Carlos Henrique Lima Melara pushed to branch master at Debian Security Tracker / security-tracker
Commits: 8a523acb by Carlos Henrique Lima Melara at 2026-01-13T21:56:19-03:00 Update NOTEs and mark CVE-2025-9086/curl as not affecting bookworm Upstream had initially the wrong commit marked as introducing the vulnerability, turns out samueloph discovered it was introduced much later and it doesn't affect bookworm and older. - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -47962,9 +47962,9 @@ CVE-2025-9086 (1. A cookie is set using the `secure` keyword for `https://target {DLA-4432-1} - curl 8.16.0~rc2-1 [trixie] - curl 8.14.1-2+deb13u1 - [bookworm] - curl <no-dsa> (Minor issue) + [bookworm] - curl <not-affected> (Vulnerable code introduced later) NOTE: https://curl.se/docs/CVE-2025-9086.html - NOTE: Introduced with: https://github.com/curl/curl/commit/f24dc09d209a2f91ca38d854f0c15ad93f3d7e2d (curl-7_31_0) + NOTE: Introduced with: https://github.com/curl/curl/commit/1aea05a6c2699e80c75936d58569851555acd603 (curl-8_13_0) NOTE: Fixed by: https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300 (rc-8_16_0-1) CVE-2025-10148 (curl's websocket code did not update the 32 bit mask pattern for each ...) - curl 8.16.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a523acb00860e336ed26a4b517816337c6ba26b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a523acb00860e336ed26a4b517816337c6ba26b You're receiving this email because of your account on salsa.debian.org.
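Review bot: The context line `{DLA-4432-1}` at the top of the CVE-2025-9086 entry stays in place while the bookworm line changes to `<not-affected> (Vulnerable code introduced later)`, and the commit message says the issue does not affect bookworm and older, so the entry now carries a DLA cross-reference next to data saying the vulnerable code arrived only with curl-8_13_0. Consider adding a NOTE that says how the DLA relates to the corrected introducing commit, or following up on the DLA side, so the two do not read as contradictory. Separately, the rewritten `NOTE: Introduced with:` line drops the earlier commit f24dc09d209a2f91ca38d854f0c15ad93f3d7e2d (curl-7_31_0) without trace; a one-line NOTE recording that upstream initially named that commit would help anyone comparing this entry against an older copy of the advisory.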
