Your message dated Sat, 14 Mar 2026 11:48:35 +0000
with message-id <[email protected]>
and subject line Released with 13.4
has caused the Debian Bug report #1126331,
regarding trixie-pu: package libpng1.6/1.6.48-1+deb13u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126331: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126331
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libpng1.6
User: [email protected]
Usertags: pu

Upstream has released a new upstream version fixing two CVEs:
    - CVE-2026-22801 - Heap buffer over-read (Closes: #1125444)
    - CVE-2026-22695 - Heap buffer over-read (Closes: #1125443)

CVE-2026-22695 has been introduced by CVE-2025-65018, fixed in trixie
via 1.6.48-1+deb13u1.

I've coordinated with the security team and we've settled on updating
the issues via s-p-u.

[ Tests ]

CVE-2026-22801 is covered by the upstream test-suite,
CVE-2026-22695's fix is quite small, and upstream thoroughly analysed
the change, see https://github.com/pnggroup/libpng/issues/778.
(We're cherry-picking e4f7ad4, as suggested by upstream:
"Fixed in commit e4f7ad4, to be cherry-picked by downstream libpng
package maintainers.")

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

I'll upload the package after sending this bug.

-- 
tobi

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.4

This update has been released as part of Debian 13.4.

--- End Message ---
