Bug#1124474: marked as done (messagelib: CVE-2025-69412)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Fri, 02 Jan 2026 19:52:09 +0000
with message-id <E1vblBx-0000000HOBB-1UpJ@fasolo.debian.org>
and subject line Bug#1124474: fixed in messagelib 4:25.08.3-3
has caused the Debian Bug report #1124474,
regarding messagelib: CVE-2025-69412
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1124474: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124474
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: messagelib: CVE-2025-69412
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Thu, 01 Jan 2026 18:27:49 +0100
• Message-id: <[🔎] 176728846901.501971.2946297974519032254.reportbug@eldamar.lan>

Source: messagelib
Version: 4:25.08.3-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for messagelib.

CVE-2025-69412[0]:
| KDE messagelib before 25.11.90 ignores SSL errors for
| threatMatches:find in the Google Safe Browsing Lookup API (aka
| phishing API), which might allow spoofing of threat data. NOTE: this
| Lookup API is not contacted in the messagelib default configuration.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-69412
    https://www.cve.org/CVERecord?id=CVE-2025-69412
[1] https://github.com/KDE/messagelib/commit/01adef0482bb3d5c817433db5208620c84a992b3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

• To: 1124474-close@bugs.debian.org
• Subject: Bug#1124474: fixed in messagelib 4:25.08.3-3
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Fri, 02 Jan 2026 19:52:09 +0000
• Message-id: <E1vblBx-0000000HOBB-1UpJ@fasolo.debian.org>
• Reply-to: Patrick Franz <deltaone@debian.org>

Source: messagelib
Source-Version: 4:25.08.3-3
Done: Patrick Franz <deltaone@debian.org>

We believe that the bug you reported is fixed in the latest version of
messagelib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1124474@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <deltaone@debian.org> (supplier of updated messagelib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 02 Jan 2026 20:29:04 +0100
Source: messagelib
Architecture: source
Version: 4:25.08.3-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <deltaone@debian.org>
Closes: 1124474
Changes:
 messagelib (4:25.08.3-3) unstable; urgency=medium
 .
   [ Patrick Franz ]
   * Backport patch to fix CVE-2025-69412 (Closes: #1124474).
   * Bump Standards-Version to 4.7.3 (no changes needed).
Checksums-Sha1:
 c67d0dbcd915be0163cbb32cebec173e3f7d42fd 4605 messagelib_25.08.3-3.dsc
 e4429be45faed10731e4d06b79c0532158038131 24340 messagelib_25.08.3-3.debian.tar.xz
 d09c5cf174b0585594b6134b0f1c5a79793d2c47 10905 messagelib_25.08.3-3_source.buildinfo
Checksums-Sha256:
 be3b810971e4ed8f81929df91ce6e75bca4ae22fcc5985ce8a59ab6f4a9b5a7a 4605 messagelib_25.08.3-3.dsc
 47c3feafcbb43fcc2c1c89924561bfd997eccb2ce278786149431e775e8453fd 24340 messagelib_25.08.3-3.debian.tar.xz
 0fe67b54d6e6b967fe07b09b16049bfb98059fdc3a80c51b474f1ea3765936ca 10905 messagelib_25.08.3-3_source.buildinfo
Files:
 fe84eb06dd33c90025dfb5b313f6af6d 4605 libs optional messagelib_25.08.3-3.dsc
 ac62425213aad7bd4af8d904abef899f 24340 libs optional messagelib_25.08.3-3.debian.tar.xz
 de14d731a2a4bda8c01aa447e299f186 10905 libs optional messagelib_25.08.3-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYodBXDR68cxZHu3Knp96YDB3/lYFAmlYHJAACgkQnp96YDB3
/lb4Jg/7BWH5x35nmj/ufIxmvZXtcQIHCBgM1F6Xr/GHJb+k8m9/TPGUtN6F5mcS
wn5V7xj6At/LlnlX+HGWiIJr5gI9fNi+UhNfVTBid8f98C94ArVeQPhRDJ1Mgbqz
j847sHBLibKApURaokU0L77fkEUZM8ZaZw5pwT4e34jg35Vc/koAUaGCd52iVHUL
NJsQiAXlfknII8zkPZ/CUOi5OGgLYTxla+Y6D1hRJqX6/mAXn27//4NR031+STxt
FKpfE0Ie/XB7g97AXTYs0ho7d3iBRNjjp98DbeCW0mdbowTkl7YBivsnS2RZCoEs
OMs+UlvgUj6OK2016ADOnrZlsn+YLq1tal49PuOfKMOgMNpzieqBeshHw5kbDf0u
l6fyIb88PZcAc3NLzTr4nSmap0lfhX286FiSExyMoYQS21kU1sYqT8jriG8Lf+On
JtDY3ndC/IrS2dR8UTzSeMtQzecPaCM5/+h7cN7nRZpcjw0rAIch269+72A6BB6f
oiYCVI0IJ57oTZGh3q13yZILRuX67WlMrQ3Fj3lEWAksrsej30m0n2liNg2ThD+H
RmGvAB3NttUB1M2wazLuWo8kxrxBhKYlyqQJUZr39dFmNaQwDQzlY5zZBlWAgcsF
a6PWaF4IFV+CvR8XUdpi3Sh7Q/NZS1h3POJhyEjWm/sOsXkIrOI=
=30tR
-----END PGP SIGNATURE-----

Attachment: pgpLK9qYlwfJY.pgp
Description: PGP signature

--- End Message ---