During the month of June 2025 and on behalf of Freexian, I worked on the
following:
roundcube
---------
Uploaded 1.4.15+dfsg.1-1+deb11u5 and issued DLA-4211-1.
https://lists.debian.org/msgid-search/?m=aEZCD1sdbdR5TdMl@debian.org
* CVE-2025-49113: Post-Auth RCE via PHP Object Deserialization.
Also, uploaded 1.3.17+dfsg.1-1~deb10u8 (buster) and issued ELA-1462-1
for the aforementioned vulnerability.
https://www.freexian.com/lts/extended/updates/ela-1462-1-roundcube/
symfony
-------
Uploaded 3.4.22+dfsg-2+deb10u4 (buster) and issued ELA-1471-1
https://www.freexian.com/lts/extended/updates/ela-1471-1-symfony/
* CVE-2024-50343: Incorrect response from Validator when input ends
with ‘\n’.
* CVE-2024-50345: Open redirect via browser-sanitized URLs.
* Fix failing and flaky unit tests.
libxml2
-------
Backported upstream fix for CVE-2025-6021 (stack-based buffer overflow).
Other known vulnerabilities have not yet been fixed upstream, so I
didn't upload to (E)LTS.
mediawiki
---------
Backported and tested upstream fixes for:
* CVE-2025-3469: XSS-via-i18n vulnerabilities during web page
generation.
* CVE-2025-32072: HTML injection vulnerability in feed output from
i18n message.
* CVE-2025-32696: Restriction bypass vulnerability.
* CVE-2025-32698: Improper enforcing of suppression restrictions in
LogPager.php.
* CVE-2025-32699: Potential javascript injection attack enabled by
Unicode normalization in Action API.
Started a discussion with the package maintainer and the security team
regarding the remaining issue (CVE-2025-32697), which is blocking the
upload to LTS for now.
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.