Your message dated Sat, 04 Jul 2026 10:03:10 +0000
with message-id <[email protected]>
and subject line Bug#1121953: fixed in rhino 1.7.15.1-0.1~deb13u1
has caused the Debian Bug report #1121953,
regarding rhino: CVE-2025-66453
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1121953: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121953
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rhino
Version: 1.7.15-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for rhino.
CVE-2025-66453[0]:
| Rhino is an open-source implementation of JavaScript written
| entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an
| application passed an attacker controlled float poing number into
| the toFixed() function, it might lead to high CPU consumption and a
| potential Denial of Service. Small numbers go through this call
| stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa >
| DToA.pow5mult where pow5mult attempts to raise 5 to a ridiculous
| power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-66453
https://www.cve.org/CVERecord?id=CVE-2025-66453
[1] https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: rhino
Source-Version: 1.7.15.1-0.1~deb13u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rhino, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated rhino package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 03 Jul 2026 10:18:53 +0300
Source: rhino
Architecture: source
Version: 1.7.15.1-0.1~deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Java Maintainers
<[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1121953
Changes:
rhino (1.7.15.1-0.1~deb13u1) trixie; urgency=medium
.
* Non-maintainer upload.
* Rebuild for trixie.
.
rhino (1.7.15.1-0.1) unstable; urgency=medium
.
* Non-maintainer upload.
* New upstream release.
- CVE-2025-66453: High CPU usage and potential DoS when passing
specific numbers to toFixed() (Closes: #1121953)
Checksums-Sha1:
e7b2f76dbab7b75d17fbf63421e0ea83687de068 2085 rhino_1.7.15.1-0.1~deb13u1.dsc
803965e62558c1726774a3d81c8c2f7b4f64f719 2993636 rhino_1.7.15.1.orig.tar.xz
c15149de3c3a126bba56d59e6cd0772c1c71870c 17204
rhino_1.7.15.1-0.1~deb13u1.debian.tar.xz
Checksums-Sha256:
aea3311041466152cb9903968fcbab2f6f919c6b585afdc0992874baca709735 2085
rhino_1.7.15.1-0.1~deb13u1.dsc
b87921e3f3d836f8d5280678912ca8a88a20afb066173402d91d8178fb160278 2993636
rhino_1.7.15.1.orig.tar.xz
52ab92f6ebf34a2e7f228dc5dc5870295be3b235a51ddd42ffc67969bd7e2c52 17204
rhino_1.7.15.1-0.1~deb13u1.debian.tar.xz
Files:
e0e5aa6b09a7c1be401c241fa74cac59 2085 interpreters optional
rhino_1.7.15.1-0.1~deb13u1.dsc
9dafbad6234145d16c3c649760574b03 2993636 interpreters optional
rhino_1.7.15.1.orig.tar.xz
ebffd7bf609e60593c1e13556ba2175a 17204 interpreters optional
rhino_1.7.15.1-0.1~deb13u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmpHadsACgkQiNJCh6LY
mLFb5hAArNLmx6x3P8zZg+zXwtTAuSMyo5Hu4U+WVO5iRieyi63UM9ymSp//EF30
GvpwQFGM463hv1+IWWEAYNje3evNUDaBaS7xRpxtL2vtvee94UdeM/AT13L0dFmo
XwaHxUnR/n/XAN7cDUZBDPAnK667EJ1jUScQnIXT28ozJQsS35uZQciL5aKoQVXi
ndY6IFA7o4quz5xaYbZYslxZ8HcrsI5VUO2AwbhUw533Ng2KqQlxxEHB++mKt3o5
azL6vUu2gzOv66+cO695mcjpOSSeJpB6aApPSK5Hx9KsQyjJbxemBI6GjUlYpdmi
I/d1RPaHoilT0CGoxAhD9zsVODxcns9ZZ6Gld+Uh0Phk1u1jBC8qe6jj+dGg6S0W
o4ZEm8sMGpNuD1GGhMg9DxBiPfjqUfkV7XcEyE//QyD3GiSJUipXD6n/cpsKk8+H
aMahcvzPuj8RLTRzLtIpB6zP46OJj8RqXFeAMN4LDwfmVsi1c8pgcvyl31/rKM95
x6TMix696oP9itSZ/GVSLR+uHD+OeT1B2hEnLWMdTYc4tap/zfHEJ/55kGXEP0RX
oI0Cz3wmVd5ufmm3DY38rLBDrJfRouUJcbVq2lVi7YoQb91OZv+Kjnkag6+lesHX
GUKWcFvBL1pMeQAQN5YBmat4rOOl5x9U7m0cnZuYIRT7Vuym3fQ=
=zu81
-----END PGP SIGNATURE-----
pgpiVbcMl5eDN.pgp
Description: PGP signature
--- End Message ---