Conclusion: Our version of icu is not affected and there is no need for a fix.

Conclusion: Our version of bind is not affected and there is no need for a fix.

Conclusion: We have prepared and backported security-patches for our version of fcgi.

CVE-2025-2761:  GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of FLI files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25100.

Conclusion: We have prepared security-patches for our version of gimp. Furthermore we will remove the following plugins:

file-dds
file-ico
file-fax3g
file-psd

Sorry for everyone using PSD-files for import / export. But we do not plan with those file-formats as gimp has sufficient others. ico-files can be converted and created on different ways (graphicsmagick). So there is no loss in any way, just a win in security-fixes.

CVE-2025-32415:  In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

Conclusion: We have prepared security-patches for our version of libxml2.

Conclusion: We have prepared already security-patches for our version of haproxy.

Conclusion: We have prepared already security-patches for our version of yelp.

CVE-2023-39615: Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.

CVE-2023-45322: libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."

CVE-2024-25062: An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Conclusion: We have prepared already security-patches for our version of libxml2.

CVE-2022-24883: Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left.

Conclusion: We have prepared already security-patches for our version of freerdp.

Conclusion: The security-threat does not apply to our system / kernel.

We can only warn about too much trust, even though the projects and packages are marked as "free and permissive". Nevertheless never forget they are software running and the more complex it gets the more problematic it can be.

Use also verification of attack-vectors, common known steps from recurring attacks:

• Manipulated repositories: Attacker using widely known and used platforms like Github to create false or fake projects, including malicious code

• Compromised dependencies: In this case malicious code is added within the libraries and frameworks other projects are using

• Social engineering: In some cases attacking groups and / or individuals pretend first to grant help and support for a project and when getting more rights likewise to modify and add code start with adding their malicious actions

Free software is always based on trust and therefore those attacks are very harmful for the future of free and libre software and culture. Also the further analysis of this current thread shows exactly why Hyperbola as project persists on exactly a full package and software running only local after the installation. We do not plan to include any kind of software sideloading further data after its installation without the users knowledge and we will always patch or remove packages (applications) when adding such demands and features.

Conclusion: The security-threat does not apply to UXP and therefore not to iceweasel-uxp and icedove-uxp.

Conclusion: We have backported a fix and patch our package unbound.

Conclusion: We will update our package ffmpeg to version 4.4.5.

CVE-2024-43374: The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678.

Conclusion: We will update our package vim to version 9.1.0707.