During the month of October 2025 and on behalf of Freexian, I worked on the
following:
mediawiki
---------
Uploaded 1:1.35.13-1+deb11u5 and issued DLA-4355-1.
https://lists.debian.org/msgid-search/?m=aQRtGZltkzlNyMs_@debian.org
* CVE-2025-11173 (OATHAuth extension): Reauthentication for enabling 2FA can be
bypassed by submitting a form in Special:OATHManage.
* CVE-2025-11261: Stored i18n XSS vulnerability in mw.language.listToText.
* CVE-2025-61635 (ConfirmEdit extension): Missing rate limiting in
ApiFancyCaptchaReload.
* CVE-2025-61638 (Parsoid): Validation bypass for `data-` attributes.
* CVE-2025-61639: Log entries which are hidden from the creation of the entry
may be disclosed to the public recent change entry.
* CVE-2025-61640: Stored i18n XSS vulnerability in Special:RecentChangesLinked.
* CVE-2025-61641: DDoS vulnerability in QueryAllPages API in miser mode.
* CVE-2025-61643: Suppressed recent changes may be disclosed to the public
RCFeeds.
* CVE-2025-61646: Public Watchlist/RecentChanges pages may disclose hidden
usernames when an individual editor makes consecutive revisions on a single
page, and only some are marked as hidden username.
* CVE-2025-61653 (TextExtracts extension): Information disclosure vulnerability
in the extracts API action endpoint due to missing read permission check.
* CVE-2025-61655 (VisualEditor extension): Stored i18n XSS vulnerability in
`lastModifiedAt` system messages.
* CVE-2025-61656 (VisualEditor extension): Missing attribute validation for
attributes unwrapped from `data-ve-attributes`.
libxml2
-------
Uploaded 2.9.4+dfsg1-7+deb10u13 (buster) and 2.9.4+dfsg1-2.2+deb9u15 (stretch) and
issued ELA-1542-1.
https://www.freexian.com/lts/extended/updates/ela-1542-1-libxml2/
* CVE-2025-9714: Stack overflow via crafted expressions due to
uncontrolled recursion.
* CVE-2025-7425: Heap-use-after-free in xmlFreeID() caused by `atype`
corruption. While the vulnerability was reported against libxslt,
the XSLT 1.0 processing library, it is now mitigated in libxml2.
Filed trixie-pu bug #1117843 and bookworm-pu bug #1117844 with a fix for
CVE-2025-9714 and an improved mitigation patch for CVE-2025-7425.
https://bugs.debian.org/1117843
https://bugs.debian.org/1117844
Uploaded libxml2.9=2.12.7+dfsg+really2.9.14-2.3 to sid with a fix for
CVE-2025-9714 and a mitigation patch for CVE-2025-7425.
https://tracker.debian.org/news/1678900/accepted-libxml29-2127dfsgreally2914-23-source-into-unstable/
(libxml2.9 is a sid-only package which is never meant to transition to testing.
It is needed for a soname transition but will be removed once no package depends
on it anymore, see #1112209.)
libxslt
-------
Backport and test fixes to LTS and ELTS suites for
* CVE-2025-10911: Type confusion issue in exsltFuncResultComp().
* CVE-2025-11731: Use-after-free with key data stored cross-RVT.
but didn't upload yet, as the suggested fix for CVE-2025-10911 has not yet been
merged upstream.
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.