Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0a74b1dc by Salvatore Bonaccorso at 2026-02-03T22:26:25+01:00
Update pdfminer tracking after separate CVE assignment for incomplete fix

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -215,7 +215,12 @@ CVE-2025-70758 (chetans9 core-php-admin-panel through 
commit a94a780d6 contains
 CVE-2025-70560 (Boltz 2.0.0 contains an insecure deserialization vulnerability 
in its  ...)
        - boltz <itp> (bug #1109350)
 CVE-2025-70559 (pdfminer.six before 20251230 contains an insecure 
deserialization vuln ...)
-       TODO: check
+       - pdfminer 20260107+dfsg-1
+       NOTE: 
https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-f83h-ghpp-7wcc
+       NOTE: https://github.com/pdfminer/pdfminer.six/pull/1172
+       NOTE: Proper fix by replacing pickle for SON for CMap storage.
+       NOTE: Fixed by: 
https://github.com/pdfminer/pdfminer.six/commit/41a247c2d66ea962823459403b828375ccc7bd33
 (20251230)
+       NOTE: CVE exists because of an incomplete fix for CVE-2025-64512
 CVE-2025-70311 (JEEWMS 1.0 is vulnerable to SQL Injection. Attackers can 
inject malici ...)
        NOT-FOR-US: JEEWMS
 CVE-2025-6397 (Improper Neutralization of Input During Web Page Generation 
(XSS or 'C ...)
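Review bot: the added line `NOTE: Proper fix by replacing pickle for SON for CMap storage.` looks like it carries a typo, `SON` for `JSON`, and reads more naturally as `replacing pickle with JSON for CMap storage`; since this wording is being moved here from the CVE-2025-64512 entry, this is the place to correct it. The rest of the block is consistent: the fixed version `20260107+dfsg-1` and the `Fixed by` commit dated (20251230) match the CVE description `before 20251230`, and the cross-reference `CVE exists because of an incomplete fix for CVE-2025-64512` is mirrored by the note added to that entry.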
@@ -33287,13 +33292,11 @@ CVE-2025-64518 (The CycloneDX core module provides a 
model representation of the
 CVE-2025-64513 (Milvus is an open-source vector database built for generative 
AI appli ...)
        NOT-FOR-US: Milvus
 CVE-2025-64512 (Pdfminer.six is a community maintained fork of the original 
PDFMiner,  ...)
-       {DSA-6062-1 DLA-4374-2 DLA-4374-1}
-       - pdfminer 20260107+dfsg-1 (bug #1120642)
+       {DSA-6062-1 DLA-4374-1}
+       - pdfminer 20221105+dfsg-1.1 (bug #1120642)
        NOTE: 
https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp
        NOTE: Fixed by: 
https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086
 (20251107)
-       NOTE: Initial fix incomplete: 
https://github.com/pdfminer/pdfminer.six/pull/1172
-       NOTE: Proper fix by replacing pickle for SON for CMap storage.
-       NOTE: Fixed by: 
https://github.com/pdfminer/pdfminer.six/commit/41a247c2d66ea962823459403b828375ccc7bd33
 (20251230)
+       NOTE: Initial fix incomplete resulting in CVE-2025-70559
 CVE-2025-64509 (Bugsink is a self-hosted error tracking tool. In versions 
prior to 2.0 ...)
        NOT-FOR-US: Bugsink
 CVE-2025-64508 (Bugsink is a self-hosted error tracking tool. In versions 
prior to 2.0 ...)
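Review bot: with `DLA-4374-2` dropped from the braces and the fixed version lowered from `20260107+dfsg-1` to `20221105+dfsg-1.1`, the remaining `NOTE: Fixed by:` line (commit b808ee05..., 20251107) now describes only the initial, incomplete fix; consider labelling it as such (for example `NOTE: Initial fix: https://...`) so a reader does not take it for the complete fix, which now lives under CVE-2025-70559 together with the 20251230 commit. It is also worth double-checking that `20221105+dfsg-1.1` is the upload that carries that 20251107 commit, since the fixed version for this entry was previously recorded as the later 20260107 upload.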


=====================================
data/DLA/list
=====================================
@@ -90,7 +90,7 @@
        {CVE-2024-47666 CVE-2025-37899 CVE-2025-38057 CVE-2025-38556 
CVE-2025-38593 CVE-2025-38678 CVE-2025-39805 CVE-2025-40083 CVE-2025-40211 
CVE-2025-40214 CVE-2025-40248 CVE-2025-40252 CVE-2025-40253 CVE-2025-40254 
CVE-2025-40257 CVE-2025-40258 CVE-2025-40259 CVE-2025-40261 CVE-2025-40262 
CVE-2025-40263 CVE-2025-40264 CVE-2025-40269 CVE-2025-40271 CVE-2025-40272 
CVE-2025-40273 CVE-2025-40275 CVE-2025-40277 CVE-2025-40278 CVE-2025-40279 
CVE-2025-40280 CVE-2025-40281 CVE-2025-40282 CVE-2025-40283 CVE-2025-40284 
CVE-2025-40285 CVE-2025-40286 CVE-2025-40288 CVE-2025-40292 CVE-2025-40293 
CVE-2025-40294 CVE-2025-40297 CVE-2025-40301 CVE-2025-40304 CVE-2025-40306 
CVE-2025-40308 CVE-2025-40309 CVE-2025-40312 CVE-2025-40313 CVE-2025-40314 
CVE-2025-40315 CVE-2025-40317 CVE-2025-40318 CVE-2025-40319 CVE-2025-40321 
CVE-2025-40322 CVE-2025-40323 CVE-2025-40324 CVE-2025-40331 CVE-2025-40341 
CVE-2025-40342 CVE-2025-40343 CVE-2025-40345 CVE-2025-40360 CVE-2025-40363 
CVE-2025-68168 CVE-2025-68171 CVE-2025-68173 CVE-2025-68176 CVE-2025-68177 
CVE-2025-68185 CVE-2025-68191 CVE-2025-68192 CVE-2025-68194 CVE-2025-68200 
CVE-2025-68204 CVE-2025-68214 CVE-2025-68217 CVE-2025-68218 CVE-2025-68220 
CVE-2025-68227 CVE-2025-68229 CVE-2025-68231 CVE-2025-68233 CVE-2025-68237 
CVE-2025-68238 CVE-2025-68241 CVE-2025-68244 CVE-2025-68245 CVE-2025-68246 
CVE-2025-68282 CVE-2025-68283 CVE-2025-68284 CVE-2025-68285 CVE-2025-68286 
CVE-2025-68287 CVE-2025-68288 CVE-2025-68289 CVE-2025-68290 CVE-2025-68295 
CVE-2025-68301 CVE-2025-68302 CVE-2025-68303 CVE-2025-68307 CVE-2025-68308 
CVE-2025-68310 CVE-2025-68312 CVE-2025-68321 CVE-2025-68327 CVE-2025-68328 
CVE-2025-68330 CVE-2025-68331 CVE-2025-68339 CVE-2025-68343 CVE-2025-68734}
        [bullseye] - linux-6.1 6.1.159-1~deb11u1
 [08 Jan 2026] DLA-4374-2 pdfminer - regression update
-       {CVE-2025-64512}
+       {CVE-2025-70559}
        [bullseye] - pdfminer 20200726-1+deb11u2
 [07 Jan 2026] DLA-4435-1 libsodium - security update
        {CVE-2025-69277}
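Review bot: reassigning `DLA-4374-2` from `{CVE-2025-64512}` to `{CVE-2025-70559}` matches the removal of `DLA-4374-2` from the CVE-2025-64512 braces in data/CVE/list, so the two files stay consistent. Since DLA-4374-2 is the regression update for the incomplete fix, the `DLA-4374-1` entry (outside the shown context) should still reference CVE-2025-64512 only, which the CVE/list change to `{DSA-6062-1 DLA-4374-1}` implies; a quick look at that entry would confirm it.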



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a74b1dc370e6a1560056f451eaea1bce1aee9ca



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
