Here is my monthly update covering what I have been doing in the free software world during October 2025 (previous month):
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation processes by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month, I:

- Submitted at least 7 patches to fix specific reproducibility issues in mobilitydb, ne, pyraf, python-can, rsbackup, etc.
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Drafted, published and publicised our monthly report for September 2025.
- Kept isdebianreproducibleyet.com up to date. […]
diffoscope
Elsewhere in our tooling, I made a number of changes to diffoscope, including uploading version 307 to Debian unstable, fixing compatibility with LLVM version 21 […], and an attempt to automatically deploy to PyPI by liaising with the PyPI developers/maintainers (with this experimental feature). […]
Debian
- memcached (1.6.39-2) — Don't use the embedded Lua code copy. (#1119119)
- pydevd (3.4.1+ds-1) — New upstream release.
- 4.2.25-1 — New upstream security release.
- 6.0~beta1-1 — New upstream beta release.
- redis (8.0.4-1) — New upstream release.
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Investigated and triaged firmware-nonfree (CVE-2024-23198, CVE-2024-24984, CVE-2024-25563 & CVE-2024-28049), p7zip (CVE-2025-11001 and CVE-2025-11002), python-socketio (CVE-2025-61765), redis (CVE-2025-49112 & CVE-2025-46818), openssh (CVE-2025-61984 & CVE-2025-61985), qtsvg-opensource-src (CVE-2025-10729) and varnish.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 4324-1 and ELA-1535-1 as it was discovered that there were two vulnerabilities in Django, a popular web development framework:
  - CVE-2025-59681: Fix a potential SQL injection in QuerySet.annotate(), alias(), aggregate() and extra(). These methods were subject to SQL injection in column aliases, using a suitably crafted dictionary via dictionary expansion as the `**kwargs` passed to these methods on MySQL and MariaDB.
  - CVE-2025-59682: Fix a potential partial directory-traversal vulnerability in archive.extract(). This function, used by startapp --template and startproject --template, allowed partial directory-traversal via an archive with file paths sharing a common prefix with the target directory.
- Issued DLA 4325-1 and ELA-1537-1 because multiple vulnerabilities were discovered in Redis, the popular key/value database:
  - CVE-2025-46817: Fix an issue where an authenticated user could have used a specially-crafted Lua script to cause an integer overflow and potentially lead to remote code execution.
  - CVE-2025-46819: Address a potential vulnerability where an authenticated user could have used a specially-crafted Lua script to read out-of-bound data and/or crash the server and thereby create a denial of service attack.
  - CVE-2025-49844: Fix an issue where authenticated users could have exploited a specially-crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution.
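The "common prefix" traversal described for CVE-2025-59682 above is a general bug class, so here is an added, self-contained illustration of it. This is not Django's archive.extract() code or its patch; it is my own example. The target directory, the archive member names and the two check functions are constructed for the demonstration: the flawed check compares the resolved destination as a string prefix of the target directory, so a sibling directory whose name merely begins with the same characters is accepted, while the safe check requires the destination to be the target itself or to lie under target plus a path separator.

```python
import posixpath

# Constructed inputs for the demonstration (not taken from any real archive).
TARGET_DIR = "/srv/newproject"
MEMBERS = [
    "app/__init__.py",              # ordinary member, stays inside the target
    "settings.py",                  # ordinary member
    "../newproject_evil/pwned.py",  # sibling dir sharing the prefix "/srv/newproject"
    "../../etc/passwd",             # plain traversal, caught by both checks
    "/etc/shadow",                  # absolute member path, caught by both checks
]


def resolve(target_dir: str, member: str) -> str:
    """Normalised absolute path the member would be written to."""
    return posixpath.normpath(posixpath.join(target_dir, member))


def flawed_is_within(target_dir: str, member: str) -> bool:
    """Prefix check without a trailing separator (the bug class).

    "/srv/newproject_evil/pwned.py".startswith("/srv/newproject") is True,
    so a sibling directory with a common name prefix passes as "inside".
    """
    return resolve(target_dir, member).startswith(target_dir)


def safe_is_within(target_dir: str, member: str) -> bool:
    """Compare path components, not characters.

    The destination must be the target directory itself or start with
    target + "/", which excludes "/srv/newproject_evil/..." as well as
    anything that normalises to a location above the target.
    """
    target = posixpath.normpath(target_dir)
    dest = resolve(target, member)
    return dest == target or dest.startswith(target + "/")


def plan_extraction(target_dir, members, is_within):
    """Split members into (allowed, rejected) according to one containment check."""
    allowed, rejected = [], []
    for member in members:
        (allowed if is_within(target_dir, member) else rejected).append(member)
    return allowed, rejected


def escapes_only_flawed_check(target_dir=TARGET_DIR, members=MEMBERS):
    """Members the flawed check would extract but the safe check rejects,
    i.e. the files that would be written outside the target directory."""
    flawed_ok, _ = plan_extraction(target_dir, members, flawed_is_within)
    safe_ok, _ = plan_extraction(target_dir, members, safe_is_within)
    return [m for m in flawed_ok if m not in safe_ok]


if __name__ == "__main__":
    for member in escapes_only_flawed_check():
        print(f"{member!r} -> {resolve(TARGET_DIR, member)} (outside {TARGET_DIR})")
```

The same separator-aware comparison is what to look for when reviewing any extraction, upload or template-copying routine: a bare startswith() on a directory string is the tell-tale sign, and the fix is either appending the separator as above or comparing with os.path.commonpath().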
You can find out more about the Debian LTS project via the following video:
