[From nobody Sat Jul  4 16:49:06 2026
Received: (at submit) by bugs.debian.org; 8 Jan 2026 20:06:22 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.0 required=4.0 tests=BAYES_00,SPF_HELO_NONE,
 SPF_PASS autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 17; hammy, 127; neutral, 24; spammy,
 0. spammytokens: hammytokens:0.000-+--merge_requests,
 0.000-+--UD:security-tracker.debian.org,
 0.000-+--security-tracker.debian.org,
 0.000-+--securitytrackerdebianorg, 0.000-+--H*r:jmm
Return-path: &lt;jmm@inutil.org&gt;
Received: from inutil.org ([51.38.114.215]:52158 helo=vps-b7ad3695.vps.ovh.net)
 by buxtehude.debian.org with esmtp (Exim 4.96)
 (envelope-from &lt;jmm@inutil.org&gt;) id 1vdwGy-007Y4H-1Y
 for submit@bugs.debian.org; Thu, 08 Jan 2026 20:06:22 +0000
Received: from soju.westfalen.local (p548dc661.dip0.t-ipconnect.de
 [84.141.198.97])
 by vps-b7ad3695.vps.ovh.net (Postfix) with ESMTPSA id 892E317C
 for &lt;submit@bugs.debian.org&gt;; Thu,  8 Jan 2026 20:06:19 +0000 (UTC)
Received: from jmm by soju.westfalen.local with local (Exim 4.99.1)
 (envelope-from &lt;jmm@soju.westfalen.local&gt;) id 1vdwG4-00000001wDk-3tul
 for submit@bugs.debian.org; Thu, 08 Jan 2026 21:05:24 +0100
Date: Thu, 8 Jan 2026 21:05:24 +0100
To: submit@bugs.debian.org
Subject: libtasn1-6: CVE-2025-13151
Message-ID: &lt;aWAOBPjQ-NcWTD18@pisco.westfalen.local&gt;
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
From: =?UTF-8?Q?Moritz_M=C3=BChlenhoff?= &lt;jmm@inutil.org&gt;
Delivered-To: submit@bugs.debian.org

Source: libtasn1-6
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libtasn1-6.

CVE-2025-13151[0]:
| Stack-based buffer overflow in libtasn1 version: v4.20.0. The
| function fails to validate the size of input data resulting in a
| buffer overflow in asn1_expend_octet_string.

Patch isn't merged yet:
https://gitlab.com/gnutls/libtasn1/-/merge_requests/121


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities &amp; Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-13151
    https://www.cve.org/CVERecord?id=CVE-2025-13151

Please adjust the affected versions in the BTS as needed.
]