* php-dompdf: Marked CVE-2023-50268 as not affected for bullseye. Fixed CVE-2021-3838 CVE-2022-2400. Backported the autopkgtests from buster to bullseye and adjusted config. Released DLA-4427-1[4]. Also prepared OSPU fixing CVE-2021-3838 for bookworm. Bug#1124537
* libstb: Started working on the 27 pending CVEs.
* epiphany-browser: Two open CVEs, CVE-2023-26081 and CVE-2025-3839. Currently looking at CVE-2023-26081.

ELTS:
====

This month I couldn't work on any packages for ELTS.

[1] - https://lists.debian.org/debian-lts-announce/2025/12/msg00034.html
[2] - https://lists.debian.org/debian-lts-announce/2025/12/msg00022.html
[3] - https://lists.debian.org/debian-lts-announce/2025/12/msg00037.html
[4] - https://lists.debian.org/debian-lts-announce/2025/12/msg00038.html
bug#: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124537