# March 2026

During this month, I have worked on the following tasks for Debian LTS and ELTS. This was my first month as LTS/ELTS contributor, including technical onboarding and initial setup of workflows.

Thanks to Freexian and sponsors for making this possible [0].

## Asterisk

- Investigated CVE-2026-23738, CVE-2026-23739, CVE-2026-23740 & CVE-2026-23741
  * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127438
  * Research if it's possible to harden CVE-2026-23740 by using systemd's PrivateTmp= hardening
    + No, as "ast_coredumper" is not run as part of the asterisk.service scope.
- Backported upstream patches from "certified-20.9" to v16.28.0 (bullseye/LTS)
  * https://github.com/asterisk/asterisk/compare/certified-20.7-cert8...certified-20.7-cert9
  * https://salsa.debian.org/lts-team/packages/asterisk/-/merge_requests/1
- Testing and validation of patches inside a bullseye container, incl. a written test plan (in MR) and passing autopkgtests via Debusine workflow.
  * https://debusine.debian.net/debian/developers/work-request/531530/
- Cherry-picked patches for buster ELTS (using the same upstream version)
  * https://salsa.debian.org/lts-team/packages/asterisk/-/merge_requests/2
  * https://debusine.freexian.com/freexian/elts-staging/work-request/149783/
  * Stopped work on this after understanding there are no users for asterisk in ELTS as per ela-needed.txt
- Patches reviewed by @apo, thanks!
- Published as DLA-4515-1

## Misc

- Initial technical onboarding/setup of LTS/ELTS repositories.
- Spent some time experimenting with Debusine to utilize it for LTS/ELTS work.
- Attended the monthly LTS/ELTS team meeting.

Cheers,
Lukas

[0] https://www.freexian.com/lts/debian/#sponsors