aspell-sk (2.04+ds.9) unstable; urgency=medium
 .
   * Rebuild with hunspell-sk 25.2.3-1.

chkrootkit (0.58b-5) unstable; urgency=medium
 .
   * Team upload
 .
   [ Richard Lewis ]
   * Add binutils and procps to 'depends' (Thanks to Stephen Helma for
     spotting this). (Closes: #1107587)

cloud-init (25.1.4-1) unstable; urgency=medium
 .
   * New upstream version 25.1.4 (Closes: #1108402, #1108403)
     - Fixes CVE-2024-6174
     - Fixes CVE-2024-11584

gnutls28 (3.8.9-3) unstable; urgency=medium
 .
   * Cherry-pick fixes from 3.8.10 release:
     + libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits
       PSK Reported by Stefan Bühler.
       [GNUTLS-SA-2025-07-07-4, CVSS: medium] [CVE-2025-6395]
     + libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS
       timestamps Spotted by oss-fuzz and reported by OpenAI Security
       Research Team, and fix developed by Andrew Hamilton.
       [GNUTLS-SA-2025-07-07-1, CVSS: medium] [CVE-2025-32989]
     + libgnutls: Fix double-free upon error when exporting otherName in
       SAN Reported by OpenAI Security Research Team.
       [GNUTLS-SA-2025-07-07-2, CVSS: low] [CVE-2025-32988]
     + certtool: Fix 1-byte write buffer overrun when parsing template
       Reported by David Aitel. [GNUTLS-SA-2025-07-07-3, CVSS: low]
       [CVE-2025-32990]
     + Fixes for memory leaks in lib/x509/x509_ext.c andlib/hello_ext.c.
     + Fix uninitialized memory read while processing the "pre_shared_key"
       extension in TLS 1.3.
     + Avoid uninitialized use of crq version.

golang-github-vmware-govmomi (0.24.2-4) unstable; urgency=medium
 .
   * Team upload
   * Apply patch to fix flaky test (Closes: #1108811)

libsoup3 (3.6.5-2) unstable; urgency=medium
 .
   * Team upload
   * d/patches: Re-export patch series (no functional changes)
   * d/p/multipart-Fix-read-out-of-buffer-bounds-under-soup_multip.patch:
     Add patch from upstream git to fix multipart message parsing.
     Previously this could read outside the buffer.
     This change isn't on upstream's 3.6.x branch yet, so take it from
     3.7.x. Test coverage is included.
     (CVE-2025-32914, Closes: #1103267)
   * d/p/soup-server-http2-Check-validity-of-the-constructed-conne.patch,
     d/p/soup-server-http2-Correct-check-of-the-validity-of-the-co.patch:
     Add patch from upstream git to fix denial of service in HTTP/2 server.
     The original change does not seem to have been fully correct; a
     follow-up fix for it is also included.
     (CVE-2025-32908, Closes: #1103265)
   * d/p/auth-digest-fix-crash-in-soup_auth_digest_get_protection_.patch:
     Add patch from upstream git to fix denial of service (a crash)
     if a libsoup client is connected to a malicious server.
     (CVE-2025-4476, Closes: #1105887)
   * d/p/soup-message-headers-Correct-merge-of-ranges.patch,
     d/p/server-mem-limit-test-Limit-memory-usage-only-when-not-bu.patch:
     Add patch from upstream git fixing server-side DoS in Range requests,
     with a follow-up patch to make the newly added test work when compiled
     with AddressSanitizer.
     (CVE-2025-32907, Closes: #1103264)
   * d/p/soup-multipart-Verify-boundary-limits-for-multipart-body.patch:
     Add patch from upstream git fixing denial of service with crafted
     multipart body.
     (CVE-2025-4948, Closes: #1106204)
   * d/p/soup-multipart-Verify-array-bounds-before-accessing-its-m.patch:
     Add patch from upstream git fixing another denial of service with
     crafted multipart body.
     (CVE-2025-4969, Closes: #1106248)
   * d/p/soup-date-utils-Add-value-checks-for-date-time-parsing.patch,
     d/p/tests-Add-tests-for-date-time-including-timezone-validati.patch:
     Add patch from upstream git fixing date/time validation, and expand
     test coverage for this area.
     (CVE-2025-4945, Closes: #1106205)
   * d/p/soup-form-Fix-a-possible-memory-leak-in-soup_form_decode_.patch:
     Add patch from upstream git fixing some memory leaks
   * d/p/websocket-test-Fix-two-memory-leaks.patch,
     d/p/misc-test-Fix-two-memory-leaks.patch,
     d/p/http2-test-Fix-several-memory-leaks.patch,
     d/p/range-test-Fix-a-memory-leak.patch:
     Add patches from upstream git fixing some memory leaks in tests.
     These are certainly not denial-of-service issues, but it makes "real"
     memory leaks harder to detect if there are benign memory leaks in
     the test code.
   * d/p/test-utils-flush-stdout-after-printing.patch:
     Add patch from upstream git to improve test logging.
     This does not change production code, and should make it somewhat
     less difficult to diagnose the root cause of test failures.
     (Maybe helps: #1035983, #1109107, #1109108, #1109120)
   * d/p/test-utils-fix-deadlock-in-add_listener_in_thread.patch:
     Add patch from upstream git to fix a deadlock during testing.
     This hopefully addresses one of the many sources of low-probability test
     failures that add up to a noticeable probability of the test suite
     as a whole failing (see also #1035983). (Closes: #1109120)
   * d/p/tests-Treat-multithread-test-as-an-Apache-test.patch:
     Add patch to treat multithread-test like other Apache-based tests,
     so that it will not be run in parallel with others.
     (Maybe helps: #1035983)
   * d/rules: Capture test output into the buildd log, even if successful.
     If we don't have the output from successful test logs, it's more
     difficult to assess whether workarounds have helped, because we won't
     see whether the situation needing the workaround was ever triggered.
   * d/p/debian/docs-Remove-remotely-accessed-logo.patch:
     Remove remote logo references from local documentation, improving privacy
     and fixing a Lintian warning

mesa (25.0.7-2) unstable; urgency=medium
 .
   * patches: Revert a commit to fix mobian vm's. (Closes: #1107895)
mesa (25.0.7-1) unstable; urgency=medium
 .
   * control: Bump rustc dependency to match upstream.
   * control: Bump wayland-protocols build-dep.
   * control: Bump directx-headers build-dep.
   * control: Bump spirv-tools build dep for Intel shader compiler.
   * New upstream release. (Closes: #1105831)
   * rules: Drop obsolete removals.
   * patches: Drop a fix for lp2101817, since 25.0.6 carries a separate
     fix for that.
   * Revert a bad commit which broke Intel Haswell. (LP: #2113508)

mobile-broadband-provider-info (20250613-2) unstable; urgency=medium
 .
   * Upload to unstable
mobile-broadband-provider-info (20250613-1) experimental; urgency=medium
 .
   * Upload to experimental
   * New upstream version 20250613
     (Closes: #1107974)
   * Add salsa-ci
   * Add myself to uploaders. Thanks Graham!

prometheus (2.53.3+ds1-2) unstable; urgency=medium
 .
   * Simplify Debian test helper functions
   * Add new 0023-Use-legacy-label-name-validation.patch
   * Include labels builder in classic UI template contexts (Closes: #1108095)

prometheus-bird-exporter (1.4.2+ds-2) unstable; urgency=medium
 .
   * Add bird3 as an alternative dependency to bird | bird2 (Closes: #1107239)

pypaperless (4.1.1-1) unstable; urgency=medium
 .
   * New upstream release.

refpolicy (2:2.20250213-8) unstable; urgency=medium
 .
   * Fix syntax errors
   * Allow dovecot_auth_t to mape dovecot_runtime_t files
   * Allow mon_net_test_t to run netutils
   * removed unused interfaces fs_mounton_memory_pressure and
     userdom_watch_user_ttys
   * Remove systemd_logind_use_fds and use systemd_use_logind_fds instead
   * Allow dhcpc_t to list resolved runtime dir and stat generic units files
   * Allow systemd-logind and systemd-user-runtime-dir stat /proc as logind
     failing to do so can cause difficult to diagnose dbus issues with
     pam_login
   * Allow fwupd to signal itself

ruby-minitest (5.25.4-3) unstable; urgency=medium
 .
   * Team upload.
   * d/control: mark it as Multi-Arch: foreign (Closes: #1093724)

rust-sequoia-octopus-librnp (1.11.1-1) unstable; urgency=medium
 .
   * Package sequoia-octopus-librnp 1.11.1 from crates.io using debcargo 2.7.8
     - Closes: #1109001.
     - refresh patches.

softhsm2 (2.6.1-3) unstable; urgency=medium
 .
   * Add upstream patch to 'Fix ForkTest by exiting from child'
     (Closes: #1069539)

valkey (8.1.1+dfsg1-3) unstable; urgency=medium
 .
   * Fix CVE-2025-32023 (Closes: #1108978)
     An authenticated user may use a specially crafted string to trigger a
     stack/heap out of bounds write on hyperloglog operations, potentially
     leading to remote code execution. The bug likely affects all Valkey
     versions with hyperloglog operations implemented.
     An additional workaround to mitigate the problem without patching the
     valkey-server executable is to prevent users from executing hyperloglog
     operations. This can be done using ACL to restrict HLL commands.
     - d/p/CVE-2025-32023.patch
   * Fix CVE-2025-48367 (Closes: #1108982)
     An unauthenticated connection can cause repeated IP protocol errors,
     leading to client starvation and, ultimately, a denial of service.
     - d/p/CVE-2025-48367.patch
   * d/copyright: fix path of the lua files, thanks to lintian!

wims-lti (0.4.4.1-17) unstable; urgency=medium
 .
   * added a dependency on python3-pyutil. Closes: #1108932