Hi,

On Fri, May 29, 2026 at 09:15:51AM +0900, YOKOTA Hiroshi wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: [email protected], [email protected]
> Control: affects -1 + src:7zip
> User: [email protected]
> Usertags: pu
>
>
> [ Reason ]
> Fix CVE-2026-48095 (heap buffer write overflow)
>
> [ Impact ]
> A CVE (CVSS: 8.8/10) is unfixed.
>
> [ Tests ]
> Autopkgtest on Salsa CI was successful.
>
> [ Risks ]
> This patch just updates the upstream code to v26.01,
> because upstream does not provide an individual fix patch for the CVE.
> I recommend using the online view to examine this update.
> The attached debdiff is compressed because it's too big (20MB).
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> * Update upstream code to v26.01
> * Adjust Debian patch to new upstream code
> * Adjust debian/watch file because upstream changed the download URL
>
> [ Other info ]
> * GHSL-2026-140: Heap Buffer Write Overflow in 7-Zip
> https://securitylab.github.com/advisories/GHSL-2026-140_7-Zip/
> * Examine this update online
> https://salsa.debian.org/debian/7zip/-/compare/debian%2F22.01+really25.01+dfsg-0+deb12u1...debian%2Fbookworm?from_project_id=61356
FYI: The attachment might have been too big to reach the mailing list, so you can also attach a filtered debdiff that includes only what is relevant modulo the upstream changes from the import.

Regards,
Salvatore

