Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4ff417a9 by Moritz Muehlenhoff at 2025-07-11T11:10:54+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -935,6 +935,7 @@ CVE-2025-7208 (A vulnerability was found in 9fans plan9port 
up to 9da5b44. It ha
        NOT-FOR-US: plan9port
 CVE-2025-7207 (A vulnerability, which was classified as problematic, was found 
in mru ...)
        - mruby <unfixed>
+       [bookworm] - mruby <no-dsa> (Minor issue)
        NOTE: https://github.com/mruby/mruby/issues/6509
        NOTE: 
https://github.com/mruby/mruby/commit/1fdd96104180cc0fb5d3cb086b05ab6458911bb9
 CVE-2025-7206 (A vulnerability, which was classified as critical, has been 
found in D ...)
@@ -1113,6 +1114,7 @@ CVE-2025-4674
        - golang-1.24 <unfixed>
        - golang-1.23 <unfixed>
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
        NOTE: https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
        NOTE: 
https://github.com/golang/go/commit/825eeee3f789a11231ce23a4836c74ec5e34bf2a 
(go1.24.5)
@@ -2491,11 +2493,13 @@ CVE-2025-7074 (A vulnerability classified as 
problematic has been found in verce
 CVE-2025-7070 (A vulnerability has been found in IROAD Dashcam Q9 up to 
20250624 and  ...)
        NOT-FOR-US: IROAD Dashcam Q9
 CVE-2025-7069 (A vulnerability, which was classified as problematic, was found 
in HDF ...)
-       - hdf5 <unfixed> (bug #1108884)
+       - hdf5 <unfixed> (bug #1108884; unimportant)
        NOTE: https://github.com/HDFGroup/hdf5/issues/5550
+       NOTE: Negligible security impact
 CVE-2025-7068 (A vulnerability, which was classified as problematic, has been 
found i ...)
-       - hdf5 <unfixed> (bug #1108885)
+       - hdf5 <unfixed> (bug #1108885; unimportant)
        NOTE: https://github.com/HDFGroup/hdf5/issues/5578
+       NOTE: Negligible security impact
 CVE-2025-53605 (The protobuf crate before 3.7.2 for Rust allows uncontrolled 
recursion ...)
        - rust-protobuf <unfixed> (bug #1103833)
        [bookworm] - rust-protobuf <no-dsa> (Minor issue)
@@ -2558,6 +2562,7 @@ CVE-2025-1735 [pgsql extension does not check for errors 
during escaping]
        NOTE: Fixed by: 
https://github.com/php/php-src/commit/9376aeef9f8ff81f2705b8016237ec3e30bdee44 
(php-8.1.33)
 CVE-2025-7067 (A vulnerability classified as problematic was found in HDF5 
1.14.6. Th ...)
        - hdf5 <unfixed> (bug #1108886)
+       [bookworm] - hdf5 <no-dsa> (Minor issue)
        NOTE: https://github.com/HDFGroup/hdf5/issues/5577
 CVE-2025-7066 (Jirafeau normally prevents browser preview for text files due 
to the p ...)
        NOT-FOR-US: Jirafeau
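Review bot: CVE-2025-7067 is tagged `[bookworm] - hdf5 <no-dsa> (Minor issue)` here, whereas the two neighbouring hdf5 issues in the previous hunk (CVE-2025-7069 and CVE-2025-7068) were downgraded to `unimportant` with a `NOTE: Negligible security impact`. If the different treatment is intentional, a one-line NOTE saying why this one does have security impact would help the next triager; otherwise consider the same `unimportant` marking for consistency.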
@@ -4937,6 +4942,7 @@ CVE-2025-29331 (An issue in MHSanaei 3x-ui before v.2.5.3 
and before allows a re
        NOT-FOR-US: MHSanaei 3x-ui
 CVE-2024-6174 (When a non-x86 platform is detected, cloud-init grants root 
access to  ...)
        - cloud-init 25.1.4-1 (bug #1108403)
+       [bookworm] - cloud-init <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/canonical/cloud-init/commit/f43937f0b462734eb9c76700491c18fe4133c8e1
 (25.1.3)
        NOTE: https://github.com/advisories/GHSA-w8g9-wp36-fchj
 CVE-2024-56915 (Netbox Community v4.1.7 and fixed in v.4.2.2 is vulnerable to 
Cross Si ...)
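Review bot: the new `[bookworm] - cloud-init <no-dsa> (Minor issue)` line for CVE-2024-6174 carries no rationale, while the visible description says cloud-init "grants root access" when a non-x86 platform is detected. A short NOTE line recording why this is considered minor for bookworm (the preconditions that limit its impact) would make the no-dsa decision reviewable later, as was done with the `Negligible security impact` notes on the hdf5 entries above.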
@@ -4945,6 +4951,7 @@ CVE-2024-52928 (Arc before 1.26.1 on Windows has a bypass 
issue in the site sett
        NOT-FOR-US: Arc Browser
 CVE-2024-11584 (cloud-initthrough 25.1.2 includes the systemd socket 
unitcloud-init-ho ...)
        - cloud-init 25.1.4-1 (bug #1108402)
+       [bookworm] - cloud-init <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/canonical/cloud-init/commit/4839736429e9057a309ccd835cb3159fb51b1353
 (25.1.3)
        NOTE: https://github.com/canonical/cloud-init/pull/6265
        NOTE: https://github.com/advisories/GHSA-3xmh-hrxh-fx8j
@@ -5710,6 +5717,7 @@ CVE-2025-6547 (Improper Input Validation vulnerability in 
pbkdf2 allows Signatur
        NOTE: Fixed by: 
https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb
 (v3.1.3)
 CVE-2025-6545 (Improper Input Validation vulnerability in pbkdf2 allows 
Signature Spo ...)
        - node-pbkdf2 <unfixed> (bug #1108283)
+       [bookworm] - node-pbkdf2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6
        NOTE: Introduced by: 
https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078
 (v3.0.10)
        NOTE: Fixed by: 
https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb
 (v3.1.3)
@@ -5858,6 +5866,7 @@ CVE-2025-6494 (A vulnerability was found in sparklemotion 
nokogiri c29c920907366
        NOTE: https://github.com/sparklemotion/nokogiri/pull/3524
 CVE-2025-6493 (A vulnerability was found in CodeMirror up to 5.17.0 and 
classified as ...)
        - codemirror-js <unfixed> (bug #1108477)
+       [bookworm] - codemirror-js <no-dsa> (Minor issue)
        NOTE: https://github.com/codemirror/codemirror5/issues/7128
 CVE-2025-52926 (In scan.rs in spytrap-adb before 0.3.5, matches for known 
stalkerware  ...)
        - rust-spytrap-adb 0.3.5-1
@@ -37927,6 +37936,7 @@ CVE-2024-56498
 CVE-2024-40635 (containerd is an open-source container runtime. A bug was 
found in con ...)
        {DLA-4153-1}
        - containerd 1.7.24~ds1-6 (bug #1100806)
+       [bookworm] - containerd <no-dsa> (Minor issue)
        NOTE: 
https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg
        NOTE: 
https://github.com/containerd/containerd/commit/11504c3fc5f45634f2d93d57743a998194430b82
 (v1.7.27)
        NOTE: 
https://github.com/containerd/containerd/commit/9639b9625554183d0c4d8d072dccb84fedd2320f
 (v1.6.38)


=====================================
data/dsa-needed.txt
=====================================
@@ -15,6 +15,9 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 amd64-microcode (carnil)
   Coordinating with maintainer DSA/bookworm-pu and sync with mitgations in 
src:linux
 --
+apache2
+  First have it exposed in unstable for a week or so
+--
 ark (jmm)
 --
 commons-vfs (apo)
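Review bot: the added `apache2` entry has no handler in parentheses, unlike the surrounding `amd64-microcode (carnil)`, `ark (jmm)` and `commons-vfs (apo)` entries. If that simply means the update is unclaimed, fine; otherwise add the name so the "First have it exposed in unstable for a week or so" note has an owner who will follow up with the DSA once that week has passed.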



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ff417a9806ae4d8d4069fd2d8c63b9c3707a98b
