Your message dated Sat, 10 Jan 2026 11:52:34 +0000
with message-id <[email protected]>
and subject line Released with 13.3
has caused the Debian Bug report #1123726,
regarding trixie-pu: package rust-sequoia-openpgp/2.0.0-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1123726: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123726
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
User: [email protected]
Usertags: pu
Hi,
rust-sequoia-openpgp/2.0.0-2 in trixie is affected by
CVE-2025-67897 "DOS (crash) via special crafted encrypted message"
which is also tracked as Debian Bug #1122582 and which is
fixed by
https://gitlab.com/sequoia-pgp/sequoia/-/commit/b59886e5e7bdf7169ed330f309a6633d131776e5
In #1122582 we agreed with the security team that this should be
fixed via a point release, so I'm filing this bug to aid that.
After uploading rust-sequoia-openpgp the following source
packages need binNMUs in trixie:
rust-sequoia-sqv
rust-sequoia-sq
rust-sequoia-octopus-librnp
rust-sequoia-keystore-server
rust-sequoia-git
rust-sequoia-chameleon-gnupg
rust-sequoia-sop
[ Reason ]
as said, CVE-2025-67897
[ Impact ]
as said, DOS (crash) via special crafted encrypted message.
[ Tests ]
Upstream has fixed this a month ago, and for two weeks the fix
has been in unstable and thus in forky for a week.
rust-sequoia-openpgp has autopkgtests as well.
[ Risks ]
always, but nothing really obvious here.
[ Checklist ]
[ ] *all* changes are documented in the d/changelog
[ ] I reviewed all changes and I approve them
[ ] attach debdiff against the package in (old)stable
those 3 not yet, as we will still need to discuss in the rust team
how + where (+if?) to store such an upload in git, as for recreating
the fixed package it's easiest and best to just traditionally prepare
a patched package which deviates from the usual rust team workflows...
besides that, creating the actual package and meeting the above
criteria is easy :)
[x] the issue is verified as fixed in unstable
[ Changes ]
(Explain *all* the changes)
--
cheers,
Holger
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄
A scientist told me the real story is the unfolding of climate change.
And a doctor told me the real story is the ongoing pandemic.
And an activist told me the real story is the rise of fascism.
And a historian told me the real story is that these are all the same story.
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.3

This update has been released as part of Debian 13.3.
--- End Message ---