Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c8e9f0e1 by Moritz Muehlenhoff at 2025-09-12T13:44:32+02:00
bookworm/trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -16,6 +16,8 @@ CVE-2025-58781 (WTW-EAGLE App does not properly validate
server certificates, wh
NOT-FOR-US: WTW-EAGLE App
CVE-2025-58754 (Axios is a promise based HTTP client for the browser and
Node.js. When ...)
- node-axios <unfixed> (bug #1114963)
+ [trixie] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios <no-dsa> (Minor issue)
NOTE:
https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj
NOTE: https://github.com/axios/axios/pull/7011
NOTE:
https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593
(v1.12.0)
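Review bot: the two added `[trixie]`/`[bookworm]` no-dsa lines for node-axios leave the unstable entry at `<unfixed> (bug #1114963)`, which matches the +2-line hunk header, but the justification is only "Minor issue" while the NOTE lines already record the upstream fix commit tagged `(v1.12.0)`. Consider extending the justification to say whether the fix is expected to reach the stable suites through a point update or only with the next upload, so later triagers do not have to re-derive that from the links.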
@@ -94,24 +96,32 @@ CVE-2025-56556 (An issue was discovered in Subrion CMS
4.2.1, allowing authentic
NOT-FOR-US: Subrion CMS
CVE-2025-48041 (Allocation of Resources Without Limits or Throttling
vulnerability in ...)
- erlang <unfixed>
+ [trixie] - erlang <no-dsa> (Minor issue)
+ [bookworm] - erlang <no-dsa> (Minor issue)
NOTE:
https://github.com/erlang/otp/security/advisories/GHSA-79c4-cvv7-4qm3
NOTE: https://github.com/erlang/otp/pull/10157
NOTE:
https://github.com/erlang/otp/commit/5f9af63eec4657a37663828d206517828cb9f288
(OTP-27.3.4.3, OTP-28.0.3)
NOTE:
https://github.com/erlang/otp/commit/d49efa2d4fa9e6f7ee658719cd76ffe7a33c2401
(OTP-26.2.5.15)
CVE-2025-48040 (Uncontrolled Resource Consumption vulnerability in Erlang OTP
ssh (ssh ...)
- erlang <unfixed>
+ [trixie] - erlang <no-dsa> (Minor issue)
+ [bookworm] - erlang <no-dsa> (Minor issue)
NOTE:
https://github.com/erlang/otp/security/advisories/GHSA-h7rg-6rjg-4cph
NOTE: https://github.com/erlang/otp/pull/10162
NOTE:
https://github.com/erlang/otp/commit/7cd7abb7e19e16b027eaee6a54e1f6fbbe21181a
(OTP-27.3.4.3, OTP-28.0.3)
NOTE:
https://github.com/erlang/otp/commit/548f1295d86d0803da884db8685cc16d461d0d5a
(OTP-26.2.5.15)
CVE-2025-48039 (Allocation of Resources Without Limits or Throttling
vulnerability in ...)
- erlang <unfixed>
+ [trixie] - erlang <no-dsa> (Minor issue)
+ [bookworm] - erlang <no-dsa> (Minor issue)
NOTE:
https://github.com/erlang/otp/security/advisories/GHSA-rr5p-6856-j7h8
NOTE: https://github.com/erlang/otp/pull/10155
NOTE:
https://github.com/erlang/otp/commit/c242e6458967e9514bea351814151695807a54ac
(OTP-27.3.4.3, OTP-28.0.3)
NOTE:
https://github.com/erlang/otp/commit/043ee3c943e2977c1acdd740ad13992fd60b6bf0
(OTP-26.2.5.15)
CVE-2025-48038 (Allocation of Resources Without Limits or Throttling
vulnerability in ...)
- erlang <unfixed>
+ [trixie] - erlang <no-dsa> (Minor issue)
+ [bookworm] - erlang <no-dsa> (Minor issue)
NOTE:
https://github.com/erlang/otp/security/advisories/GHSA-pvj7-9652-7h9r
NOTE: https://github.com/erlang/otp/pull/10156
NOTE:
https://github.com/erlang/otp/commit/4e3bf86777ab3db7220c11d8ddabf15970ddd10a
(OTP-27.3.4.3, OTP-28.0.3)
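Review bot: the last entry in this hunk, CVE-2025-48038, is missing the `(OTP-26.2.5.15)` fix-commit NOTE that the other three erlang entries (CVE-2025-48041, -48040, -48039) each carry alongside their `(OTP-27.3.4.3, OTP-28.0.3)` commit. The hunk header (-94,24) accounts for all 24 original lines, so this is not a truncation. If an OTP-26 backport exists for CVE-2025-48038, add it for consistency; if not, a short NOTE saying so would stop the asymmetry from reading as an oversight when the `<no-dsa>` decision is revisited.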
@@ -825,6 +835,7 @@ CVE-2025-9994 (The Amp\u2019ed RF BT-AP 111 Bluetooth
access point's HTTP admin
CVE-2025-9951 (A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which
allows ...)
- ffmpeg <unfixed>
[trixie] - ffmpeg <postponed> (Minor issue, wait until it's fixed in
the 7.1 branch)
+ [bookworm] - ffmpeg <postponed> (Minor issue, wait until it's fixed in
the 5.1 branch)
[bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed in
the 4.3 branch)
NOTE:
https://github.com/google/security-research/security/advisories/GHSA-39q3-f8jq-v6mg
CVE-2025-9872 (Insufficient filename validation in Ivanti Endpoint Manager
before 202 ...)
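Review bot: the added `[bookworm] - ffmpeg <postponed>` line for CVE-2025-9951 mirrors the existing trixie (7.1) and bullseye (4.3) entries, with 5.1 as the branch to wait for, so the suite-to-branch mapping is consistent. All three entries depend on an upstream branch fix that has not happened yet, but the only NOTE is the GHSA link; once the fix commit on master is known, recording it as a further NOTE would let the three postponed entries be resolved without re-reading the advisory.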
@@ -12843,7 +12854,7 @@ CVE-2025-53399 (In Sipwise rtpengine before 13.4.1.1,
an origin-validation error
- rtpengine 12.5.1.35-1 (bug #1110316)
NOTE: https://www.openwall.com/lists/oss-security/2025/07/31/1
NOTE:
https://github.com/EnableSecurity/advisories/tree/master/ES2025-01-rtpengine-improper-behavior-bleed-inject
- NOTE: Fixed by:
https://github.com/sipwise/rtpengine/commits/a68f3dd1e65ba1d81bb8996d7bfab82641f20b50
(mr12.5.1.35)
+ NOTE: Fixed by:
https://github.com/sipwise/rtpengine/commit/a68f3dd1e65ba1d81bb8996d7bfab82641f20b50
(mr12.5.1.35)
NOTE: https://github.com/sipwise/rtpengine/commits/rfuchs/security/
(MT#62735)
CVE-2025-8426 (Marvell QConvergeConsole compressConfigFiles Directory
Traversal Infor ...)
NOT-FOR-US: Marvell
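Review bot: the URL correction for CVE-2025-53399 changes `/commits/<sha>` to `/commit/<sha>`, which is the right form for a single-revision link, and the `(mr12.5.1.35)` tag and bug #1110316 are preserved. The following `commits/rfuchs/security/` NOTE correctly keeps the plural form, since it points at a branch history rather than one commit. No further change needed in this hunk.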
=====================================
data/dsa-needed.txt
=====================================
@@ -60,6 +60,8 @@ python-django
python-internetarchive
Antoine followed up on #1114635, needs handling both in trixie and bookworm
--
+rtpengine
+--
ruby-rack/oldstable
--
ruby-saml/oldstable
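Review bot: the new `rtpengine` entry in dsa-needed.txt carries no annotation, unlike the neighbouring python-internetarchive entry which names the bug and the suites to handle. Since the CVE/list change in this same commit touches CVE-2025-53399 (fixed in unstable as 12.5.1.35-1, bug #1110316), adding that CVE id or bug number under the entry would make the DSA work item traceable; the diff also does not show the trixie/bookworm status lines for rtpengine, so stating which suites need the update would help whoever picks it up.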
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8e9f0e10e1bc94f8d9c258641763d97cea25176
--
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits