Information on source package protobuf

Available versions

Release	Version
bullseye	3.12.4-1+deb11u1
bookworm	3.21.12-3
trixie	3.21.12-11
forky	3.21.12-15
sid	3.21.12-15

Open issues

Bug	bullseye	bookworm	trixie	forky	sid	Description
CVE-2026-0994	vulnerable	vulnerable	vulnerable	vulnerable	vulnerable	A denial-of-service (DoS) vulnerability exists in google.protobuf.json ...
CVE-2025-4565	vulnerable (no DSA, postponed)	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	Any project that uses Protobuf Pure-Python backendto parse untrusted P ...
CVE-2024-7254	vulnerable (no DSA, postponed)	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	Any project that parses untrusted Protocol Buffers datacontaining an a ...
CVE-2022-3510	vulnerable (no DSA, ignored)	fixed	fixed	fixed	fixed	A parsing issue similar to CVE-2022-3171, but with Message-Type Extens ...
CVE-2022-3509	vulnerable (no DSA, ignored)	fixed	fixed	fixed	fixed	A parsing issue similar to CVE-2022-3171, but with textformat in proto ...
CVE-2022-3171	vulnerable (no DSA, ignored)	fixed	fixed	fixed	fixed	A parsing issue with binary data in protobuf-java core and lite versio ...

Open unimportant issues

Bug	bullseye	bookworm	trixie	forky	sid	Description
CVE-2015-5237	vulnerable	vulnerable	vulnerable	vulnerable	vulnerable	protobuf allows remote authenticated attackers to cause a heap-based b ...

Resolved issues

Bug	Description
CVE-2024-2410	The JsonToBinaryStream()function is part of the protocol buffers C++ i ...
CVE-2022-1941	A parsing vulnerability for the MessageSet type in the ProtocolBuffers ...
CVE-2021-22570	Nullptr dereference when a null char is present in a proto symbol. The ...
CVE-2021-22569	An issue in protobuf-java allowed the interleaving of com.google.proto ...

Security announcements

DSA / DLA	Description
DLA-3393-1	protobuf - security update