Free software activities in June 2025

Here is my monthly update covering what I have been doing in the free software world during June 2025 (previous month):

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged clamav (CVE-2025-20234, CVE-2025-20260), gdk-pixbuf (CVE-2025-6199), golang-1.11 (CVE-2025-4673), ncurses (CVE-2025-6141), node-send (CVE-2025-5889), node-serialize-javascript (CVE-2024-11831), python-django (CVE-2025-48432), python3.9 (CVE-2025-6069), thunderbird (CVE-2025-5986) & xmedcon (CVE-2025-2581).

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Issued DLA 4210-1, ELA-1470-1, ELA-1458-1 and ELA-1448-1, because a number of vulnerabilities were discovered in Django, a popular Python-based web-development framework:

  • CVE-2025-48432: Potential log injection via an unescaped request path. Django's internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals. (#1107282)

  • CVE-2025-32873: Denial-of-service possibility in strip_tags(). The django.utils.html.strip_tags() method was slow to evaluate certain inputs containing large sequences of incomplete HTML tags. This function is used to implement the striptags template filter, which was therefore also vulnerable. strip_tags() now raises a SuspiciousOperation exception if it encounters an unusually large number of unclosed opening tags. (#1104872)

  • CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri. This method was subject to potential denial of service attack via certain inputs with a very large number of Unicode characters. (#1051226)

  • CVE-2023-43665: Address a denial-of-service possibility in django.utils.text.Truncator. Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator's chars() and words() methods (with html=True) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus also vulnerable. The input processed by Truncator, when operating in HTML mode, has now been limited to the first five million characters in order to avoid potential performance and memory issues.

  • CVE-2024-24680: Potential denial-of-service in intcomma template filter. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

  • CVE-2024-27351: Fix a potential regular expression denial-of-service (ReDoS) attack in django.utils.text.Truncator.words. This method (with html=True) and the truncatewords_html template filter were subject to a potential regular expression denial-of-service attack via a suitably crafted string.

  • CVE-2023-36053: Prevent an potential denial-of-service issue in the EmailValidator and URLValidator classes that could have been exploited via a very large number of domain name labels containing emails and/or URLs.

• Issued DLA 4220-1 and ELA-1466-1 because it was discovered that there was a potential remote code execution vulnerability in Konsole, the KDE Terminal Emulator. This vulnerability could have been exploited when loading URLs from scheme handlers such as a ssh:// or telnet://.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.