[Debian-med-packaging] Bug#1112133: biosig: CVE-2025-54494 CVE-2025-54493 CVE-2025-54492 CVE-2025-54491 CVE-2025-54490 CVE-2025-54489 CVE-2025-54488 CVE-2025-54487 CVE-2025-54486 CVE-2025-54485 CVE-2025-54484 CVE-2025-54483 CVE-2025-54482 CVE-2025-54481 CVE-2025-54480 CVE-2025-54462 CVE-2025-53853 CVE-2025-53557 CVE-2025-53518 CVE-2025-53511 CVE-2025-52581 CVE-2025-52461 CVE-2025-48005 CVE-2025-46411

Alois Schlögl alois.schloegl at gmail.com
Mon Feb 16 22:11:03 GMT 2026 

On Tue, 2 Dec 2025 20:03:39 +0100 Andreas Tille <tille at debian.org> wrote:
> Hi Alois,
> 
> Am Tue, Dec 02, 2025 at 01:45:25PM +0100 schrieb Alois Schlögl:
> > release v3.9.1 addresses are number of the reported CVE but not all.
> > Some MFER parsing issues are only addressed at some later commits.
> > The other CVE's (related to GDF, NEX, ABF, RHS2000, BrainVision) are
> > addressed by v3.9.1.
> 
> Thank you for the confirmation.
>  
> > I've planning to release 3.9.2 within the next 5 weeks, this will fix the
> > other known security issues as well as a number of other bugs.
> > Again, the ABI will not change. If 5 weeks is to much, I can check whether I
> > can push this forward.
> 
> I personally have no pressure, just stumbled upon a bug that could / should
> be fixed with the effort of a simple upgrade to latest upstream.
> 
> Just ping on the Debian Med list + this bug once you have released the
> next version and whether it might fix this bug.
> 
> Kind regards
>       Andreas.
> 
> -- 
> https://fam-tille.de
> 
> 


Hi Andreas,


these and other vulnerabilities have been addressed in the "biosig 
3.9.3". API/ABI compatibilty is maintained, the changes are mostly 
fixing security vulnerabilities, so this might make it eligible upgrdae 
in stable-security (or at least adding to backports).

Please note, that debian/control file in salsa seems to miss some build 
dependencies. This patch should fix this (see also bug 1124146)


diff --git a/release/debian/control b/release/debian/control
index 4ea71d8b..37223977 100644
--- a/release/debian/control
+++ b/release/debian/control
@@ -10,6 +10,8 @@ Build-Depends: debhelper-compat (= 13),
                 d-shlibs,
                 gawk,
                 python3-setuptools,
+               python3-venv,
+               python3-build,
                 python3-all-dev,
                 python3-numpy,
                 zlib1g-dev,



Cheers,
    Alois

More information about the Debian-med-packaging mailing list