During the month of October 2025 and on behalf of Freexian, I worked on the following:
mediawiki
---------

Uploaded 1:1.35.13-1+deb11u5 and issued DLA-4355-1.
https://lists.debian.org/msgid-search/[email protected]

 * CVE-2025-11173 (OATHAuth extension): Reauthentication for enabling 2FA can be bypassed by submitting a form in Special:OATHManage.
 * CVE-2025-11261: Stored i18n XSS vulnerability in mw.language.listToText.
 * CVE-2025-61635 (ConfirmEdit extension): Missing rate limiting in ApiFancyCaptchaReload.
 * CVE-2025-61638 (Parsoid): Validation bypass for `data-` attributes.
 * CVE-2025-61639: Log entries which are hidden from the creation of the entry may be disclosed to the public recent change entry.
 * CVE-2025-61640: Stored i18n XSS vulnerability in Special:RecentChangesLinked.
 * CVE-2025-61641: DDoS vulnerability in QueryAllPages API in miser mode.
 * CVE-2025-61643: Suppressed recent changes may be disclosed to the public RCFeeds.
 * CVE-2025-61646: Public Watchlist/RecentChanges pages may disclose hidden usernames when an individual editor makes consecutive revisions on a single page, and only some are marked as hidden username.
 * CVE-2025-61653 (TextExtracts extension): Information disclosure vulnerability in the extracts API action endpoint due to missing read permission check.
 * CVE-2025-61655 (VisualEditor extension): Stored i18n XSS vulnerability in `lastModifiedAt` system messages.
 * CVE-2025-61656 (VisualEditor extension): Missing attribute validation for attributes unwrapped from `data-ve-attributes`.

libxml2
-------

Uploaded 2.9.4+dfsg1-7+deb10u13 (buster) and 2.9.4+dfsg1-2.2+deb9u15 (stretch) and issued ELA-1542-1.
https://www.freexian.com/lts/extended/updates/ela-1542-1-libxml2/

 * CVE-2025-9714: Stack overflow via crafted expressions due to uncontrolled recursion.
 * CVE-2025-7425: Heap-use-after-free in xmlFreeID() caused by `atype` corruption. While the vulnerability was reported against libxslt, the XSLT 1.0 processing library, it is now mitigated in libxml2.
Filed trixie-pu bug #1117843 and bookworm-pu bug #1117844 with a fix for CVE-2025-9714 and an improved mitigation patch for CVE-2025-7425.
https://bugs.debian.org/1117843
https://bugs.debian.org/1117844

Uploaded libxml2.9=2.12.7+dfsg+really2.9.14-2.3 to sid with a fix for CVE-2025-9714 and a mitigation patch for CVE-2025-7425.
https://tracker.debian.org/news/1678900/accepted-libxml29-2127dfsgreally2914-23-source-into-unstable/

(libxml2.9 is a sid-only package which is never meant to transition to testing. It is needed for a soname transition but will be removed once no package depends on it anymore, see #1112209.)

libxslt
-------

Backport and test fixes to LTS and ELTS suites for

 * CVE-2025-10911: Type confusion issue in exsltFuncResultComp().
 * CVE-2025-11731: Use-after-free with key data stored cross-RVT.

but didn't upload yet as the suggested fix for CVE-2025-10911 has not yet been merged upstream.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- 
Guilhem.
