Source: iputils
Version: 3:20240905-3
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for iputils.

CVE-2025-48964 [1] [2]:
| While the CVE-2025-47268 patch added important validation for timestamp
| calculations, it doesn't account for a specific scenario where the original
| timestamp in the ICMP payload is zeroed.

NOTE: PoC is publicly available (it's also available for the related CVE-2025-47268).

Therefore it'd be great if Debian got iputils updated to 20250605, which contains both fixes.

Upstream fix: afa3639 ("ping: Fix moving average rtt calculation") [3]

Kind regards,
Petr

[1] https://github.com/iputils/iputils/security/advisories/GHSA-25fr-jw29-74f9
[2] https://www.cve.org/CVERecord?id=CVE-2025-48964
[3] https://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c