Here is my monthly update covering what I have been doing in the free software world during June 2025 (previous month):
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged clamav (CVE-2025-20234, CVE-2025-20260), gdk-pixbuf (CVE-2025-6199), golang-1.11 (CVE-2025-4673), ncurses (CVE-2025-6141), node-send (CVE-2025-5889), node-serialize-javascript (CVE-2024-11831), python-django (CVE-2025-48432), python3.9 (CVE-2025-6069), thunderbird (CVE-2025-5986) & xmedcon (CVE-2025-2581).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 4210-1, ELA-1470-1, ELA-1458-1 and ELA-1448-1, because a number of vulnerabilities were discovered in Django, a popular Python-based web-development framework:
  - CVE-2025-48432: Potential log injection via an unescaped request path. Django's internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals. (#1107282)
  - CVE-2025-32873: Denial-of-service possibility in strip_tags(). The django.utils.html.strip_tags() method was slow to evaluate certain inputs containing large sequences of incomplete HTML tags. This function is used to implement the striptags template filter, which was therefore also vulnerable. strip_tags() now raises a SuspiciousOperation exception if it encounters an unusually large number of unclosed opening tags. (#1104872)
  - CVE-2023-41164: Potential denial-of-service vulnerability in django.utils.encoding.uri_to_iri. This method was subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. (#1051226)
  - CVE-2023-43665: Address a denial-of-service possibility in django.utils.text.Truncator. Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator's chars() and words() methods (with html=True) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial-of-service vulnerability. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus also vulnerable. The input processed by Truncator, when operating in HTML mode, has now been limited to the first five million characters in order to avoid potential performance and memory issues.
  - CVE-2024-24680: Potential denial-of-service in the intcomma template filter. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
  - CVE-2024-27351: Fix a potential regular expression denial-of-service (ReDoS) attack in django.utils.text.Truncator.words. This method (with html=True) and the truncatewords_html template filter were subject to a potential regular expression denial-of-service attack via a suitably crafted string.
  - CVE-2023-36053: Prevent a potential denial-of-service issue in the EmailValidator and URLValidator classes that could have been exploited via a very large number of domain name labels containing emails and/or URLs.
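The log injection described under CVE-2025-48432 above is easy to reproduce with Python's standard logging module, which is what Django's response logging sits on. The block below is an added example and is not Django code or the upstream fix: the sample request paths are constructed, and the sanitize_for_log() and log_responses() helpers and the "Not Found: %s" message format are my own assumptions for illustration. It writes each path once with the raw interpolation the advisory describes and once with control characters escaped, so the forged record and the stray terminal escape can be seen directly.

```python
import io
import logging
import re

# Constructed sample request paths (not captured traffic). The second one
# embeds a newline followed by a forged "ERROR" record; the third carries an
# ANSI escape sequence that would recolour a terminal viewing the log.
SAMPLE_PATHS = [
    "/admin/login/",
    "/nope\nERROR forged: admin password reset OK",
    "/x\x1b[31mRED\x1b[0m",
]

# C0 controls (including \n, \r and ESC), DEL, and the C1 control block.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def sanitize_for_log(value: str) -> str:
    """Escape control characters so one log call yields exactly one log line.

    Every control character becomes its \\xNN spelling; printable text is
    left untouched. Assumes a single-line text log format (the common case
    for a terminal or a syslog-style file).
    """
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def log_responses(paths, sanitize: bool):
    """Log a 'Not Found: <path>' warning per path into an in-memory buffer.

    Returns the resulting log lines. With sanitize=False the path is
    interpolated raw, which is the behaviour the advisory describes; with
    sanitize=True it is passed through sanitize_for_log() first.
    """
    buf = io.StringIO()
    # A standalone Logger (not from getLogger) so repeated calls do not
    # accumulate handlers on a shared, cached instance.
    logger = logging.Logger("log-injection-demo")
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    for path in paths:
        shown = sanitize_for_log(path) if sanitize else path
        logger.warning("Not Found: %s", shown)
    handler.flush()
    return buf.getvalue().splitlines()


def lines_with_terminal_escapes(lines):
    """Detection view: lines that still contain a raw ESC byte."""
    return [line for line in lines if "\x1b" in line]


if __name__ == "__main__":
    raw = log_responses(SAMPLE_PATHS, sanitize=False)
    safe = log_responses(SAMPLE_PATHS, sanitize=True)
    print(f"{len(SAMPLE_PATHS)} requests -> {len(raw)} raw lines, "
          f"{len(safe)} sanitized lines")
    for line in raw:
        print("RAW  ", repr(line))
    for line in safe:
        print("SAFE ", repr(line))
```

Three requests produce four raw lines, the extra one being the forged "ERROR" record that a downstream log parser cannot distinguish from a genuine one; the sanitized run produces exactly three and leaves no raw ESC byte in the output. Escaping at the logging boundary, rather than rejecting paths, keeps the evidence of the attempt readable in the log.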
- Issued DLA 4220-1 and ELA-1466-1 because it was discovered that there was a potential remote code execution vulnerability in Konsole, the KDE Terminal Emulator. This vulnerability could have been exploited when loading URLs from scheme handlers such as ssh:// or telnet://.
You can find out more about the Debian LTS project via the following video: