Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
978809cc by Moritz Muehlenhoff at 2025-08-20T23:28:28+02:00
trixie triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -7009,6 +7009,7 @@ CVE-2023-53157 (The rosenpass crate before 0.2.1 for Rust 
allows remote attacker
        NOT-FOR-US: rosenpass rust crate
 CVE-2023-53156 (The transpose crate before 0.2.3 for Rust allows an integer 
overflow v ...)
        - rust-transpose 0.2.3-1 (bug #1110260)
+       [trixie] - rust-transpose <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0080.html
        NOTE: https://github.com/ejmahler/transpose/issues/11
        NOTE: Fixed by: 
https://github.com/ejmahler/transpose/commit/c4bcd39fabca9a31a401d0cc42d4090869b5a37a
 (v0.2.3)
@@ -9466,6 +9467,7 @@ CVE-2025-53945 (apko allows users to build and publish 
OCI container images buil
        NOT-FOR-US: apko
 CVE-2025-53901 (Wasmtime is a runtime for WebAssembly. Prior to versions 
24.0.4, 33.0. ...)
        - rust-wasmtime <unfixed> (bug #1109548)
+       [trixie] - rust-wasmtime <no-dsa> (Minor issue)
        NOTE: 
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-fm79-3f68-h2fc
 CVE-2025-53888 (RIOT-OS, an operating system that supports Internet of Things 
devices, ...)
        NOT-FOR-US: RIOT-OS
@@ -17298,6 +17300,7 @@ CVE-2025-52937 (Vulnerability in PointCloudLibrary PCL 
(surface/src/3rdparty/ope
 CVE-2025-52936 (Improper Link Resolution Before File Access ('Link Following') 
vulnera ...)
        {DLA-4238-1}
        - sslh <unfixed> (bug #1108284)
+       [trixie] - sslh <no-dsa> (Minor issue)
        [bookworm] - sslh <no-dsa> (Minor issue)
        NOTE: https://github.com/yrutschle/sslh/pull/494
        NOTE: Fixed by: 
https://github.com/yrutschle/sslh/commit/0fe9bd5a956a123342ff12352b25bff8025dac69
 (v2.2.2)
@@ -24299,6 +24302,7 @@ CVE-2025-47272 (The CE Phoenix eCommerce platform, 
starting in version 1.0.9.7 a
        NOT-FOR-US: CE Phoenix
 CVE-2025-46807 (A Allocation of Resources Without Limits or Throttling 
vulnerability i ...)
        - sslh <unfixed> (bug #1107213)
+       [trixie] - sslh <no-dsa> (Minor issue)
        [bookworm] - sslh <no-dsa> (Minor issue)
        [bullseye] - sslh <ignored> (Minor issue; too intrusive to backport)
        NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1243122
@@ -24306,6 +24310,7 @@ CVE-2025-46807 (A Allocation of Resources Without 
Limits or Throttling vulnerabi
        NOTE: https://www.openwall.com/lists/oss-security/2025/06/13/1
 CVE-2025-46806 (A Use of Out-of-range Pointer Offset vulnerability in sslh 
leads to de ...)
        - sslh <unfixed> (bug #1107214)
+       [trixie] - sslh <no-dsa> (Minor issue)
        [bookworm] - sslh <not-affected> (Vulnerable code introdued later)
        [bullseye] - sslh <not-affected> (Vulnerable code introdued later)
        NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1243120
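Review bot: the two context lines directly below the added [trixie] entry carry the typo "introdued" in "(Vulnerable code introdued later)" for both bookworm and bullseye; since this commit already touches the CVE-2025-46806 block, it would be cheap to correct them to "introduced" in the same change.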
@@ -29866,6 +29871,7 @@ CVE-2025-3916 (CWE-121: Stack-based Buffer 
Overflowvulnerability existsthat coul
        NOT-FOR-US: Schneider Electric
 CVE-2025-3757 (Versions of OpenPubkey library prior to 0.10.0  contained a 
vulnerabil ...)
        - golang-github-openpubkey-openpubkey <unfixed> (bug #1105736)
+       [trixie] - golang-github-openpubkey-openpubkey <no-dsa> (Minor issue)
        NOTE: 
https://github.com/openpubkey/openpubkey/security/advisories/GHSA-537f-gxgm-3jjq
 CVE-2025-3744 (Nomad Enterprise (\u201cNomad\u201d) jobs using the policy 
override op ...)
        - nomad <not-affected> (Specific to Nomad Enterprise)
@@ -43621,6 +43627,7 @@ CVE-2024-42325 (Zabbix API user.get returns all users 
that share common group wi
        NOTE: Fixed by (merge commit) 
https://github.com/zabbix/zabbix/commit/9edbc84251a1fb2ab75dc974c334d300d4705390
 (5.0.46rc1)
 CVE-2024-39780 (A YAML deserialization vulnerability was found in the Robot 
Operating  ...)
        - ros-dynamic-reconfigure <unfixed> (bug #1102010)
+       [trixie] - ros-dynamic-reconfigure <no-dsa> (Minor issue)
        [bookworm] - ros-dynamic-reconfigure <no-dsa> (Minor issue)
        [bullseye] - ros-dynamic-reconfigure <postponed> (Minor issue)
        NOTE: https://github.com/ros/dynamic_reconfigure/pull/202
@@ -122930,6 +122937,7 @@ CVE-2024-38518 (BigBlueButton is an open-source 
virtual classroom designed to he
        NOT-FOR-US: BigBlueButton
 CVE-2019-25211 (parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 
mishandle ...)
        - golang-github-gin-contrib-cors <unfixed> (bug #1075962)
+       [trixie] - golang-github-gin-contrib-cors <no-dsa> (Minor issue)
        [bookworm] - golang-github-gin-contrib-cors <no-dsa> (Minor issue)
        [bullseye] - golang-github-gin-contrib-cors <no-dsa> (Minor issue)
        NOTE: https://github.com/gin-contrib/cors/pull/57
@@ -123265,11 +123273,12 @@ CVE-2024-39154 (idccms v1.35 was discovered to 
contain a Cross-Site Request Forg
 CVE-2024-39153 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
        NOT-FOR-US: idccms
 CVE-2024-39133 (Heap Buffer Overflow vulnerability in zziplib v0.13.77 allows 
attacker ...)
-       - zziplib <unfixed> (bug #1074417)
+       - zziplib 0.13.78+dfsg.1-0.1 (bug #1074417)
        [bookworm] - zziplib <ignored> (Minor issue)
        [bullseye] - zziplib <no-dsa> (Minor issue)
        [buster] - zziplib <postponed> (Minor issue, revisi when fixed upstream)
        NOTE: https://github.com/gdraheim/zziplib/issues/164
+       NOTE: No exact fixing commits known, but upstream concludes as fixed in 
v0.13.78
 CVE-2024-39130 (A NULL Pointer Dereference discovered in DumpTS v0.1.0-nightly 
allows  ...)
        NOT-FOR-US: DumpTS
 CVE-2024-39129 (Heap Buffer Overflow vulnerability in DumpTS v0.1.0-nightly 
allows att ...)
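Review bot: the new NOTE "No exact fixing commits known, but upstream concludes as fixed in v0.13.78" reads awkwardly and would be clearer as "upstream considers the issue fixed in v0.13.78"; more importantly, the [buster] line two lines above still says "<postponed> (Minor issue, revisi when fixed upstream)", which both contains the typo "revisi" (for "revisit") and records a rationale that this hunk itself supersedes now that the unstable entry changes from <unfixed> to 0.13.78+dfsg.1-0.1. Consider fixing the typo and revisiting the postponed rationale in the same commit, and, since no fixing commit is identified, pointing the NOTE at where upstream states the fix (the linked issue #164) so the version-based fixed marker is traceable.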
@@ -124032,6 +124041,7 @@ CVE-2024-6160 (SQL Injection vulnerability in MegaBIP 
software allows attacker t
        NOT-FOR-US: MegaBIP
 CVE-2024-6104 (go-retryablehttp prior to 0.7.7 did not sanitize urls when 
writing the ...)
        - golang-github-hashicorp-go-retryablehttp <unfixed> (bug #1076773)
+       [trixie] - golang-github-hashicorp-go-retryablehttp <no-dsa> (Minor 
issue)
        [bookworm] - golang-github-hashicorp-go-retryablehttp <no-dsa> (Minor 
issue)
        [bullseye] - golang-github-hashicorp-go-retryablehttp <no-dsa> (Minor 
issue)
        NOTE: 
https://discuss.hashicorp.com/t/hcsec-2024-12-go-retryablehttp-can-leak-basic-auth-credentials-to-log-files/68027
@@ -203275,6 +203285,7 @@ CVE-2023-37463 (cmark-gfm is an extended version of 
the C reference implementati
        [bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
        [buster] - r-cran-commonmark <no-dsa> (Minor issue)
        - ruby-commonmarker <unfixed> (bug #1041100)
+       [trixie] - ruby-commonmarker <ignored> (Minor issue)
        [bookworm] - ruby-commonmarker <ignored> (Minor issue)
        [bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
        [buster] - ruby-commonmarker <no-dsa> (Minor issue)
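Review bot: this is the only [trixie] entry added in this commit that is marked <ignored> rather than <no-dsa>; it matches the bookworm <ignored> line directly below, but differs from the r-cran-commonmark <no-dsa> entries for the same CVE-2023-37463 just above. If <ignored> is intentional for trixie (e.g. following the bookworm decision for ruby-commonmarker), the rationale is worth stating instead of the bare "(Minor issue)", since that text is identical to the <no-dsa> entries and does not explain the different status.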



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/978809cc51991af078b803595461eb7d2329714d



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
