During the month of July 2025 and on behalf of Freexian, I worked on the
following:
libxml2
-------
Uploaded 2.9.10+dfsg-6.7+deb11u8 and issued DLA-4251-1.
https://lists.debian.org/msgid-search/?m=aIUoEGFxtd7kyvAd@debian.org
* CVE-2024-34459: Heap buffer overflow with `xmllint --htmlout`.
* CVE-2025-6021: Integer overflow issue in xmlBuildQName.
* CVE-2025-6170: Potential buffer overflows in the interactive shell.
* CVE-2025-49794: Use-after-free issue in xmlSchematronReportOutput.
* CVE-2025-49796: Type confusion issue in xmlSchematronReportOutput.
Uploaded 2.9.4+dfsg1-7+deb10u12 (buster) and 2.9.4+dfsg1-2.2+deb9u14
(stretch), and issued ELA-1487-1.
https://www.freexian.com/lts/extended/updates/ela-1487-1-libxml2/
Also filed s-pu bug #1109947 for the latter 4 CVEs, and uploaded an NMU to
unstable for CVE-2025-6170.
mediawiki
---------
Uploaded 1:1.35.13-1+deb11u4 and issued DLA-4249-1.
https://lists.debian.org/msgid-search/?m=aIFF_jbTZdWUkLyB@debian.org
Patches were backported from upstream's 1.39.12 and 1.39.13 releases. As
is often the case with MediaWiki, the bulk of the work was checking for
reproducers and regressions.
* CVE-2025-3469: XSS-via-i18n vulnerabilities during web page generation.
* CVE-2025-6590: Complete content leak of private wikis due to PasswordReset
Wikitext injection in error message.
* CVE-2025-6591: HTML injection in API action=feedcontributions output from
i18n message.
* CVE-2025-6593: "{{SITENAME}} registered email address has been changed"
email sent to unverified email addresses.
* CVE-2025-6594: XSS in Special:ApiSandbox (User interaction required).
* CVE-2025-6595: Stored XSS through system messages in MultimediaViewer.
* CVE-2025-6597: MediaWiki should not consider autocreation as login for the
purposes of security reauthentication.
* CVE-2025-6926: SUL3 local login should not count for security
reauthentication.
* CVE-2025-32072: HTML injection vulnerability in feed output from i18n
message.
* CVE-2025-32696: Restriction bypass vulnerability.
* CVE-2025-32698: Improper enforcing of suppression restrictions in
LogPager.php.
* CVE-2025-32699: Potential javascript injection attack enabled by Unicode
normalization in Action API.
php
---
Uploaded php7.4=7.4.33-1+deb11u9 and issued DLA-4254-1.
https://lists.debian.org/msgid-search/?m=aIZVcl2GOC7IGXKB@debian.org
* CVE-2025-1220: Insufficient validation for hostnames containing \0.
* CVE-2025-1735: pgsql extension does not check for errors during escaping.
* CVE-2025-6491: NULL pointer dereference in PHP SOAP extension via large
XML namespace prefix.
Uploaded php7.3=7.3.31-1~deb10u11 and php7.0=7.0.33-0+deb9u22 for these
same vulnerabilities, and issued ELA-1488-1 and ELA-1489-1.
https://www.freexian.com/lts/extended/updates/ela-1488-1-php7.3/
https://www.freexian.com/lts/extended/updates/ela-1489-1-php7.0/
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.