Free software activities in August 2025

Here is my monthly update covering what I have been doing in the free software world during August 2025 (previous month):

(This section coming soon.)

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged: apache2 (CVE-2024-42516, CVE-2024-43204, CVE-2024-47252, CVE-2025-23048, CVE-2025-49630, CVE-2025-49812 & CVE-2025-53020), lemonldap-ng (CVE-2024-52948), libcatalyst-authentication-credential-http-perl (CVE-2025-40920), mupdf, netty (CVE-2025-55163) & tcpreplay (CVE-2025-9019)

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• I also released an update for Redis in Debian bookworm on behalf of the Debian security team, addressing CVE-2025-48367, CVE-2025-32023 and CVE-2025-48367.

• Issued DLA 4273-1 addressing three issues that were discovered in the PostgreSQL database management system:

  • A previous fix was intended to prevent leaky functions from being applied to statistics data for columns where the calling user does not have permission to read. Some gaps in that protection were found and addressed. (CVE-2025-8713)

  • Prevent pg_dump scripts from being used to attack the user running the restore. An attacker who had gained superuser-level control over the source server might have been able to cause it to emit text that would be interpreted as psql meta-commands. (CVE-2025-8714)

  • Convert newlines to spaces in names included in comments in pg_dump output, because names containing newlines offered the ability to inject arbitrary SQL commands into the output script. (CVE-2025-8715)

• Issued DLA 4278-1 as it was discovered that there was a potential use-after-free vulnerability in mupdf, a lightweight PDF viewer. This could have allowed remote attackers to cause a denial of service attack when opening a maliciously crafted PDF file.

• Issued DLA 4260-1 because Stefan Buehler discovered a flaw in sope, an Objective-C framework. This vulnerability could have resulted in a denial-of-service attack that was exploitable through a specially crafted POST request. Special thanks to the Debian sope maintainer for their assistance. (CVE-2025-53603)

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.