During the month of March 2026 and on behalf of Freexian, I worked on the following:
mapserver
---------

Uploaded 7.6.2-1+deb11u1 and issued DLA-4506-1.
https://lists.debian.org/msgid-search/[email protected]

 * CVE-2021-32062: Failure to properly enforce the MS_MAP_NO_PATH and
   MS_MAP_PATTERN restrictions that are intended to control the locations
   from which a mapfile may be loaded.
 * CVE-2025-59431: Boolean-based SQL injection via the XML Filter Query
   directive `PropertyName`.

Also, uploaded 7.2.2-1+deb10u1 (buster) and 7.0.4-2+deb9u1 (stretch), and
issued ELA-1661-1 for the above vulnerabilities.
https://www.freexian.com/lts/extended/updates/ela-1661-1-mapserver/

The backport work to older suites was non-trivial due to massive upstream
code change, a partial rewrite from C to C++, and poor test coverage.

Also, filed os-pu bug #1131735 with a debdiff fixing the above
vulnerabilities.

roundcube
---------

Uploaded 1.4.15+dfsg.1-1+deb11u8 and issued DLA-4517-1.
https://lists.debian.org/msgid-search/[email protected]

 * Server-side request forgery (SSRF) vulnerability via stylesheet links to
   local network hosts.
 * IMAP injection and CSRF bypass vulnerability in the email search logic.
 * One could change the password without providing the old one in some
   situations.
 * The HTML sanitizer didn't sanitize image sources in SVG `<animate>`
   attributes.
 * The HTML sanitizer didn't sanitize `<body background="…">` attributes.
 * The CSS sanitizer didn't convert `position: fixed` to
   `position: absolute` when `!important` was used.
 * The HTML sanitizer doesn't sanitize image sources in SVG `<animate>`
   attributes via fill/filter/stroke.
 * Cross-site scripting (XSS) vulnerability in the HTML attachment preview.

I requested CVE IDs for the above, but AFAICT none has been assigned yet.

The upstream fix for the first vulnerability (SSRF) introduces a new
dependency which is not in Debian yet, so I wrote a custom fix and in doing
so discovered that the upstream fix was incomplete. The issue was reported
and acknowledged upstream.

libxml-parser-perl
------------------

Backported patches for CVE-2006-10002 and CVE-2006-10003 and prepared
updates for bullseye, buster and stretch, but didn't issue the DLA or ELAs
yet.

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!

--
Guilhem.
