Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cc60bb14 by Moritz Muehlenhoff at 2025-08-14T17:14:03+02:00
trixie triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -7878,6 +7878,7 @@ CVE-2025-2799 (The WP Event Manager \u2013 Events 
Calendar, Registrations, Sell
        NOT-FOR-US: WordPress plugin
 CVE-2025-53906 (Vim is an open source, command line text editor. Prior to 
version 9.1. ...)
        - vim <unfixed> (bug #1109374)
+       [trixie] - vim <no-dsa> (Minor issue)
        [bookworm] - vim <no-dsa> (Minor issue)
        [bullseye] - vim <postponed> (Minor issue; path traversal requiring 
direct user interaction)
        NOTE: https://www.openwall.com/lists/oss-security/2025/07/15/2
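Review bot: the new [trixie] line for CVE-2025-53906 records only "Minor issue", while the bullseye line two lines below carries the actual reason ("path traversal requiring direct user interaction"); consider carrying that rationale into the trixie (and bookworm) lines so the no-dsa decision is self-explanatory without reading the other release's entry. The CVE-2025-53905 entry in the next hunk has the same shape and would benefit from the same wording.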
@@ -7885,6 +7886,7 @@ CVE-2025-53906 (Vim is an open source, command line text 
editor. Prior to versio
        NOTE: https://github.com/vim/vim/security/advisories/GHSA-r2fw-9cw4-mj86
 CVE-2025-53905 (Vim is an open source, command line text editor. Prior to 
version 9.1. ...)
        - vim <unfixed> (bug #1109374)
+       [trixie] - vim <no-dsa> (Minor issue)
        [bookworm] - vim <no-dsa> (Minor issue)
        [bullseye] - vim <postponed> (Minor issue; path traversal requiring 
direct user interaction)
        NOTE: https://www.openwall.com/lists/oss-security/2025/07/15/1
@@ -26728,6 +26730,7 @@ CVE-2025-47285 (Vyper is the Pythonic Programming 
Language for the Ethereum Virt
        NOT-FOR-US: Vyper
 CVE-2025-47279 (Undici is an HTTP/1.1 client for Node.js. Prior to versions 
5.29.0, 6. ...)
        - node-undici <unfixed> (bug #1105860)
+       [trixie] - node-undici <no-dsa> (Minor issue)
        [bookworm] - node-undici <no-dsa> (Minor issue)
        NOTE: 
https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3
        NOTE: https://github.com/nodejs/undici/issues/3895
@@ -26890,6 +26893,7 @@ CVE-2025-23165 (In Node.js, the `ReadFileUtf8` internal 
binding leaks memory due
        NOTE: Introduced by: 
https://github.com/nodejs/node/commit/938471ef556f2d64257059b60889a8c84621eea6 
(v20.8.0)
 CVE-2025-23167 (A flaw in Node.js 20's HTTP parser allows improper termination 
of HTTP ...)
        - node-undici <unfixed> (bug #1105919)
+       [trixie] - node-undici <no-dsa> (Minor issue)
        [bookworm] - node-undici <no-dsa> (Minor issue)
        - llhttp <itp> (bug #977716)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-http-header-block-termination-in-llhttp-cve-2025-23167---medium
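Review bot: for CVE-2025-23167 the header describes a flaw in Node.js 20's HTTP parser and the linked advisory anchor names llhttp, yet the package receiving the new [trixie] no-dsa line is node-undici; a NOTE explaining why node-undici is affected (its relation to llhttp) would make this entry easier to re-triage later. Also worth confirming that the nodejs source package itself is covered for this CVE, since no nodejs line appears in the visible context.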
@@ -33252,6 +33256,7 @@ CVE-2025-46654 (CodiMD through 2.2.0 has a CSP-based 
protection mechanism agains
        NOT-FOR-US: CodiMD
 CVE-2025-46653 (Formidable (aka node-formidable) 2.1.0 through 3.x before 
3.5.3 relies ...)
        - node-formidable <unfixed> (bug #1104246)
+       [trixie] - node-formidable <ignored> (Minor issue)
        [bookworm] - node-formidable <ignored> (Minor issue)
        [bullseye] - node-formidable <ignored> (Minor issue)
        NOTE: Fixed by: 
https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5
 (v3.5.3)
@@ -65883,6 +65888,7 @@ CVE-2025-23208 (zot is a production-ready 
vendor-neutral OCI image registry. The
        NOT-FOR-US: zot
 CVE-2025-23207 (KaTeX is a fast, easy-to-use JavaScript library for TeX math 
rendering ...)
        - node-katex <unfixed> (bug #1093446)
+       [trixie] - node-katex <no-dsa> (Minor issue)
        [bookworm] - node-katex <no-dsa> (Minor issue)
        [bullseye] - node-katex <postponed> (Minor issue; can be fixed in next 
update)
        NOTE: 
https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cg87-wmx4-v546
@@ -74874,12 +74880,14 @@ CVE-2024-37962 (Improper Neutralization of Input 
During Web Page Generation ('Cr
        NOT-FOR-US: Agency Dominion Fusion
 CVE-2024-12801 (Server-Side Request Forgery (SSRF) in SaxEventRecorder by 
QOS.CH logba ...)
        - logback <unfixed> (bug #1091320)
+       [trixie] - logback <no-dsa> (Minor issue)
        [bookworm] - logback <no-dsa> (Minor issue)
        [bullseye] - logback <postponed> (Minor issue; can be fixed in next 
update)
        NOTE: https://logback.qos.ch/news.html#1.5.13
        NOTE: Fixed by: 
https://github.com/qos-ch/logback/commit/5f05041cba4c4ac0a62748c5c527a2da48999f2d
 (v_1.5.13)
 CVE-2024-12798 (ACE vulnerability in JaninoEventEvaluator  by QOS.CH 
logback-core      ...)
        - logback <unfixed> (bug #1091319)
+       [trixie] - logback <no-dsa> (Minor issue)
        [bookworm] - logback <no-dsa> (Minor issue)
        [bullseye] - logback <postponed> (Minor issue; can be fixed in next 
update)
        NOTE: https://logback.qos.ch/news.html#1.5.13
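Review bot: CVE-2024-12798 is described in its header as an ACE vulnerability in JaninoEventEvaluator, but the new [trixie] line, like the bookworm line above it, gives only "Minor issue"; a short reason for why it is minor here (as the vim entries do for bullseye) would help anyone revisiting the no-dsa decision. Minor: the fix tag "(v_1.5.13)" in the CVE-2024-12801 NOTE uses an underscore, unlike the other version tags in this file such as "(v3.5.3)".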
@@ -89574,6 +89582,7 @@ CVE-2024-7883 (When using Arm Cortex-M Security 
Extensions (CMSE), Secure stack
        [bookworm] - llvm-toolchain-16 <ignored> (Minor issue, doesn't affect 
the default build flags in Debian and no backport into release branches planned)
        [bullseye] - llvm-toolchain-16 <ignored> (Minor issue, doesn't affect 
the default build flags in Debian and no backport into release branches planned)
        - llvm-toolchain-17 <unfixed> (bug #1104017)
+       [trixie] - llvm-toolchain-17 <ignored> (Minor issue, doesn't affect the 
default build flags in Debian and no backport into release branch 17 planned)
        - llvm-toolchain-18 <unfixed> (bug #1104016)
        [trixie] - llvm-toolchain-18 <ignored> (Minor issue, doesn't affect the 
default build flags in Debian and no backport into release branch 18 planned)
        - llvm-toolchain-19 <unfixed> (bug #1104015)
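Review bot: the new llvm-toolchain-17 [trixie] line mirrors the existing llvm-toolchain-18 line ("release branch 17" vs "release branch 18"), which is consistent; the visible context ends at "- llvm-toolchain-19 <unfixed> (bug #1104015)" with no [trixie] line shown for it, so confirm whether llvm-toolchain-19 needs the same trixie annotation or already has one below the context.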
@@ -96766,6 +96775,7 @@ CVE-2024-46307 (A loop hole in the payment logic of 
Sparkshop v1.16 allows attac
        NOT-FOR-US: Sparkshop
 CVE-2024-46304 (A NULL pointer dereference in libcoap v4.3.5-rc2 and below 
allows a re ...)
        - libcoap3 <unfixed> (bug #1084981)
+       [trixie] - libcoap3 <ignored> (Minor issue, no reverse deps in trixie)
        [bookworm] - libcoap3 <ignored> (Minor issue, no reverse deps in 
Bookworm)
        - libcoap2 <removed>
        [bullseye] - libcoap2 <postponed> (Minor issue; can be fixed in next 
update)
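Review bot: the [trixie] libcoap3 line reuses the bookworm rationale ("no reverse deps"); the reverse-dependency set can differ between the two releases, so this is worth confirming against trixie rather than copying from bookworm. The same applies to the libcoap3 lines added in the three following hunks (CVE-2023-51847, CVE-2024-31031, CVE-2024-0962).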
@@ -126878,6 +126888,7 @@ CVE-2023-6491 (The Strong Testimonials plugin for 
WordPress is vulnerable to una
        NOT-FOR-US: WordPress plugin
 CVE-2023-51847 (An issue in obgm and Libcoap v.a3ed466 allows a remote 
attacker to cau ...)
        - libcoap3 <unfixed> (bug #1084981)
+       [trixie] - libcoap3 <ignored> (Minor issue, no reverse deps in trixie)
        [bookworm] - libcoap3 <ignored> (Minor issue, no reverse deps in 
Bookworm)
        - libcoap2 <removed>
        [bullseye] - libcoap2 <postponed> (Minor issue; can be fixed in next 
update)
@@ -145015,6 +145026,7 @@ CVE-2024-31031 (An issue in `coap_pdu.c` in libcoap 
4.3.4 allows attackers to ca
        - libcoap <not-affected> (Vulnerable code not present)
        - libcoap2 <not-affected> (Vulnerable code not present)
        - libcoap3 <unfixed> (bug #1070362)
+       [trixie] - libcoap3 <ignored> (Minor issue, no reverse deps in trixie)
        [bookworm] - libcoap3 <ignored> (Minor issue, no reverse deps in 
Bookworm)
        NOTE: https://github.com/obgm/libcoap/issues/1351
        NOTE: 
https://github.com/obgm/libcoap/commit/214665ac4b44b1b6a7e38d4d6907ee835a174928 
(v4.3.5-rc1)
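Review bot: the NOTE on this entry records the upstream fix as shipped in v4.3.5-rc1 while sid is listed as <unfixed>; before marking trixie <ignored>, confirm that the libcoap3 version in trixie predates 4.3.5-rc1, since otherwise the entry should carry the fixed version rather than an ignored tag.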
@@ -167791,6 +167803,7 @@ CVE-2024-23738 (An issue in Postman version 10.22 and 
before on macOS allows a r
        NOT-FOR-US: Postman on MacOS
 CVE-2024-0962 (A vulnerability was found in obgm libcoap 4.3.4. It has been 
rated as  ...)
        - libcoap3 <unfixed> (bug #1061704)
+       [trixie] - libcoap3 <ignored> (Minor issue, no reverse deps in trixie)
        [bookworm] - libcoap3 <not-affected> (Vulnerable code not present)
        - libcoap2 <not-affected> (Vulnerable code not present)
        - libcoap <not-affected> (Vulnerable code not present)
@@ -185666,6 +185679,7 @@ CVE-2023-46602 (In International Color Consortium 
DemoIccMAX 79ecb74, there is a
        NOT-FOR-US: International Color Consortium DemoIccMAX
 CVE-2023-46332 (WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write 
in DataS ...)
        - wabt <unfixed> (bug #1055299)
+       [trixie] - wabt <no-dsa> (Minor issue)
        [bookworm] - wabt <no-dsa> (Minor issue)
        [bullseye] - wabt <no-dsa> (Minor issue)
        [buster] - wabt <no-dsa> (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc60bb1499968da27a7acfacf641ef8c91828c50

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
