Your message dated Thu, 02 Jul 2026 13:50:04 +0000
with message-id <[email protected]>
and subject line Bug#1121953: fixed in rhino 1.7.15.1-0.1
has caused the Debian Bug report #1121953,
regarding rhino: CVE-2025-66453
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121953: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121953
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rhino
Version: 1.7.15-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for rhino.

CVE-2025-66453[0]:
| Rhino is an open-source implementation of JavaScript written
| entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an
| application passed an attacker controlled float poing number into
| the toFixed() function, it might lead to high CPU consumption and a
| potential Denial of Service. Small numbers go through this call
| stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa >
| DToA.pow5mult where pow5mult attempts to raise 5 to a ridiculous
| power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-66453
    https://www.cve.org/CVERecord?id=CVE-2025-66453
[1] https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: rhino
Source-Version: 1.7.15.1-0.1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rhino, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated rhino package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 30 Jun 2026 21:23:20 +0300
Source: rhino
Architecture: source
Version: 1.7.15.1-0.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 
<[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1121953
Changes:
 rhino (1.7.15.1-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - CVE-2025-66453: High CPU usage and potential DoS when passing
       specific numbers to toFixed() (Closes: #1121953)
Checksums-Sha1:
 57668dcc7fa669d0177b086583c6a452812b94c8 2052 rhino_1.7.15.1-0.1.dsc
 803965e62558c1726774a3d81c8c2f7b4f64f719 2993636 rhino_1.7.15.1.orig.tar.xz
 26c17252556a4a11d36b58bcf404e784bce1bb66 17164 rhino_1.7.15.1-0.1.debian.tar.xz
Checksums-Sha256:
 877dfc64824abe89d5ed065f40e6f95a02c4b0c58588db6de484baee884c49ff 2052 
rhino_1.7.15.1-0.1.dsc
 b87921e3f3d836f8d5280678912ca8a88a20afb066173402d91d8178fb160278 2993636 
rhino_1.7.15.1.orig.tar.xz
 88903342a5f5dac6803936ff1bbd37ac3790e375011f80f10dc792ebb3fea54f 17164 
rhino_1.7.15.1-0.1.debian.tar.xz
Files:
 d62eef512369cf90f36afb53e00fd55d 2052 interpreters optional 
rhino_1.7.15.1-0.1.dsc
 9dafbad6234145d16c3c649760574b03 2993636 interpreters optional 
rhino_1.7.15.1.orig.tar.xz
 e23c16e7476b6d269d406159eb391e79 17164 interpreters optional 
rhino_1.7.15.1-0.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmpECy0ACgkQiNJCh6LY
mLHYsg/+I0xxC7od0ua+k1L7eSlWjE71+FwzrtUKuslG4+dD/ocMFUp5cFp6hKvE
vvNO4YwtCoJCB4LcB6siA/8g2wfcBShnGHGJGczexvJmSzanX0qX1qzEZzahTGXV
+KmER5Tbp2NgvJBfcQZq8GxFrtxeEHLtr7ZjC2z6Cm+boVrZcS2FdHKKxFTkqKmf
aB7JAGkqTqVgYDxQ/R00jTSEGwYAZRRkgt+6QunfvRMcwIi3ctIXx9Ya1aCZraFe
AqtxVVCjZ4V/qNTKGCNpij3ymG5NvZ4lf7X1TRFTEOKdkwPYngsOzIITL65krB9x
Sf9ue0tfZPQVfSHfxJQzglVP6jSNyqjGv/+a9dth0b8r+TUUYZgvqF1mTCQ0z33h
6g/NDGDVhGiJUwKF05DgtXdJE9RhipQjOiBRW18zTBVfb1BI/y0DqSuhI/hLs5Ga
cn0QQCoA1H73v3QLT4ltaDq2DHEzCMF117QhrB14vkgPDQLdJkvO/fs1gTFpvkBv
YkttegfD8T0uKL0r/u3e1SYS0didtN/OZFx0eXLp9AQ2rT1Ir/hXO/Vbd0RH7WJ2
oXHTHqi4uESc3n6Fuv7j4geByXARHR96SdOatzxJt56OGLhe0Zb2GivosrYgVIGS
b0rq3An3h2NZ+9QHiaBHgIfHS6OUDSkzZGrXf1xQo791BDcqFgw=
=Bu8q
-----END PGP SIGNATURE-----

Attachment: pgpsn44hSziwH.pgp
Description: PGP signature


--- End Message ---

Reply via email to