Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
User: [email protected]
Usertags: pu

Hi,

rust-sequoia-openpgp/2.0.0-2 in trixie is affected by 
CVE-2025-67897 "DOS (crash) via special crafted encrypted message"
which is also tracked as Debian Bug #1122582 and which is
fixed by 
https://gitlab.com/sequoia-pgp/sequoia/-/commit/b59886e5e7bdf7169ed330f309a6633d131776e5

In #1122582 we agreed with the security team that this should be
fixed via a point release, so I'm filing this bug to aid that.

After uploading rust-sequoia-openpgp the following source
packages need binNMUs in trixie:

rust-sequoia-sqv
rust-sequoia-sq
rust-sequoia-octopus-librnp
rust-sequoia-keystore-server
rust-sequoia-git
rust-sequoia-chameleon-gnupg
rust-sequoia-sop

[ Reason ]
As said, CVE-2025-67897.

[ Impact ]
As said, DoS (crash) via a specially crafted encrypted message.

[ Tests ]
Upstream fixed this a month ago; the fix has been in unstable for two
weeks and thus in forky for a week.
rust-sequoia-openpgp has autopkgtests as well.

[ Risks ]
Always, but nothing really obvious here.

[ Checklist ]
  [ ] *all* changes are documented in the d/changelog
  [ ] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in (old)stable

Those 3 not yet, as we still need to discuss in the Rust team
how + where (+ if?) to store such an upload in git; for recreating
the fixed package it's easiest and best to just traditionally prepare
a patched package, which deviates from the usual Rust team workflows...

Besides that, creating the actual package and meeting the above
criteria is easy :)

  [x] the issue is verified as fixed in unstable

[ Changes ]
(Explain *all* the changes)

-- 
cheers,
        Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

A scientist told me the real story is the unfolding of climate change.
And a doctor told me the real story is the ongoing pandemic.
And an activist told me the real story is the rise of fascism.
And a historian told me the real story is that these are all the same story.
