Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ea6785e1 by Moritz Muehlenhoff at 2025-10-06T17:41:48+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1113,17 +1113,24 @@ CVE-2025-27231 (The LDAP 'Bind password' value cannot 
be read after saving, but
        NOTE: Fixed in: 6.0.41, 7.0.18, 7.2.12, 7.4.2
 CVE-2025-11234 (A flaw was found in QEMU. If the QIOChannelWebsock object is 
freed whi ...)
        - qemu <unfixed> (bug #1117153)
+       [trixie] - qemu <no-dsa> (Minor issue)
+       [bookworm] - qemu <no-dsa> (Minor issue)
        NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2025-09/msg06566.html
 CVE-2025-11223 (Installer of   Panasonic   AutoDownloader      version 1.2.8 
contains  ...)
        NOT-FOR-US: Panasonic
 CVE-2025-10729 (The module will parse a <pattern> node which is not a child of 
a struc ...)
        - qt6-svg <unfixed> (bug #1117445)
+       [trixie] - qt6-svg <no-dsa> (Minor issue)
+       [bookworm] - qt6-svg <no-dsa> (Minor issue)
        - qtsvg-opensource-src <unfixed> (bug #1117446)
+       [trixie] - qtsvg-opensource-src <no-dsa> (Minor issue)
+       [bookworm] - qtsvg-opensource-src <no-dsa> (Minor issue)
        NOTE: Fixed by: https://codereview.qt-project.org/c/qt/qtsvg/+/676473
        NOTE: Fixed by: 
https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=7e8898903265d931df0aa54b3913f2c49d4d7bf2
 (dev)
        NOTE: Fixed by: 
https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=6a6273126770006232e805cf1631f93d4919b788
 (v6.9.3)
 CVE-2025-10728 (When the module renders a Svg file that contains a <pattern> 
element,  ...)
        - qt6-svg <unfixed> (bug #1117447)
+       [trixie] - qt6-svg <no-dsa> (Minor issue)
        [bookworm] - qt6-svg <not-affected> (Vulnerable code introduced later)
        - qtsvg-opensource-src <not-affected> (Vulnerable code introduced later)
        NOTE: https://bugreports.qt.io/browse/QTBUG-137553
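Review bot: On the two new qemu lines for CVE-2025-11234, the only reference under the entry is a qemu-devel list message and the unstable line is still <unfixed>, so nothing records which upstream commit a later point-release update should backport. Suggest adding a "NOTE: Fixed by:" line once the fix is merged, as the CVE-2025-10729 entry in the same hunk already does.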
@@ -2917,6 +2924,8 @@ CVE-2025-11163 (The SmartCrawl SEO checker, analyzer & 
optimizer plugin for Word
        NOT-FOR-US: WordPress plugin
 CVE-2025-11149 (This affects all versions of the package node-static; all 
versions of  ...)
        - node-static <unfixed>
+       [trixie] - node-static <no-dsa> (Minor issue)
+       [bookworm] - node-static <no-dsa> (Minor issue)
        NOTE: 
https://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67
 (v0.1.0)
 CVE-2025-11148 (All versions of the package check-branches are vulnerable to 
Command I ...)
        TODO: check
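Review bot: The new no-dsa lines for CVE-2025-11149 sit under "- node-static <unfixed>", which carries no bug reference, unlike the other unfixed entries touched by this commit. With both stable releases set to no-dsa, a filed bug is what keeps the issue tracked toward a fix, so suggest filing one and adding it to the unfixed line. The NOTE with the (v0.1.0) commit link also has no "Fixed by:" or "Introduced by:" prefix, which leaves its role unclear.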
@@ -4139,6 +4148,7 @@ CVE-2025-57353 (The Runtime components of messageformat 
package for Node.js prio
        NOT-FOR-US: messageformat package for Node.js
 CVE-2025-57352 (A vulnerability exists in the 'min-document' package prior to 
version  ...)
        - node-min-document <unfixed> (bug #1116340)
+       [trixie] - node-min-document <no-dsa> (Minor issue)
        NOTE: https://github.com/Raynos/min-document/issues/54
 CVE-2025-57351 (A prototype pollution vulnerability exists in the ts-fns 
package versi ...)
        NOT-FOR-US: ts-fns package for Node.js
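Review bot: For CVE-2025-57352 only a [trixie] line is added under node-min-document, although the commit is described as trixie/bookworm triage and most other entries get both tags. If bookworm ships the package, add the matching "[bookworm] - node-min-document <no-dsa> (Minor issue)" line, or a <not-affected> line with its reason if the bookworm version is not vulnerable.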
@@ -4461,6 +4471,8 @@ CVE-2025-56146 (Indian Bank IndSMART Android App 3.8.1 is 
vulnerable to Missing
        NOT-FOR-US: Indian Bank IndSMART Android App
 CVE-2025-55780 (A null pointer dereference occurs in the function 
break_word_for_overf ...)
        - mupdf <unfixed> (bug #1116254)
+       [trixie] - mupdf <no-dsa> (Minor issue)
+       [bookworm] - mupdf <no-dsa> (Minor issue)
        [bullseye] - mupdf <postponed> (minor issue; DoS)
        NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=708720
        NOTE: Fixed by: 
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=bdd5d241748807378a78a622388e0312332513c5
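Review bot: The new trixie and bookworm lines for CVE-2025-55780 give "(Minor issue)" while the existing bullseye line directly below them records "(minor issue; DoS)". Suggest carrying the impact class into the new lines as well, e.g. "(Minor issue; DoS)", so the three release tags for this null pointer dereference read consistently.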


=====================================
data/dsa-needed.txt
=====================================
@@ -84,6 +84,8 @@ tomcat10/oldstable (apo)
 --
 tomcat11/stable (apo)
 --
+valkey/stable
+--
 webkit2gtk (berto)
 --
 wordpress
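Review bot: The added "valkey/stable" entry has no claimant, and this commit touches no valkey entry in data/CVE/list, so the hunk gives no pointer to which issues the DSA is meant to cover. Suggest an indented note under the entry naming the CVEs, so whoever picks it up does not have to reconstruct the scope.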



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea6785e1430e961819c5600161a92791acd5eb6f
