Your message dated Sat, 10 Jan 2026 11:59:46 +0000
with message-id <[email protected]>
and subject line Released with 12.13
has caused the Debian Bug report #1116946,
regarding bookworm-pu: package open-vm-tools/2:12.2.0-1+deb12u4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1116946: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116946
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:open-vm-tools
User: [email protected]
Usertags: pu
[ Reason ]
Fixing CVE-2025-41244 using the patch provided by Broadcom/VMware via
point-release as discussed with the security team.
[ Impact ]
VMware Aria Operations and VMware Tools contain a local privilege escalation
vulnerability. A malicious local actor with non-administrative privileges
having access to a VM with VMware Tools installed and managed by Aria Operations
with SDMP enabled may exploit this vulnerability to escalate privileges to root
on the same VM.
[ Tests ]
None except for the salsa pipeline - Debian doesn't have ESX hosts for
automated tests.
https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/pipelines/947554
[ Risks ]
low risk, the affected package has a very very low popcon compared to
open-vm-tools itself.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
- please do not ask me how exactly this fixes an issue or what the
issue exactly was to begin with, I assume that upstream does the
right thing there.
[X] attach debdiff against the package in (old)stable
https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/jobs/8377091/artifacts/file/debian/output/open-vm-tools.debdiff
(please ignore the +salsaci version stuff, the debdiff is from the
CI indeed)
also attached.
[X] the issue is verified as fixed in unstable
supposed to be fixed in 13.0.5
[ Changes ]
new patch, directly from upstream.
( + some salsa CI / git-buildpackage related changes to build in
bookworm instead of unstable)
thanks,
Bernd
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.13

This update has been released as part of Debian 12.13.
--- End Message ---