Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
929c7d23 by Sylvain Beucler at 2026-06-13T13:16:01+02:00
bookworm EOL

Cf. https://lists.debian.org/debian-lts/2026/05/msg00037.html

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -41644,6 +41644,7 @@ CVE-2026-34178 (In Canonical LXD before 6.8, the backup 
import path validates pr
        - incus 6.0.6-3
        - lxd <removed>
        [trixie] - lxd 5.0.2+git20231211.1364ae4-9+deb13u5
+       [bookworm] - lxd <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://github.com/canonical/lxd/security/advisories/GHSA-q96j-3fmm-7fv4
        NOTE: https://github.com/canonical/lxd/pull/17921
        NOTE: https://github.com/lxc/incus/pull/3088
@@ -114457,6 +114458,7 @@ CVE-2025-59438 (Mbed TLS through 3.6.4 has an 
Observable Timing Discrepancy.)
        {DLA-4551-1}
        - mbedtls 3.6.5-0.1 (bug #1118752)
        [trixie] - mbedtls 3.6.5-0.1~deb13u1
+       [bookworm] - mbedtls <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-invalid-padding-error/
        NOTE: 
https://github.com/Mbed-TLS/mbedtls/commit/155de2ab775e77ab6fa81bf2b1e6e63768123bc1
 (mbedtls-3.6.5)
        NOTE: 
https://github.com/Mbed-TLS/mbedtls/commit/d179dc80a5b13189c79fe4531eacb28698a7a0e9
 (mbedtls-3.6.5)
@@ -114669,6 +114671,7 @@ CVE-2025-60781 (PHP Education Manager v1.0 is 
vulnerable to Cross Site Scripting
 CVE-2025-54764 (Mbed TLS before 3.6.5 allows a local timing attack against 
certain RSA ...)
        - mbedtls 3.6.5-0.1 (bug #1118750)
        [trixie] - mbedtls 3.6.5-0.1~deb13u1
+       [bookworm] - mbedtls <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-ssbleed-mstep/
 CVE-2025-26392 (SolarWinds Observability Self-Hosted is susceptible to SQL 
injection v ...)
        NOT-FOR-US: SolarWinds
@@ -143374,6 +143377,7 @@ CVE-2025-54573 (CVAT is an open source interactive 
video and image annotation to
 CVE-2025-54572 (The Ruby SAML library is for implementing the client side of a 
SAML au ...)
        {DLA-4288-1}
        - ruby-saml <removed>
+       [bookworm] - ruby-saml <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-rrqh-93c8-j966
        NOTE: https://github.com/SAML-Toolkits/ruby-saml/pull/770
        NOTE: Fixed by: 
https://github.com/SAML-Toolkits/ruby-saml/commit/fd2f532862b6453069d69d07a541e668609c2bbc
@@ -151347,10 +151351,12 @@ CVE-2023-50786 (Dradis through 4.16.0 allows 
referencing external images (resour
 CVE-2025-47917 (Mbed TLS before 3.6.4 allows a use-after-free in certain 
situations of ...)
        {DLA-4274-2 DLA-4274-1}
        - mbedtls 3.6.4-1 (bug #1108791)
+       [bookworm] - mbedtls <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-7.md
 CVE-2025-48965 (Mbed TLS before 3.6.4 has a NULL pointer dereference because 
mbedtls_a ...)
        {DLA-4274-1}
        - mbedtls 3.6.4-1 (bug #1108790)
+       [bookworm] - mbedtls <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-6.md
 CVE-2025-49087 (In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing 
discrepancy in  ...)
        - mbedtls 3.6.4-1 (bug #1108789)
@@ -151439,10 +151445,12 @@ CVE-2025-52718 (Improper Control of Generation of 
Code ('Code Injection') vulner
 CVE-2025-52497 (Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based 
buffer und ...)
        {DLA-4274-1}
        - mbedtls 3.6.4-1 (bug #1108786)
+       [bookworm] - mbedtls <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-2.md
 CVE-2025-52496 (Mbed TLS before 3.6.4 has a race condition in AESNI detection 
if certa ...)
        {DLA-4274-1}
        - mbedtls 3.6.4-1 (bug #1108785)
+       [bookworm] - mbedtls <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-1.md
 CVE-2025-50039 (Missing Authorization vulnerability in vgwort VG WORT METIS 
vgw-metis  ...)
        NOT-FOR-US: WordPress plugin
@@ -174521,6 +174529,7 @@ CVE-2024-12543 (User Enumeration and Data Integrity 
in Barcode functionality in
        NOT-FOR-US: OpenText
 CVE-2024-40446 (An issue in forkosh Mime Tex before v.1.77 allows an attacker 
to execu ...)
        - mimetex 1.76-6 (bug #1103801)
+       [bookworm] - mimetex <end-of-life> (EOL in bookworm LTS)
        NOTE: https://github.com/TaiYou-TW/CVE-2024-40445_CVE-2024-40446
 CVE-2024-40445 (A directory traversal vulnerability in forkosh Mime TeX before 
version ...)
        - mimetex <not-affected> (Only affects MimeTeX on Windows, cf bug 
#1105117)
@@ -188219,6 +188228,7 @@ CVE-2025-2104 (The Page Builder: Pagelayer \u2013 
Drag and Drop website builder
 CVE-2025-25293 (ruby-saml provides security assertion markup language (SAML) 
single si ...)
        {DLA-4115-1}
        - ruby-saml <removed> (bug #1100441)
+       [bookworm] - ruby-saml <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-92rq-c8cf-prrq
        NOTE: Vulnerability might be the result of an incomplete fix for a 
zipbomb attack.
        NOTE: https://github.com/SAML-Toolkits/ruby-saml/pull/383 (v1.12.0)
@@ -188232,6 +188242,7 @@ CVE-2025-25293 (ruby-saml provides security assertion 
markup language (SAML) sin
 CVE-2025-25292 (ruby-saml provides security assertion markup language (SAML) 
single si ...)
        {DLA-4115-1}
        - ruby-saml <removed> (bug #1100441)
+       [bookworm] - ruby-saml <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-754f-8gm6-c4r2
        NOTE: 
https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97
 (v1.18.0)
        NOTE: 
https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9
 (v1.12.4)
@@ -188239,6 +188250,7 @@ CVE-2025-25292 (ruby-saml provides security assertion 
markup language (SAML) sin
 CVE-2025-25291 (ruby-saml provides security assertion markup language (SAML) 
single si ...)
        {DLA-4115-1}
        - ruby-saml <removed> (bug #1100441)
+       [bookworm] - ruby-saml <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-4vc4-m8qh-g8jm
        NOTE: 
https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97
 (v1.18.0)
        NOTE: 
https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9
 (v1.12.4)
@@ -302163,6 +302175,7 @@ CVE-2024-25767 (nanomq 0.21.2 contains a 
Use-After-Free vulnerability in /nanomq
        NOT-FOR-US: NanoMQ
 CVE-2024-25763 (openNDS 10.2.0 is vulnerable to Use-After-Free via 
/openNDS/src/auth.c ...)
        - opennds 10.3.0+dfsg-0.1 (bug #1081792)
+       [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://github.com/LuMingYinDetect/openNDS_defects/blob/main/openNDS_detect_1.md
        NOTE: https://github.com/openNDS/openNDS/issues/600
        NOTE: https://github.com/openNDS/openNDS/issues/571
@@ -321676,10 +321689,12 @@ CVE-2023-42428 (Directory traversal vulnerability 
in CubeCart prior to 6.5.3 all
        NOT-FOR-US: CubeCart
 CVE-2023-41102 (An issue was discovered in the captive portal in OpenNDS 
before versio ...)
        - opennds 10.2.0+dfsg-1 (bug #1059452)
+       [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
        NOTE: 
https://github.com/openNDS/openNDS/commit/69dde77927b252e2a4347170504a785ac5d50c33
 (v10.1.3)
 CVE-2023-41101 (An issue was discovered in the captive portal in OpenNDS 
before versio ...)
        - opennds 10.2.0+dfsg-1 (bug #1059452)
+       [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
        NOTE: 
https://github.com/openNDS/openNDS/commit/69dde77927b252e2a4347170504a785ac5d50c33
 (v10.1.3)
 CVE-2023-40314 (Cross-site scripting in bootstrap.jsp in multiple versions of 
OpenNMS  ...)
@@ -321696,51 +321711,63 @@ CVE-2023-39544 (CLUSTERPRO X Ver5.1 and earlier and 
EXPRESSCLUSTER X 5.1 and ear
        NOT-FOR-US: CLUSTERPRO
 CVE-2023-38324 (An issue was discovered in OpenNDS before 10.1.2. It allows 
users to s ...)
        - opennds 10.2.0+dfsg-1 (bug #1059451)
+       [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
        NOTE: 
https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9
 (v10.1.2)
 CVE-2023-38323 (An issue was discovered in OpenNDS before 10.1.3. It fails to 
sanitize ...)
        - opennds 10.2.0+dfsg-1
+       [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
        NOTE: From v10 onwards, statuspath configuration value is urlencoded, 
marking first 10.x upload as fixed for sid
 CVE-2023-38322 (An issue was discovered in OpenNDS Captive Portal before 
version 10.1. ...)
        - opennds 10.2.0+dfsg-1 (bug #1059451)
+       [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
        NOTE: 
https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9
 (v10.1.2)
 CVE-2023-38321 (OpenNDS, as used in Sierra Wireless ALEOS before 4.17.0.12 and 
other p ...)
        - opennds 10.2.0+dfsg-1 (bug #1059451)
+       [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9
 (v10.1.2)
        NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
        NOTE: While not specifically listed in the commit message, this appears 
to be the same fix as for CVE-2023-38320/CVE-2023-38322
 CVE-2023-38320 (An issue was discovered in OpenNDS Captive Portal before 
version 10.1. ...)
        - opennds 10.2.0+dfsg-1 (bug #1059451)
+       [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
        NOTE: 
https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9
 (v10.1.2)
 CVE-2023-38319 (An issue was discovered in OpenNDS before 10.1.3. It fails to 
sanitize ...)
        - opennds 10.2.0+dfsg-1
+       [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
        NOTE: From v10 onwards, faskey configuration value is urlencoded, 
marking first 10.x upload as fixed for sid
 CVE-2023-38318 (An issue was discovered in OpenNDS before 10.1.3. It fails to 
sanitize ...)
        - opennds 10.2.0+dfsg-1
+       [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
        NOTE: From v10 onwards, gatewayfqdn configuration value is urlencoded, 
marking first 10.x upload as fixed for sid
 CVE-2023-38317 (An issue was discovered in OpenNDS before 10.1.3. It fails to 
sanitize ...)
        - opennds 10.2.0+dfsg-1
+       [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
        NOTE: From v10 onwards, gateway interface configuration value is 
urlencoded, marking first 10.x upload as fixed for sid
 CVE-2023-38316 (An issue was discovered in OpenNDS Captive Portal before 
version 10.1. ...)
        - opennds 10.2.0+dfsg-1 (bug #1059451)
+       [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
        NOTE: 
https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9
 (v10.1.2)
 CVE-2023-38315 (An issue was discovered in OpenNDS Captive Portal before 
version 10.1. ...)
        - opennds 10.2.0+dfsg-1 (bug #1059451)
+       [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
        NOTE: 
https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9
 (v10.1.2)
 CVE-2023-38314 (An issue was discovered in OpenNDS Captive Portal before 
version 10.1. ...)
        - opennds 10.2.0+dfsg-1 (bug #1059451)
+       [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
        NOTE: 
https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9
 (v10.1.2)
 CVE-2023-38313 (An issue was discovered in OpenNDS Captive Portal before 
10.1.2. it ha ...)
        - opennds 10.2.0+dfsg-1 (bug #1059451)
+       [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
        NOTE: 
https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
        NOTE: 
https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9
 (v10.1.2)
 CVE-2023-38130 (Cross-site request forgery (CSRF) vulnerability in CubeCart 
prior to 6 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/929c7d23809e1e892513c78539bec8832ea8e20a

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/929c7d23809e1e892513c78539bec8832ea8e20a
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to