-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 01 Jun 2026 22:42:36 +0200 Source: mpd Architecture: source Version: 0.24.12-1 Distribution: unstable Urgency: medium Maintainer: mpd maintainers <pkg-mpd-maintainers@lists.alioth.debian.org> Changed-By: Florian Schlichting <fsfs@debian.org> Closes: 1138215 Changes: mpd (0.24.12-1) unstable; urgency=medium . * New upstream version 0.24.12 (closes: #1138215) + fixes a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx (CVE-2026-49127) + fixes a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin (CVE-2026-49128) + fixes a server-side request forgery vulnerability in CurlInputPlugin (CVE-2026-49129) + fixes a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin (CVE-2026-49130) * Add new files to d/copyright * d/copyright: fix lintian warning about old FSF postal address * Bump libcurl dependency to 7.85 * Declare compliance with Debian Policy 4.7.4 Checksums-Sha1: a6fc0764d203483922e0a052ef10aff5f7906d97 3398 mpd_0.24.12-1.dsc da342c8ed1ca0cc942aecacb1da5ed9b6bd790a6 1020148 mpd_0.24.12.orig.tar.xz 3b7b6d7f3405b6305e8f8192cf1171d4c6d344f2 833 mpd_0.24.12.orig.tar.xz.asc 306ed667e48e4ef30cd4713ff59f61de08318178 35836 mpd_0.24.12-1.debian.tar.xz 70a1082a3403b0b73e9d8c1fd8feaf28ef0e46ac 22115 mpd_0.24.12-1_amd64.buildinfo Checksums-Sha256: 206c305bb32d801fb8e4087e596cf12b58ebf8ca6a478d02afedff64094648f9 3398 mpd_0.24.12-1.dsc 14223ca883c35fbf711994bcf745726cecc9d898e3d3964265cf3a2c7519a360 1020148 mpd_0.24.12.orig.tar.xz 554fdc41adba2a48406c7dbc449f2191ed851d5a082e80d42beef8860c492463 833 mpd_0.24.12.orig.tar.xz.asc 10f858970c37a11b44fe34ca34b841e4cf584b579fd647878ca5be34c3d7e804 35836 mpd_0.24.12-1.debian.tar.xz 807555946f6d81f0cd58e721d21bdfbd60d733759e0fc26f2281d2c0f9f47624 22115 mpd_0.24.12-1_amd64.buildinfo Files: 35d7fcb66978f708bc49bfea475d6d13 3398 sound optional mpd_0.24.12-1.dsc 6c4a848e97661562fce3e20c72e6c678 1020148 sound optional mpd_0.24.12.orig.tar.xz 4c20414e8534a1d9071b19acf40d24a2 833 sound optional mpd_0.24.12.orig.tar.xz.asc 184877fd0d4ebff71445f7bbebed1dc7 35836 sound optional mpd_0.24.12-1.debian.tar.xz 26207999649769afc77bfdcf3de28a11 22115 sound optional mpd_0.24.12-1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEMLI8i05qOwnqprZSEpc7bnLcB7UFAmod8hIACgkQEpc7bnLc B7VE8w/7B+ig4rzATZ5vlMRtT5sVsd8w43NlBu+R00naAiKrBUdtqIuahd/0UzkP S7nrpSo09aZhhhp+b3FcacTaHAG/kQrrBjzGrXvbV8NWLWGuJAVaCcoT7obebP/w GMIahxJC8hfehjzmfx8X9Xd5nHCJxkvfBr9Bh9d1xAwMPUloYbttO1JqMuqEK+5c Td7dsOxteVAlxyaEuZPASEVktrnyMPypzmABdp8Zyf75gxmMj88hOkotcGcKO0+2 VV5Oiy/c5L2/lMQG7dlzZuQAHbHvJqPRkSVYwf8CPtYCfob4HBpYb45bO+DOHfG2 IoVz6H+VhuwroWq9wNcXW4wdLfcCzyVKVmtM7+lA/9QE5PHw5EyNj1biWw+QC6q7 n7Jn9xOzmNSKHU0/LqZkQotxdJBVTLOJfXKXluIc4CDGD1KPwI9n4hQMAKZDhZC6 Tdtx4eRzekdr8ZRlBJ7BRIskhCYkESQaC/zpiuhJdrFnqotvNg7g4Veowwdi0Jms 5Z4e8nqB+KeGBmMX3F64IvHWRPEkGoxt/KV+hKLB5pyyOQgaJg9QzTfaJheJL0Zv CeZVUiCiBHGY17oD8yBdhBzt6CIamT190cd1ncNRTM2GE3Q5QTG2KgUuiY65kVGO n/f64M19MJQOYU+ZA9UVPoHEVP/fV0aQ+nDxFlXSDooAJ7jP2Hg= =GuZd -----END PGP SIGNATURE-----
