- Package:
- release.debian.org
- Source:
- release.debian.org
- Submitter:
- Bastian Germann
- Date:
- 2026-05-26 20:25:03 UTC
- Severity:
- normal
- Tags:
[ Reason ]
CVE-2026-25727 (stack exhaustion)

[ Impact ]
Vulnerable to denial of service.

[ Tests ]
I have only compiled the package with an upstream patch backport.

[ Risks ]
Code change is trivial. There is only an inline annotation that had to be dropped to backport the patch.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The upstream patch limits the stack frames.

[ Other info ]
Team upload.

CC-ing the p-u bug for Bookworm as well, since this applies equally to both.

Thanks for preparing this! After this has been accepted and built, all binary packages statically linking the affected code need to be bin-NMUed (or get no-change source uploads). If desired, I can prepare a list of packages for Trixie and Bookworm.

Fabian

Control: tags -1 + moreinfo

[..]

I'd appreciate knowing what that list looks like before we consider accepting these updates. Point releases aren't really designed to handle mini transitions.

Regards,

Adam

Control: tags -1 - moreinfo

for Trixie, the list would include at least the following (based on Static-Built-Using, which might be incomplete!):

bat (0.25.0-2+b2) -> rust-time (= 0.3.37-1)
broot (1.46.3-2) -> rust-time (= 0.3.37-1)
cargo-c (0.10.11-1+b2) -> rust-time (= 0.3.37-1)
cargo-mutants (25.0.0-1+b1) -> rust-time (= 0.3.37-1)
cargo-outdated (0.17.0-1+b1) -> rust-time (= 0.3.37-1)
cddl (0.9.5-1) -> rust-time (= 0.3.37-1)
condure (1.10.0-8+b1) -> rust-time (= 0.3.37-1)
cotp (1.9.2-1+b3) -> rust-time (= 0.3.37-1)
cyme (2.2.0+dfsg-2) -> rust-time (= 0.3.37-1)
czkawka-cli (8.0.0-2) -> rust-time (= 0.3.37-1)
czkawka-gui (8.0.0-2) -> rust-time (= 0.3.37-1)
debcargo (2.7.8-4) -> rust-time (= 0.3.37-1)
edu-sync (0.3.0-1+b1) -> rust-time (= 0.3.37-1)
eza (0.21.0-1+b1) -> rust-time (= 0.3.37-1)
git-absorb (0.6.17-2+b2) -> rust-time (= 0.3.37-1)
git-delta (0.18.2-4+b1) -> rust-time (= 0.3.37-1)
gping (1.19.0-3+b1) -> rust-time (= 0.3.37-1)
grcov (0.8.22-1+b1) -> rust-time (= 0.3.37-1)
hickory-dns (0.24.4-1+b2) -> rust-time (= 0.3.37-1)
laurel (0.7.1-1+b2) -> rust-time (= 0.3.37-1)
parsec-tool (0.7.0-7+b1) -> rust-time (= 0.3.37-1)
procs (0.14.10-2) -> rust-time (= 0.3.37-1)
prr (0.20.0-1+b3) -> rust-time (= 0.3.37-1)
rebuilderd (0.24.0-1) -> rust-time (= 0.3.37-1)
repro-env (0.4.3-2+b2) -> rust-time (= 0.3.37-1)
ripasso-cursive (0.8.0-1+b2) -> rust-time (= 0.3.37-1)
safe-vdash (0.19.3-2+b1) -> rust-time (= 0.3.37-1)
scaphandre (1.0.2-4+b1) -> rust-time (= 0.3.37-1)
speakersafetyd (1.1.2-4) -> rust-time (= 0.3.37-1)
virtiofsd (1.13.2-1+deb13u1) -> rust-time (= 0.3.37-1)
wormhole-rs (0.7.6-1) -> rust-time (= 0.3.37-1)
xh (0.24.0-1+b1) -> rust-time (= 0.3.37-1)

for Bookworm, we do not have Static-Built-Using yet, and its predecessor is likely to be more incomplete..

thanks,
Fabian
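
A list like the one in the message above can be derived by scanning Packages stanzas for a Static-Built-Using entry that pins the vulnerable source version. The following is an added example, not part of the thread or of any Debian tooling; the function names and all sample data other than the bat and cddl entries for rust-time are constructed for illustration.

```python
import re

# Constructed Packages-style (deb822) sample; only the bat and cddl entries for
# rust-time come from the list above, every other name and version is made up.
SAMPLE = """\
Package: bat
Version: 0.25.0-2+b2
Static-Built-Using: rust-example-a (= 1.0-1), rust-time (= 0.3.37-1),
 rust-example-b (= 2.0-1)

Package: cddl
Version: 0.9.5-1
Static-Built-Using: rust-time (= 0.3.37-1)

Package: example-rebuilt
Version: 1.0-1+b2
Static-Built-Using: rust-time (= 0.3.37-1+deb13u1)

Package: example-lookalike
Version: 3.1-1
Static-Built-Using: rust-timeout (= 0.3.37-1)

Package: example-dynamic
Version: 2.10-3
"""

def parse_stanzas(text):
    """Yield one dict per stanza, folding continuation lines into their field."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        yield fields

def built_against(text, source, version):
    """Return (package, version) pairs statically built with exactly source (= version)."""
    hits = []
    for st in parse_stanzas(text):
        for dep in st.get("Static-Built-Using", "").split(","):
            m = re.fullmatch(r"\s*(\S+)\s*\(=\s*(\S+)\)\s*", dep)
            if m and m.groups() == (source, version):
                hits.append((st["Package"], st["Version"]))
    return hits

if __name__ == "__main__":
    for name, ver in built_against(SAMPLE, "rust-time", "0.3.37-1"):
        print(f"{name} ({ver}) needs a rebuild")
```

Binaries built before the field existed, or whose build did not record it, will not appear in the result, so the output is a lower bound on what needs rebuilding.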
Hi, Please go ahead. Thanks,

package release.debian.org
tags 1128925 = trixie pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian trixie.

Thanks for your contribution!

Upload details
==============

Package: rust-time
Version: 0.3.37-1+deb13u1

Explanation: fix denial of service [CVE-2026-25727]