Fix for CVE-2025-50681 should be now on mentors.debian.net:

[2025-12-28 13:04:35] $ dput mentors igmpproxy_0.3-2_source.changes
Checking signature on .changes
gpg: /home/pali/unstable-debian/home/pali/igmpproxy_0.3-2_source.changes: Valid signature from 2B2766A3CF54ADD9
Checking signature on .dsc
gpg: /home/pali/unstable-debian/home/pali/igmpproxy_0.3-2.dsc: Valid signature from 2B2766A3CF54ADD9
Uploading to mentors (via https to mentors.debian.net):
Uploading igmpproxy_0.3-2.dsc: done.
Uploading igmpproxy_0.3-2.debian.tar.xz: done.
Uploading igmpproxy_0.3-2_source.buildinfo: done.
Uploading igmpproxy_0.3-2_source.changes: done.
Successfully uploaded packages.
On Sunday 28 December 2025 12:25:40 Pali Rohár wrote:
> Hello,
>
> Thank you for contacting me. I did not know that there was some
> reported vulnerability, as nobody contacted me before you.
>
> I will prepare an update of the Debian package with the fix.
>
> On Saturday 20 December 2025 21:11:54 Salvatore Bonaccorso wrote:
> > Source: igmpproxy
> > Version: 0.3-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://github.com/pali/igmpproxy/issues/97
> > X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> >
> > Hi,
> >
> > The following vulnerability was published for igmpproxy.
> >
> > CVE-2025-50681[0]:
> > | igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause
> > | a denial of service (application crash) via a crafted IGMPv3
> > | membership report packet with a malicious source address. Due to
> > | insufficient validation in the `recv_igmp()` function in
> > | src/igmpproxy.c, an invalid group record type can trigger a NULL
> > | pointer dereference when logging the address using `inet_fmtsrc()`.
> > | This vulnerability can be exploited by sending malformed multicast
> > | traffic to a host running igmpproxy, leading to a crash. igmpproxy
> > | is used in various embedded networking environments and
> > | consumer-grade IoT devices (such as home routers and media gateways)
> > | to handle multicast traffic for IPTV and other streaming services.
> > | Affected devices that rely on unpatched versions of igmpproxy may be
> > | vulnerable to remote denial-of-service attacks across a LAN.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2025-50681
> >     https://www.cve.org/CVERecord?id=CVE-2025-50681
> > [1] https://github.com/pali/igmpproxy/issues/97
> > [2] https://github.com/younix/igmpproxy/commit/2b30c36e6ab5b21defb76ec6458ab7687984484c
> >
> > Regards,
> > Salvatore
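The CVE text above describes a crash when a group record with an invalid type reaches the logging path. As an added example, not igmpproxy's code and not the upstream fix in commit 2b30c36, here is a defensive IGMPv3 membership report validator in C that rejects unknown record types, non-multicast group addresses and truncated records before any field is dereferenced or formatted for a log line. The layout constants come from RFC 3376, the sample packets are constructed, and checksum verification is deliberately left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IGMPv3 Membership Report layout per RFC 3376 section 4.2 (constants taken
 * from the RFC; this is an illustrative validator, not igmpproxy's parser). */
#define IGMPV3_REPORT_TYPE  0x22
#define IGMPV3_HDR_LEN      8   /* type, reserved, checksum, reserved, #records */
#define IGMPV3_GREC_HDR_LEN 8   /* record type, aux len, #sources, group addr */

enum { VALID = 0, ERR_SHORT = -1, ERR_TYPE = -2, ERR_RECORD_TYPE = -3, ERR_GROUP = -4 };

/* Validate every group record (type 1..6, multicast group, full length)
 * before anything in it is dereferenced or formatted for a log message.
 * Returns VALID or a negative error code. The checksum is not verified. */
int validate_igmpv3_report(const uint8_t *buf, size_t len)
{
    if (len < IGMPV3_HDR_LEN) return ERR_SHORT;
    if (buf[0] != IGMPV3_REPORT_TYPE) return ERR_TYPE;
    unsigned count = ((unsigned)buf[6] << 8) | buf[7];
    size_t off = IGMPV3_HDR_LEN;
    for (unsigned i = 0; i < count; i++) {
        if (len - off < IGMPV3_GREC_HDR_LEN) return ERR_SHORT;
        uint8_t rtype = buf[off], auxlen = buf[off + 1];
        unsigned nsrc = ((unsigned)buf[off + 2] << 8) | buf[off + 3];
        if (rtype < 1 || rtype > 6) return ERR_RECORD_TYPE;   /* unknown record type */
        if ((buf[off + 4] & 0xF0) != 0xE0) return ERR_GROUP;  /* group not in 224.0.0.0/4 */
        size_t rec_len = IGMPV3_GREC_HDR_LEN + 4u * nsrc + 4u * auxlen;
        if (len - off < rec_len) return ERR_SHORT;            /* source list truncated */
        off += rec_len;
    }
    return VALID;
}

/* Constructed sample reports (not captured traffic), one group record each. */
static const uint8_t good_report[] = {0x22,0,0,0,0,0,0,1, 4,0,0,0, 239,1,1,1};
static const uint8_t bad_rtype[]   = {0x22,0,0,0,0,0,0,1, 9,0,0,0, 239,1,1,1};
static const uint8_t truncated[]   = {0x22,0,0,0,0,0,0,1, 1,0,0,1, 239,1,1,1};
static const uint8_t unicast_grp[] = {0x22,0,0,0,0,0,0,1, 2,0,0,0, 10,0,0,1};

int main(void)
{
    printf("good=%d bad_rtype=%d truncated=%d unicast=%d\n",
           validate_igmpv3_report(good_report, sizeof good_report),
           validate_igmpv3_report(bad_rtype, sizeof bad_rtype),
           validate_igmpv3_report(truncated, sizeof truncated),
           validate_igmpv3_report(unicast_grp, sizeof unicast_grp));
    return 0;
}
```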

