During the month of April 2025 and on behalf of Freexian, I worked on the
following:
php
---
Uploaded 7.3.31-1~deb10u10, 7.0.33-0+deb9u21 and 5.6.40+dfsg-0+deb8u23
respectively for buster ELTS, stretch ELTS and jessie ELTS, and issued
ELA-138[3-5]-1.
https://www.freexian.com/lts/extended/updates/ela-1383-1-php7.3/
https://www.freexian.com/lts/extended/updates/ela-1384-1-php7.0/
https://www.freexian.com/lts/extended/updates/ela-1385-1-php5/
* CVE-2025-1217: Header parser of `http` stream wrapper does not
handle folded headers.
* CVE-2025-1219: libxml streams use wrong `content-type` header when
requesting a redirected resource.
* CVE-2025-1734: Streams HTTP wrapper does not fail for headers with
invalid name and no colon.
* CVE-2025-1736: Stream HTTP wrapper header check might omit basic
authentication header.
* CVE-2025-1861: Stream HTTP wrapper truncates redirect location to
1024 bytes.
* GHSA-wg4p-4hqh-c3g9: Possible out of bounds read when
XML_OPTION_SKIP_TAGSTART is set [buster and stretch only].
[The backport work for PHP7.x was done during the month of March but
wasn't fully tested back then.]
fig2dev
-------
Uploaded 1:3.2.8-3+deb11u3 and issued DLA-4147-1.
https://lists.debian.org/msgid-search/?m=aBJ0TyXa86IeqA7R@debian.org
* CVE-2025-46397: Stack overflow vulnerability in bezier_spline().
* CVE-2025-46398: Stack overflow vulnerability in read_objects().
* CVE-2025-46399: Segmentation fault issue in genge_itp_spline().
* CVE-2025-46400: Segmentation fault issue in read_arcobject().
vips
----
Uploaded 8.10.5-2+deb11u1 and issued DLA-4148-1.
https://lists.debian.org/msgid-search/?m=aBKCF8zRct5HT7_7@debian.org
* CVE-2025-29769: Potential heap-based buffer overflow when attempting
to convert multiband TIFF input to HEIF output.
Also prepared a fix for Bookworm and submitted a debdiff to the security
team for review.
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.
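As an added illustration of the two header-parsing issue classes named under php above (folded continuation lines, and header lines with no colon or an invalid field-name), here is a small RFC 7230-style parser for an HTTP/1.x response head. It is example code written for this page, not PHP's `http` stream wrapper and not part of the backports described; the response bytes are constructed, and the function and class names (`parse_response`, `first_header`, `HeaderParseError`) are assumptions made for the example.

```python
from __future__ import annotations

import re
from typing import Dict, List, Optional, Tuple

# Field-name token characters from RFC 7230 section 3.2.6 (tchar).
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderParseError(ValueError):
    """Raised for a malformed header block (hypothetical name for this example)."""


def parse_response(raw: bytes) -> Tuple[int, Dict[str, List[str]]]:
    """Parse an HTTP/1.x response head into (status_code, headers).

    headers maps the lower-cased field-name to its values in order of
    appearance. Two behaviours matter for the issue classes listed above:

    * A line beginning with SP or HTAB is an obs-fold continuation of the
      previous field and is joined to that value with a single space. A
      parser that treats it as a fresh header line either drops it or
      mis-parses it as a nameless header.
    * A line without ':' or whose field-name is not a token is rejected
      (HeaderParseError) instead of being skipped, so nothing downstream
      can interpret the block differently from this parser.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_parts = lines[0].split(" ", 2)
    if (len(status_parts) < 2 or not status_parts[0].startswith("HTTP/")
            or not status_parts[1].isdigit()):
        raise HeaderParseError(f"bad status line: {lines[0]!r}")
    status = int(status_parts[1])

    headers: Dict[str, List[str]] = {}
    last: Optional[str] = None  # name of the field a continuation attaches to
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            if last is None:
                raise HeaderParseError("continuation line before any header")
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise HeaderParseError(f"header line without colon: {line!r}")
        if not _TOKEN_RE.match(name):
            raise HeaderParseError(f"invalid header name: {name!r}")
        last = name.lower()
        headers.setdefault(last, []).append(value.strip())
    return status, headers


def first_header(headers: Dict[str, List[str]], name: str) -> Optional[str]:
    """Case-insensitive lookup of the first value of a header, or None."""
    values = headers.get(name.lower())
    return values[0] if values else None


# Constructed sample: a redirect whose Content-Type is folded across two lines.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://example.invalid/next\r\n"
    b"Content-Type: text/xml;\r\n"
    b" charset=utf-8\r\n"
    b"Set-Cookie: a=1\r\n"
    b"Set-Cookie: b=2\r\n"
    b"\r\n"
    b"<ignored/>"
)

if __name__ == "__main__":
    code, hdrs = parse_response(SAMPLE_RESPONSE)
    print(code, first_header(hdrs, "Content-Type"), hdrs["set-cookie"])
```

The parser fails closed: a malformed line aborts the whole block rather than being skipped, which is the behaviour a client needs before it acts on headers such as `Location` or `Content-Type` from an untrusted server.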