Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8807afd8 by security tracker role at 2025-10-30T08:12:39+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,53 @@
+CVE-2025-9954 (Missing Authorization vulnerability in Drupal Acquia DAM allows
Forcef ...)
+ TODO: check
+CVE-2025-62257 (Password enumeration vulnerability in Liferay Portal 7.4.0
through 7.4 ...)
+ TODO: check
+CVE-2025-61959 (Prior to September 19, 2025, the Hospital Manager Backend
Services ret ...)
+ TODO: check
+CVE-2025-54549 (Cryptographic validation of upgrade images could be
circumventing by d ...)
+ TODO: check
+CVE-2025-54548 (On affected platforms, restricted users could view sensitive
portions ...)
+ TODO: check
+CVE-2025-54547 (On affected platforms, if SSH session multiplexing was
configured on t ...)
+ TODO: check
+CVE-2025-54546 (On affected platforms, restricted users could use SSH port
forwarding ...)
+ TODO: check
+CVE-2025-54545 (On affected platforms, a restricted user could break out of
the CLI sa ...)
+ TODO: check
+CVE-2025-54459 (Prior to September 19, 2025, the Hospital Manager Backend
Services exp ...)
+ TODO: check
+CVE-2025-12475 (The Blocksy Companion plugin for WordPress is vulnerable to
Stored Cro ...)
+ TODO: check
+CVE-2025-12466 (Authentication Bypass Using an Alternate Path or Channel
vulnerability ...)
+ TODO: check
+CVE-2025-12083 (Improper Neutralization of Input During Web Page Generation
('Cross-si ...)
+ TODO: check
+CVE-2025-12082 (Incorrect Authorization vulnerability in Drupal CivicTheme
Design Syst ...)
+ TODO: check
+CVE-2025-11906 (A vulnerability exists in Progress Flowmon versions prior
12.5.6 where ...)
+ TODO: check
+CVE-2025-11881 (The AppPresser \u2013 Mobile App Framework plugin for
WordPress is vul ...)
+ TODO: check
+CVE-2025-11627 (The Site Checkup Debug AI Troubleshooting with Wizard and Tips
for Eac ...)
+ TODO: check
+CVE-2025-11428
+ REJECTED
+CVE-2025-10931 (Improper Neutralization of Input During Web Page Generation
('Cross-si ...)
+ TODO: check
+CVE-2025-10930 (Cross-Site Request Forgery (CSRF) vulnerability in Drupal
Currency all ...)
+ TODO: check
+CVE-2025-10929 (Improper Validation of Consistency within Input vulnerability
in Drupa ...)
+ TODO: check
+CVE-2025-10928 (Improper Restriction of Excessive Authentication Attempts
vulnerabilit ...)
+ TODO: check
+CVE-2025-10927 (Improper Neutralization of Input During Web Page Generation
('Cross-si ...)
+ TODO: check
+CVE-2025-10926 (Improper Neutralization of Input During Web Page Generation
('Cross-si ...)
+ TODO: check
+CVE-2025-10636 (The NS Maintenance Mode for WP WordPress plugin through 1.3.1
does not ...)
+ TODO: check
+CVE-2025-10008 (The Translate WordPress and go Multilingual \u2013 Weglot
plugin for W ...)
+ TODO: check
CVE-2025-62503
- airflow <itp> (bug #819700)
CVE-2025-62402
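Review bot: the new descriptions for CVE-2025-11881 and CVE-2025-10008 (and for CVE-2025-62231 and CVE-2025-62230 further down) contain the literal escape sequences `\u2013` and `\u2019` in place of the en dash and the apostrophe; if that is the file content rather than a mail rendering artefact, the import step should decode the JSON string before writing data/CVE/list, since tracker tooling and text searches match on the literal characters. Otherwise the hunk has the expected shape: every new entry carries the `TODO: check` triage placeholder and CVE-2025-11428 is entered as `REJECTED` with no description.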
@@ -727,7 +777,7 @@ CVE-2025-40026 (In the Linux kernel, the following
vulnerability has been resolv
CVE-2025-40025 (In the Linux kernel, the following vulnerability has been
resolved: f ...)
- linux <unfixed>
NOTE:
https://git.kernel.org/linus/c18ecd99e0c707ef8f83cace861cbc3162f4fdf1 (6.18-rc1)
-CVE-2025-62231
+CVE-2025-62231 (A flaw was identified in the X.Org X server\u2019s X Keyboard
(Xkb) ex ...)
{DSA-6044-1 DLA-4353-1}
- xorg-server 2:21.1.20-1
- xwayland <unfixed>
@@ -736,7 +786,7 @@ CVE-2025-62231
NOTE:
https://lists.x.org/archives/xorg-announce/2025-October/003635.html
NOTE: Fixed by:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/475d9f49acd0e55bc0b089ed77f732ad18585470
NOTE: Fixed by:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/3baad99f9c15028ed8c3e3d8408e5ec35db155aa
(xorg-server-21.1.19)
-CVE-2025-62230
+CVE-2025-62230 (A flaw was discovered in the X.Org X server\u2019s X Keyboard
(Xkb) ex ...)
{DSA-6044-1 DLA-4353-1}
- xorg-server 2:21.1.20-1
- xwayland <unfixed>
@@ -747,7 +797,7 @@ CVE-2025-62230
NOTE: Fixed by:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/10c94238bdad17c11707e0bdaaa3a9cd54c504be
NOTE: Fixed by:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/865089ca70840c0f13a61df135f7b44a9782a175
(xorg-server-21.1.19)
NOTE: Fixed by:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/87fe2553937a99fd914ad0cde999376a3adc3839
(xorg-server-21.1.19)
-CVE-2025-62229
+CVE-2025-62229 (A flaw was found in the X.Org X server and Xwayland when
processing X1 ...)
{DSA-6044-1 DLA-4353-1}
- xorg-server 2:21.1.20-1
- xwayland <unfixed>
@@ -2085,10 +2135,12 @@ CVE-2025-10497 (GitLab has remediated an issue in
GitLab CE/EE affecting all ver
CVE-2025-11702 (GitLab has remediated an issue in EE affecting all versions
from 17.1 ...)
- gitlab <not-affected> (Specific to EE)
CVE-2025-59024
+ {DSA-6045-1}
- pdns-recursor 5.3.1-1 (bug #1118751)
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
NOTE:
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html
CVE-2025-59023
+ {DSA-6045-1}
- pdns-recursor 5.3.1-1 (bug #1118751)
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
NOTE:
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html
@@ -6487,7 +6539,7 @@ CVE-2025-10124 (The Booking Manager WordPress plugin
before 2.1.15 registers a
NOT-FOR-US: WordPress plugin
CVE-2016-15047 (AVTECH devices that include the CloudSetup.cgi management
endpoint are ...)
NOT-FOR-US: AVTECH
-CVE-2025-61724 [net/textproto: excessive CPU consumption in
Reader.ReadResponse]
+CVE-2025-61724 (The Reader.ReadResponse function constructs a response string
through ...)
- golang-1.25 1.25.2-1
- golang-1.24 1.24.8-1
[trixie] - golang-1.24 <no-dsa> (Minor issue)
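Review bot: replacing the bracketed working title `[net/textproto: excessive CPU consumption in Reader.ReadResponse]` with the truncated official text drops the package name from the entry line, and `Reader.ReadResponse` on its own does not say which Go package is affected. The issue link in the NOTE lines still identifies it, and the same rename happens in every Go hunk below (crypto/x509, net/http, encoding/asn1, net/url, encoding/pem, crypto/tls, net/mail), so consider preserving the bracketed title when the automatic update overwrites it, or at least confirming after the run that the `<no-dsa> (Minor issue)` assessment still reads as intended without the package hint.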
@@ -6499,7 +6551,7 @@ CVE-2025-61724 [net/textproto: excessive CPU consumption
in Reader.ReadResponse]
NOTE: https://github.com/golang/go/issues/75716
NOTE:
https://github.com/golang/go/commit/5d7a787aa2b486f77537eeaed9c38c940a7182b8
(go1.25.2)
NOTE:
https://github.com/golang/go/commit/a402f4ad285514f5f3db90516d72047d591b307a
(go1.24.8)
-CVE-2025-58183 [archive/tar: unbounded allocation when parsing GNU sparse map]
+CVE-2025-58183 (tar.Reader does not set a maximum size on the number of sparse
region ...)
- golang-1.25 1.25.2-1
- golang-1.24 1.24.8-1
[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6511,7 +6563,7 @@ CVE-2025-58183 [archive/tar: unbounded allocation when
parsing GNU sparse map]
NOTE: https://github.com/golang/go/issues/75677
NOTE:
https://github.com/golang/go/commit/2612dcfd3cb6dd73c76e14a24fe1a68e2708e4e3
(go1.25.2)
NOTE:
https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556
(go1.24.8)
-CVE-2025-58188 [crypto/x509: panic when validating certificates with DSA
public keys]
+CVE-2025-58188 (Validating certificate chains which contain DSA public keys
can cause ...)
- golang-1.25 1.25.2-1
- golang-1.24 1.24.8-1
[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6523,7 +6575,7 @@ CVE-2025-58188 [crypto/x509: panic when validating
certificates with DSA public
NOTE: https://github.com/golang/go/issues/75675
NOTE:
https://github.com/golang/go/commit/930ce220d052d632f0d84df5850c812a77b70175
(go1.25.2)
NOTE:
https://github.com/golang/go/commit/f9f198ab05e3282cbf6b13251d47d9141981e401
(go1.24.8)
-CVE-2025-58186 [net/http: lack of limit when parsing cookies can cause memory
exhaustion]
+CVE-2025-58186 (Despite HTTP headers having a default limit of 1MB, the number
of cook ...)
- golang-1.25 1.25.2-1
- golang-1.24 1.24.8-1
[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6535,7 +6587,7 @@ CVE-2025-58186 [net/http: lack of limit when parsing
cookies can cause memory ex
NOTE: https://github.com/golang/go/issues/75672
NOTE:
https://github.com/golang/go/commit/100c5a66802b5a895b1d0e5ed3b7918f899c4833
(go1.25.2)
NOTE:
https://github.com/golang/go/commit/c6b04dd33b0215f5deb83724661921842bf67607
(go1.24.8)
-CVE-2025-58185 [encoding/asn1: pre-allocating memory when parsing DER payload
can cause memory exhaustion]
+CVE-2025-58185 (Parsing a maliciously crafted DER payload could allocate large
amounts ...)
- golang-1.25 1.25.2-1
- golang-1.24 1.24.8-1
[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6547,7 +6599,7 @@ CVE-2025-58185 [encoding/asn1: pre-allocating memory when
parsing DER payload ca
NOTE: https://github.com/golang/go/issues/75671
NOTE:
https://github.com/golang/go/commit/e0f655bf3f96410f90756f49532bc6a1851855ca
(go1.25.2)
NOTE:
https://github.com/golang/go/commit/5c3d61c886f7ecfce9a6d6d3c97e6d5a8afb17d1
(go1.24.8)
-CVE-2025-47912 [net/url: insufficient validation of bracketed IPv6 hostnames]
+CVE-2025-47912 (The Parse function permits values other than IPv6 addresses to
be incl ...)
- golang-1.25 1.25.2-1
- golang-1.24 1.24.8-1
[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6559,7 +6611,7 @@ CVE-2025-47912 [net/url: insufficient validation of
bracketed IPv6 hostnames]
NOTE: https://github.com/golang/go/issues/75678
NOTE:
https://github.com/golang/go/commit/9fd3ac8a10272afd90312fef5d379de7d688a58e
(go1.25.2)
NOTE:
https://github.com/golang/go/commit/d6d2f7bf76718f1db05461cd912ae5e30d7b77ea
(go1.24.8)
-CVE-2025-61723 [encoding/pem: quadratic complexity when parsing some invalid
inputs]
+CVE-2025-61723 (The processing time for parsing some invalid inputs scales
non-linearl ...)
- golang-1.25 1.25.2-1
- golang-1.24 1.24.8-1
[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6571,7 +6623,7 @@ CVE-2025-61723 [encoding/pem: quadratic complexity when
parsing some invalid inp
NOTE: https://github.com/golang/go/issues/75676
NOTE:
https://github.com/golang/go/commit/90f72bd5001d0278949fab0b7a40f7d8c712979b
(go1.25.2)
NOTE:
https://github.com/golang/go/commit/74d4d836b91318a8764b94bc2b4b66ff599eb5f2
(go1.24.8)
-CVE-2025-58189 [crypto/tls: ALPN negotiation errors can contain arbitrary text]
+CVE-2025-58189 (When Conn.Handshake fails during ALPN negotiation the error
contains a ...)
- golang-1.25 1.25.2-1
- golang-1.24 1.24.8-1
[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6583,7 +6635,7 @@ CVE-2025-58189 [crypto/tls: ALPN negotiation errors can
contain arbitrary text]
NOTE: https://github.com/golang/go/issues/75652
NOTE:
https://github.com/golang/go/commit/205d0865958a6d2342939f62dfeaf47508101976
(go1.25.2)
NOTE:
https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9
(go1.24.8)
-CVE-2025-58187 [crypto/x509: quadratic complexity when checking name
constraints]
+CVE-2025-58187 (Due to the design of the name constraint checking algorithm,
the proce ...)
- golang-1.25 1.25.2-1
- golang-1.24 1.24.8-1
[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6595,7 +6647,7 @@ CVE-2025-58187 [crypto/x509: quadratic complexity when
checking name constraints
NOTE: https://github.com/golang/go/issues/75681
NOTE:
https://github.com/golang/go/commit/f0c69db15aae2eb10bddd8b6745dff5c2932e8f5
(go1.25.2)
NOTE:
https://github.com/golang/go/commit/f334417e71f8b078ad64035bddb6df7f8910da6c
(go1.24.8)
-CVE-2025-61725 [net/mail: excessive CPU consumption in ParseAddress]
+CVE-2025-61725 (The ParseAddress function constructeds domain-literal address
componen ...)
- golang-1.25 1.25.2-1
- golang-1.24 1.24.8-1
[trixie] - golang-1.24 <no-dsa> (Minor issue)
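Review bot: `constructeds` in the new CVE-2025-61725 description is a typo, but it comes from the upstream CVE record, which the automatic update mirrors verbatim (truncated at the `...`); the same holds for `could be circumventing by` in CVE-2025-54549 at the top of the patch. Neither should be hand-corrected in data/CVE/list, since the next automatic run would rewrite the line; leave them to an upstream correction.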
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8807afd8ecd65901c769fe685e203a12db5d9688
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits