Your message dated Thu, 05 Mar 2026 13:04:50 +0000
with message-id <[email protected]>
and subject line Bug#1118285: fixed in civetweb 1.16+dfsg-4
has caused the Debian Bug report #1118285,
regarding civetweb: CVE-2025-9648
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1118285: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118285
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: civetweb
Version: 1.16+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/civetweb/civetweb/issues/1348
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.16+dfsg-2
Hi,
The following vulnerability was published for civetweb.
CVE-2025-9648[0]:
| A vulnerability in the CivetWeb library's function
| mg_handle_form_request allows remote attackers to trigger a denial
| of service (DoS) condition. By sending a specially crafted HTTP POST
| request containing a null byte in the payload, the server enters an
| infinite loop during form data parsing. Multiple malicious requests
| will result in complete CPU exhaustion and render the service
| unresponsive to further requests. This issue was fixed in commit
| 782e189. This issue affects only the library, standalone executable
| pre-built by vendor is not affected.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-9648
https://www.cve.org/CVERecord?id=CVE-2025-9648
[1] https://github.com/civetweb/civetweb/issues/1348
[2] https://github.com/civetweb/civetweb/commit/782e18903515f43bafbf2e668994e82bdfa51133
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: civetweb
Source-Version: 1.16+dfsg-4
Done: Andreas Tille <[email protected]>
We believe that the bug you reported is fixed in the latest version of
civetweb, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Tille <[email protected]> (supplier of updated civetweb package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 05 Mar 2026 13:33:41 +0100
Source: civetweb
Architecture: source
Version: 1.16+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <[email protected]>
Changed-By: Andreas Tille <[email protected]>
Closes: 1118285
Changes:
civetweb (1.16+dfsg-4) unstable; urgency=medium
.
[ Adrian Bunk ]
* CVE-2025-9648: Infinite loop in mg_handle_form_request
(Closes: #1118285)
.
[ Andreas Tille ]
* d/watch: version=5
* Standards-Version: 4.7.3 (routine-update)
* Remove Priority field to comply with Debian Policy 4.7.3 (routine-update)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---