Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f405fa9a by Moritz Muehlenhoff at 2025-09-10T15:11:54+02:00
bookworm/trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -21,6 +21,8 @@ CVE-2025-9994 (The Amp\u2019ed RF BT-AP 111 Bluetooth access 
point's HTTP admin
        NOT-FOR-US: Amped RF
 CVE-2025-9951 (A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which 
allows ...)
        - ffmpeg <unfixed>
+       [trixie] - ffmpeg <postponed> (Minor issue, wait until it's fixed in 
the 7.1 branch)
+       [bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed in 
the 4.3 branch)
        NOTE: 
https://github.com/google/security-research/security/advisories/GHSA-39q3-f8jq-v6mg
 CVE-2025-9872 (Insufficient filename validation in Ivanti Endpoint Manager 
before 202 ...)
        NOT-FOR-US: Ivanti
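Review bot: bookworm gets no annotation in this hunk although the commit is a bookworm/trixie triage; the two added lines cover trixie and bullseye, so `- ffmpeg <unfixed>` still leaves bookworm unclassified in the tracker. If bookworm's ffmpeg is affected and equally minor, add a matching `[bookworm] - ffmpeg <postponed> (...)` line with the branch it should wait for; if bullseye was the intended suite, the commit message should say so.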
@@ -44,6 +46,8 @@ CVE-2025-8711 (CSRF in Ivanti Connect Secure before 22.7R2.9 
or 22.8R2, Ivanti P
        NOT-FOR-US: Ivanti
 CVE-2025-8277 (A flaw was found in libssh's handling of key exchange (KEX) 
processes  ...)
        - libssh <unfixed>
+       [trixie] - libssh <no-dsa> (Minor issue)
+       [bookworm] - libssh <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2383888
        NOTE: https://www.libssh.org/security/advisories/CVE-2025-8277.txt
 CVE-2025-8008 (A security issue exists in the protected mode of EN4TR devices, 
where  ...)
@@ -1059,7 +1063,9 @@ CVE-2025-9709 (On-Chip Debug and Test Interface With 
Improper Access Control and
 CVE-2025-9566 (There's a vulnerability in podman where an attacker may use the 
kube p ...)
        [experimental] - podman 5.6.1+ds1-1
        - podman <unfixed> (bug #1114526)
+       [trixie] - podman <no-dsa> (Minor issue)
        - libpod <removed>
+       [bookworm] - libpod <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2393152
        NOTE: Fixed by: 
https://github.com/containers/podman/commit/aaf8b9dc0cfec76444f7eda60660347646b90a13
 (v5.6.1)
 CVE-2025-9057 (The Biagiotti Core plugin for WordPress is vulnerable to Stored 
Cross- ...)
@@ -3049,8 +3055,12 @@ CVE-2025-9769 (A security flaw has been discovered in 
D-Link DI-7400G+ 19.12.25A
        NOT-FOR-US: D-Link
 CVE-2025-9375 (XML Injection vulnerability in xmltodict allows Input Data 
Manipulatio ...)
        - python-xmltodict <unfixed> (bug #1113825)
+       [trixie] - python-xmltodict <no-dsa> (Minor issue)
+       [bookworm] - python-xmltodict <no-dsa> (Minor issue)
        NOTE: https://github.com/martinblech/xmltodict/issues/377
        NOTE: https://fluidattacks.com/advisories/mono
+       NOTE: 
https://github.com/martinblech/xmltodict/commit/ecd456ab88d379514b116ef9293318b74e5ed3ee
 (v0.15.0)
+       NOTE: 
https://github.com/martinblech/xmltodict/commit/f98c90f071228ed73df997807298e1df4f790c33
 (v0.15.1)
 CVE-2025-57799 (StreamVault is a multi-platform video parsing and downloading 
tool. Pr ...)
        NOT-FOR-US: StreamVault
 CVE-2025-55007 (Knowage is an open source analytics and business intelligence 
suite. P ...)
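Review bot: the two added commit NOTEs for xmltodict lack the `Fixed by:` prefix that the other entries in this commit use (podman, log4cxx CVE-2025-54813, go-pg, go-gh), so they read as generic references rather than as the fix. Suggest `NOTE: Fixed by: https://github.com/martinblech/xmltodict/commit/ecd456ab88d379514b116ef9293318b74e5ed3ee (v0.15.0)` and the same for the v0.15.1 commit; since two commits across two releases are listed, the second note should also say whether it completes the first fix, which matters for anyone backporting.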
@@ -5350,11 +5360,15 @@ CVE-2025-55398 (An issue was discovered in mouse07410 
asn1c thru 0.9.29 (2025-03
        NOT-FOR-US: mouse07410 asn1c
 CVE-2025-54813 (Improper Output Neutralization for Logs vulnerability in 
Apache Log4cx ...)
        - log4cxx <unfixed> (bug #1111881)
+       [trixie] - log4cxx <no-dsa> (Minor issue)
+       [bookworm] - log4cxx <no-dsa> (Minor issue)
        NOTE: https://logging.apache.org/security.html#CVE-2025-54813
        NOTE: https://github.com/apache/logging-log4cxx/pull/512
        NOTE: Fixed by: 
https://github.com/apache/logging-log4cxx/commit/a799c934545311ff4179c68e16bbeb02b5c66348
 (rel/v1.5.0, v1.5.0-RC1)
 CVE-2025-54812 (Improper Output Neutralization for Logs vulnerability in 
Apache Log4cx ...)
        - log4cxx <unfixed> (bug #1111879)
+       [trixie] - log4cxx <no-dsa> (Minor issue)
+       [bookworm] - log4cxx <no-dsa> (Minor issue)
        NOTE: https://logging.apache.org/security.html#CVE-2025-54812
        NOTE: https://github.com/apache/logging-log4cxx/pull/509
        NOTE: 
https://github.com/apache/logging-log4cxx/commit/1c599de956ae9eedd8b5e3f744bfb867c39e8bba
 (rel/v1.5.0, rv1.5.0-RC1)
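Review bot: the no-dsa lines are consistent across both log4cxx CVEs, but the context line for CVE-2025-54812 reads `(rel/v1.5.0, rv1.5.0-RC1)` while the CVE-2025-54813 entry above reads `(rel/v1.5.0, v1.5.0-RC1)`; the stray `r` looks like a typo, and that NOTE also lacks the `Fixed by:` prefix the sibling entry uses. Since the entry is being touched anyway, fix both in the same commit.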
@@ -27214,6 +27228,8 @@ CVE-2024-44906 (uptrace pgdriver v1.2.1 was discovered 
to contain a SQL injectio
        NOT-FOR-US: uptrace pgdriver
 CVE-2024-44905 (go-pg pg v10.13.0 was discovered to contain a SQL injection 
vulnerabil ...)
        - golang-gopkg-pg.v5 <unfixed> (bug #1111939)
+       [trixie] - golang-gopkg-pg.v5 <no-dsa> (Minor issue)
+       [bookworm] - golang-gopkg-pg.v5 <no-dsa> (Minor issue)
        NOTE: https://github.com/advisories/GHSA-6xp3-p59p-q4fj
        NOTE: Fixed by: 
https://github.com/go-pg/pg/commit/eff50a43724e52347559687a6945c116afbb41c1 
(v10.15.0)
 CVE-2023-45256 (Multiple SQL injection vulnerabilities in the EuroInformation 
Monetico ...)
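Review bot: the annotated source package is golang-gopkg-pg.v5, while the CVE text names go-pg v10.13.0 and the Fixed-by note points at v10.15.0. Before settling on `<no-dsa> (Minor issue)` for trixie and bookworm, confirm that the v5 code base contains the affected code at all; if it does not, `<not-affected>` is the accurate state, and if it does, a NOTE should say whether the v10.15.0 commit applies to v5, since `<unfixed>` implies a backport is still expected.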
@@ -30987,7 +31003,9 @@ CVE-2025-48942 (vLLM is an inference and serving engine 
for large language model
        - vllm <itp> (bug #1095237)
 CVE-2025-48938 (go-gh is a collection of Go modules to make authoring GitHub 
CLI exten ...)
        - golang-github-cli-go-gh <unfixed> (bug #1107084)
+       [bookworm] - golang-github-cli-go-gh <no-dsa> (Minor issue)
        - golang-github-cli-go-gh-v2 <unfixed> (bug #1107083)
+       [trixie] - golang-github-cli-go-gh-v2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/cli/go-gh/security/advisories/GHSA-g9f5-x53j-h563
        NOTE: Fixed by: 
https://github.com/cli/go-gh/commit/df956a6624bc1210543873062ce0905357be1299 
(v2.12.1)
        NOTE: Fixed by: 
https://github.com/cli/go-gh/commit/0f8a22fe3a4b3d418268dfef57bcee15330f5b15 
(v2.12.1)
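Review bot: the bookworm annotation is attached to golang-github-cli-go-gh and the trixie annotation to golang-github-cli-go-gh-v2, while both Fixed-by commits point at v2.12.1 only. That classifies both suites fully only if bookworm ships just the v1 package and trixie just the v2 package; if either suite ships both, the missing `[suite]` line leaves that package unclassified. A NOTE stating how the v1 package is fixed (whether the v2.12.1 commits apply or a separate fix is needed) would close the gap, since the references cover only v2.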
@@ -43138,6 +43156,7 @@ CVE-2024-58250 (The passprompt plugin in pppd in ppp 
before 2.5.2 mishandles pri
        NOTE: configurations)
 CVE-2025-3839 [Require user interaction before opening URL in external 
application]
        - epiphany-browser 48.1-1
+       [bookworm] - epiphany-browser <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/issues/2641
        NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/epiphany/-/commit/324e25caee659bce43ff5c614d105f64899dfb7f
 (48.1)
        NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/epiphany/-/commit/9f80e7e80b75212627790d74041d46eedb6e321e
 (47.5)
@@ -55854,6 +55873,7 @@ CVE-2025-2489 (Insecure information storage 
vulnerability in NTFS Tools version
        NOT-FOR-US: NTFS Tools
 CVE-2025-2487 (A flaw was found in the 389-ds-base LDAP Server. This issue 
occurs whe ...)
        - 389-ds-base 3.1.2+dfsg1-1 (bug #1100994)
+       [bookworm] - 389-ds-base <no-dsa> (Minor issue)
        [bullseye] - 389-ds-base <postponed> (need priviligied user; DoS)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2353071
 CVE-2025-2450 (NI Vision Builder AI VBAI File Processing Missing Warning 
Remote Code  ...)
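Review bot: the new bookworm line says `<no-dsa> (Minor issue)` while the bullseye line directly below says `<postponed> (need priviligied user; DoS)` for the same flaw. Reusing the more specific rationale (privileged user required; DoS) for bookworm makes the triage easier to re-check later, and the context line carries a typo, `priviligied` for `privileged`, that can be fixed in the same edit.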
@@ -89507,6 +89527,7 @@ CVE-2024-53860 (sp-php-email-handler is a PHP package 
for handling contact form
        NOT-FOR-US: sp-php-email-handler
 CVE-2024-53859 (go-gh is a Go module for interacting with the `gh` utility and 
the Git ...)
        - golang-github-cli-go-gh-v2 <unfixed> (bug #1088815)
+       [trixie] - golang-github-cli-go-gh-v2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh
 CVE-2024-53858 (The gh cli is GitHub\u2019s official command line tool. A 
security vul ...)
        - gh 2.46.0-3 (bug #1088808)
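Review bot: the trixie no-dsa line is fine, but the CVE-2024-53859 entry carries only the GHSA advisory link and no `Fixed by:` commit or fixed upstream version, unlike the CVE-2025-48938 go-gh entry in this same commit. Adding the fixing commit and version would make a later point-release update straightforward; also confirm whether golang-github-cli-go-gh (v1), which bookworm was annotated for above, is affected by this CVE, since only the -v2 package is listed here.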


=====================================
data/dsa-needed.txt
=====================================
@@ -17,6 +17,8 @@ amd64-microcode (carnil)
 --
 ark/oldstable (jmm)
 --
+cjson (jmm)
+--
 chromium (dilinger)
 --
 frr/oldstable
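Review bot: the added `cjson (jmm)` entry is out of order: the surrounding entries run amd64-microcode, ark, chromium, frr, so the file is kept alphabetical and `cjson` sorts after `chromium`. Move the two added lines below the `chromium (dilinger)` / `--` pair. Note also that this commit touches no cjson entry in data/CVE/list, so the open issue that justifies the DSA should already be recorded there.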



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f405fa9a6db01f6c5d61222fdca9b5735092c927



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
