Package: release.debian.org
User: [email protected]
Usertags: rm
X-Debbugs-Cc: [email protected], [email protected]
Severity: normal

Please remove zulucrypt from bullseye (LTS).

- Affected by root LPE (Local Privilege Escalation) CVE-2025-53391,
  which is Debian-specific, rated 9.3/10 by MITRE.
  bullseye tested and vulnerable (FTR buster isn't).
  https://security-tracker.debian.org/tracker/CVE-2025-53391

- Last maintainer contacted last December and January, no feedback.
  https://bugs.debian.org/1108288
  https://bugs.debian.org/1124603

- Removed from unstable and testing/trixie; last version from 2022
  (6.2) while upstream updated twice in 2024 (7.0, 7.1).
  https://bugs.debian.org/1124603

- Removal requested for bookworm.
  https://bugs.debian.org/1134891

- No reverse dependencies, per `apt rdepends zulucrypt-cli
  zulumount-cli zulucrypt-gui zulumount-gui zulupolkit zulusafe-cli
  libzulucrypt-exe1.2.0 libzulucrypt-exe-dev libzulucrypt1.2.0
  libzulucrypt-dev libzulucryptpluginmanager1.0.0
  libzulucryptpluginmanager-dev libzulucrypt-plugins`
  (only self-rdeps)

Cheers!
Sylvain Beucler
Debian LTS Team
