Hi Christoph,

You are fast :)

On Tue, Sep 23, 2025 at 08:28:07PM +0200, Christoph Berg wrote:
> Re: Salvatore Bonaccorso
> > The following vulnerability was published for libscram-java.
>
> Hi Salvatore,
>
> I just uploaded 3.2-1 to unstable with the fix. libpgjava will need a
> (sourceful) rebuild once that package is installed.
>
> A branch with just the fix can be found at
> https://salsa.debian.org/java-team/libscram-java/-/tree/cve-2025-59432?ref_type=heads
> (I have no plans yet to upload that anywhere, do you want me to do that?)

FWIW, I do not think we need a DSA for it. If you might include fixes
in the upcoming point releases and have time for it that would be
enough I would say. Will that work for you?

>
> FYI, while building the fix on apt.postgresql.org I noticed that the
> current libscram-java does not compile anymore on bullseye and jammy,
> in case anyone wants to try that.

Ok! I guess it will be relevant for LTS team then if they decide to
issue a DLA.

Regards,
Salvatore
