Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
22384455 by Moritz Muehlenhoff at 2025-05-07T12:41:47+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -153,6 +153,7 @@ CVE-2025-47417 (Exposure of Sensitive Information to an 
Unauthorized Actor vulne
        NOT-FOR-US: Crestron Automate VX
 CVE-2025-47256 (Libxmp through 4.6.2 has a stack-based buffer overflow in 
depack_pha i ...)
        - libxmp <unfixed>
+       [bookworm] - libxmp <no-dsa> (Minor issue)
        NOTE: https://github.com/libxmp/libxmp/issues/847
        NOTE: https://github.com/libxmp/libxmp/pull/848
        NOTE: Fixed by: 
https://github.com/libxmp/libxmp/commit/004a102c5a75ad809fc309ff73ce8d0f9ab3e456
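Review bot: the new `[bookworm] - libxmp <no-dsa> (Minor issue)` line gives no reason why a stack-based buffer overflow with an already identified upstream fix (the "Fixed by:" commit 004a102c in the NOTE lines) does not warrant a DSA; the annotation would be easier to audit later if it said whether the fix is expected to reach bookworm through a point release, for example `(Minor issue; fix via point release)`.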
@@ -631,11 +632,10 @@ CVE-2024-42212 (HCL BigFix Compliance is affected by an 
improper or missing Same
 CVE-2024-11615 (The Envolve Plugin plugin for WordPress is vulnerable to 
arbitrary fil ...)
        NOT-FOR-US: WordPress plugin
 CVE-2025-47268 (ping in iputils through 20240905 allows a denial of service 
(applicati ...)
-       - iputils <unfixed> (bug #1104746)
-       [bookworm] - iputils <no-dsa> (Minor issue)
-       [bullseye] - iputils <postponed> (Minor issue, DoS)
+       - iputils <unfixed> (unimportant; bug #1104746)
        NOTE: https://github.com/iputils/iputils/issues/584
        NOTE: https://github.com/Zephkek/ping-rtt-overflow/
+       NOTE: Negligible security impact
 CVE-2025-43926 [ZSA-2025-07]
        [experimental] - znuny 6.5.15-1
        - znuny <unfixed> (bug #1104739)
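Review bot: the added `NOTE: Negligible security impact` only restates the new `(unimportant; ...)` tag on the iputils line without saying why the impact is negligible; since this hunk also drops the previous bookworm no-dsa and bullseye postponed lines, a short justification in the NOTE (what the denial of service is limited to, and why that does not cross the security boundary) would let a later reader verify the downgrade without re-reading the linked issue.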
@@ -2662,7 +2662,7 @@ CVE-2025-47153 (Certain build processes for libuv and 
Node.js for 32-bit systems
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=892601
        NOTE: https://github.com/nodejs/node-v0.x-archive/issues/4549
 CVE-2025-4056
-       - glib2.0 <not-affected> (Only affcts Glib on Windows)
+       - glib2.0 <not-affected> (Only affects Glib on Windows)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2362826
        NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/3668
        NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4570
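Review bot: the typo fix `affcts` to `affects` on the glib2.0 line is correct; while touching it, `Glib` could be spelled `GLib` to match the project's own name as used in the gitlab.gnome.org links below it.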
@@ -4520,6 +4520,7 @@ CVE-2023-43958 (An arbitrary file upload vulnerability in 
the component /jquery-
        NOT-FOR-US: Hospital Management System
 CVE-2023-43378 (A cross-site scripting (XSS) vulnerability in Hoteldruid 
v3.0.5 allows ...)
        - hoteldruid <unfixed> (bug #1104020)
+       [bookworm] - hoteldruid <no-dsa> (Minor issue)
        [bullseye] - hoteldruid <postponed> (minor bug; XSS)
        NOTE: 
https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-hoteldruid-version-3-0-5-via-commento1_1-post-parameter-44ff18cb61cd4a80bbba75d5e4360ee4
 CVE-2025-3856 (A vulnerability was found in xxyopen Novel-Plus 5.1.0. It has 
been cla ...)
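Review bot: the new `[bookworm] - hoteldruid <no-dsa> (Minor issue)` line and the existing `[bullseye] - hoteldruid <postponed> (minor bug; XSS)` line describe the same assessment in two different wordings; aligning the bookworm annotation with the bullseye one, e.g. `(Minor issue; XSS)`, keeps the vulnerability class visible in both suite entries.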
@@ -4664,10 +4665,12 @@ CVE-2025-43970 (An issue was discovered in GoBGP before 
3.35.0. pkg/packet/mrt/m
        NOTE: Fixed by: 
https://github.com/osrg/gobgp/commit/5153bafbe8dbe1a2f02a70bbf0365e98b80e47b0 
(v3.35.0)
 CVE-2025-43967 (libheif before 1.19.6 has a NULL pointer dereference in 
ImageItem_Grid ...)
        - libheif 1.19.7-1
+       [bookworm] - libheif <no-dsa> (Minor issue)
        NOTE: https://github.com/strukturag/libheif/issues/1455
        NOTE: Fixed by: 
https://github.com/strukturag/libheif/commit/6e35af7b0ff9fb6cc952a1539590d160db32f671
 (v1.19.6)
 CVE-2025-43966 (libheif before 1.19.6 has a NULL pointer dereference in 
ImageItem_iden ...)
        - libheif 1.19.7-1
+       [bookworm] - libheif <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/strukturag/libheif/commit/b38555387e4b5dcf036fe45b0c440aca19b7b69c
 (v1.19.6)
 CVE-2025-43964 (In LibRaw before 0.21.4, tag 0x412 processing in 
phase_one_correct in  ...)
        {DLA-4142-1}
@@ -7305,6 +7308,7 @@ CVE-2025-24948 (In JotUrl 2.0, passwords are sent via 
HTTP GET-type requests, po
 CVE-2025-24358 (gorilla/csrf provides Cross Site Request Forgery (CSRF) 
prevention mid ...)
        {DLA-4151-1}
        - golang-github-gorilla-csrf 1.7.2+ds1-2 (bug #1103584)
+       [bookworm] - golang-github-gorilla-csrf <no-dsa> (Minor issue)
        NOTE: 
https://github.com/gorilla/csrf/security/advisories/GHSA-rq77-p4h8-4crw
        NOTE: 
https://github.com/gorilla/csrf/commit/9dd6af1f6d30fc79fb0d972394deebdabad6b5eb 
(v1.7.3)
 CVE-2025-22903 (TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to 
contain a sta ...)
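Review bot: the golang-github-gorilla-csrf entry already carries `{DLA-4151-1}`, so bullseye received a security update for this CVE, yet the new bookworm line is `<no-dsa> (Minor issue)`; the differing severity assessment between the two suites is not explained, and the annotation should state why bookworm does not need a DSA (for example, that the fix is planned for a point release, or that the bookworm build is less exposed).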
@@ -7365,6 +7369,7 @@ CVE-2025-3588 (A vulnerability, which was classified as 
problematic, has been fo
        NOT-FOR-US: joelittlejohn jsonschema2pojo
 CVE-2025-3576 (A vulnerability in the MIT Kerberos implementation allows 
GSSAPI-prote ...)
        - krb5 1.21.2-1 (bug #1103525)
+       [bookworm] - krb5 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2359465
        NOTE: CVE relates to issues covered in:
        NOTE: 
https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf
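Review bot: the new `[bookworm] - krb5 <no-dsa> (Minor issue)` line sits next to a NOTE that links the CVE to the Black Hat paper on breaking the Kerberos RC4 cipher and spoofing Windows PACs, which reads as more than minor; a one-line reason in the annotation (which configuration or cipher the issue depends on, and why that limits impact) would reconcile the triage with the referenced material.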


=====================================
data/dsa-needed.txt
=====================================
@@ -26,6 +26,8 @@ gimp
 --
 jpeg-xl
 --
+libapache2-mod-auth-openidc
+--
 libreswan
   Waiting on feedback from maintainer
 --
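Review bot: `libapache2-mod-auth-openidc` is added to dsa-needed.txt without an indented status line, and no hunk in data/CVE/list in this commit references that package, so the entry cannot be cross-checked from the diff; an indented line naming the CVE id(s) being handled or the current status (as `libreswan` has with "Waiting on feedback from maintainer") would make the queue entry self-explanatory.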



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22384455d06b916bf10f977645fb4b831bdd1281

debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits