Your message dated Wed, 31 Dec 2025 13:48:43 +0000
with message-id <[email protected]>
and subject line Bug#1124374: fixed in libsodium 1.0.20-2
has caused the Debian Bug report #1124374,
regarding libsodium: CVE-2025-69277
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1124374: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124374
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsodium
Version: 1.0.18-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libsodium.

CVE-2025-69277[0]:
| libsodium before ad3004e, in atypical use cases involving certain
| custom cryptography or untrusted data to
| crypto_core_ed25519_is_valid_point, mishandles checks for whether an
| elliptic curve point is valid because it sometimes allows points
| that aren't in the main cryptographic group.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-69277
    https://www.cve.org/CVERecord?id=CVE-2025-69277
[1] https://00f.net/2025/12/30/libsodium-vulnerability/
[2] https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libsodium
Source-Version: 1.0.20-2
Done: Laszlo Boszormenyi (GCS) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libsodium, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated libsodium package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 31 Dec 2025 14:11:01 +0100
Source: libsodium
Architecture: source
Version: 1.0.20-2
Distribution: experimental
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1124374
Changes:
 libsodium (1.0.20-2) experimental; urgency=medium
 .
   * Backport security fix for CVE-2025-69277: mishandled checks for whether
     an elliptic curve point is valid (closes: #1124374).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---