During the month of August 2025 and on behalf of Freexian, I worked on the
following:

unbound
-------

Uploaded 1.13.1-1+deb11u5 and issued DLA-4280-1.
https://lists.debian.org/msgid-search/?m=aKtrEjhOdTCKSMe_@debian.org
* CVE-2024-33655: DNSBomb vulnerability (Denial of Service
vulnerability via specially timed DNS queries and answers).
* CVE-2025-5994: Rebirthday vulnerability (cache poisoning
vulnerability).
* Backported upstream's follow-up changes for CVE-2024-43167 (NULL
pointer dereference) and CVE-2024-43168 (heap-buffer overflow).
* Improved autopkgtests.

Submitted 1.17.1-2+deb12u3 to the security team for review with fixes
for CVE-2024-33655, CVE-2025-5994 and
* CVE-2024-8508: Denial of service vulnerability when processing
malicious upstream responses with very large RRsets.
* CVE-2024-43167: NULL pointer dereference flaw in ub_ctx_set_fwd().
* CVE-2024-43168: Heap-buffer overflow in cfg_mark_ports().
* Added upstream patch to update IP addresses for b.root-servers.net
in builtin root hints.

Uploaded unbound=1.9.0-2+deb10u6 and issued ELA-1503-1
https://www.freexian.com/lts/extended/updates/ela-1503-1-unbound/
with fixes for CVE-2024-33655, CVE-2025-5994 and
* CVE-2019-25031: Configuration injection in
create_unbound_ad_servers.sh upon a successful man-in-the-middle
attack against a cleartext HTTP session.
* CVE-2019-25032: Integer overflow in the regional allocator via
regional_alloc.
* CVE-2019-25033: Integer overflow in the regional allocator via the
ALIGN_UP macro.
* CVE-2019-25034: Integer overflow in sldns_str2wire_dname_buf_origin,
leading to an out-of-bounds write.
* CVE-2019-25035: Out-of-bounds write in sldns_bget_token_par.
* CVE-2019-25036: Assertion failure and denial of service in
synth_cname.
* CVE-2019-25037: Assertion failure and denial of service in
dname_pkt_copy via an invalid packet.
* CVE-2019-25038: Integer overflow in a size calculation in
dnscrypt/dnscrypt.c.
* CVE-2019-25039: Integer overflow in a size calculation in
respip/respip.c.
* CVE-2019-25040: Infinite loop via a compressed name in
dname_pkt_copy.
* CVE-2019-25041: Assertion failure via a compressed name in
dname_pkt_copy.
* CVE-2019-25042: Out-of-bounds write via a compressed name in
rdata_copy.
* Applied code fix for CVE-2019-18934: Shell code execution after
receiving a specially crafted answer. This issue can only be
triggered if unbound was compiled with `--enable-ipsecmod` support,
and ipsecmod is enabled and used in the configuration. Note: Debian
binary packages are not built with `--enable-ipsecmod`, and are
therefore unaffected, but the patch is useful for users building
their own packages.
* Backported upstream's follow-up changes for CVE-2024-43167 (NULL
pointer dereference).
* Improved autopkgtests.

Uploaded unbound1.9=1.9.0-2+deb10u2~deb9u6 and issued ELA-1504-1
https://www.freexian.com/lts/extended/updates/ela-1504-1-unbound1.9/
with fixes for CVE-2024-33655, CVE-2025-5994 and CVE-2019-18934.

luajit
------

Uploaded 2.1.0~beta3+dfsg-5.3+deb11u1 and issued DLA-4283-1.
https://lists.debian.org/msgid-search/?m=aKzcTP3E1j43xhdr@debian.org
* CVE-2019-19391: debug.getinfo() has a type confusion issue that
leads to arbitrary memory write or read operations, because certain
cases involving valid stack levels and `>` options are mishandled.
* CVE-2020-15890: Out-of-bounds read because __gc handler frame
traversal is mishandled.
* CVE-2020-24372: Out-of-bounds read in lj_err_run() in lj_err.c.
* CVE-2024-25176: Stack-buffer-overflow in lj_strfmt_wfnum() in
lj_strfmt_num.c.
* CVE-2024-25177: Unsinking of IR_FSTORE for NULL metatable, which
leads to Denial of Service.
* CVE-2024-25178: Out-of-bounds read in the stack-overflow handler in
lj_state.c.
* Added upstream fixes for lua_yield() from C hook.
* Backported DEP-8 tests from bookworm.

Uploaded 2.1.0~beta3+dfsg-5.1+deb10u1 and issued ELA-1507-1
https://www.freexian.com/lts/extended/updates/ela-1507-1-luajit/
with the above fixes.

Filed bookworm-pu bug #1112074 with fixes for CVE-2024-25176,
CVE-2024-25177 and CVE-2024-25178.
https://bugs.debian.org/1112074

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!

--
Guilhem.