[Freedombox-pkg-team] Bug#1123596: trixie-pu: package freedombox/25.9.3+deb13u1
James Valleroy
jvalleroy at mailbox.org
Thu Dec 18 16:21:30 GMT 2025
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: freedombox at packages.debian.org, jvalleroy at mailbox.org
Control: affects -1 + src:freedombox
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
Fix a security issue, CVE-2025-68462, where the backup data for several FreedomBox apps was stored with incorrect
permissions. It was coordinated with the security team to batch the fix via the upcoming point release.
[ Impact ]
Any user on the system can access some private data belonging to other users in some specific apps managed by
FreedomBox. They can also access a stored password for a dynamic DNS service.
[ Tests ]
I tested using automated functional tests for backups and for the affected apps. I then manually checked that the
backups-data directory had the expected permissions.
[ Risks ]
The code is fairly simple. After the freedombox package is updated to have the fix, it will create or modify the
backups-data folder to have the correct permissions.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Besides the fix for the security issue, the following changes are included:
- Update handling of apt sources.list file to tolerate comments.
- Update release date for trixie that is shown in the interface.
- Update the manual to the version retrieved August 2nd that will match with trixie content.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freedombox_25.9.3_to_25.9.3+deb13u1.diff
Type: text/x-patch
Size: 27073 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/freedombox-pkg-team/attachments/20251218/db93edd6/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/freedombox-pkg-team/attachments/20251218/db93edd6/attachment-0001.sig>
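An added example, not part of the original message or of FreedomBox's code: a permission audit of the kind described under [ Tests ], for a directory that should be private to its owner. The temporary path, the file name and the owner-only mode 0700 are assumptions; the message does not state the directory's full path or its expected mode.

```python
import os
import stat
import tempfile

GROUP_OTHER_ANY = stat.S_IRWXG | stat.S_IRWXO
GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH
GROUP_OTHER_SEARCH = stat.S_IXGRP | stat.S_IXOTH


def audit_private_dir(path):
    """Return (path, reason) findings for a directory that should be owner-only.

    Conservative: group and other permission bits are treated together.
    """
    top_mode = stat.S_IMODE(os.lstat(path).st_mode)
    findings = []
    if top_mode & GROUP_OTHER_ANY:
        findings.append((path, f"mode {top_mode:04o} grants group/other access"))
    # Without search (x) permission on the top directory, only the owner and
    # root can reach the contents, whatever the modes of the files inside.
    if not top_mode & GROUP_OTHER_SEARCH:
        return findings
    for root, dirs, files in os.walk(path):
        # Prune subdirectories that other users cannot traverse.
        dirs[:] = [d for d in dirs
                   if os.lstat(os.path.join(root, d)).st_mode & GROUP_OTHER_SEARCH]
        for name in files:
            full = os.path.join(root, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISREG(mode) and mode & GROUP_OTHER_READ:
                findings.append(
                    (full, f"mode {stat.S_IMODE(mode):04o} readable by group/other"))
    return findings


def demo():
    """Audit a constructed tree before and after tightening the top-level mode."""
    with tempfile.TemporaryDirectory() as tmp:
        data = os.path.join(tmp, "backups-data")          # constructed location
        os.mkdir(data)
        secret = os.path.join(data, "app-settings.json")  # constructed file name
        with open(secret, "w") as handle:
            handle.write('{"password": "example"}')       # constructed content
        os.chmod(secret, 0o644)
        os.chmod(data, 0o755)  # traversable by everyone: the exposed state
        before = audit_private_dir(data)
        os.chmod(data, 0o700)  # assumed corrected mode (owner only)
        after = audit_private_dir(data)
        return [reason for _, reason in before], after
```

The second audit returns no findings even though the file inside is still mode 0644, because access to it is blocked at the directory.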