Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8ca5b5ac by Daniel Leidert at 2025-12-08T22:21:06+01:00
lts: mark pdns-recursor as EOL in Bullseye for new CVEs

- - - - -
5ce327a2 by Daniel Leidert at 2025-12-08T22:21:07+01:00
lts: add patch link for python-urllib3/CVE-2025-66471

- - - - -
a426bdc7 by Daniel Leidert at 2025-12-08T22:21:08+01:00
lts: add patch link for python-urllib3/CVE-2025-66418

- - - - -
7fa0203b by Daniel Leidert at 2025-12-08T22:21:08+01:00
dla: add python-urllib3

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -247,9 +247,11 @@ CVE-2025-12956 (A reflected Cross-site Scripting (XSS) 
vulnerability affecting E
        NOT-FOR-US: Dassault Systemes
 CVE-2025-59030 [Insufficient validation of incoming notifies over TCP can lead 
to a denial of service in Recursor]
        - pdns-recursor <unfixed> (bug #1122197)
+       [bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
        NOTE: 
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html
 CVE-2025-59029 [Internal logic flaw in cache management can lead to a denial 
of service in Recursor]
        - pdns-recursor <unfixed> (bug #1122196)
+       [bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
        NOTE: 
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html
 CVE-2025-66321 (Multi-thread race condition vulnerability in the camera 
framework modu ...)
        NOT-FOR-US: Huawei
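Review bot: the two added `[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)` lines cover only CVE-2025-59030 and CVE-2025-59029, while the sid lines directly above each remain `<unfixed>`; if the bullseye EOL decision is package-wide rather than per-CVE, any other open pdns-recursor entries elsewhere in data/CVE/list need the same annotation, otherwise they keep showing bullseye as affected. The `(see DSA 6045)` text is free-form, so it is worth confirming that the referenced DSA is the one announcing the dropped support rather than a fix, since readers will follow it expecting the EOL rationale.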
@@ -935,10 +937,12 @@ CVE-2025-66471 (urllib3 is a user-friendly HTTP client 
library for Python. Start
        - python-urllib3 <unfixed> (bug #1122029)
        NOTE: https://www.openwall.com/lists/oss-security/2025/12/05/4
        NOTE: 
https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37
+       NOTE: Fixed by: 
https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7
 (2.6.0)
 CVE-2025-66418 (urllib3 is a user-friendly HTTP client library for Python. 
Starting in ...)
        - python-urllib3 <unfixed> (bug #1122030)
        NOTE: https://www.openwall.com/lists/oss-security/2025/12/05/4
        NOTE: 
https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
+       NOTE: Fixed by: 
https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8
 (2.6.0)
 CVE-2025-65897 (zdh_web is a data collection, processing, monitoring, 
scheduling, and  ...)
        NOT-FOR-US: zdh_web
 CVE-2025-65879 (Warehouse Management System 1.2 contains an authenticated 
arbitrary fi ...)
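Review bot: the added `NOTE: Fixed by: ... (2.6.0)` lines record the upstream fix commits, but both package lines stay `- python-urllib3 <unfixed>` and nothing states whether those 2.6.0 commits apply to the versions shipped in bullseye or unstable; since the same push adds python-urllib3 to dla-needed.txt pending triage, a short note on backportability (or on the unstable upload status) next to the link would save the claimant re-deriving it from the commit diffs.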


=====================================
data/dla-needed.txt
=====================================
@@ -341,6 +341,10 @@ python-django (Chris Lamb)
 python-mechanize (dleidert)
   NOTE: 20251206: Added by Front-Desk. Avoid a regression from buster (rouca)
 --
+python-urllib3
+  NOTE: 20251208: Added by Front-Desk (dleidert)
+  NOTE: 20251208: wait for secteam's triage of CVE-2025-66418 and 
CVE-2025-66471 (dleidert/front-desk)
+--
 rails (rouca)
   NOTE: 20250105: Added by Front-Desk (apo)
   NOTE: 20250305: Utkarsh uploaded the CVE fixes to unstable via 
rails/7.2.2.1. (utkarsh)
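Review bot: the attribution tags on the two new NOTE lines differ, `(dleidert)` on the first and `(dleidert/front-desk)` on the second, while the neighbouring python-mechanize and rails entries use one tag form per note; pick one for consistency. Leaving the entry unassigned (no name after `python-urllib3`) is correct for a "wait for secteam's triage" state, but the second note could name which of CVE-2025-66418 and CVE-2025-66471 is the blocker once triage lands so the claimant knows what to check first.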



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2b9a0e078fe39955044db693747a0991840b8507...7fa0203b339069abf12e978de91681df9cea60ba



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits