Bug#1123925: direwolf: CVE-2025-34457 CVE-2025-34458

[Salvatore Bonaccorso <carnil@debian.org>]

i Dave,

On Mon, Dec 29, 2025 at 04:17:43PM +0000, hibby wrote:
> On Wednesday, 24 December 2025 20:29:44 Greenwich Mean Time Salvatore 
> Bonaccorso wrote:
> > Hi,
> > 
> > On Wed, Dec 24, 2025 at 05:55:27PM +0000, hibby wrote:
> > > On Wednesday, 24 December 2025 06:29:11 Greenwich Mean Time Salvatore
> >
> > those do not need a DSA but miht be fixed with the upcoming point
> > releases (a prerequisite for that is though that the fix is first in
> > unstable). Once that has happened, can you prepare fixes via the
> > upcoming point releases? I would agree they are not urgent to be
> > handled.
> >
> 
> Having looked in more detail today, I have determined that CVE-2025-34458 does 
> not apply to <  v1.8 of the package, so no stable/oldstable update will be 
> required for that. The vulnerability was introduced with new functionality 
> that was only shipped in the 1.8 release - How do I update the security 
> tracker to reflect this?

Ok you are right, it looks that it was introduced with 1.8-beta1. I
have updated the tracker.

> I have created the patch for CVE-2025-34457 and will ship that in the next day 
> or so [1]
> 
> [1] https://salsa.debian.org/debian-hamradio-team/direwolf/-/commits/debian/
> trixie 

Thank you!

Regars,
Salvatore