During the month of March 2025 and on behalf of Freexian, I worked on the
following:

php
---
Uploaded 7.4.33-1+deb11u8 and issued DLA-4088-1.
https://lists.debian.org/msgid-search/?m=Z9vxYqGI-RvpkeE4@debian.org
* CVE-2025-1217: Header parser of `http` stream wrapper does not handle folded headers.
* CVE-2025-1219: libxml streams use wrong `content-type` header when requesting a redirected resource.
* CVE-2025-1734: Streams HTTP wrapper does not fail for headers with invalid name and no colon.
* CVE-2025-1736: Stream HTTP wrapper header check might omit basic authentication header.
* CVE-2025-1861: Stream HTTP wrapper truncate redirect location to 1024 bytes.
* GHSA-wg4p-4hqh-c3g9: Possible out of bounds read when XML_OPTION_SKIP_TAGSTART is set.
Also, prepared 7.3.31-1~deb10u10 and 7.0.33-0+deb9u21 respectively for buster ELTS and stretch ELTS. Backporting work is still ongoing for jessie (php5) and no ELA has been issued yet.

gnutls28
--------
Uploaded 3.6.7-4+deb10u13 (buster), 3.5.8-5+deb9u8 (stretch) and 3.3.30-0+deb8u3 (jessie), and issued ELA-1352-1 for
* CVE-2024-12243: Potential DoS while parsing a certificate containing numerous names or name constraints.
(The LTS part of the work was done in February with DLA-4063-1.)
https://www.freexian.com/lts/extended/updates/ela-1352-1-gnutls28/

sqlparse
--------
Uploaded 0.2.4-1+deb10u2 (buster), 0.2.2-1+deb9u2 (stretch) and 0.1.13-2+deb8u1 (jessie), and issued ELA-1341-1 for
* CVE-2024-4340: Parsing of heavily nested list leads to Denial of Service.
(The LTS part of the work was done last December with DLA-4000-1.)
https://www.freexian.com/lts/extended/updates/ela-1341-1-sqlparse/

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

--
Guilhem.