CC-ing the p-u bug for Bookworm as well, since this applies equally to both.

On Tue, Feb 24, 2026, at 5:07 PM, Bastian Germann wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie
> X-Debbugs-Cc: [email protected]
> Control: affects -1 + src:rust-time
> User: [email protected]
> Usertags: pu
>
> [ Reason ]
> CVE-2026-25727 (stack exhaustion)
>
> [ Impact ]
> Vulnerable to denial of service.
>
> [ Tests ]
> I have only compiled the package with an upstream patch backport.
>
> [ Risks ]
> Code change is trivial. There is only an inline annotation that had to
> be dropped to backport the patch.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> The upstream patch limits the stack frames.
>
> [ Other info ]
> Team upload.

Thanks for preparing this!

After this has been accepted and built, all binary packages statically linking the affected code need to be bin-NMUed (or get no-change source uploads). If desired, I can prepare a list of packages for Trixie and Bookworm.

Fabian

