Your message dated Sat, 16 May 2026 10:23:18 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1131610,
regarding trixie-pu: package pymupdf/1.25.4+ds1-3+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131610: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131610
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:pymupdf
User: [email protected]
Usertags: pu
[ Reason ]
Fix CVE-2026-3029 via upstream change.
[ Impact ]
Vulnerable for arbitrary file write via path traversal.
[ Tests ]
New unit tests introduced with the upstream change.
[ Risks ]
Code is trivial and the new unit tests check the new behavior.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Improved safety of `pymupdf embed-extract`. This now refuses to write to
an existing file or outside current directory, unless `-output` or new flag
`-unsafe` is specified.
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.5
This update has been released as part of Debian 13.5.
--- End Message ---
