Carlos Henrique Lima Melara pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9ab52126 by Carlos Henrique Lima Melara at 2026-01-14T19:18:58-03:00
Drop CVE-2025-9086/curl from DLA-4432-1 and mark bullseye not-affected

The vulnerability was initially assessed as introduced in a very old
version of curl, but it actually was introduced in 8.13.0 which is
newer than bookworm so it doesn't affect bullseye. The patch applied as
part of DLA-4432-1 does not cause any regressions and is at most a small
bugfix.

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -48737,10 +48737,10 @@ CVE-2025-10200 (Use after free in Serviceworker in 
Google Chrome on Desktop prio
        - chromium 140.0.7339.127-1
        [bullseye] - chromium <end-of-life> (see #1061268)
 CVE-2025-9086 (1. A cookie is set using the `secure` keyword for 
`https://target`   2 ...)
-       {DLA-4432-1}
        - curl 8.16.0~rc2-1
        [trixie] - curl 8.14.1-2+deb13u1
        [bookworm] - curl <not-affected> (Vulnerable code introduced later)
+       [bullseye] - curl <not-affected> (Vulnerable code introduced later)
        NOTE: https://curl.se/docs/CVE-2025-9086.html
        NOTE: Introduced with: 
https://github.com/curl/curl/commit/1aea05a6c2699e80c75936d58569851555acd603 
(curl-8_13_0)
        NOTE: Fixed by: 
https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300 
(rc-8_16_0-1, curl-8_16_0)
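
Review bot: With `{DLA-4432-1}` dropped and `[bullseye] - curl <not-affected> (Vulnerable code introduced later)` added, the CVE-2025-9086 entry no longer records that the upstream fix was nevertheless applied in the bullseye upload, which the commit message states. Consider adding a NOTE line beside the existing `Introduced with:` and `Fixed by:` notes saying that the patch was included in DLA-4432-1 even though the vulnerable code (introduced in curl-8_13_0) is not present in that version, so that someone comparing the DLA with the tracker does not reopen the question.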


=====================================
data/DLA/list
=====================================
@@ -20,7 +20,6 @@
        {CVE-2023-5349}
        [bullseye] - ruby-rmagick 2.16.0-7+deb11u1
 [04 Jan 2026] DLA-4432-1 curl - security update
-       {CVE-2025-9086}
        [bullseye] - curl 7.74.0-1.3+deb11u16
 [02 Jan 2026] DLA-4431-1 gimp - security update
        {CVE-2022-30067 CVE-2025-14422 CVE-2025-14425}
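
Review bot: After removing `{CVE-2025-9086}`, the DLA-4432-1 entry goes straight from its header line to `[bullseye] - curl 7.74.0-1.3+deb11u16` with no CVE cross-reference left, unlike the neighbouring DLA-4431-1 entry. If the advisory covered no other CVE, it is worth confirming that an entry without a `{...}` line is intended here, and the commit message could say whether the published advisory text will be corrected as well.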



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ab52126db12b14182d36dda188900b0a98cab49
