Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0ac20982 by Moritz Muehlenhoff at 2025-06-05T17:34:08+02:00
bookworm triage

- - - - -
c0373348 by Moritz Muehlenhoff at 2025-06-05T17:34:10+02:00
bugnums

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -7,33 +7,33 @@ CVE-2011-10007
 CVE-2025-5690 (PostgreSQL Anonymizer v2.0 and v2.1 contain a vulnerability 
that allow ...)
        NOT-FOR-US: PostgreSQL Anonymizer
 CVE-2025-5683 (When loading a specifically crafted ICNS format image file in 
QImage t ...)
-       - qtimageformats-opensource-src <unfixed>
-       - qt6-imageformats <unfixed>
+       - qtimageformats-opensource-src <unfixed> (bug #1107318)
+       - qt6-imageformats <unfixed> (bug #1107317)
        NOTE: https://codereview.qt-project.org/c/qt/qtimageformats/+/644548
        NOTE: 
https://github.com/qt/qtimageformats/commit/efd332516f510144927121fa749ce819b82ec633
        NOTE: https://codereview.qt-project.org/c/qt/qtimageformats/+/644548
 CVE-2025-5646 (A vulnerability has been found in Radare2 5.9.9 and classified 
as prob ...)
-       - radare2 <unfixed>
+       - radare2 <unfixed> (bug #1107316)
        NOTE: https://github.com/radareorg/radare2/issues/24235
        NOTE: 
https://github.com/radareorg/radare2/commit/5705d99cc1f23f36f9a84aab26d1724010b97798
 CVE-2025-5645 (A vulnerability, which was classified as problematic, was found 
in Rad ...)
-       - radare2 <unfixed>
+       - radare2 <unfixed> (bug #1107316)
        NOTE: https://github.com/radareorg/radare2/issues/24234
        NOTE: 
https://github.com/radareorg/radare2/commit/5705d99cc1f23f36f9a84aab26d1724010b97798
 CVE-2025-5644 (A vulnerability, which was classified as problematic, has been 
found i ...)
-       - radare2 <unfixed>
+       - radare2 <unfixed> (bug #1107316)
        NOTE: https://github.com/radareorg/radare2/issues/24233
        NOTE: 
https://github.com/radareorg/radare2/commit/5705d99cc1f23f36f9a84aab26d1724010b97798
 CVE-2025-5643 (A vulnerability classified as problematic was found in Radare2 
5.9.9.  ...)
-       - radare2 <unfixed>
+       - radare2 <unfixed> (bug #1107316)
        NOTE: https://github.com/radareorg/radare2/issues/24232
        NOTE: 
https://github.com/radareorg/radare2/commit/5705d99cc1f23f36f9a84aab26d1724010b97798
 CVE-2025-5642 (A vulnerability classified as problematic has been found in 
Radare2 5. ...)
-       - radare2 <unfixed>
+       - radare2 <unfixed> (bug #1107316)
        NOTE: https://github.com/radareorg/radare2/issues/24231
        NOTE: 
https://github.com/radareorg/radare2/commit/5705d99cc1f23f36f9a84aab26d1724010b97798
 CVE-2025-5641 (A vulnerability was found in Radare2 5.9.9. It has been rated 
as probl ...)
-       - radare2 <unfixed>
+       - radare2 <unfixed> (bug #1107316)
        NOTE: https://github.com/radareorg/radare2/issues/24230
        NOTE: 
https://github.com/radareorg/radare2/commit/5705d99cc1f23f36f9a84aab26d1724010b97798
 CVE-2025-5640 (A vulnerability was found in PX4-Autopilot 1.12.3. It has been 
classif ...)
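Review bot: the CVE-2025-5683 entry carries the same NOTE twice (https://codereview.qt-project.org/c/qt/qtimageformats/+/644548 appears both before and after the github commit link); one of the two can be dropped while the bug numbers are being added. The six radare2 entries (CVE-2025-5641 through CVE-2025-5646) all point at bug #1107316 and the same upstream commit, so one Debian bug for the batch is consistent, but it is worth confirming that the bug report itself lists all six CVE ids so the tracker's cross-references resolve for each of them.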
@@ -474,6 +474,7 @@ CVE-2025-4517 (Allows arbitrary filesystem writes outside 
the extraction directo
        - python3.9 <removed>
        - python2.7 <removed>
        - jython <unfixed>
+       [bookworm] - jython <no-dsa> (Minor issue)
        NOTE: https://github.com/python/cpython/issues/135034
        NOTE: https://github.com/python/cpython/pull/135037
        NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/
@@ -488,6 +489,7 @@ CVE-2025-4435 (When using a TarFile.errorlevel = 0and 
extracting with a filter t
        - python3.9 <removed>
        - python2.7 <removed>
        - jython <unfixed>
+       [bookworm] - jython <no-dsa> (Minor issue)
        NOTE: https://github.com/python/cpython/issues/135034
        NOTE: https://github.com/python/cpython/pull/135037
        NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/
@@ -506,6 +508,7 @@ CVE-2025-4330 (Allows the extraction filter to be ignored, 
allowing symlink targ
        - python3.9 <removed>
        - python2.7 <removed>
        - jython <unfixed>
+       [bookworm] - jython <no-dsa> (Minor issue)
        NOTE: https://github.com/python/cpython/issues/135034
        NOTE: https://github.com/python/cpython/pull/135037
        NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/
@@ -522,6 +525,7 @@ CVE-2025-4138 (Allows the extraction filter to be ignored, 
allowing symlink targ
        - python3.9 <removed>
        - python2.7 <removed>
        - jython <unfixed>
+       [bookworm] - jython <no-dsa> (Minor issue)
        NOTE: https://github.com/python/cpython/issues/135034
        NOTE: https://github.com/python/cpython/pull/135037
        NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/
@@ -618,6 +622,7 @@ CVE-2024-12718 (Allows modifying some file metadata (e.g. 
last modified) with fi
        - python3.9 <removed>
        - python2.7 <removed>
        - jython <unfixed>
+       [bookworm] - jython <no-dsa> (Minor issue)
        NOTE: https://github.com/python/cpython/issues/135034
        NOTE: https://github.com/python/cpython/pull/135037
        NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/
@@ -711,6 +716,7 @@ CVE-2025-5419 (Out of bounds read and write in V8 in Google 
Chrome prior to 137.
        [bullseye] - chromium <end-of-life> (see #1061268)
 CVE-2025-5455 (An issue was found in the private API function qDecodeDataUrl() 
in QtC ...)
        - qt6-base <unfixed>
+       [bookworm] - qt6-base <no-dsa> (Minor issue)
        - qtbase-opensource-src <unfixed>
        - qtbase-opensource-src-gles <unfixed>
        NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/642006
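Review bot: the new [bookworm] <no-dsa> line covers only qt6-base, while qtbase-opensource-src and qtbase-opensource-src-gles stay <unfixed> with no bookworm annotation in this entry. If the Qt5 qDecodeDataUrl() code in bookworm is affected as well, add matching "[bookworm] - qtbase-opensource-src <no-dsa> (Minor issue)" lines (and the -gles variant); if it is not affected, a short NOTE saying so would keep the triage from looking incomplete.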
@@ -1755,6 +1761,7 @@ CVE-2025-4947 (libcurl accidentally skips the certificate 
verification for QUIC
        NOTE: curl in Debian not built with wolfSSL support
 CVE-2025-40911 (Net::CIDR::Set versions 0.10 through 0.13 for Perl does not 
properly h ...)
        - libnet-cidr-set-perl 0.15-1 (bug #1106699)
+       [bookworm] - libnet-cidr-set-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/29942240/
        NOTE: Fixed by: 
https://github.com/robrwo/perl-Net-CIDR-Set/commit/be7d91e8446ad8013b08b4be313d666dab003a8a
 (v0.14)
 CVE-2025-5278 (A flaw was found in GNU Coreutils. The sort utility's 
begfield() funct ...)
@@ -3278,6 +3285,7 @@ CVE-2025-4998 (A vulnerability has been found in H3C 
Magic R200G up to 100R002 a
        NOT-FOR-US: H3C
 CVE-2025-4969 (A vulnerability was found in the libsoup package. This flaw 
stems from ...)
        - libsoup3 <unfixed> (bug #1106248)
+       [bookworm] - libsoup3 <no-dsa> (Minor issue)
        - libsoup2.4 <unfixed> (bug #1106325)
        [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/447
@@ -3905,12 +3913,14 @@ CVE-2024-5878 (Multiple plugins for WordPress are 
vulnerable to Stored Cross-Sit
        NOT-FOR-US: WordPress plugin
 CVE-2025-4948 (A flaw was found in the soup_multipart_new_from_message() 
function of  ...)
        - libsoup3 <unfixed> (bug #1106204)
+       [bookworm] - libsoup3 <no-dsa> (Minor issue)
        - libsoup2.4 <unfixed> (bug #1106337)
        [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463
 CVE-2025-4945 (A flaw was found in the cookie parsing logic of the libsoup 
HTTP libra ...)
        - libsoup3 <unfixed> (bug #1106205)
+       [bookworm] - libsoup3 <no-dsa> (Minor issue)
        - libsoup2.4 <unfixed> (bug #1106375)
        [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
@@ -5469,6 +5479,7 @@ CVE-2023-2334 (The edd-google-sheet-connector-pro 
WordPress plugin before 1.4, E
        NOT-FOR-US: WordPress plugin
 CVE-2025-4476 (A denial-of-service vulnerability has been identified in the 
libsoup H ...)
        - libsoup3 <unfixed> (bug #1105887)
+       [bookworm] - libsoup3 <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/440
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/457
        NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c
@@ -11764,6 +11775,7 @@ CVE-2024-10635 (Enterprise Protection contains an 
improper input validation vuln
        NOT-FOR-US: Proofpoint
 CVE-2025-4035 (A flaw was found in libsoup. When handling cookies, libsoup 
clients mi ...)
        - libsoup3 <unfixed> (bug #1104414)
+       [bookworm] - libsoup3 <no-dsa> (Minor issue)
        - libsoup2.4 <unfixed> (bug #1104415)
        [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2362651
@@ -19201,6 +19213,7 @@ CVE-2025-32054 (In JetBrains IntelliJ IDEA before 
2024.3, 2024.2.4 source code c
 CVE-2025-32052 (A flaw was found in libsoup. A vulnerability in the 
sniff_unknown() fu ...)
        {DLA-4140-1}
        - libsoup3 3.6.1-1
+       [bookworm] - libsoup3 <no-dsa> (Minor issue)
        - libsoup2.4 2.74.3-10 (bug #1102214)
        [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/425
@@ -19216,12 +19229,14 @@ CVE-2025-32051 (A flaw was found in libsoup. The 
libsoup soup_uri_decode_data_ur
 CVE-2025-32050 (A flaw was found in libsoup. The libsoup append_param_quoted() 
functio ...)
        {DLA-4140-1}
        - libsoup3 3.6.1-1
+       [bookworm] - libsoup3 <no-dsa> (Minor issue)
        - libsoup2.4 2.74.3-10 (bug #1102212)
        [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/424
        NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323
 (3.6.1)
 CVE-2025-32049 (A flaw was found in libsoup. The SoupWebsocketConnection may 
accept a  ...)
        - libsoup3 <unfixed> (bug #1102067)
+       [bookworm] - libsoup3 <no-dsa> (Minor issue)
        - libsoup2.4 <unfixed> (bug #1102211)
        [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/390


=====================================
data/dsa-needed.txt
=====================================
@@ -28,6 +28,8 @@ gimp (jmm)
 --
 jpeg-xl
 --
+libfile-find-rule-perl (carnil)
+--
 libreswan
   Waiting on feedback from maintainer
 --
@@ -57,7 +59,7 @@ php-laravel-framework
 python-django
   Chris is working on it
 --
-python-tornado
+python-tornado (jmm)
 --
 ring
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1f23321c663d213a246cb5127f8dd4641b45a75d...c037334874f8b986c6629c0004b06ef3689ace5f

-- 


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
