Bug#1116054: libscram-java: CVE-2025-59432

Salvatore Bonaccorso carnil at debian.org
Wed Sep 24 08:24:18 BST 2025


Hi Christoph,

You are fast :)

On Tue, Sep 23, 2025 at 08:28:07PM +0200, Christoph Berg wrote:
> Re: Salvatore Bonaccorso
> > The following vulnerability was published for libscram-java.
> 
> Hi Salvatore,
> 
> I just uploaded 3.2-1 to unstable with the fix. libpgjava will need a
> (sourceful) rebuild once that package is installed.
> 
> A branch with just the fix can be found at
> https://salsa.debian.org/java-team/libscram-java/-/tree/cve-2025-59432?ref_type=heads
> (I have no plans yet to upload that anywhere, do you want me to do that?)

FWIW, I do not think we need a DSA for it. If you might include fixes
in the upcoming point releases and have time for it, that would be
enough, I would say. Will that work for you?
> 
> FYI, while building the fix on apt.postgresql.org I noticed that the
> current libscram-java does not compile anymore on bullseye and jammy,
> in case anyone wants to try that.

Ok! I guess it will be relevant for LTS team then if they decide to
issue a DLA.

Regards,
Salvatore
