Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
24b9f521 by Sylvain Beucler at 2025-11-08T11:05:27+01:00
dla: drop sogo

Re-add when there's bookworm activity

- - - - -
da2a705a by Sylvain Beucler at 2025-11-08T11:05:30+01:00
dla: drop node-prismjs

1 no-dsa issue

- - - - -
66d1b782 by Sylvain Beucler at 2025-11-08T11:05:32+01:00
dla: drop node-axios

2 no-dsa issues

- - - - -
63e9ef03 by Sylvain Beucler at 2025-11-08T11:05:32+01:00
dla: drop knot-resolver

Only no-dsa and ignored CVEs; this was already the case at
591e4eaa3a81b4bf83881fb2bdbaf4b103259432, so not sure why it was added

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -21086,6 +21086,7 @@ CVE-2025-58754 (Axios is a promise based HTTP client 
for the browser and Node.js
        - node-axios 1.12.1+dfsg-1 (bug #1114963)
        [trixie] - node-axios <no-dsa> (Minor issue)
        [bookworm] - node-axios <no-dsa> (Minor issue)
+       [bullseye] - node-axios <postponed> (Minor issue)
        NOTE: 
https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj
        NOTE: https://github.com/axios/axios/pull/7011
        NOTE: 
https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593 
(v1.12.0)
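Review bot: the added `[bullseye] - node-axios <postponed> (Minor issue)` line reuses the one-word reason of the `<no-dsa>` lines for trixie and bookworm but with a different tag; since `<postponed>` means a fix is still expected in a later update while `<no-dsa>` does not, the reason should say what that later update is (for example "to be fixed along with other node-axios issues"), otherwise the entry reads as a no-dsa with the wrong tag, and it also contradicts the "2 no-dsa issues" commit message.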
@@ -80652,6 +80653,7 @@ CVE-2025-27518 (Cognita is a RAG (Retrieval Augmented 
Generation) Framework for
 CVE-2025-27152 (axios is a promise based HTTP client for the browser and 
node.js. The  ...)
        - node-axios 1.8.4+dfsg-1 (bug #1102223)
        [bookworm] - node-axios <no-dsa> (Minor issue)
+       [bullseye] - node-axios <postponed> (Minor issue)
        NOTE: 
https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6
        NOTE: Similar to: https://github.com/axios/axios/issues/6463 
(CVE-2024-39338)
 CVE-2025-26643 (The UI performs the wrong action in Microsoft Edge 
(Chromium-based) al ...)
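Review bot: the NOTE says this issue is "Similar to" CVE-2024-39338, yet the new `[bullseye] - node-axios <postponed> (Minor issue)` line does not say whether bullseye's status for CVE-2024-39338 is the same; a cross-reference in the reason text (or a matching tag on the older CVE) would make sure both get handled in the same postponed update instead of being re-triaged separately.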
@@ -82678,6 +82680,7 @@ CVE-2024-53382 (Prism (aka PrismJS) through 1.29.0 
allows DOM Clobbering (with r
        - node-prismjs 1.30.0+dfsg+~1.26.5-1 (bug #1099619)
        [trixie] - node-prismjs <no-dsa> (Minor issue)
        [bookworm] - node-prismjs <no-dsa> (Minor issue)
+       [bullseye] - node-prismjs <postponed> (Minor issue)
        NOTE: 
https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660
        NOTE: https://github.com/PrismJS/prism/issues/3864
        NOTE: https://github.com/PrismJS/prism/pull/3863 (v1.30.0)
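Review bot: the new `[bullseye] - node-prismjs <postponed> (Minor issue)` line gives no hint about feasibility, while the only fix reference above it is PR 3863 tagged (v1.30.0) and the fixed Debian version is 1.30.0+dfsg+~1.26.5-1; a short note on whether that PR applies to the bullseye version (or needs a backport) would save the next person from redoing that check when the postponed issue is picked up.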
@@ -134566,6 +134569,7 @@ CVE-2024-27364 (An issue was discovered in Mobile 
Processor, Wearable Processor
        NOT-FOR-US: Samsung
 CVE-2024-24510 (Cross Site Scripting vulnerability in Alinto SOGo before 
5.10.0 allows ...)
        - sogo 5.10.0-1
+       [bullseye] - sogo <postponed> (Follow bookworm updates)
        NOTE: Fixed by: 
https://github.com/Alinto/sogo/commit/21468700718ed71774eaf2979ee59330fc569424 
(SOGo-5.10.0)
 CVE-2023-50883 (ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an 
immediat ...)
        NOT-FOR-US: ONLYOFFICE Docs
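Review bot: the reason on `+       [bullseye] - sogo <postponed> (Follow bookworm updates)` points at bookworm, but this hunk carries no `[bookworm]` line for CVE-2024-24510, so the tracker itself does not show what bullseye is supposed to follow; adding an explicit bookworm entry (postponed or no-dsa, whichever applies) would make the dependency visible in the data rather than only in the "Re-add when there's bookworm activity" commit message.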


=====================================
data/dla-needed.txt
=====================================
@@ -156,11 +156,6 @@ jackson-core
   NOTE: 20250707: Added by Front-Desk (apo)
   NOTE: 20251016: A single patch is not possible to apply to fix the CVE. I'm 
working on backporting more than one.
 --
-knot-resolver
-  NOTE: 20240924: Added by Front-Desk (lamby)
-  NOTE: 20250506: Writting to upstream to get a PoC to reproduce open CVEs.
-  NOTE: 20250522: Processing some tips received by upstream to try to 
reproduce CVE. Still working on the patches.
---
 lasso (abhijith)
   NOTE: 20251108: Added by Front-Desk (Beuc)
   NOTE: 20251108: CVE-2025-47151 is a critical RCE (Beuc/front-desk)
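Review bot: the removed knot-resolver block still records in-progress work ("20250522: Processing some tips received by upstream ... Still working on the patches."), while the commit message says all its CVEs are no-dsa or ignored; dropping the entry silently loses that state, so the outcome (patches abandoned, or the affected CVEs retagged) should be noted in the corresponding data/CVE/list entries or in the commit message before the block goes.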
@@ -239,12 +234,6 @@ nagvis
 netty (rouca)
   NOTE: 20250814: Added by Front-Desk (lamby)
 --
-node-axios
-  NOTE: 20250308: Added by Front-Desk (rouca)
---
-node-prismjs
-  NOTE: 20250303: Added by Front-Desk (rouca)
---
 nova
   NOTE: 20250908: Added by Front-Desk (apo)
   NOTE: 20250908: See also watcher. Consider fixing postponed issues and sync
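Review bot: the two removed entries (node-axios, node-prismjs) carry only an "Added by Front-Desk" note and no triage outcome, and the commit messages ("2 no-dsa issues", "1 no-dsa issue") disagree with the `<postponed>` tags given to the same packages in the data/CVE/list hunks; listing the CVE ids that were assessed in the commit message would make this removal auditable later.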
@@ -341,11 +330,6 @@ samba
   NOTE: 20251102: hence it makes sense to sync with these distributions. 
(apo/front-desk)
   NOTE: 20251107: Upcoming trixie SPU 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119136 (Beuc/front-desk)
 --
-sogo
-  NOTE: 20240922: Added by Front-Desk (apo)
-  NOTE: 20240922: See also postponed issues.
-  NOTE: 20250609: Please take care of vulnerable embed js (rouca)
---
 squid (rouca)
   NOTE: 20251027: Added by Front-Desk (pochu)
 --
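Review bot: the removed sogo block includes an open request, "20250609: Please take care of vulnerable embed js (rouca)", that is not reflected anywhere else in this patch; since the commit message says the package will be re-added when there is bookworm activity, that note should be carried over (for example into the relevant sogo CVE entries) so the embedded-JavaScript concern is not forgotten in the meantime.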



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/98293eec01e2864ba4d7d95a0e6479213ea76a1f...63e9ef034af0f194567bfa906ea57fabd72bc426



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
