Free software activities in June 2025

Here is my monthly update covering what I have been doing in the free software world during June 2025 (previous month):

Reproducible Builds

One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

This month, I:

• Kept isdebianreproducibleyet.com up to date. [...]

• Submitted at least 3 patches to fix specific reproducibility issues in packages such as cctools, python-django-import-export & tree-puzzle, etc.

• Prepared for an upcoming talk on Saturday 2nd August with Vagrant Cascadian this year's FOSSY 2025.

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• Drafted, published and publicised our monthly report for May 2025.

• Updated the main Reproducible Builds website and documentation to improve the docker instructions on the diffoscope website. […]

Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 298, 299 and 300 to Debian:

• Add python3-defusedxml to the Build-Depends in order to include it in the Docker image. […]
• Handle the RPM format's HEADERSIGNATURES and HEADERIMMUTABLE as a special-case to avoid unnecessarily large diffs. Thanks to Daniel Duan for the report and suggestion. […][…]
• Update copyright years. […]

Debian

• python-django:

  • 5.2.2-1 — New upstream security release.
  • 5.2.3-1 — New upstream bugfix release.
  • 4.2.22-1 — New upstream security release.
  • 4.2.23-1 — New upstream bugfix release.

• xtrlock (2.17) — Explicitly add libcrypt-dev to Build-Depends, as there is an effort to drop the libc6-dev transitive dependency. (#1107012)

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged clamav (CVE-2025-20234, CVE-2025-20260), gdk-pixbuf (CVE-2025-6199), golang-1.11 (CVE-2025-4673), ncurses (CVE-2025-6141), node-send (CVE-2025-5889), node-serialize-javascript (CVE-2024-11831), python-django (CVE-2025-48432), python3.9 (CVE-2025-6069), thunderbird (CVE-2025-5986) & xmedcon (CVE-2025-2581).

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Issued DLA 4210-1, ELA-1470-1, ELA-1458-1 and ELA-1448-1, because a number of vulnerabilities were discovered in Django, a popular Python-based web-development framework:

  • CVE-2025-48432: Potential log injection via an unescaped request path. Django's internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals. (#1107282)

  • CVE-2025-32873: Denial-of-service possibility in strip_tags(). The django.utils.html.strip_tags() method was slow to evaluate certain inputs containing large sequences of incomplete HTML tags. This function is used to implement the striptags template filter, which was therefore also vulnerable. strip_tags() now raises a SuspiciousOperation exception if it encounters an unusually large number of unclosed opening tags. (#1104872)

  • CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri. This method was subject to potential denial of service attack via certain inputs with a very large number of Unicode characters. (#1051226)

  • CVE-2023-43665: Address a denial-of-service possibility in django.utils.text.Truncator. Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator's chars() and words() methods (with html=True) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus also vulnerable. The input processed by Truncator, when operating in HTML mode, has now been limited to the first five million characters in order to avoid potential performance and memory issues.

  • CVE-2024-24680: Potential denial-of-service in intcomma template filter. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

  • CVE-2024-27351: Fix a potential regular expression denial-of-service (ReDoS) attack in django.utils.text.Truncator.words. This method (with html=True) and the truncatewords_html template filter were subject to a potential regular expression denial-of-service attack via a suitably crafted string.

  • CVE-2023-36053: Prevent an potential denial-of-service issue in the EmailValidator and URLValidator classes that could have been exploited via a very large number of domain name labels containing emails and/or URLs.

• I also prepared an Django upload for bullseye addressing five CVEs.

• Issued DLA 4220-1 and ELA-1466-1 because it was discovered that there was a potential remote code execution vulnerability in Konsole, the KDE Terminal Emulator. This vulnerability could have been exploited when loading URLs from scheme handlers such as a ssh:// or telnet://.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.