Your message dated Sat, 04 Jul 2026 11:32:21 +0000
with message-id <[email protected]>
and subject line Bug#1082381: fixed in protobuf 3.21.12-3+deb12u1
has caused the Debian Bug report #1082381,
regarding protobuf: CVE-2024-7254
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1082381: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082381
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: protobuf
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for protobuf.

CVE-2024-7254[0]:
| Any project that parses untrusted Protocol Buffers data containing
| an arbitrary number of nested groups / series of SGROUP tags can
| corrupted by exceeding the stack limit i.e. StackOverflow. Parsing
| nested groups as unknown fields with DiscardUnknownFieldsParser or
| Java Protobuf Lite parser, or against Protobuf map fields, creates
| unbounded recursions that can be abused by an attacker.

https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-7254
    https://www.cve.org/CVERecord?id=CVE-2024-7254

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: protobuf
Source-Version: 3.21.12-3+deb12u1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
protobuf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated protobuf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 02 Jul 2026 22:51:59 +0300
Source: protobuf
Architecture: source
Version: 3.21.12-3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1082381 1108057 1126302 1134895
Changes:
 protobuf (3.21.12-3+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0994: JSON recursion depth bypass (closes: #1126302).
   * Fix CVE-2026-6409: PHP Denial of Service (closes: #1134895).
 .
   [ Hlib Korzhynskyy <[email protected]> ]
   * Complete fix of CVE-2024-7254 (closes: #1082381):
     - add recursion checks and recursion limit,
     - add tests.
 .
   [ Laszlo Boszormenyi (GCS) ]
   * Fix CVE-2025-4565: data containing an arbitrary number of recursive
     groups, recursive messages or a series of SGROUP tags can be corrupted
     by exceeding the Python recursion limit (closes: #1108057).
Checksums-Sha1:
 40bed51d97a6ea71e7ed41c1d07424403a31a348 3106 protobuf_3.21.12-3+deb12u1.dsc
 30d1134509211b033bbd70b82053866534eac22a 46240 
protobuf_3.21.12-3+deb12u1.debian.tar.xz
Checksums-Sha256:
 22e31f6dfc06d85a9054bf19603a412698c0d2f760a754650cd2385ea303cee0 3106 
protobuf_3.21.12-3+deb12u1.dsc
 49cdad49801545cb797355af19fbd6b3627084c6549f629512faaa4e25dd5647 46240 
protobuf_3.21.12-3+deb12u1.debian.tar.xz
Files:
 ee87dee64901a13289e4548203501121 3106 devel optional 
protobuf_3.21.12-3+deb12u1.dsc
 e8580bcac9651c4bedd80b25b9df28e0 46240 devel optional 
protobuf_3.21.12-3+deb12u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmpG0hQACgkQiNJCh6LY
mLEwTw/+KWTiTx+cy/hJZPQh1fnC9ieCkBD5aJ4kc/5QvBDCbGxyleUsoMG2JGTp
Y1oOgW+kxfuc7CI2sxNzuwEZBMTxes+9OHxGuozDonKkfsU6A12mUtTh7LgHUGqH
FP3f2xjqn4THuwyJm+oEPPQ5l6PqCiPa0aO1SLBeD/VpjyhxD/pF8QpyPJOVIk3z
Hzkkxbaeo+UBBW7eQ4fuR8fJ++8lzo9lBuBYTo43QhOyE+2pQXJCuidwPISZBj4V
7JTrk9XwjyxuZUVNbW/THbJ28g15yJDABjzNxREs2HDEB93N02Y4RoFCkT+C3Vly
s8UUinAOtrmNwdoaP9GQI0oyhTpjHu6me1qUS6SwSI+xHeFvRYrTQ0r06U7w37Us
NaVHcYgGWs6hn9g05SXmekm3WKSoX3+F7jVZteMj/HBnIHpJKcdv9P1RTsgsossW
a8TTlIFcLVn7HmQcoNcH3S9Y/xclWHI995CSTs35qbD6jk1/EQSHY6oRTSjtpcQY
obNY96Ftugm0GspDaI60aWAxfMt1OrZ53lNmR5aIvpjhm7/bwlCZ5E7VUOCAlV15
/EkGEqJx+VFin/aOw2e2l0PT2HzXZZQmyAuHtBJ7VxzXBGmjOlV1/ShmW046kOqL
hWiaQDK2Uym0Y9QMXZEPd2Ky1xuOKKwFyp+nDGvLV3x55VNy/aE=
=dIiA
-----END PGP SIGNATURE-----

Attachment: pgpnxPWf1oNDL.pgp
Description: PGP signature


--- End Message ---

Reply via email to