
Debian (E)LTS report for June 2025
During the month of June 2025 and on behalf of Freexian, I worked on the
following:

roundcube
---------

Uploaded 1.4.15+dfsg.1-1+deb11u5 and issued DLA-4211-1.
https://lists.debian.org/msgid-search/?m=aEZCD1sdbdR5TdMl@debian.org

  * CVE-2025-49113: Post-Auth RCE via PHP Object Deserialization.

Also, uploaded 1.3.17+dfsg.1-1~deb10u8 (buster) and issued ELA-1462-1
for the aforementioned vulnerability.
https://www.freexian.com/lts/extended/updates/ela-1462-1-roundcube/

symfony
-------

Uploaded 3.4.22+dfsg-2+deb10u4 (buster) and issued ELA-1471-1
https://www.freexian.com/lts/extended/updates/ela-1471-1-symfony/

  * CVE-2024-50343: Incorrect response from Validator when input ends
    with ‘\n’.
  * CVE-2024-50345: Open redirect via browser-sanitized URLs.
  * Fix failing and flaky unit tests.

libxml2
-------

Backported the upstream fix for CVE-2025-6021 (stack-based buffer overflow).
Other known vulnerabilities have not yet been fixed upstream, so I
didn't upload to (E)LTS.

mediawiki
---------

Backported and tested upstream fixes for:

  * CVE-2025-3469: XSS-via-i18n vulnerabilities during web page
    generation.
  * CVE-2025-32072: HTML injection vulnerability in feed output from
    i18n message.
  * CVE-2025-32696: Restriction bypass vulnerability.
  * CVE-2025-32698: Improper enforcing of suppression restrictions in
    LogPager.php.
  * CVE-2025-32699: Potential javascript injection attack enabled by
    Unicode normalization in Action API.

Started a discussion with the package maintainer and the security team
regarding the remaining issue (CVE-2025-32697), which is blocking the
upload to LTS for now.

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
-- 
Guilhem.
