Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
5b44b89b by Moritz Muehlenhoff at 2025-12-07T17:06:37+01:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -350,12 +350,10 @@ CVE-2025-13682 (The Trail Manager plugin for WordPress is
vulnerable to Stored C
CVE-2025-13678 (The Thai Lottery Widget plugin for WordPress is vulnerable to
Stored C ...)
NOT-FOR-US: WordPress plugin
CVE-2025-13654 (A stack buffer overflow vulnerability exists in the buffer_get
functio ...)
- - duc 1.4.6-1 (bug #1122057)
- [trixie] - duc <no-dsa> (Minor issue)
- [bookworm] - duc <no-dsa> (Minor issue)
- [bullseye] - duc <postponed> (Minor issue)
+ - duc 1.4.6-1 (bug #1122057; unimportant)
NOTE: Fixed by:
https://github.com/zevv/duc/commit/8638c4365ffd9e1966bdef8af6339dbee8c17e66
(1.4.6)
NOTE:
https://hackingbydoing.wixsite.com/hackingbydoing/post/stack-buffer-overflow-in-duc
+ NOTE: Crash in CLI tool, no security impact
CVE-2025-13620 (The Wp Social Login and Register Social Counter plugin for
WordPress i ...)
NOT-FOR-US: WordPress plugin
CVE-2025-13614 (The Cool Tag Cloud plugin for WordPress is vulnerable to
Stored Cross- ...)
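Review bot: the rationale added in the new NOTE line ("Crash in CLI tool, no security impact") is thin next to the CVE text, which describes a stack buffer overflow in buffer_get; a short note on whether that path is reached with untrusted input (the arguments or files the tool reads) would record why the rating moved from per-release <no-dsa>/<postponed> to a single "unimportant" entry, so the next triager does not have to re-derive it from the upstream commit.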
@@ -396,6 +394,7 @@ CVE-2025-66571 (UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4
contain a PHP object inj
NOT-FOR-US: UNA CMS
CVE-2025-66564 (Sigstore Timestamp Authority is a service for issuing RFC 3161
timesta ...)
- golang-github-sigstore-timestamp-authority <unfixed> (bug #1122060)
+ [trixie] - golang-github-sigstore-timestamp-authority <no-dsa> (Minor
issue)
NOTE:
https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh
NOTE: Fixed by:
https://github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421
(v2.0.3)
CVE-2025-66563 (Monkeytype is a minimalistic and customizable typing test. In
25.49.0 ...)
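Review bot: only a [trixie] line is added for golang-github-sigstore-timestamp-authority while the unstable entry stays <unfixed> (bug #1122060); if the source package also exists in bookworm a matching [bookworm] line is needed, and if it does not, a brief NOTE saying so would make the absence deliberate rather than an omission. The NOTE already records the fix in v2.0.3, so the unstable entry can be closed against that version once the upload happens.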
@@ -428,6 +427,7 @@ CVE-2025-66509 (LaraDashboard is an all-In-one solution to
start a Laravel Appli
NOT-FOR-US: LaraDashboard
CVE-2025-66506 (Fulcio is a free-to-use certificate authority for issuing code
signing ...)
- golang-github-sigstore-fulcio <unfixed> (bug #1122059)
+ [trixie] - golang-github-sigstore-fulcio <no-dsa> (Minor issue)
NOTE:
https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw
NOTE: Fixed by:
https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a
(v1.8.3)
CVE-2025-66479 (Anthropic Sandbox Runtime is a lightweight sandboxing tool for
enforci ...)
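Review bot: same pattern as the timestamp-authority entry above, golang-github-sigstore-fulcio gets a [trixie] <no-dsa> line but no bookworm assessment; since both sigstore packages are being triaged together, confirm whether bookworm ships fulcio and add the corresponding line or a NOTE explaining its absence.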
@@ -633,6 +633,8 @@ CVE-2025-65806 (The E-POINT CMS eagle.gsam-1169.1 file
upload feature improperly
NOT-FOR-US: E-POINT CMS
CVE-2025-65637 (A denial-of-service vulnerability exists in
github.com/sirupsen/logrus ...)
- golang-logrus 1.9.3-1
+ [trixie] - golang-logrus <no-dsa> (Minor issue)
+ [bookworm] - golang-logrus <no-dsa> (Minor issue)
[bullseye] - golang-logrus <postponed> (Limited support, can be fixed
later - not serious enough to require an immediate update)
NOTE: https://github.com/mjuanxd/logrus-dos-poc
NOTE: https://github.com/sirupsen/logrus/issues/1370
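Review bot: the two new [trixie] and [bookworm] lines for golang-logrus carry only the generic "Minor issue" while the existing [bullseye] entry spells out why it can wait; reusing that reasoning, or pointing at upstream issue #1370 referenced in the NOTE, would keep the three release assessments consistent and self-explanatory.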
@@ -1213,8 +1215,14 @@ CVE-2025-12744 (A flaw was found in the ABRT
daemon\u2019s handling of user-supp
NOT-FOR-US: abrt is Red Hat / Fedora specific
CVE-2025-12385 (Allocation of Resources Without Limits or Throttling, Improper
Validat ...)
- qt6-declarative <unfixed> (bug #1122054)
+ [trixie] - qt6-declarative <no-dsa> (Minor issue)
+ [bookworm] - qt6-declarative <no-dsa> (Minor issue)
- qtdeclarative-opensource-src <unfixed> (bug #1122055)
+ [trixie] - qtdeclarative-opensource-src <no-dsa> (Minor issue)
+ [bookworm] - qtdeclarative-opensource-src <no-dsa> (Minor issue)
- qtdeclarative-opensource-src-gles <unfixed> (bug #1122056)
+ [trixie] - qtdeclarative-opensource-src-gles <no-dsa> (Minor issue)
+ [bookworm] - qtdeclarative-opensource-src-gles <no-dsa> (Minor issue)
NOTE: https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239
NOTE: https://codereview.qt-project.org/c/qt/qtdeclarative/+/687766
CVE-2025-12358 (The ShopEngine Elementor WooCommerce Builder Addon plugin for
WordPres ...)
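Review bot: all three qtdeclarative source packages (qt6-declarative, qtdeclarative-opensource-src, qtdeclarative-opensource-src-gles) receive identical [trixie]/[bookworm] <no-dsa> lines, yet the unstable entries remain <unfixed> with no fixed-version information; the NOTE lines point at the two Gerrit reviews, so once those land it would help to record the upstream release they ship in, and to state whether the Qt5 branches (the -opensource-src packages) actually receive the same change or only the Qt6 one.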
=====================================
data/dsa-needed.txt
=====================================
@@ -63,10 +63,12 @@ ruby-saml/oldstable
--
runc
--
-sogo/oldstable
+sogo
--
sympa/oldstable
--
+tika
+--
tomcat10/oldstable (apo)
--
tomcat11/stable (apo)
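Review bot: changing "sogo/oldstable" to a bare "sogo" widens the entry to every supported release; if stable is now also affected, a short reason in the entry or commit message would avoid it being read as an accidental suffix drop. The new "tika" entry also has no assignee in parentheses, unlike the neighbouring tomcat entries marked "(apo)"; that is fine for an unclaimed item, just worth confirming it is intentionally left open.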
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b44b89bbcee7f5b052fe3b108ba44e046194215
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits