Source: finit
Version: 4.11-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for finit.

CVE-2025-32022[0]:
| Finit provides fast init for Linux systems. Finit's urandom plugin
| has a heap buffer overwrite vulnerability at boot which leads to it
| overwriting other parts of the heap, possibly causing random
| instabilities and undefined behavior. The urandom plugin is enabled
| by default, so this bug affects everyone using Finit 4.2 or later
| that do not explicitly disable the plugin at build time. This bug is
| fixed in Finit 4.12. Those who cannot upgrade or backport the fix to
| urandom.c are strongly recommended to disable the plugin in the call
| to the `configure` script.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-32022
    https://www.cve.org/CVERecord?id=CVE-2025-32022
[1] https://github.com/troglobit/finit/security/advisories/GHSA-fv6v-vw8h-9x79
[2] https://github.com/troglobit/finit/commit/3feff37ba51fa0a6a0a06f59682a0918aa5b04de

Regards,
Salvatore