diff -Nru iperf3-3.12/debian/changelog iperf3-3.12/debian/changelog
--- iperf3-3.12/debian/changelog 2023-07-17 10:46:06.000000000 +0200
+++ iperf3-3.12/debian/changelog 2025-08-27 10:17:07.000000000 +0200
@@ -1,3 +1,10 @@
+iperf3 (3.12-1+deb12u2) bookworm-security; urgency=high
+
+ * Fix CVE-2025-54349
+ * Fix CVE-2025-54350
+
+ -- Roberto Lumbreras Wed, 27 Aug 2025 10:17:07 +0200
+
 iperf3 (3.12-1+deb12u1) bookworm-security; urgency=high

 * Non-maintainer upload by the Security Team.
diff -Nru iperf3-3.12/debian/patches/CVE-2025-54349.patch iperf3-3.12/debian/patches/CVE-2025-54349.patch
--- iperf3-3.12/debian/patches/CVE-2025-54349.patch 1970-01-01 01:00:00.000000000 +0100
+++ iperf3-3.12/debian/patches/CVE-2025-54349.patch 2025-08-04 22:52:43.000000000 +0200
@@ -0,0 +1,59 @@
+From: Sarah Larsen
+Date: Wed, 25 Jun 2025 15:11:03 +0000
+Subject: [PATCH] Fix off-by-one heap overflow in auth.
+Description:
+ Reported by Han Lee (Apple Information Security)
+ CVE-2025-54349
+
+Index: iperf3-3.12/src/iperf_auth.c
+===================================================================
+--- iperf3-3.12.orig/src/iperf_auth.c 2025-08-04 22:39:57.327278650 +0200
++++ iperf3-3.12/src/iperf_auth.c 2025-08-04 22:48:11.000000000 +0200
+@@ -262,7 +262,8 @@
+
+ keysize = RSA_size(rsa);
+ rsa_buffer = OPENSSL_malloc(keysize * 2);
+- *plaintext = (unsigned char*)OPENSSL_malloc(keysize);
++ // Note: +1 for NULL
++ *plaintext = (unsigned char*)OPENSSL_malloc(keysize + 1);
+
+ BIO *bioBuff = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len);
+ rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
+@@ -272,7 +273,7 @@
+ OPENSSL_free(rsa_buffer);
+ BIO_free(bioBuff);
+
+- if (plaintext_len < 0) {
++ if (plaintext_len <= 0) {
+ /* We probably shouldn't be printing stuff like this */
+ fprintf(stderr, "%s\n", ERR_error_string(ERR_get_error(), NULL));
+ }
+@@ -318,7 +319,7 @@
+ int plaintext_len;
+ plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext);
+ free(encrypted_b64);
+- if (plaintext_len < 0) {
++ if (plaintext_len <= 0) {
+ return -1;
+ }
+ plaintext[plaintext_len] = '\0';
+@@ -326,16 +327,19 @@
+ char *s_username, *s_password;
+ s_username = (char *) calloc(plaintext_len, sizeof(char));
+ if (s_username == NULL) {
++ OPENSSL_free(plaintext);
+ return -1;
+ }
+ s_password = (char *) calloc(plaintext_len, sizeof(char));
+ if (s_password == NULL) {
++ OPENSSL_free(plaintext);
+ free(s_username);
+ return -1;
+ }
+
+ int rc = sscanf((char *) plaintext, auth_text_format, s_username, s_password, &utc_seconds);
+ if (rc != 3) {
++ OPENSSL_free(plaintext);
+ free(s_password);
+ free(s_username);
+ return -1;
diff -Nru iperf3-3.12/debian/patches/CVE-2025-54350.patch
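Review bot: The `plaintext_len <= 0` return in the `@@ -318` hunk of CVE-2025-54349.patch still leaves without releasing `plaintext`, although the `@@ -326` hunk adds `OPENSSL_free(plaintext);` to every later error path. The `@@ -262` hunk shows `*plaintext` being allocated before the decrypt result is known, and the failure branch visible at `@@ -272` only prints the OpenSSL error, so each rejected authentication blob appears to leak `keysize + 1` bytes in the process that handles the authentication attempt. I would make that branch `if (plaintext_len <= 0) { OPENSSL_free(plaintext); return -1; }`, which is safe only if `plaintext` is initialised to NULL at its declaration and `decrypt_rsa_message` does not already free it on failure; both are outside the hunks shown. Neither `OPENSSL_malloc` result in the `@@ -262` hunk is checked before `BIO_read` writes into `rsa_buffer`, which deserves a NULL test as well.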
iperf3-3.12/debian/patches/CVE-2025-54350.patch
--- iperf3-3.12/debian/patches/CVE-2025-54350.patch 1970-01-01 01:00:00.000000000 +0100
+++ iperf3-3.12/debian/patches/CVE-2025-54350.patch 2025-08-04 22:48:04.000000000 +0200
@@ -0,0 +1,28 @@
+From: "Bruce A. Mah"
+Date: Tue, 24 Jun 2025 15:58:21 -0700
+Subject: [PATCH] Prevent crash due to assertion failures on malformed
+ authentication attempt.
+Description:
+ Reported by Han Lee (Apple Information Security)
+ CVE-2025-54350
+
+Index: iperf3-3.12/src/iperf_auth.c
+===================================================================
+--- iperf3-3.12.orig/src/iperf_auth.c 2025-08-04 22:46:07.722191519 +0200
++++ iperf3-3.12/src/iperf_auth.c 2025-08-04 22:46:07.718191530 +0200
+@@ -28,7 +28,6 @@
+ #include "iperf_config.h"
+
+ #include
+-#include
+ #include
+ #include
+ /* FreeBSD needs _WITH_GETLINE to enable the getline() declaration */
+@@ -150,7 +149,6 @@
+
+ BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL); //Do not use newlines to flush buffer
+ *length = BIO_read(bio, *buffer, strlen(b64message));
+- assert(*length == decodeLen); //length should equal decodeLen, else something went horribly wrong
+ BIO_free_all(bio);
+
+ return (0); //success
diff -Nru iperf3-3.12/debian/patches/series iperf3-3.12/debian/patches/series
--- iperf3-3.12/debian/patches/series 2023-07-17 10:46:01.000000000 +0200
+++ iperf3-3.12/debian/patches/series 2025-08-04 22:45:56.000000000 +0200
@@ -1,2 +1,4 @@
 03-sctp.patch
 0001-Fix-memory-allocation-hazard-1542-.-1543.patch
+CVE-2025-54349.patch
+CVE-2025-54350.patch
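Review bot: With the assert gone from the `@@ -150` hunk of CVE-2025-54350.patch, the function reaches `return (0); //success` whatever `BIO_read` produced, including zero, a negative value, or a length that differs from `decodeLen`. `BIO_read` returns an int and the type of `*length` is not visible here; if it is unsigned, a failed read would be stored as a very large length. Turning the removed invariant into a runtime error, for example `if (*length != decodeLen) return -1;` after `BIO_free_all(bio);`, would keep malformed base64 from reaching callers as a successful decode, provided the callers check the return value and the ownership of `*buffer` on that path is settled. The function body begins outside the hunk, so `decodeLen` and the allocation of `*buffer` are assumed from the removed line and the `BIO_read` call.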