It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier), skips OpenPGP verification if the upstream source is already downloaded from a previous run even if the verification failed back then.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
History

Wed, 06 Aug 2025 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:debian:devscripts:2.25.15:*:*:*:*:*:*:*

Mon, 04 Aug 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Debian
Debian devscripts
Vendors & Products Debian
Debian devscripts

Fri, 01 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-347
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 01 Aug 2025 08:00:00 +0000

Type Values Removed Values Added
Description It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier), skips OpenPGP verification for files already downloaded even if a previous verification did fail. It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier), skips OpenPGP verification if the upstream source is already downloaded from a previous run even if the verification failed back then.

Fri, 01 Aug 2025 06:00:00 +0000

Type Values Removed Values Added
Description It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier), skips OpenPGP verification for files already downloaded even if a previous verification did fail.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: debian

Published:

Updated: 2025-08-01T13:47:20.337Z

Reserved: 2025-08-01T05:31:30.538Z

Link: CVE-2025-8454

cve-icon Vulnrichment

Updated: 2025-08-01T13:46:16.099Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-01T06:15:29.493

Modified: 2025-08-06T16:17:38.593

Link: CVE-2025-8454

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-04T09:00:45Z