Your message dated Thu, 08 Jan 2026 09:06:35 +0000
with message-id <[email protected]>
and subject line Bug#1122583: fixed in miniflux 2.2.16-1
has caused the Debian Bug report #1122583,
regarding miniflux: CVE-2025-67713
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1122583: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122583
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: miniflux
Version: 2.2.13-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for miniflux.
CVE-2025-67713[0]:
| Miniflux 2 is an open source feed reader. Versions 2.2.14 and below
| treat redirect_url as safe when url.Parse(...).IsAbs() is false,
| enabling phishing flows after login. Protocol-relative URLs like
| //ikotaslabs.com have an empty scheme and pass that check, allowing
| post-login redirects to attacker-controlled sites. This issue is
| fixed in version 2.2.15.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-67713
https://www.cve.org/CVERecord?id=CVE-2025-67713
[1] https://github.com/miniflux/v2/security/advisories/GHSA-wqv2-4wpg-8hc9
[2] https://github.com/miniflux/v2/commit/76df99f3a3db234cf6b312be5e771485213d03c7
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
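The check described in the CVE text above, next to a stricter one, as an added example that is not part of the original messages and not Miniflux's code or its upstream patch. The function names isSafeLegacy and isSafeLocalPath are hypothetical, and the sample inputs are constructed apart from //ikotaslabs.com, which is the example in the CVE description.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isSafeLegacy mirrors the check quoted in the CVE description: any value
// that url.Parse reports as non-absolute is accepted as a redirect target.
func isSafeLegacy(redirect string) bool {
	u, err := url.Parse(redirect)
	return err == nil && !u.IsAbs()
}

// isSafeLocalPath is a hypothetical stricter check (not the upstream patch):
// accept only a same-origin path, i.e. no scheme, no authority, one leading "/".
func isSafeLocalPath(redirect string) bool {
	// Browsers read "\" as "/" in http(s) URLs, so refuse it outright.
	if strings.Contains(redirect, `\`) {
		return false
	}
	u, err := url.Parse(redirect)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return false
	}
	return strings.HasPrefix(u.Path, "/") && !strings.HasPrefix(u.Path, "//")
}

func main() {
	// Constructed inputs; //ikotaslabs.com is the example from the CVE text.
	samples := []string{"/unread", "/feed/1?page=2", "//ikotaslabs.com", "https://example.org/"}
	for _, s := range samples {
		u, _ := url.Parse(s)
		fmt.Printf("%-22q scheme=%q host=%q legacy=%-5t strict=%t\n",
			s, u.Scheme, u.Host, isSafeLegacy(s), isSafeLocalPath(s))
	}
}
```

For //ikotaslabs.com the parser returns an empty scheme and a non-empty host, which is why IsAbs() alone cannot tell a local path from an off-site target.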
--- Begin Message ---
Source: miniflux
Source-Version: 2.2.16-1
Done: Maytham Alsudany <[email protected]>
We believe that the bug you reported is fixed in the latest version of
miniflux, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Maytham Alsudany <[email protected]> (supplier of updated miniflux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 08 Jan 2026 15:58:09 +0800
Source: miniflux
Architecture: source
Version: 2.2.16-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Maytham Alsudany <[email protected]>
Closes: 1122583
Changes:
miniflux (2.2.16-1) unstable; urgency=medium
.
* New upstream version 2.2.16
* Includes fix for CVE-2025-67713 (Closes: #1122583)
* Remove admin account creation prompt in favour of doing so manually
* Bump Standards-Version to 4.7.3
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---