dpkg (1.22.21) unstable; urgency=medium
 .
   [ Guillem Jover ]
   * dpkg-deb: Fix cleanup for control member with restricted directories.
     Fixes CVE-2025-6297. Reported by zhutyra on HackerOne.
   * Perl modules:
     - Dpkg::BuildDriver::DebianRules: Fix uninitialized Perl variables.
       Closes: #1107971
     - Dpkg::BuildDriver::DebianRules: Fix R³ dpkg/target/<target> values
       handling.
     - Dpkg::BuildTree: Fix needs_root() for R³ with implementation specific
       keywords. See #1107971.
   * Code internals:
     - libdpkg: Do not segfault when adding triggers in no-act mode.
       Closes: #1108192

libpgjava (42.7.7-1) unstable; urgency=medium
 .
   * New upstream version 42.7.7.
     Fixes CVE-2025-49146: When the PostgreSQL JDBC driver is configured with
     channel binding set to required (default value is prefer), the driver
     would incorrectly allow connections to proceed with authentication methods
     that do not support channel binding (such as password, MD5, GSS, or SSPI
     authentication). This could allow a man-in-the-middle attacker to
     intercept connections that users believed were protected by channel
     binding requirements.
libpgjava (42.7.6-1) experimental; urgency=medium
 .
   * New upstream version 42.7.6.

nova (2:31.0.0-4) unstable; urgency=medium
 .
   * Add Fix-neutron-client-dict-grabbing.patch as a workaround for a nasty
     CPython bug.