Debian Patches
Status for swupdate/2025.12+dfsg-10
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| CVE-2026-28525.diff | mongoose: Integer Underflow in Multipart Upload Parser The function mg_http_multipart_continue_wait_for_chunk() has a discrepancy between its guard condition and a subsequent subtraction in the else branch. The guard at line 250 checks `(int) io->len < mp_stream->boundary.len + 6`, allowing execution to continue when io->len >= boundary.len + 6. However, when mg_strstr() finds the boundary string in the buffer (else branch at line 264), data_len is computed as `io->len - (mp_stream->boundary.len + 8)`. The +6 vs +8 mismatch means that when io->len is in the range [boundary.len + 6, boundary.len + 7], the subtraction underflows the size_t variable to SIZE_MAX or SIZE_MAX - 1. This will fix CVE-2026-28525. Description of issue copied from vulnerability report - many thanks to Kazuma for his analyses. Reported by: Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc. | Stefano Babic <stefano.babic@swupdate.org> | no | | upstream, beee2dc0feef1cfe84f1aa6fc980e104b2e47a74 | 2026-03-19 |
| Declare-public-key-or-gpg-cfg-mandatory.diff | crypto: Declare public key or gpg cfg mandatory The command line parsing currently insists on the gpg config options when GPG is configured at build time. With the runtime-configurable crypto the check for mandatory options has to be changed to be correct. | Bastian Germann <bage@debian.org> | no | | https://patchwork.ozlabs.org/project/swupdate/patch/20251219143651.308138-1-bage@debian.org/ | 2025-12-19 |
| Link-config-to-swupdate-www-path.diff | example: Link config to swupdate-www path | Bastian Germann <bage@debian.org> | not-needed | | | 2022-11-28 |
| Remove-element-of-char-failing-the-doc-build.diff | Remove element-of char failing the doc build | Bastian Germann <bage@debian.org> | no | | | 2025-05-12 |
| Remove-tabularcolumns-that-crashes-latex.diff | doc: Remove tabularcolumns that crashes latex sphinx generates latex code that ends up with error: Missing # inserted in alignment preamble. | Bastian Germann <bage@debian.org> | not-needed | | | 2025-12-08 |
| use-gcc-compiler.diff | Use gcc compiler Use explicit gcc to enable cross compiling. crossprefix-cc will not be available generally on Debian. | Bastian Germann <bastiangermann@fishpost.de> | no | | | 2020-05-28 |

All known versions for source package 'swupdate'
- 2025.12+dfsg-10 (sid)
- 2025.12+dfsg-8 (forky)
- 2025.12+dfsg-7~bpo13+1 (trixie-backports)
- 2024.12.1+dfsg-3+deb13u2 (trixie)
- 2024.12.1+dfsg-3~bpo12+1 (bookworm-backports)
- 2022.12+dfsg-4+deb12u2 (bookworm)
