Your message dated Sat, 07 Mar 2026 21:17:06 +0000
with message-id <[email protected]>
and subject line Bug#1118285: fixed in civetweb 1.16+dfsg-2+deb13u1
has caused the Debian Bug report #1118285,
regarding civetweb: CVE-2025-9648
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1118285: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118285
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: civetweb
Version: 1.16+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/civetweb/civetweb/issues/1348
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.16+dfsg-2
Hi,
The following vulnerability was published for civetweb.
CVE-2025-9648[0]:
| A vulnerability in the CivetWeb library's function
| mg_handle_form_request allows remote attackers to trigger a denial
| of service (DoS) condition. By sending a specially crafted HTTP POST
| request containing a null byte in the payload, the server enters an
| infinite loop during form data parsing. Multiple malicious requests
| will result in complete CPU exhaustion and render the service
| unresponsive to further requests. This issue was fixed in commit
| 782e189. This issue affects only the library, standalone executable
| pre-built by vendor is not affected.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-9648
https://www.cve.org/CVERecord?id=CVE-2025-9648
[1] https://github.com/civetweb/civetweb/issues/1348
[2] https://github.com/civetweb/civetweb/commit/782e18903515f43bafbf2e668994e82bdfa51133
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: civetweb
Source-Version: 1.16+dfsg-2+deb13u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
civetweb, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated civetweb package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 07 Mar 2026 11:54:47 +0200
Source: civetweb
Architecture: source
Version: 1.16+dfsg-2+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Med Packaging Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1112507 1118285
Changes:
 civetweb (1.16+dfsg-2+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-9648: Infinite loop in mg_handle_form_request
     (Closes: #1118285)
   * CVE-2025-55763: Buffer overflow in the URI parser
     (Closes: #1112507)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---