Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:iperf3 User: [email protected] Usertags: pu
Hi, I'm iperf3 maintainer and there are two CVE fixed upstream. Version 3.19.1-1 with the fix is already in unstable and testing, and Adrian Bunk uploaded the fix for bullseye a few days ago. I am using my personal email, I am still having problems sending mail from [email protected]. This is the fix for trixie. I have been emailing with Salvatore Bonaccorso and both agree that DSA are not needed for these issues and the package can go with the next trixie point release. Details below, and debdiff attached. I will wait for your instructions before doing the upload. Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110376 CVE-2025-54349 | In iperf before 3.19.1, iperf_auth.c has an off-by-one error and | resultant heap-based buffer overflow. https://github.com/esnet/iperf/commit/42280d2292ed5f213bfcb33b2206ebcdb151ae66 patch: https://github.com/esnet/iperf/commit/42280d2292ed5f213bfcb33b2206ebcdb151ae66.patch This patch fails to apply but it is easy to do it by hand. CVE-2025-54350 | In iperf before 3.19.1, iperf_auth.c has a Base64Decode assertion | failure and application exit upon a malformed authentication | attempt. https://github.com/esnet/iperf/commit/de932ea16bc959f839d28d370f0602de52c5def1 patch: https://github.com/esnet/iperf/commit/de932ea16bc959f839d28d370f0602de52c5def1.patch This one applies with offset warnings. Regards, -- Roberto Lumbreras Debian Developer [email protected]
iperf3-trixie.debdiff
Description: Binary data
iperf3-trixie.debdiff.asc
Description: Binary data
