Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8eb3d474 by Moritz Muehlenhoff at 2025-11-16T20:16:16+01:00
bookworm/trixie triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -26,6 +26,7 @@ CVE-2025-12482 (The Booking for Appointments and Events 
Calendar \u2013 Amelia p
        NOT-FOR-US: WordPress plugin
 CVE-2025-13193 [libvirt-daemon: data leak for new offline snapshots]
        - libvirt <unfixed> (bug #1120119)
+       [trixie] - libvirt <no-dsa> (Minor issue)
        [bookworm] - libvirt <not-affected> (Vulnerable code introduced later)
        [bullseye] - libvirt <not-affected> (Vulnerable code introduced later)
        NOTE: Introduced after: 
https://gitlab.com/libvirt/libvirt/-/commit/9b94a9e8ab1de1a33fa97e0362b1e763b09d52c8
 (v9.7.0-rc1)
@@ -370,6 +371,8 @@ CVE-2025-64726 (Socket Firewall is an HTTP/HTTPS proxy 
server that intercepts pa
        NOT-FOR-US: Socket Firewall
 CVE-2025-64718 (js-yaml is a JavaScript YAML parser and dumper. In js-yaml 
4.1.0 and b ...)
        - node-js-yaml <unfixed> (bug #1120696)
+       [trixie] - node-js-yaml <no-dsa> (Minor issue)
+       [bookworm] - node-js-yaml <no-dsa> (Minor issue)
        NOTE: 
https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m
        NOTE: Fixed by: 
https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879
 (4.1.1)
 CVE-2025-64717 (ZITADEL is an open source identity management platform. 
Starting in ve ...)
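Review bot: the two added <no-dsa> lines for node-js-yaml give only "Minor issue", yet the NOTE lines directly below them already record the upstream fix commit (4.1.1). Since a targeted fix is known, consider a reason that also says the issue can be handled in a point release, so the entry is not read as "no action planned".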
@@ -581,6 +584,8 @@ CVE-2025-13121 (A security vulnerability has been detected 
in cameasy Liketea 1.
        NOT-FOR-US: cameasy Liketea
 CVE-2025-13120 (A vulnerability has been found in mruby up to 3.4.0. This 
vulnerabilit ...)
        - mruby <unfixed> (bug #1120796)
+       [trixie] - mruby <no-dsa> (Minor issue)
+       [bookworm] - mruby <no-dsa> (Minor issue)
        NOTE: https://github.com/mruby/mruby/issues/6649
        NOTE: Fixed by: 
https://github.com/mruby/mruby/commit/eb398971bfb43c38db3e04528b68ac9a7ce509bc
 CVE-2025-13119 (A flaw has been found in Fabian Ros/SourceCodester Simple 
E-Banking Sy ...)
@@ -934,6 +939,8 @@ CVE-2025-63927 (A heap-use-after-free vulnerability exists 
in airpig2011 IEC104
        NOT-FOR-US: airpig2011 IEC104
 CVE-2025-63811 (An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 
1.7.0 allow ...)
        - golang-github-dvsekhvalnov-jose2go <unfixed> (bug #1120701)
+       [trixie] - golang-github-dvsekhvalnov-jose2go <no-dsa> (Minor issue)
+       [bookworm] - golang-github-dvsekhvalnov-jose2go <no-dsa> (Minor issue)
        [bullseye] - golang-github-dvsekhvalnov-jose2go <postponed> (Limited 
support, minor issue, follow bookworm DSAs/point-releases)
        NOTE: https://github.com/dvsekhvalnov/jose2go/issues/33
 CVE-2025-63679 (free5gc v4.1.0 and before is vulnerable to Buffer Overflow. 
When AMF r ...)
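Review bot: the added [trixie] and [bookworm] lines use <no-dsa>, but this entry carries only an upstream issue link (jose2go/issues/33) and no "Fixed by" NOTE. If upstream has no fix yet, <postponed> with "revisit when fixed upstream", as used for busybox in this same commit, would be the more consistent state. The existing [bullseye] reason, "follow bookworm DSAs/point-releases", also depends on what bookworm ends up doing, so the bookworm reason should make that clear.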
@@ -964,10 +971,14 @@ CVE-2025-59118 (Unrestricted Upload of File with 
Dangerous Type vulnerability in
        NOT-FOR-US: Apache software not packaged in Debian
 CVE-2025-59089 (If an attacker causes kdcproxy to connect to an 
attacker-controlled KD ...)
        - python-kdcproxy <unfixed> (bug #1120702)
+       [trixie] - python-kdcproxy <no-dsa> (Minor issue)
+       [bookworm] - python-kdcproxy <no-dsa> (Minor issue)
        NOTE: https://github.com/latchset/kdcproxy/pull/68
        NOTE: Fixed by: 
https://github.com/latchset/kdcproxy/commit/c7675365aa20be11f03247966336c7613cac84e1
 CVE-2025-59088 (If kdcproxy receives a request for a realm which does not have 
server  ...)
        - python-kdcproxy <unfixed> (bug #1120702)
+       [trixie] - python-kdcproxy <no-dsa> (Minor issue)
+       [bookworm] - python-kdcproxy <no-dsa> (Minor issue)
        NOTE: https://github.com/latchset/kdcproxy/pull/68
        NOTE: Fixed by: 
https://github.com/latchset/kdcproxy/commit/1773f28eeea72ec6efcd433d3b66595c44d1253f
 CVE-2025-64503 (cups-filters contains backends, filters, and other software 
required t ...)
@@ -2273,6 +2284,8 @@ CVE-2025-63147 (Tenda AX3 V16.03.12.10_CN was discovered 
to contain a stack over
        NOT-FOR-US: Tenda
 CVE-2025-60876 (BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and 
other C0  ...)
        - busybox <unfixed> (bug #1120795)
+       [trixie] - busybox <postponed> (Minor issue, revisit when fixed 
upstream)
+       [bookworm] - busybox <postponed> (Minor issue, revisit when fixed 
upstream)
        [bullseye] - busybox <postponed> (Minor issue, revisit when fixed 
upstream)
        NOTE: 
https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092
 CVE-2025-56503 (An issue in Sublime HQ Pty Ltd Sublime Text 4 4200 allows 
authenticate ...)
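Review bot: the added <postponed> lines say "revisit when fixed upstream", but the only reference in this entry is a gist, so there is nothing upstream to watch. Adding a NOTE with the upstream bug report or commit, once one exists, would make the revisit condition checkable.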
@@ -3361,6 +3374,7 @@ CVE-2025-20289 (Multiple vulnerabilities in the web-based 
management interface o
        NOT-FOR-US: Cisco
 CVE-2025-12745 (A weakness has been identified in QuickJS up to 
eb2c89087def1829ed9963 ...)
        - quickjs <unfixed> (bug #1120268)
+       [trixie] - quickjs <no-dsa> (Minor issue)
        NOTE: https://github.com/bellard/quickjs/issues/451
        NOTE: 
https://github.com/bellard/quickjs/commit/c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea
 CVE-2025-12497 (The Premium Portfolio Features for Phlox theme plugin for 
WordPress is ...)
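Review bot: only a [trixie] line is added for quickjs, and the hunk shows no [bookworm] state at all. If bookworm ships quickjs, it needs its own line (<no-dsa>, or <not-affected> with the reason). Separately, the commit NOTE below the added line lacks the "Fixed by:" label used in the other entries, so it is unclear from the entry whether c6fe5a98 is the fix.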
@@ -224892,6 +224906,7 @@ CVE-2023-41863 (Unauth. Stored Cross-Site Scripting 
(XSS) vulnerability in Pepro
        NOT-FOR-US: WordPress plugin
 CVE-2023-41419 (An issue in Gevent before version 23.9.0 allows a remote 
attacker to e ...)
        - python-gevent 23.9.1-0.1
+       [bookworm] - python-gevent <no-dsa> (Minor issue)
        NOTE: https://github.com/gevent/gevent/issues/1989
        NOTE: Fixed by: 
https://github.com/gevent/gevent/commit/2f53c851eaf926767fbac62385615efd4886221c
 (23.9.0)
 CVE-2023-41303 (Command injection vulnerability in the distributed file system 
module. ...)
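Review bot: the added [bookworm] <no-dsa> line gives "Minor issue" for an entry whose description mentions a remote attacker, and the fix is already identified (upstream commit 2f53c851 in 23.9.0, unstable fixed at 23.9.1-0.1). A reason that states why bookworm's exposure is limited, or that the fix is suitable for a point release, would make the decision reviewable later.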



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8eb3d474b475548e8a9ea8aa3052a35ed0b0f062
