Format: 1.8
Date: Thu, 02 Jul 2026 22:28:07 +0300
Source: protobuf
Architecture: source
Version: 3.21.12-11+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS)
Changed-By: Adrian Bunk
Closes: 1082381 1108057 1126302 1134895
Changes:
 protobuf (3.21.12-11+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2026-0994: JSON recursion depth bypass (closes: #1126302).
   * Fix CVE-2026-6409: PHP Denial of Service (closes: #1134895).
 .
   [ Hlib Korzhynskyy ]
   * Complete fix of CVE-2024-7254 (closes: #1082381):
     - add recursion checks and recursion limit,
     - add tests.
 .
   [ Laszlo Boszormenyi (GCS) ]
   * Fix CVE-2025-4565: data containing an arbitrary number of recursive
     groups, recursive messages or a series of SGROUP tags can be corrupted
     by exceeding the Python recursion limit (closes: #1108057).