Maytham Alsudany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b92713e1 by Maytham Alsudany at 2025-08-09T16:40:28+08:00
Process some NFUs
- - - - -
6c00c56e by Maytham Alsudany at 2025-08-09T16:41:16+08:00
Add CVE-2025-45512/u-boot
- - - - -
114ed8c8 by Maytham Alsudany at 2025-08-09T16:43:13+08:00
Add CVE-2024-8244/golang-1.{24,23,19,15}
- - - - -
a8be0c07 by Maytham Alsudany at 2025-08-09T16:43:42+08:00
Add CVE-2025-50340/sogo
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -39,7 +39,7 @@ CVE-2025-8355 (In Xerox FreeFlow Core version 8.0.4, improper
handling of XML in
CVE-2025-8284 (By default, the Packet Power Monitoring and Control Web
Interface do n ...)
NOT-FOR-US: Packet Power
CVE-2025-8088 (A path traversal vulnerability affecting the Windows version of
WinRAR ...)
- TODO: check
+ NOT-FOR-US: WinRAR on Windows
CVE-2025-5095 (Burk Technology ARC Solo's password change mechanism can be
utilized w ...)
NOT-FOR-US: Burk Technology
CVE-2025-53606 (Deserialization of Untrusted Data vulnerability in Apache
Seata (incub ...)
@@ -143,7 +143,7 @@ CVE-2025-54949 (A heap buffer overflow vulnerability in the
loading of ExecuTorc
CVE-2025-54940 (An HTML injection vulnerability exists in WordPress plugin
"Advanced C ...)
NOT-FOR-US: WordPress plugin
CVE-2025-54887 (jwe is a Ruby implementation of the RFC 7516 JSON Web
Encryption (JWE) ...)
- TODO: check
+ NOT-FOR-US: jwe ruby gem
CVE-2025-54886 (skops is a Python library which helps users share and ship
their sciki ...)
NOT-FOR-US: Skops
CVE-2025-54793 (Astro is a web framework for content-driven websites. In
versions 5.2. ...)
@@ -542,7 +542,11 @@ CVE-2025-20331 (A vulnerability in the web-based
management interface of Cisco I
CVE-2025-20215 (A vulnerability in the meeting-join functionality of Cisco
Webex Meeti ...)
NOT-FOR-US: Cisco
CVE-2024-8244 (The filepath.Walk and filepath.WalkDir functions are documented
as not ...)
- TODO: check
+ - golang-1.24 <unfixed>
+ - golang-1.23 <unfixed>
+ - golang-1.19 <removed>
+ - golang-1.15 <removed>
+ NOTE: https://github.com/golang/go/issues/70007
CVE-2024-52885 (The Mobile Access Portal's File Share application is
vulnerable to a d ...)
NOT-FOR-US: Mobile Access Portal
CVE-2025-8656 (Kenwood DMX958XR Protection Mechanism Failure Software
Downgrade Vulne ...)
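Review bot: the four new golang entries carry no severity annotation and no Debian bug reference, and the NOTE points only at the upstream issue tracker rather than at a fix. Elsewhere in this file the same situation is recorded as `- xdebug <unfixed> (unimportant)` or `- mupdf 1.25.1+ds1-7 (bug #1110482)`; for the two `<unfixed>` lines (golang-1.24, golang-1.23) consider filing a bug and recording it here, and if https://github.com/golang/go/issues/70007 is resolved as a documentation-only change (the description says the functions are "documented as not ..."), downgrade to (unimportant) or switch the entries to `<not-affected>` accordingly.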
@@ -973,7 +977,8 @@ CVE-2025-46958 (Adobe Experience Manager versions 6.5.22
and earlier are affecte
CVE-2025-46658 (An issue was discovered in ExonautWeb in 4C Strategies Exonaut
21.6. T ...)
NOT-FOR-US: 4C Strategies Exonaut
CVE-2025-45512 (A lack of signature verification in the bootloader of DENX
Software En ...)
- TODO: check
+ - u-boot <undetermined>
+ NOTE: https://github.com/AzhariRamadhan/CVE-2025-45512
CVE-2025-44964 (A lack of SSL certificate validation in BlueStacks v5.20
allows attack ...)
NOT-FOR-US: BlueStacks
CVE-2025-43980 (An issue was discovered on FIRSTNUM JC21A-04 devices through
2.01ME/FN ...)
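Review bot: `- u-boot <undetermined>` leaves the package status open, and the only reference added is a third-party GitHub repository named after the CVE, not an upstream advisory or commit. Suggest a NOTE stating what still has to be determined (which u-boot versions are affected, and whether the bootloader path in question is built with signature verification in Debian's u-boot configurations) and adding the upstream reference once it exists, so the `<undetermined>` can later be resolved to a fixed version, `<not-affected>` or `<unfixed>`.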
@@ -1245,7 +1250,8 @@ CVE-2025-50420 (An issue in the pdfseparate utility of
freedesktop poppler v25.0
NOTE:
https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1849
NOTE: Fixed by:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/08d7894e4dd0e313c179e30f06ad8f546619b1b3
CVE-2025-50340 (An Insecure Direct Object Reference (IDOR) vulnerability was
discovere ...)
- TODO: check
+ - sogo 5.7.0-1
+ NOTE:
https://github.com/millad7/SOGo_web_mail-vulnerability-CVE-2025-50340
CVE-2025-46206 (An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote
attacker to c ...)
- mupdf 1.25.1+ds1-7 (bug #1110482)
[trixie] - mupdf <no-dsa> (Minor issue)
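Review bot: `- sogo 5.7.0-1` records a fixed version without a bug reference or a fix commit, and the NOTE links a third-party repository rather than the upstream fix. The poppler entry directly above shows the expected shape (`NOTE: Fixed by:` followed by the upstream commit URL); adding that here, plus a `[bookworm]`-style suite annotation if an older suite ships a version below 5.7.0-1, would make the fixed-version claim verifiable.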
@@ -1499,7 +1505,7 @@ CVE-2025-54790 (Files is a module for managing files
inside spaces and user prof
CVE-2025-54789 (Files is a module for managing files inside spaces and user
profiles. ...)
NOT-FOR-US: Files (a module for managing files inside spaces and user
profiles)
CVE-2025-54782 (Nest is a framework for building scalable Node.js server-side
applicat ...)
- TODO: check
+ NOT-FOR-US: nest nodejs module
CVE-2025-54781 (Himmelblau is an interoperability suite for Microsoft Azure
Entra ID a ...)
NOT-FOR-US: Himmelblau
CVE-2025-54424 (1Panel is a web interface and MCP Server that manages
websites, files, ...)
@@ -1873,7 +1879,7 @@ CVE-2025-37109 (Cross-site scripting vulnerability has
been identified in HPE Te
CVE-2025-37108 (Cross-site scripting vulnerability has been identified in HPE
Telco Se ...)
NOT-FOR-US: HPE
CVE-2025-34146 (A prototype pollution vulnerability exists in
@nyariv/sandboxjs versio ...)
- TODO: check
+ NOT-FOR-US: @nyariv/sandboxjs nodejs module
CVE-2025-2813 (An unauthenticated remote attacker can cause a Denial of
Service by se ...)
NOT-FOR-US: PHOENIX
CVE-2025-29557 (ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access
Control ...)
@@ -1929,7 +1935,7 @@ CVE-2013-10033 (An unauthenticated SQL injection
vulnerability exists in Kimai v
CVE-2012-10021 (A stack-based buffer overflow vulnerability exists in D-Link
DIR-605L ...)
NOT-FOR-US: D-Link
CVE-2011-10008 (A stack-based buffer overflow vulnerability exists in MPlayer
Lite r33 ...)
- TODO: check
+ NOT-FOR-US: MPlayer WW
CVE-2025-8373 (A vulnerability was found in code-projects Vehicle Management
1.0. It ...)
NOT-FOR-US: code-projects Vehicle Management
CVE-2025-8372 (A vulnerability was found in code-projects Exam Form Submission
1.0 an ...)
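Review bot: the NOT-FOR-US line names "MPlayer WW" while the CVE text names "MPlayer Lite r33", and nothing in the hunk shows why the two are the same thing or why the overflow is confined to that build. If the affected code is shared with upstream MPlayer this is not a NOT-FOR-US; add a NOTE with the reference that shows the bug is specific to the Windows build so the triage can be checked later.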
@@ -2522,7 +2528,7 @@ CVE-2025-33092 (IBM Db2 for Linux 12.1.0, 12.1.1, and
12.1.2 is vulnerable to
CVE-2025-31965 (Improper access restrictions in HCL BigFix Remote Control
Server WebUI ...)
NOT-FOR-US: HCL
CVE-2025-2928 (SQL Injection affecting the Archiver role.)
- TODO: check
+ NOT-FOR-US: Genetec Security Center
CVE-2025-2533 (IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2 is vulnerable to a
denial ...)
NOT-FOR-US: IBM
CVE-2025-2179 (An incorrect privilege assignment vulnerability in the Palo
Alto Netwo ...)
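Review bot: the CVE description shown is only "SQL Injection affecting the Archiver role." and names no product, so nothing in the hunk supports attributing it to Genetec Security Center. Add a NOTE with the advisory URL that establishes the product; the other NOT-FOR-US lines in this hunk (HCL, IBM) name a vendor that is visible in the description, and this one should be equally checkable.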
@@ -3417,7 +3423,7 @@ CVE-2016-15046 (A client-side remote code execution
vulnerability exists in Hanw
CVE-2015-10142 (Sitecore Experience Platform (XP) prior to 8.0 Initial Release
(rev. 1 ...)
NOT-FOR-US: Sitecore
CVE-2014-125119 (A filename spoofing vulnerability exists in WinRAR when
opening specia ...)
- TODO: check
+ NOT-FOR-US: WinRAR
CVE-2014-125118 (A command injection vulnerability exists in the eScan Web
Management C ...)
NOT-FOR-US: eScan Web Management Console
CVE-2014-125117 (A stack-based buffer overflow vulnerability in the my_cgi.cgi
componen ...)
@@ -4199,7 +4205,7 @@ CVE-2018-25113 (An unauthenticated path traversal
vulnerability exists in Dicoog
CVE-2017-20198 (The Marathon UI in DC/OS < 1.9.0 allows unauthenticated users
to deplo ...)
NOT-FOR-US: Marathon UI in DC/OS
CVE-2016-15045 (A local privilege escalation vulnerability exists in
lastore-daemon, t ...)
- TODO: check
+ NOT-FOR-US: lastore-daemon in Deepin Linux
CVE-2015-10141 (An unauthenticated OS command injection vulnerability exists
within Xd ...)
- xdebug <unfixed> (unimportant)
NOTE:
https://kirtixs.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/55eda87984ccc825a654477530c7c914bb621bb9...a8be0c07bb783feee8b3110f25d76e3726557571
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits