On behalf of the LTS Team and in coordination with u-boot maintainer
I'd like to propose this stable update of u-boot.
[ Reason ]
I've prepared an updated u-boot package for stable fixing 2 outstanding
CVEs, which have both been tagged no-DSA. The same upstream version
is currently in use in unstable, testing and stable. The
unstable/testing upload can thus serve us as a useful test for this
stable-proposed-update.
[ Impact ]
The two issues are: a rogue DHCP server can extract memory from the u-boot
bootp (DHCP) implementation, and FIT verification can be bypassed.
I expect the latter to not be very commonly used with Debian packages.
[ Tests ]
No regressions have been reported so far in unstable/testing, however
note that the binary payload of the debian package is *not*
automatically installed on target systems (unlike for example
upgrade-grub2) so I'm not sure exactly how much actual testing has
happened yet.
The package has also been in debusine, which runs as many tests as
are available. The included test that came with the FIT verification
bugfix is however unused.
The debusine work-request for the stable update is at:
https://debusine.debian.net/debian/developers/work-request/856876/
It has not yet been signed, and is thus not uploaded to the archive yet.
Please tell me when to proceed to sign/upload (or feel free to sign it
yourself).
[ Risks ]
I don't think FIT verification is much used by those using the debian
packaged u-boot and dhcp is likely not the standard boot path either.
Any regression is thus unlikely to affect most u-boot users' regular
bootup.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Backported patches cherry-picked from upstream for CVE fixes.
[ Other info ]
Apart from unstable/testing, the issue is already fixed in LTS
(bookworm, bullseye). The security team has been involved in
coordinating all of these uploads. I've also been discussing with, and
offering my help to, the u-boot maintainer.