Your message dated Wed, 31 Dec 2025 13:48:32 +0000
with message-id <[email protected]>
and subject line Bug#1124374: fixed in libsodium 1.0.18-2
has caused the Debian Bug report #1124374,
regarding libsodium: CVE-2025-69277
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1124374: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124374
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsodium
Version: 1.0.18-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libsodium.
CVE-2025-69277[0]:
| libsodium before ad3004e, in atypical use cases involving certain
| custom cryptography or untrusted data to
| crypto_core_ed25519_is_valid_point, mishandles checks for whether an
| elliptic curve point is valid because it sometimes allows points
| that aren't in the main cryptographic group.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-69277
https://www.cve.org/CVERecord?id=CVE-2025-69277
[1] https://00f.net/2025/12/30/libsodium-vulnerability/
[2] https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libsodium
Source-Version: 1.0.18-2
Done: Laszlo Boszormenyi (GCS) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libsodium, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated libsodium
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 31 Dec 2025 13:44:32 +0100
Source: libsodium
Architecture: source
Version: 1.0.18-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1124374
Changes:
libsodium (1.0.18-2) unstable; urgency=high
.
* Backport security fix for CVE-2025-69277: mishandled checks for whether
an elliptic curve point is valid (closes: #1124374).
* Switch pkg-config dependency to pkgconf.
--- End Message ---