-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 13 Jun 2026 10:15:04 -0400 Source: debusine Architecture: source Version: 0.11.3+deb13u1 Distribution: trixie Urgency: medium Maintainer: Raphaƫl Hertzog Changed-By: Stefano Rivera Changes: debusine (0.11.3+deb13u1) trixie; urgency=medium . * Security update for stable: - Enforce permissions on the file body upload endpoint. - CVE-2026-11852: Restrict artifact relation creation and deletion. - Sbuild task: harden against shell injection. - CVE-2026-11853: Reject .dsc/.changes checksum filenames with multiple path components. Checksums-Sha1: 3c21d91a8aee3758767b5a42e02a2cbe66c6219b 4813 debusine_0.11.3+deb13u1.dsc 40bb3a789ec622c012a4f81f519b51a2f7485001 1298460 debusine_0.11.3+deb13u1.tar.xz 424a5e48eb0ada9b87e89973a5f40c939409bc12 2710476 debusine_0.11.3+deb13u1.git.tar.xz 46a9dcd1a3e1bdacff9347ae9eb98da83ec6f6f1 17520 debusine_0.11.3+deb13u1_source.buildinfo Checksums-Sha256: 2d2e20430a771980a134cfc632240914f59996954e76268da41ffea8e57f6431 4813 debusine_0.11.3+deb13u1.dsc 61da98bf19778f241faf9428bb577057d8eba240775467cebc4653d50dc8bc25 1298460 debusine_0.11.3+deb13u1.tar.xz 0243ce2a5adb130207ea57a1d5dc5beaa89f72870de7c95c34249ecdd302766a 2710476 debusine_0.11.3+deb13u1.git.tar.xz 1a5a28abd07f64a07820f6508cb3c1607a163db4925edb3b6408805d0a460c3b 17520 debusine_0.11.3+deb13u1_source.buildinfo Files: 5c20ef114264bef19f30f108776ad6d9 4813 devel optional debusine_0.11.3+deb13u1.dsc 627e318b1ebe9f45519cccea8294ea07 1298460 devel optional debusine_0.11.3+deb13u1.tar.xz 06566559b0ab0b886e29f685fb3cb929 2710476 devel optional debusine_0.11.3+deb13u1.git.tar.xz fbee272ffa4a1ae54406326d1789ee17 17520 devel optional debusine_0.11.3+deb13u1_source.buildinfo Git-Tag-Info: tag=cf9f28d4b9e6c8cd1fcecc7a98a0b81fe8983cd4 fp=ee9ad6f90520fa11f69f4824477b0db0263a54d8 Git-Tag-Tagger: Stefano Rivera -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmotZkQACgkQYG0ITkaD wHlOSg/9GW43tSDPnABFDL+mKLOG+9ExjY0Z4bGJTdBm2kts2cnOJ7RdC+B1Zsvt sQV3dp4lk675XeVf3rQiI8VYlWDj593y0P1rRwc6NdzTYnQxfx086y0FWlEtsyQX yxpBMj3GXMFewi4tClUCTypMd31QYtCBRobfWPqTk+g12CfPUtPeu0ch3zz/KodS 8DLS8QpSUcb2sIo8psgwsCthiC811VXo6J8c6CV8nFV+5BxVIOs1p78O4Jzz3YGf cZpDELxKsPPE83S0uw08umCo9h90VoqCT7OoCpaNfNRGC7q/IPi+iZfP2yObqRbp T/o53tVw+qaf5JSfCNsjvF1UahW8Tdk/fNNQDtgczP4Ruo5WH8nIRWX8x9s1PtJG cV7sA59qqHAA9e1FEe7dIIg8wKRWmIp0kVCTAurPPlsLKH1xxTyyghH/0IEoFXd/ yTB8ZHUTWPW6G1eG1dICt0NWIqvOZ/eBgsP6FJ8QcO2eEsK266PHkqB+kjEU6NV4 bephEB5W0tWRczL4KCMpPeGfPsyqyEMqSeyzRQ/qP29RO3/3blBxBq6DVaUxJkEA N85TZwLvsyT4KyJuPfMFA5vpi3UEZb3+EecXGzV/lHZuGBcCBpoKjbgnpalFS8eQ pkMihwi5rf4379k0F1scrOeZxt2TsfgFzAfNNSemwxeFiohoahI= =gCCp -----END PGP SIGNATURE-----