Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a431e9cc by Markus Koschany at 2025-11-02T23:09:17+01:00
CVE-2025-62725,docker-compose: bullseye is not affected

Support for remote OCI artifacts was added in version 2.22
https://github.com/docker/compose/commit/e0f39ebbef094480660bf4f82b945b145d47ff26

- - - - -
ca129454 by Markus Koschany at 2025-11-02T23:09:18+01:00
hdf5,bullseye: mark new issues as postponed

- - - - -
15e2b862 by Markus Koschany at 2025-11-02T23:09:18+01:00
Add samba to dla-needed.txt

- - - - -
bb1c79da by Markus Koschany at 2025-11-02T23:09:18+01:00
Add git-lfs to dla-needed.txt

- - - - -
843d70a4 by Markus Koschany at 2025-11-02T23:09:19+01:00
Add libwebsockets to dla-needed.txt

- - - - -
f8ecbbff by Markus Koschany at 2025-11-02T23:09:19+01:00
Add unbound to dla-needed.txt

- - - - -
7654e25c by Markus Koschany at 2025-11-02T23:09:20+01:00
Mark consul CVE as EOL for bullseye

- - - - -
1b3cd341 by Markus Koschany at 2025-11-02T23:09:21+01:00
Mark pdns-recursor CVE EOL for bullseye

- - - - -
44dd6fea by Markus Koschany at 2025-11-02T23:09:23+01:00
Mark golang-15 CVE as postponed for bullseye

Minor issues

- - - - -
e28d7a24 by Markus Koschany at 2025-11-02T23:09:24+01:00
CVE-2025-59530,golang-github-lucas-clemente-quic-go: bullseye is postponed

Minor issues

- - - - -
b9483bcc by Markus Koschany at 2025-11-02T23:09:26+01:00
CVE-2025-62611,aiomysql: bullseye is postponed

Minor issue

- - - - -
357b20bc by Markus Koschany at 2025-11-02T23:09:28+01:00
CVE-2025-11146,apt-cacher-ng: bullseye is postponed

Minor issue

- - - - -
b7444082 by Markus Koschany at 2025-11-02T23:09:29+01:00
CVE-2025-50950,audiofile: bullseye is postponed

Minor issue

- - - - -
857c54b9 by Markus Koschany at 2025-11-02T23:09:31+01:00
CVE-2025-50949,CVE-2025-50951,fontforge: bullseye is postponed

Minor issue

- - - - -
7c7fe581 by Markus Koschany at 2025-11-02T23:09:32+01:00
CVE-2025-11568,luksmeta: bullseye is postponed

Minor issue

- - - - -
2a4eaaf0 by Markus Koschany at 2025-11-02T23:09:34+01:00
CVE-2025-62875,opensmtpd: bullseye is postponed Minor issue - - - - - d5ee74be by Markus Koschany at 2025-11-02T23:09:35+01:00 CVE-2025-62672,rplay: bullseye is postponed Minor issue - - - - - 6e6e857b by Markus Koschany at 2025-11-02T23:09:37+01:00 CVE-2025-61783,social-auth-app-django: bullseye is postponed Minor issue - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -44,6 +44,7 @@ CVE-2025-62875 [Denial-of-Service via UNIX Domain Socket] - opensmtpd <unfixed> (bug #1119840) [trixie] - opensmtpd <no-dsa> (Minor issue) [bookworm] - opensmtpd <no-dsa> (Minor issue) + [bullseye] - opensmtpd <postponed> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2025/10/31/3 NOTE: https://github.com/OpenSMTPD/OpenSMTPD/commit/653abf00f5283a2d3247eb9aabf8987d1b2f0510 (7.8.0p0) NOTE: 270e23a6eb upstream (7.7.0p0) made major changes to the message parsing code @@ -1185,9 +1186,11 @@ CVE-2025-11705 (The Anti-Malware Security and Brute-Force Firewall plugin for Wo NOT-FOR-US: WordPress plugin CVE-2025-11375 (Consul and Consul Enterprise\u2019s (\u201cConsul\u201d) event endpoin ...) - consul <removed> + [bullseye] - consul <end-of-life> (bug #1057418) NOTE: https://discuss.hashicorp.com/t/hcsec-2025-28-consuls-event-endpoint-is-vulnerable-to-denial-of-service/76723 CVE-2025-11374 (Consul and Consul Enterprise\u2019s (\u201cConsul\u201d) key/value end ...) - consul <removed> + [bullseye] - consul <end-of-life> (bug #1057418) NOTE: https://discuss.hashicorp.com/t/hcsec-2025-29-consuls-kv-endpoint-is-vulnerable-to-denial-of-service/76724 CVE-2023-7320 (The WooCommerce plugin for WordPress is vulnerable to Sensitive Inform ...) NOT-FOR-US: WordPress plugin 
@@ -1601,6 +1604,7 @@ CVE-2025-62777 (Use of Hard-Coded Credentials issue exists in MZK-DP300N version NOT-FOR-US: MZK-DP300N CVE-2025-62725 (Docker Compose trusts the path information embedded in remote OCI comp ...) - docker-compose <unfixed> (bug #1119298) + [bullseye] - docker-compose <not-affected> (Vulnerable code was introduced later) NOTE: https://github.com/docker/compose/security/advisories/GHSA-gv8h-7v7w-r22q NOTE: Fixed by: https://github.com/docker/compose/commit/69bcb962bfb2ea53b41aa925333d356b577d6176 (v2.40.2) CVE-2025-62594 (ImageMagick is a software suite to create, edit, compose, or convert b ...) @@ -2823,17 +2827,20 @@ CVE-2025-50951 (FontForge v20230101 was discovered to contain a memory leak via - fontforge <unfixed> (bug #1118749) [trixie] - fontforge <no-dsa> (Minor issue) [bookworm] - fontforge <no-dsa> (Minor issue) + [bullseye] - fontforge <postponed> (Minor issue) NOTE: https://github.com/fontforge/fontforge/pull/5495 NOTE: Fixed by: https://github.com/fontforge/fontforge/commit/dcb6efb85030c4bee2f18c6e46c20561d1c77a2b (20251009) CVE-2025-50950 (Audiofile v0.3.7 was discovered to contain a NULL pointer dereference ...) - audiofile <unfixed> (bug #1118940) [trixie] - audiofile <no-dsa> (Minor issue) [bookworm] - audiofile <no-dsa> (Minor issue) + [bullseye] - audiofile <postponed> (Minor issue) NOTE: https://github.com/mpruett/audiofile/issues/66 CVE-2025-50949 (FontForge v20230101 was discovered to contain a memory leak via the co ...) - fontforge <unfixed> (bug #1118748) [trixie] - fontforge <no-dsa> (Minor issue) [bookworm] - fontforge <no-dsa> (Minor issue) + [bullseye] - fontforge <postponed> (Minor issue) NOTE: https://github.com/fontforge/fontforge/pull/5491 NOTE: Fixed by: https://github.com/fontforge/fontforge/commit/da98987fa8c896fce9a7813923f4f1c75b0d8cd3 (20251009) CVE-2025-48430 (Uncaught Exception (CWE-248) in the Command Centre Server allows an Au ...) 
@@ -2916,11 +2923,13 @@ CVE-2025-59024 {DSA-6045-1} - pdns-recursor 5.3.1-1 (bug #1118751) [bookworm] - pdns-recursor <end-of-life> (see DSA 6045) + [bullseye] - pdns-recursor <end-of-life> (see DSA 6045) NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html CVE-2025-59023 {DSA-6045-1} - pdns-recursor 5.3.1-1 (bug #1118751) [bookworm] - pdns-recursor <end-of-life> (see DSA 6045) + [bullseye] - pdns-recursor <end-of-life> (see DSA 6045) NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html CVE-2025-9158 (The Request Tracker software is vulnerable to a Stored XSS vulnerabili ...) - request-tracker5 5.0.7+dfsg-5 @@ -2943,6 +2952,7 @@ CVE-2025-62611 (aiomysql is a library for accessing a MySQL database from the as - aiomysql 0.3.2-1 (bug #1118754) [trixie] - aiomysql <no-dsa> (Minor issue) [bookworm] - aiomysql <no-dsa> (Minor issue) + [bullseye] - aiomysql <postponed> (Minor issue) NOTE: https://github.com/aio-libs/aiomysql/security/advisories/GHSA-r397-ff8c-wv2g NOTE: https://github.com/aio-libs/aiomysql/pull/1044 NOTE: Fixed by: https://github.com/aio-libs/aiomysql/commit/32c4520dae3711367ded74a4726dcb8bb8919538 (v0.3.2) @@ -4451,6 +4461,7 @@ CVE-2025-62672 (rplay through 3.3.2 allows attackers to cause a denial of servic - rplay <unfixed> (bug #1118224) [trixie] - rplay <no-dsa> (Minor issue) [bookworm] - rplay <no-dsa> (Minor issue) + [bullseye] - rplay <postponed> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2025/10/17/3 NOTE: https://www.openwall.com/lists/oss-security/2025/10/18/4 CVE-2025-11939 (A vulnerability was determined in ChurchCRM up to 5.18.0. This issue a ...) 
@@ -5246,6 +5257,7 @@ CVE-2025-11568 (A data corruption vulnerability has been identified in the luksm - luksmeta 10-1 (bug #1118280) [trixie] - luksmeta <no-dsa> (Minor issue) [bookworm] - luksmeta <no-dsa> (Minor issue) + [bullseye] - luksmeta <postponed> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2404244 NOTE: https://github.com/latchset/luksmeta/pull/16 NOTE: Fixed by: https://github.com/latchset/luksmeta/commit/017998805ddf98a482bb02fc1d0a09343baab2ca (v10) @@ -6944,6 +6956,7 @@ CVE-2025-59530 (quic-go is an implementation of the QUIC protocol in Go. In vers - golang-github-lucas-clemente-quic-go 0.54.1-1 [trixie] - golang-github-lucas-clemente-quic-go <no-dsa> (Minor issue) [bookworm] - golang-github-lucas-clemente-quic-go <no-dsa> (Minor issue) + [bullseye] - golang-github-lucas-clemente-quic-go <postponed> (Minor issue) NOTE: https://github.com/quic-go/quic-go/security/advisories/GHSA-47m2-4cr7-mhcw NOTE: https://github.com/quic-go/quic-go/pull/5354 NOTE: Fixed by: https://github.com/quic-go/quic-go/commit/ce7c9ea8834b9d2ed79efa9269467f02c0895d42 (v0.55.0) @@ -7192,6 +7205,7 @@ CVE-2025-61783 (Python Social Auth is a social authentication/registration mecha - social-auth-app-django <unfixed> (bug #1117857) [trixie] - social-auth-app-django <no-dsa> (Minor issue) [bookworm] - social-auth-app-django <no-dsa> (Minor issue) + [bullseye] - social-auth-app-django <postponed> (Minor issue) NOTE: https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg NOTE: https://github.com/python-social-auth/social-app-django/issues/220 NOTE: https://github.com/python-social-auth/social-app-django/issues/231 
@@ -7334,6 +7348,7 @@ CVE-2025-61724 (The Reader.ReadResponse function constructs a response string th - golang-1.19 <removed> [bookworm] - golang-1.19 <no-dsa> (Minor issue) - golang-1.15 <removed> + [bullseye] - golang-1.15 <postponed> (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ NOTE: https://github.com/golang/go/issues/75716 NOTE: https://github.com/golang/go/commit/5d7a787aa2b486f77537eeaed9c38c940a7182b8 (go1.25.2) @@ -7346,6 +7361,7 @@ CVE-2025-58183 (tar.Reader does not set a maximum size on the number of sparse r - golang-1.19 <removed> [bookworm] - golang-1.19 <no-dsa> (Minor issue) - golang-1.15 <removed> + [bullseye] - golang-1.15 <postponed> (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ NOTE: https://github.com/golang/go/issues/75677 NOTE: https://github.com/golang/go/commit/2612dcfd3cb6dd73c76e14a24fe1a68e2708e4e3 (go1.25.2) @@ -7358,6 +7374,7 @@ CVE-2025-58188 (Validating certificate chains which contain DSA public keys can - golang-1.19 <removed> [bookworm] - golang-1.19 <no-dsa> (Minor issue) - golang-1.15 <removed> + [bullseye] - golang-1.15 <postponed> (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ NOTE: https://github.com/golang/go/issues/75675 NOTE: https://github.com/golang/go/commit/930ce220d052d632f0d84df5850c812a77b70175 (go1.25.2) @@ -7370,6 +7387,7 @@ CVE-2025-58186 (Despite HTTP headers having a default limit of 1MB, the number o - golang-1.19 <removed> [bookworm] - golang-1.19 <no-dsa> (Minor issue) - golang-1.15 <removed> + [bullseye] - golang-1.15 <postponed> (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ NOTE: https://github.com/golang/go/issues/75672 NOTE: https://github.com/golang/go/commit/100c5a66802b5a895b1d0e5ed3b7918f899c4833 (go1.25.2) 
@@ -7382,6 +7400,7 @@ CVE-2025-58185 (Parsing a maliciously crafted DER payload could allocate large a - golang-1.19 <removed> [bookworm] - golang-1.19 <no-dsa> (Minor issue) - golang-1.15 <removed> + [bullseye] - golang-1.15 <postponed> (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ NOTE: https://github.com/golang/go/issues/75671 NOTE: https://github.com/golang/go/commit/e0f655bf3f96410f90756f49532bc6a1851855ca (go1.25.2) @@ -7394,6 +7413,7 @@ CVE-2025-47912 (The Parse function permits values other than IPv6 addresses to b - golang-1.19 <removed> [bookworm] - golang-1.19 <no-dsa> (Minor issue) - golang-1.15 <removed> + [bullseye] - golang-1.15 <postponed> (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ NOTE: https://github.com/golang/go/issues/75678 NOTE: https://github.com/golang/go/commit/9fd3ac8a10272afd90312fef5d379de7d688a58e (go1.25.2) @@ -7406,6 +7426,7 @@ CVE-2025-61723 (The processing time for parsing some invalid inputs scales non-l - golang-1.19 <removed> [bookworm] - golang-1.19 <no-dsa> (Minor issue) - golang-1.15 <removed> + [bullseye] - golang-1.15 <postponed> (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ NOTE: https://github.com/golang/go/issues/75676 NOTE: https://github.com/golang/go/commit/90f72bd5001d0278949fab0b7a40f7d8c712979b (go1.25.2) @@ -7418,6 +7439,7 @@ CVE-2025-58189 (When Conn.Handshake fails during ALPN negotiation the error cont - golang-1.19 <removed> [bookworm] - golang-1.19 <no-dsa> (Minor issue) - golang-1.15 <removed> + [bullseye] - golang-1.15 <postponed> (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ NOTE: https://github.com/golang/go/issues/75652 NOTE: https://github.com/golang/go/commit/205d0865958a6d2342939f62dfeaf47508101976 (go1.25.2) 
@@ -7430,6 +7452,7 @@ CVE-2025-58187 (Due to the design of the name constraint checking algorithm, the - golang-1.19 <removed> [bookworm] - golang-1.19 <no-dsa> (Minor issue) - golang-1.15 <removed> + [bullseye] - golang-1.15 <postponed> (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ NOTE: https://github.com/golang/go/issues/75681 NOTE: https://github.com/golang/go/commit/f0c69db15aae2eb10bddd8b6745dff5c2932e8f5 (go1.25.2) @@ -7442,6 +7465,7 @@ CVE-2025-61725 (The ParseAddress function constructeds domain-literal address co - golang-1.19 <removed> [bookworm] - golang-1.19 <no-dsa> (Minor issue) - golang-1.15 <removed> + [bullseye] - golang-1.15 <postponed> (Minor issue) NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ NOTE: https://github.com/golang/go/issues/75680 NOTE: https://github.com/golang/go/commit/6a057327cf9a405e6388593dd4aedc0d0da77092 (go1.25.2) @@ -12094,6 +12118,7 @@ CVE-2025-11147 (Reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. Th CVE-2025-11146 (Reflected Cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vuln ...) - apt-cacher-ng 3.7.5-1 [bookworm] - apt-cacher-ng <no-dsa> (Minor issue) + [bullseye] - apt-cacher-ng <postponed> (Minor issue) NOTE: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-apt-cacher-ng NOTE: https://salsa.debian.org/blade/apt-cacher-ng/-/commit/b03d9a3ab326aad2538f42d2831b3114b830912b (upstream/3.7.5) CVE-2025-10346 (HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a sto ...) 
@@ -40477,6 +40502,7 @@ CVE-2025-7067 (A vulnerability classified as problematic was found in HDF5 1.14. - hdf5 <unfixed> (bug #1108886) [trixie] - hdf5 <no-dsa> (Minor issue) [bookworm] - hdf5 <no-dsa> (Minor issue) + [bullseye] - hdf5 <postponed> (Minor issue) NOTE: https://github.com/HDFGroup/hdf5/issues/5577 NOTE: https://github.com/HDFGroup/hdf5/pull/5815 NOTE: https://github.com/HDFGroup/hdf5/commit/ea4b483d981b1c73ba2b8185c544565e4b05ae0e @@ -42331,6 +42357,7 @@ CVE-2025-6816 (A vulnerability classified as problematic was found in HDF5 1.14. - hdf5 <unfixed> (bug #1108482) [trixie] - hdf5 <no-dsa> (Minor issue) [bookworm] - hdf5 <no-dsa> (Minor issue) + [bullseye] - hdf5 <postponed> (Minor issue) NOTE: https://github.com/HDFGroup/hdf5/issues/5571 NOTE: https://github.com/HDFGroup/hdf5/pull/5829 NOTE: https://github.com/HDFGroup/hdf5/commit/29c847a43db0cdc85b01cafa5a7613ea73932675 @@ -42774,6 +42801,7 @@ CVE-2025-6750 (A vulnerability, which was classified as problematic, has been fo - hdf5 <unfixed> (bug #1108409) [trixie] - hdf5 <no-dsa> (Minor issue) [bookworm] - hdf5 <no-dsa> (Minor issue) + [bullseye] - hdf5 <postponed> (Minor issue) NOTE: https://github.com/HDFGroup/hdf5/issues/5549 NOTE: https://github.com/HDFGroup/hdf5/pull/5856 NOTE: https://github.com/HDFGroup/hdf5/commit/86149a098837a37b2513746e9baf84010f75fb54 
@@ -72387,11 +72415,13 @@ CVE-2025-2926 (A vulnerability was found in HDF5 up to 1.14.6 and classified as - hdf5 <unfixed> (bug #1103531) [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) + [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://github.com/HDFGroup/hdf5/issues/5384 CVE-2025-2925 (A vulnerability has been found in HDF5 up to 1.14.6 and classified as ...) - hdf5 <unfixed> (bug #1103532) [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) + [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://github.com/HDFGroup/hdf5/issues/5383 NOTE: https://github.com/HDFGroup/hdf5/pull/5739 NOTE: https://github.com/HDFGroup/hdf5/commit/4310c19608455c17a213383d07715efb2918defc @@ -72399,6 +72429,7 @@ CVE-2025-2924 (A vulnerability, which was classified as problematic, was found i - hdf5 <unfixed> (bug #1103533) [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) + [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://github.com/HDFGroup/hdf5/issues/5382 NOTE: https://github.com/HDFGroup/hdf5/pull/5814 NOTE: https://github.com/HDFGroup/hdf5/commit/0a57195ca67d278f1cf7d01566c121048e337a59 
@@ -72406,6 +72437,7 @@ CVE-2025-2923 (A vulnerability, which was classified as problematic, has been fo - hdf5 <unfixed> (bug #1103534) [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) + [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://github.com/HDFGroup/hdf5/issues/5381 NOTE: https://github.com/HDFGroup/hdf5/pull/5829 NOTE: https://github.com/HDFGroup/hdf5/commit/29c847a43db0cdc85b01cafa5a7613ea73932675 
@@ -72425,22 +72457,26 @@ CVE-2025-2915 (A vulnerability classified as problematic was found in HDF5 up to - hdf5 <unfixed> (bug #1103536) [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) + [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://github.com/HDFGroup/hdf5/issues/5380 CVE-2025-2914 (A vulnerability classified as problematic has been found in HDF5 up to ...) - hdf5 <unfixed> (bug #1103537) [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) + [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://github.com/HDFGroup/hdf5/issues/5379 NOTE: https://github.com/HDFGroup/hdf5/pull/5722 CVE-2025-2913 (A vulnerability was found in HDF5 up to 1.14.6. It has been rated as c ...) - hdf5 <unfixed> (bug #1103538) [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) + [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://github.com/HDFGroup/hdf5/issues/5376 CVE-2025-2912 (A vulnerability was found in HDF5 up to 1.14.6. It has been declared a ...) - hdf5 <unfixed> (bug #1103539) [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) + [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://github.com/HDFGroup/hdf5/issues/5370 CVE-2025-2911 (Unauthorised access to the call forwarding service system in MeetMe pr ...) NOT-FOR-US: MeetMe 
@@ -76750,16 +76786,19 @@ CVE-2025-2310 (A vulnerability was found in HDF5 1.14.6 and classified as critic - hdf5 <unfixed> (bug #1103540) [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) + [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://github.com/madao123123/crash_report/blob/main/hdf5_poc/hdf5_poc4.md CVE-2025-2309 (A vulnerability has been found in HDF5 1.14.6 and classified as critic ...) - hdf5 <unfixed> (bug #1103541) [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) + [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://github.com/madao123123/crash_report/blob/main/hdf5_poc/hdf5_poc3.md CVE-2025-2308 (A vulnerability, which was classified as critical, was found in HDF5 1 ...) - hdf5 <unfixed> (bug #1103542) [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) + [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://github.com/madao123123/crash_report/blob/main/hdf5_poc/hdf5_poc2.md CVE-2025-2295 (EDK2 contains a vulnerability in BIOS where a user may cause an Intege ...) - edk2 2025.02-4 (bug #1100594) 
@@ -78275,6 +78314,7 @@ CVE-2025-2153 (A vulnerability, which was classified as critical, was found in H - hdf5 <unfixed> (bug #1100440) [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) + [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://github.com/HDFGroup/hdf5/issues/5329 NOTE: https://github.com/HDFGroup/hdf5/pull/5795 NOTE: https://github.com/HDFGroup/hdf5/commit/38954615fc079538aa45d48097625a6d76aceef0 ===================================== data/dla-needed.txt ===================================== @@ -102,6 +102,10 @@ freeimage NOTE: 20240922: Many postponed CVE. NOTE: 20241202: still WIP (santiago) -- +git-lfs + NOTE: 20251102: Added by Front-Desk (apo) + NOTE: 20251102: Fix may be partial due to git < 2.42 in bullseye. +-- golang-github-gorilla-csrf NOTE: 20250422: Added by Front-Desk (rouca) NOTE: 20250422: Need to binNMU reverse depends (in that order): golang-github-alecthomas-chroma, golang-github-niklasfasching-go-org, golang-github-yuin-goldmark-highlighting, hugo (rouca) @@ -188,6 +192,9 @@ libsoup2.4 NOTE: 20250520: seems sensible. Or maybe someone else will have more luck NOTE: 20250520: than me with getting the backported tests to run. (spwhitton) -- +libwebsockets + NOTE: 20251102: Added by Front-Desk (apo) +-- libxmltok NOTE: 20250421: Added by Front-Desk (ta) NOTE: 20250421: Also review all other expat CVEs. (bunk) @@ -301,6 +308,11 @@ rails NOTE: 20250621: rails DSA uploaded the last 6.1 release before EOL (2024-11) NOTE: 20250621: 6.0 branch is EOL (2023-06) so all open CVEs need individual backport (Beuc) -- +samba + NOTE: 20251102: Added by Front-Desk (apo) + NOTE: 20251102: Minor issue, but fixes are proposed for bookworm onwards + NOTE: 20251102: hence it makes sense to sync with these distributions. +-- sogo NOTE: 20240922: Added by Front-Desk (apo) NOTE: 20240922: See also postponed issues. 
@@ -324,6 +336,9 @@ trafficserver NOTE: 20250403: There are multiple new CVEs. But none of them is addresses in Sid and maintainers didn't reply to me last time (dleidert) NOTE: 20250405: DSA 5896-1 is out (Beuc/front-desk) -- +unbound + NOTE: 20251102: Added by Front-Desk (apo) +-- watcher NOTE: 20250908: Added by Front-Desk (apo) NOTE: 20250908: See also nova. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5f166b41ed76d509efc4dad771897b36baff01bd...6e6e857b45c02bf6b5ce36dab8814414dcfdc63b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5f166b41ed76d509efc4dad771897b36baff01bd...6e6e857b45c02bf6b5ce36dab8814414dcfdc63b You're receiving this email because of your account on salsa.debian.org.
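Review bot: the new bullseye line for CVE-2025-62725 in the data/CVE/list hunk at @@ -1601 gives the reason "Vulnerable code was introduced later" without recording where that code was introduced; the commit message cites the upstream commit that added remote OCI artifact support in 2.22 (https://github.com/docker/compose/commit/e0f39ebbef094480660bf4f82b945b145d47ff26), so adding it as a NOTE line next to the existing "NOTE: Fixed by:" entry would make the not-affected decision verifiable from data/CVE/list alone.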
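Review bot: in the hdf5 hunks at @@ -72387, @@ -72399, @@ -72406 and @@ -78275, the added bullseye lines for CVE-2025-2925, CVE-2025-2924, CVE-2025-2923 and CVE-2025-2153 copy the annotation "(Minor issue, revisit when fixed upstream)" from the trixie/bookworm lines, yet each of those entries already carries a "NOTE: https://github.com/HDFGroup/hdf5/commit/..." fix reference; for these, the plain "(Minor issue)" wording used in the @@ -40477, @@ -42331 and @@ -42774 hunks (CVE-2025-7067, CVE-2025-6816, CVE-2025-6750) would describe the current upstream state more accurately and avoid a "revisit" marker that is already satisfied.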
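Review bot: the git-lfs entry added in the data/dla-needed.txt hunk at @@ -102 records "Fix may be partial due to git < 2.42 in bullseye" but names neither the CVE being tracked nor which part of the upstream fix depends on the newer git; a NOTE line with the CVE id and the specific dependency would let whoever picks up the entry decide between a partial backport and an alternative approach without redoing the analysis.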
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
