Sylvain Beucler pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
89edc562 by Sylvain Beucler at 2025-12-30T19:09:35+01:00
CVE-2025-14946/libnbd: bullseye not-affected
- - - - -
af28a8e5 by Sylvain Beucler at 2025-12-30T19:13:43+01:00
CVE-2025-67746/composer: bullseye postponed
- - - - -
aeda9962 by Sylvain Beucler at 2025-12-30T19:34:32+01:00
CVE-2025-2486/edk2: bullseye also has the CVE-2023-48733-related local patch
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2,6 +2,7 @@ CVE-2025-67746
- composer 2.9.3-1
[trixie] - composer <no-dsa> (Minor issue)
[bookworm] - composer <no-dsa> (Minor issue)
+ [bullseye] - composer <postponed> (Minor issue, terminal control
characters sanitization)
NOTE:
https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g
NOTE: Fixed by:
https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71
(2.9.3)
NOTE: Fixed by:
https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917
(2.2.26)
@@ -4338,6 +4339,7 @@ CVE-2025-14946 (A flaw was found in libnbd. A malicious
actor could exploit this
- libnbd 1.22.5-1
[trixie] - libnbd <no-dsa> (Minor issue)
[bookworm] - libnbd <not-affected> (Vulnerable code introduced later)
+ [bullseye] - libnbd <not-affected> (Vulnerable code introduced later)
NOTE: https://libguestfs.org/libnbd-release-notes-1.24.1.html#Security
NOTE:
https://lists.libguestfs.org/archives/list/[email protected]/thread/YZMBF3SJRWTRVT5L3KWSNHITFTRMQNTT/
NOTE: Fixed by:
https://gitlab.com/nbdkit/libnbd/-/commit/fffd87a3ba216cf2f9c212e5db96b13b98985edf
(v1.23.9)
@@ -14348,11 +14350,11 @@ CVE-2025-3747
CVE-2025-2486 (The Ubuntu edk2 UEFI firmware packages accidentally allowed the
UEFI S ...)
- edk2 2023.11-7
[bookworm] - edk2 2022.11-6+deb12u1
- [bullseye] - edk2 <postponed> (Can be piggyback'd with future DLA but
be careful about possible regression)
+ [bullseye] - edk2 2020.11-2+deb11u2
NOTE: https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797
NOTE: To address CVE-2023-48733 in Debian a local patch disabled the
built-in Shell
NOTE: when SecureBoot is enabled fixing CVE-2025-2486.
- NOTE: Be cautious of possible regression when backporting patches to
stable releases -
+ NOTE: Be cautious of possible regression when backporting patches to
stable releases
NOTE:
https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797/comments/9
CVE-2025-26155 (NCP Secure Enterprise Client 13.18 and NCP Secure Entry
Windows Client ...)
NOT-FOR-US: NCP
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/985d841546c34f02d6b862642e1fbd91dbee3aa1...aeda99629fe72d21c4da4b5d7cad9a2971975038
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/985d841546c34f02d6b862642e1fbd91dbee3aa1...aeda99629fe72d21c4da4b5d7cad9a2971975038
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
