CVE-2025-8454

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-8454
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-8454.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-8454
Published
2025-08-01T06:15:29Z
Modified
2025-08-06T16:46:13.368054Z
Summary
[none]
Details

It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier), skips OpenPGP verification if the upstream source was already downloaded in a previous run, even if the verification failed at that time.

Affected packages

Debian:11 / devscripts

Package

Name
devscripts
Purl
pkg:deb/debian/devscripts?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2.*

2.21.3
2.21.3+deb11u1~bpo10+1
2.21.3+deb11u1
2.21.4~bpo11+1
2.21.4
2.21.5
2.21.6~bpo11+1
2.21.6
2.21.7~bpo11+1
2.21.7
2.22.1~bpo11+1
2.22.1
2.22.2~bpo11+1
2.22.2
2.22.2+hurd.1
2.23.0
2.23.1
2.23.2
2.23.3
2.23.4
2.23.5~bpo11+1
2.23.5
2.23.6~bpo11+1
2.23.6
2.23.7~bpo11+1
2.23.7
2.24.1
2.24.2
2.24.3
2.24.4
2.24.5
2.24.6
2.24.7
2.24.8
2.24.9
2.24.10
2.25.1
2.25.2
2.25.3
2.25.4
2.25.5
2.25.6
2.25.7
2.25.8~bpo12+1
2.25.8
2.25.9
2.25.10~bpo12+1
2.25.10
2.25.11
2.25.12
2.25.13
2.25.14
2.25.15~bpo12+1
2.25.15
2.25.16
2.25.17

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / devscripts

Package

Name
devscripts
Purl
pkg:deb/debian/devscripts?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2.*

2.23.4
2.23.4+deb12u1
2.23.4+deb12u2
2.23.5~bpo11+1
2.23.5
2.23.6~bpo11+1
2.23.6
2.23.7~bpo11+1
2.23.7
2.24.1
2.24.2
2.24.3
2.24.4
2.24.5
2.24.6
2.24.7
2.24.8
2.24.9
2.24.10
2.25.1
2.25.2
2.25.3
2.25.4
2.25.5
2.25.6
2.25.7
2.25.8~bpo12+1
2.25.8
2.25.9
2.25.10~bpo12+1
2.25.10
2.25.11
2.25.12
2.25.13
2.25.14
2.25.15~bpo12+1
2.25.15
2.25.16
2.25.17

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / devscripts

Package

Name
devscripts
Purl
pkg:deb/debian/devscripts?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

2.*

2.25.15
2.25.16
2.25.17

Ecosystem specific

{
    "urgency": "not yet assigned"
}