During the month of May 2025 and on behalf of Freexian, I worked on the following:

vips
----

Uploaded 8.7.4-1+deb10u2 (buster) and issued ELA-1421-1.
https://www.freexian.com/lts/extended/updates/ela-1421-1-vips/

* CVE-2021-27847: Potential DoS due to division by zero issues.

dropbear
--------

Uploaded 2020.81-3+deb11u3 and issued DLA-4169-1.
https://lists.debian.org/msgid-search/?m=aCjxatb2lzOjuKRq@debian.org

* CVE-2025-47203: dbclient allows command injection via an untrusted hostname argument, because a shell is used.

Also, uploaded 2018.76-5+deb10u3 (buster) and issued ELA-1423-1 for the aforementioned vulnerability.
https://www.freexian.com/lts/extended/updates/ela-1423-1-dropbear/

libraw
------

Uploaded 0.19.2-2+deb10u5 (buster) and 0.17.2-6+deb9u6 (stretch), and issued ELA-1424-1.
https://www.freexian.com/lts/extended/updates/ela-1424-1-libraw/

* CVE-2025-43961: Out-of-bounds read in the Fujifilm 0xf00c tag parser. (This issue did not affect 0.17.2-6+deb9u5 and earlier versions.)
* CVE-2025-43962: Out-of-bounds reads for tag 0x412 processing, related to large w0 or w1 values or the frac and mult calculations.
* CVE-2025-43963: phase_one_correct() allows out-of-buffer access because split_col and split_row values are not checked in 0x041f tag processing.
* CVE-2025-43964: Tag 0x412 processing in phase_one_correct() does not enforce minimum w0 and w1 values.

Also, prepared a debdiff for bookworm-pu, submitted it for maintainer review and filed -pu bug #1106358.

symfony
-------

Uploaded 4.4.19+dfsg-2+deb11u7 and issued DLA-4200-1.
https://lists.debian.org/msgid-search/?m=aDtZ_k__PZgeBxDE@debian.org

* CVE-2024-50343: Input ending with `\n` could bypass Validators.
* CVE-2024-50345: Open redirect via browser-sanitized URLs.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- 
Guilhem.