Your message dated Thu, 16 Oct 2025 20:32:57 +0000
with message-id <[email protected]>
and subject line Bug#1109838: fixed in libhtp 1:0.5.50-1+deb13u1
has caused the Debian Bug report #1109838,
regarding libhtp: CVE-2025-53537
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1109838: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109838
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libhtp
Version: 1:0.5.50-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libhtp.

CVE-2025-53537[0]:
| LibHTP is a security-aware parser for the HTTP protocol and its
| related bits and pieces. In versions 0.5.50 and below, there is a
| traffic-induced memory leak that can starve the process of memory,
| leading to loss of visibility. To work around this issue, set
| `suricata.yaml app-layer.protocols.http.libhtp.default-config.lzma-enabled`
| to false. This issue is fixed in version 0.5.51.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-53537
    https://www.cve.org/CVERecord?id=CVE-2025-53537
[1] https://github.com/OISF/libhtp/security/advisories/GHSA-v3qq-h8mh-vph7
[2] https://github.com/OISF/libhtp/commit/9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
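
An added example, not part of the bug report and not code from libhtp or Suricata: a small Python check that walks the text of a suricata.yaml and reports, for every `lzma-enabled` key below a `libhtp` node, whether the workaround quoted in the CVE description is in place. The sample configuration (including the `dmz` server-config entry) is constructed, and treating only `false`/`no`/`off`/`0` as disabled is an assumption.

```python
import re

# Assumption: only these values count as "disabled"; anything else is flagged.
FALSY = {"false", "no", "off", "0"}
KEY_RE = re.compile(r"^(\s*(?:-\s+)?)([\w.-]+)\s*:\s*(.*)$")

def lzma_settings(yaml_text):
    """Return [(dotted_path, value)] for each lzma-enabled key below a libhtp node."""
    stack, found = [], []  # stack holds (indent, key) of the currently open mappings
    for raw in yaml_text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop full-line and trailing comments
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)  # a leading "- " counts as indentation
        value = m.group(3).strip("'\" ")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        path = [k for _, k in stack] + [key]
        if key == "lzma-enabled" and "libhtp" in path:
            found.append((".".join(path), value))
        if value == "":
            stack.append((indent, key))  # key opens a nested mapping
    return found

def audit(yaml_text):
    """Map each setting's path to True when lzma-enabled is explicitly false."""
    return {path: value.lower() in FALSY for path, value in lzma_settings(yaml_text)}

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
%YAML 1.1
---
app-layer:
  protocols:
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          #lzma-enabled: false
          lzma-enabled: yes   # LZMA decompression on
        server-config:
          - dmz:
              address: [192.0.2.0/24]
              lzma-enabled: false
"""

if __name__ == "__main__":
    for path, ok in audit(SAMPLE).items():
        print(("OK       " if ok else "EXPOSED  ") + path)
```

An empty result means the key is not set anywhere under `libhtp`, in which case the built-in default applies and the check says nothing about exposure.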
--- Begin Message ---
Source: libhtp
Source-Version: 1:0.5.50-1+deb13u1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libhtp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated libhtp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 08 Sep 2025 15:03:54 +0300
Source: libhtp
Architecture: source
Version: 1:0.5.50-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Sascha Steinbiss <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1109838
Changes:
 libhtp (1:0.5.50-1+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-53537: memory leak with LZMA (Closes: #1109838)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
