
Bug#1123925: direwolf: CVE-2025-34457 CVE-2025-34458



Hi,

On Wed, Dec 24, 2025 at 05:55:27PM +0000, hibby wrote:
> On Wednesday, 24 December 2025 06:29:11 Greenwich Mean Time Salvatore 
> Bonaccorso wrote:
> > Source: direwolf
> > Version: 1.8.1+dfsg-1
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil@debian.org, Debian Security Team
> > <team@security.debian.org>
> > 
> > Hi,
> > 
> Hello!
> 
> > The following vulnerabilities were published for direwolf.
> > 
> > CVE-2025-34457[0]:
> 
> > CVE-2025-34458[1]:
> 
> Thanks for this! It's reasonably niche software, so I guess we don't need to 
> move too quickly, but I've done some work and want to know more about next 
> steps / good practice. 
> 
> > 
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > 
> Hello - I have cherrypicked the fixes and uploaded to unstable as version 
> 1.8.1+dfsg- and mentioned the ids [1].
> 
> > Please adjust the affected versions in the BTS as needed.
> 
> The fixes should cover prior versions - is it worth me tagging the version in 
> stable as affected and preparing an upload for the security queue?

Those do not need a DSA but might be fixed with the upcoming point
releases (a prerequisite for that is though that the fix is first in
unstable). Once that has happened, can you prepare fixes via the
upcoming point releases? I would agree they are not urgent to be
handled.

Regards,
Salvatore

