During the month of June 2025 and on behalf of Freexian, I worked on the following:

roundcube
---------

Uploaded 1.4.15+dfsg.1-1+deb11u5 and issued DLA-4211-1.
https://lists.debian.org/msgid-search/?m=aEZCD1sdbdR5TdMl@debian.org

* CVE-2025-49113: Post-Auth RCE via PHP Object Deserialization.

Also, uploaded 1.3.17+dfsg.1-1~deb10u8 (buster) and issued ELA-1462-1 for the aforementioned vulnerability.
https://www.freexian.com/lts/extended/updates/ela-1462-1-roundcube/

symfony
-------

Uploaded 3.4.22+dfsg-2+deb10u4 (buster) and issued ELA-1471-1.
https://www.freexian.com/lts/extended/updates/ela-1471-1-symfony/

* CVE-2024-50343: Incorrect response from Validator when input ends with '\n'.
* CVE-2024-50345: Open redirect via browser-sanitized URLs.
* Fix failing and flaky unit tests.

libxml2
-------

Backported upstream fix for CVE-2025-6021 (stack-based buffer overflow). Other known vulnerabilities have not yet been fixed upstream, so I didn't upload to (E)LTS.

mediawiki
---------

Backported and tested upstream fixes for:

* CVE-2025-3469: XSS-via-i18n vulnerabilities during web page generation.
* CVE-2025-32072: HTML injection vulnerability in feed output from i18n message.
* CVE-2025-32696: Restriction bypass vulnerability.
* CVE-2025-32698: Improper enforcing of suppression restrictions in LogPager.php.
* CVE-2025-32699: Potential JavaScript injection attack enabled by Unicode normalization in Action API.

Started a discussion with the package maintainer and the security team regarding the remaining issue (CVE-2025-32697), which is blocking the upload to LTS for now.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- Guilhem.