Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
a3ed2fb4 by Salvatore Bonaccorso at 2025-11-07T10:35:20+01:00
Directly link the single commit from merges for CVE-2025-64336
- - - - -
ab619860 by Salvatore Bonaccorso at 2025-11-07T10:35:23+01:00
Consolidate formatting slightly
- - - - -
c24e2258 by Salvatore Bonaccorso at 2025-11-07T10:42:28+01:00
Link CVE-2025-58767 relating to CVE-2024-41123
>From upstream view the issue affects only 3.3.3 to 3.4.1. But it looks
the introducing commit (part of the CVE-2024-41123 fix) in 3.3.3 was
backported to older versions.
Make a link between the two CVEs.
Mark ruby2.7 as removed from unstable along as followup from
06a0c1361bbe ("CVE-2025-58767/ruby2.7: bullseye not-affected ->
postponed").
Thanks: Sylvain Beucler for spotting and raising the problem.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -11,8 +11,8 @@ CVE-2025-64336 (ClipBucket v5 is an open source video sharing
platform. In versi
CVE-2025-64329 (containerd is an open-source container runtime. Versions
1.7.28 and be ...)
- containerd <unfixed>
NOTE:
https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2
- NOTE:
https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df
(v2.2.0)
- NOTE:
https://github.com/containerd/containerd/commit/e5cb6ddb7a7730c24253a94d7fdb6bbe13dba6f7
(v1.7.29)
+ NOTE:
https://github.com/containerd/containerd/commit/a0d0f0ef68935338d2c710db164fa7820f692530
(v2.2.0)
+ NOTE:
https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750
(v1.7.29)
CVE-2025-64328 (FreePBX Endpoint Manager is a module for managing telephony
endpoints ...)
NOT-FOR-US: FreePBX Endpoint Manager
CVE-2025-64327 (ThinkDashboard is a self-hosted bookmark dashboard built with
Go and v ...)
@@ -17703,14 +17703,14 @@ CVE-2025-59304 (A directory traversal issue in
Swetrix Web Analytics API 3.1.1 b
CVE-2025-58767 (REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to
3.4.1 h ...)
- ruby3.3 <unfixed> (bug #1115655)
- ruby3.1 <not-affected> (Vulnerable code not present)
- - ruby2.7 <unfixed>
+ - ruby2.7 <removed>
[bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
- ruby-rexml <removed>
NOTE:
https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/
NOTE:
https://github.com/ruby/rexml/security/advisories/GHSA-c2f4-jgmc-q2r5
- NOTE:
https://github.com/ruby/rexml/commit/5859bdeac792687eaf93d8e8f0b7e3c1e2ed5c23
(v3.4.2)
- NOTE: Vulnerable code probably imported through CVE-2024-35176 and
CVE-2024-41123 backports
- NOTE: The core issue appears to be 'source.rb:IOSource.match' reading
the whole stream
+ NOTE: Fixed by:
https://github.com/ruby/rexml/commit/5859bdeac792687eaf93d8e8f0b7e3c1e2ed5c23
(v3.4.2)
+ NOTE: Introduced with:
https://github.com/ruby/rexml/commit/e2546e6ecade16b04c9ee528e5be8509fe16c2d6
(v3.3.3)
+ NOTE: Vulnerable code introduced via the fix for CVE-2024-41123.
CVE-2025-58766 (Dyad is a local AI app builder. A critical security
vulnerability has ...)
NOT-FOR-US: Dyad
CVE-2025-58432 (ZimaOS is a fork of CasaOS, an operating system for Zima
devices and x ...)
@@ -30635,8 +30635,8 @@ CVE-2025-55279 (This vulnerability exists in ZKTeco
WL20 due to hard-coded priva
CVE-2025-55163 (Netty is an asynchronous, event-driven network application
framework. ...)
- netty <unfixed> (bug #1111105)
NOTE:
https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4
- NOTE: Fixed by [1/2]
https://github.com/netty/netty/commit/be53dc3c9acd9af2e20d0c3c07cd77115a594cf1
(netty-4.1.124.Final)
- NOTE: Fixed by [2/2]
https://github.com/netty/netty/commit/009bd17b38a39fb1eecf9d22ea8ae8108afaac59
(netty-4.1.124.Final)
+ NOTE: Fixed by [1/2]:
https://github.com/netty/netty/commit/be53dc3c9acd9af2e20d0c3c07cd77115a594cf1
(netty-4.1.124.Final)
+ NOTE: Fixed by [2/2]:
https://github.com/netty/netty/commit/009bd17b38a39fb1eecf9d22ea8ae8108afaac59
(netty-4.1.124.Final)
CVE-2025-55160 (ImageMagick is free and open-source software used for editing
and mani ...)
- imagemagick 8:7.1.2.1+dfsg1-1 (bug #1111104; unimportant)
NOTE:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hgw-6x87-578x
@@ -143021,8 +143021,9 @@ CVE-2024-41123 (REXML is an XML toolkit for Ruby. The
REXML gem before 3.3.2 has
NOTE:
https://github.com/ruby/rexml/security/advisories/GHSA-r55c-59qm-vjw6
NOTE:
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/
NOTE: https://github.com/ruby/rexml/issues/232#issuecomment-2585211411
- NOTE: Fixed by commit [1/2]
https://github.com/ruby/rexml/commit/6cac15d45864c8d70904baa5cbfcc97181000960
(v3.3.3)
- NOTE: Fixed by commit [2/2]
https://github.com/ruby/rexml/commit/e2546e6ecade16b04c9ee528e5be8509fe16c2d6
(v3.3.3)
+ NOTE: Fixed by [1/2]:
https://github.com/ruby/rexml/commit/6cac15d45864c8d70904baa5cbfcc97181000960
(v3.3.3)
+ NOTE: Fixed by [2/2]:
https://github.com/ruby/rexml/commit/e2546e6ecade16b04c9ee528e5be8509fe16c2d6
(v3.3.3)
+ NOTE: The fix for CVE-2024-41123 introduces CVE-2025-58767.
CVE-2024-39839 (Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <=
9.7.5, 9. ...)
- mattermost-server <itp> (bug #823556)
CVE-2024-39837 (Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to
properly re ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/700ed577c13b9ed9816df8c7516530f5a9cdee02...c24e225896a7fba2b7949547e7ff2f7365ac1afd
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/700ed577c13b9ed9816df8c7516530f5a9cdee02...c24e225896a7fba2b7949547e7ff2f7365ac1afd
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
