Your message dated Fri, 3 Jul 2026 10:08:29 -0400
with message-id <[email protected]>
and subject line Re: Bug#1141230: libevent 2.1.13-stable
has caused the Debian Bug report #1141230,
regarding libevent 2.1.13-stable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141230: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141230
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libevent
Version: 2.1.12-stable-10

Hi!  It would be nice to package libevent 2.1.13 or later because it
fixes several security issues.  If you are open to team-maintain this
package (perhaps as a Debian Commons), I offer to assist and prepare an
update -- I help maintain the NSD and guile-fibers packages which both
depends on libevent.  It is not clear to me if the bugs are exploitable
via these other packages, but regardless it would be get the latest
version packaged.

/Simon

Kevin Bowling <[email protected]> writes:

> https://github.com/libevent/libevent/releases/tag/release-2.1.13-stable
> (and https://github.com/libevent/libevent/releases/tag/release-2.2.2-alpha)
> are primarily security releases and a re-priming the release process.
>
> Changes in version 2.1.13-stable (01 July 2026)
>
> This release contains several security fixes, affecting users of the
> following modules: evbuffer, bufferevent, evtag, evrpc, evdns, evhttp.
> If you have a program that uses one of those modules,
> or if you distribute libevent, you should upgrade.
>
> Additionally, this release backports some small modernizations to
> the libevent codebase, to aid in compiling with the compilers
> released over the last few years.
>
> Security Fixes (evtag, evrpc):
>
> Fix an out-of-bounds read in decode_tag_internal.
> (Found by @Brubbish. GHSA-fj29-64w6-73h6)
> Fix an integer overflow in evtag_unmarshal_header.
> (Found by @Brubbish. GHSA-45c6-qx49-89m8)
>
> Security Fixes (evhttp):
>
> Discard HTTP trailers, to prevent header smuggling attacks.
> (Found by @sebastianosrt. GHSA-2gmv-p5m7-98p6)
> Restrict HTTP header parsing to prevent request smuggling.
> (Originally reported by @xclow3n; and then by @kodareef5,
> @nstaller0490, @AsafMeizneer, and @yaotushaozhu.
> GHSA-q39v-w2g7-gr8j.)
> Treat CRLF and %00 more strictly in HTTP headers, to prevent
> parser mismatch attacks.
> (Reported by @xclow3n and @AsafMeizner. See GHSA-q39v-w2g7-gr8j,
> GHSA-jcwh-pvf2-73p2.)
> Fix a heap out-of-bound write that could occur when using
> AF_UNIX sockets and compiling libevent with -DNDEBUG.
> (Found by @mat-mo. GHSA-cvq5-vrvr-j338)
>
> Security fixes (evbuffer, bufferevent):
>
> Fixed a dangling pointer in evbuffer_add_reference.
> (Found by @DarkaMaul. GHSA-c2pj-cg4r-88c8)
>
> Security fixes (evdns):
>
> Fix an out-of-bounds write in dnsname_to_labels
> when building a DNS response of 2^16 bytes.
> (Found by @sectroyer. GHSA-58rx-7448-jw47)
>
> Security fixes (example code):
>
> Avoid using strcpy() in sample/http-server.c.
> (Reported by @sectroyer. GHSA-5rgj-2c58-7jrc.)
>
> Other fixes:
>
> Backport fixes for numerous compiler warnings.
> Backport fixes for compilation with openssl 3 and later.
>
> Regards,
> Kevin Bowling (co-maintainer)
>

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Hello,

I've uploaded the package in unstable, feel free to open a new bug if necessary.

/Nicolas

--- End Message ---

Reply via email to