| Name | CVE-2025-69412 |
| Description | KDE messagelib before 25.11.90 ignores SSL errors for threatMatches:find in the Google Safe Browsing Lookup API (aka phishing API), which might allow spoofing of threat data. NOTE: this Lookup API is not contacted in the messagelib default configuration. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1124474 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| kf5-messagelib (PTS) | bullseye | 4:20.08.3-5 | vulnerable |
| kf5-messagelib (PTS) | bookworm | 4:22.12.3-2~deb12u1 | vulnerable |
| messagelib (PTS) | trixie | 4:24.12.3-4 | vulnerable |
| messagelib (PTS) | forky | 4:25.08.3-3 | fixed |
| messagelib (PTS) | sid | 4:25.12.1-2 | fixed |
The information below is based on the following data on fixed versions.
Notes
[trixie] - messagelib <no-dsa> (Minor issue)
[bookworm] - kf5-messagelib <no-dsa> (Minor issue)
[bullseye] - kf5-messagelib <postponed> (Minor issue, SSL validation)
https://github.com/KDE/messagelib/commit/01adef0482bb3d5c817433db5208620c84a992b3 (v25.11.90)