Debian Bug report logs - #1121357
bookworm-pu: package r-cran-gh/1.4.0-1+deb12u1
Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;
Affects: src:r-cran-gh
Reported by: Daniel Leidert <dleidert@debian.org>
Date: Tue, 25 Nov 2025 05:13:02 UTC
Severity: normal
Tags: bookworm, pending
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org> (release.debian.org for {1121357}), r-cran-gh@packages.debian.org (additional cc recipient for {1121357}):
Bug#1121357; Package release.debian.org.
(Tue, 25 Nov 2025 05:13:02 GMT).
Acknowledgement sent
to Daniel Leidert <dleidert@debian.org>:
New Bug report received and forwarded. Copy sent to r-cran-gh@packages.debian.org, debian-release@lists.debian.org.
(Tue, 25 Nov 2025 05:13:02 GMT).
Message #5 received at submit@bugs.debian.org:
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: r-cran-gh@packages.debian.org
Control: affects -1 + src:r-cran-gh
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
The package is affected by CVE-2025-54956. The HTTP response is delivered in a data structure that includes the Authorization header from the corresponding HTTP request. This upload fixes this issue.

[ Impact ]
If not approved, users continue to be vulnerable to CVE-2025-54956.

[ Tests ]
The testsuite runs successfully. A few tests have been adjusted to the new behavior. Their success is an indication that the changed code works and nothing has been broken.

[ Risks ]
The main risks are regressions or breakages. But the test suite runs successfully and the code changes are not too complicated.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The changes remove the request headers that were originally stored in the response object. Instead, the sensitive information is passed explicitly.

[ Other info ]
n/a
[r-cran-gh_1.4.0-1+deb12u1.debdiff (text/plain, attachment)]
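The leak pattern described in the report above, as an added R example that is not code from the gh package or from the attached debdiff: a constructed response list keeps the request's Authorization header, and a recursive check reports where a known token survives in the object. The field names, the URL and the token are made up for illustration.

```r
# Added illustration; every name below is hypothetical, not gh's internals.
token <- "CONSTRUCTED-TOKEN-0000"  # constructed value, not a real credential

# Build a response list; keep_request_headers = TRUE mimics the flaw,
# FALSE mimics a response that no longer stores the request headers.
make_response <- function(token, keep_request_headers) {
  request <- list(method = "GET", url = "https://api.example.invalid/user")
  if (keep_request_headers) {
    request$headers <- list(
      Accept = "application/json",
      Authorization = paste("token", token)
    )
  }
  list(
    status = 200L,
    headers = list(`content-type` = "application/json"),
    body = list(login = "example-user"),
    request = request
  )
}

# Return the path of every character value, in list elements or in
# attributes, that contains `secret`.
find_secret <- function(x, secret, path = "resp") {
  hits <- character(0)
  if (is.character(x) && any(grepl(secret, x, fixed = TRUE))) {
    hits <- path
  }
  if (is.list(x)) {
    keys <- names(x)
    if (is.null(keys)) keys <- rep("", length(x))
    for (i in seq_along(x)) {
      key <- if (nzchar(keys[i])) keys[i] else paste0("[[", i, "]]")
      hits <- c(hits, find_secret(x[[i]], secret, paste0(path, "$", key)))
    }
  }
  for (a in setdiff(names(attributes(x)), "names")) {
    hits <- c(hits, find_secret(attributes(x)[[a]], secret, paste0(path, "@", a)))
  }
  hits
}

leaky <- make_response(token, keep_request_headers = TRUE)
fixed <- make_response(token, keep_request_headers = FALSE)
print(find_secret(leaky, token))
stopifnot(length(find_secret(leaky, token)) == 1L,
          length(find_secret(fixed, token)) == 0L)
```

The same walk can be run over any result object before it is printed, logged or saved, to confirm that an upgraded package no longer carries the credential.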
Added indication that 1121357 affects src:r-cran-gh
Request was from Daniel Leidert <dleidert@debian.org>
to submit@bugs.debian.org.
(Tue, 25 Nov 2025 05:13:03 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org> (release.debian.org for {1121357}):
Bug#1121357; Package release.debian.org.
(Sat, 06 Dec 2025 15:51:02 GMT).
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to debian-release@lists.debian.org.
(Sat, 06 Dec 2025 15:51:02 GMT).
Message #12 received at 1121357@bugs.debian.org:
Control: tags -1 + confirmed

On Tue, 2025-11-25 at 06:10 +0100, Daniel Leidert wrote:
> The package is affected by CVE-2025-54956. The HTTP response is
> delivered in a data structure that includes the Authorization header
> from the corresponding HTTP request. This upload fixes this issue.

Please go ahead.

Regards,

Adam
Added tag(s) confirmed.
Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk>
to 1121357-submit@bugs.debian.org.
(Sat, 06 Dec 2025 15:51:02 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org> (release.debian.org for {1121357}):
Bug#1121357; Package release.debian.org.
(Sun, 07 Dec 2025 17:09:06 GMT).
Acknowledgement sent
to Adam D Barratt <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to debian-release@lists.debian.org.
(Sun, 07 Dec 2025 17:09:06 GMT).
Message #19 received at 1121357@bugs.debian.org:
package release.debian.org
tags 1121357 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: r-cran-gh
Version: 1.4.0-1+deb12u1

Explanation: fix sensitive data leak issue [CVE-2025-54956]
Added tag(s) pending; removed tag(s) confirmed.
Request was from Adam D Barratt <adam@adam-barratt.org.uk>
to control@bugs.debian.org.
(Sun, 07 Dec 2025 17:09:15 GMT).
Message sent on
to Daniel Leidert <dleidert@debian.org>:
Bug#1121357.
(Sun, 07 Dec 2025 17:09:28 GMT).
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Dec 26 19:59:12 2025; Machine Name: bembo