Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
905b9996 by Moritz Muehlenhoff at 2025-08-26T14:20:56+02:00
trixie/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1927,13 +1927,11 @@ CVE-2025-9132 (Out of bounds write in V8 in Google 
Chrome prior to 139.0.7258.13
        - chromium 139.0.7258.138-1
        [bullseye] - chromium <end-of-life> (see #1061268)
 CVE-2025-9165 (A flaw has been found in LibTIFF 4.7.0. This affects the 
function _TIF ...)
-       - tiff 4.7.0-4 (bug #1111878)
-       [trixie] - tiff <no-dsa> (Minor issue)
-       [bookworm] - tiff <no-dsa> (Minor issue)
-       [bullseye] - tiff <ignored> (No security impact, CVE disputed)
+       - tiff 4.7.0-4 (bug #1111878; unimportant)
        NOTE: https://gitlab.com/libtiff/libtiff/-/issues/728
        NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/747
        NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/ed141286a37f6e5ddafb5069347ff5d587e7a4e0
+       NOTE: Memory leak in CLI tool, no security impact
 CVE-2025-9157 (A vulnerability was determined in appneta tcpreplay up to 
4.5.2-beta2. ...)
        - tcpreplay <unfixed> (unimportant)
        NOTE: Crash in CLI tool, no security impact
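Review bot: the removed [bullseye] line recorded that the CVE is disputed, and that rationale disappears with this change; consider carrying it into the new NOTE, e.g. `NOTE: Memory leak in CLI tool, no security impact; CVE disputed`, so the reason for the unimportant rating stays visible in the entry. Dropping the per-release lines once the issue is rated unimportant matches how the neighbouring CVE-2025-9157 tcpreplay entry is recorded.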
@@ -2827,6 +2825,7 @@ CVE-2025-38502 (In the Linux kernel, the following 
vulnerability has been resolv
        NOTE: 
https://git.kernel.org/linus/abad3d0bad72a52137e0c350c59542d75ae4f513 (6.17-rc1)
 CVE-2025-8959 (HashiCorp's go-getter library subdirectory download feature is 
vulnera ...)
        - golang-github-hashicorp-go-getter <unfixed> (bug #1111318)
+       [bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
        NOTE: 
https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242
 CVE-2025-8898 (The Taxi Booking Manager for Woocommerce | E-cab plugin for 
WordPress  ...)
        NOT-FOR-US: WordPress plugin
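Review bot: the commit title says trixie/bookworm triage, but this hunk adds only a [bookworm] entry for a package that is still <unfixed> in unstable; if trixie ships the same affected go-getter version, a matching [trixie] line is needed as well (compare the [trixie] line for golang-1.24 under CVE-2024-8244 later in this patch).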
@@ -3445,6 +3444,7 @@ CVE-2025-50861 (The Lotus Cars Android app 
(com.lotus.carsdomestic.intl) 1.2.8 c
        NOT-FOR-US: Lotus Cars Android app (com.lotus.carsdomestic.intl)
 CVE-2025-50817 (A vulnerability in the Python-Future 1.0.0 module allows for 
arbitrary ...)
        - python-future <removed>
+       [bookworm] - python-future <no-dsa> (Minor issue)
        NOTE: 
https://medium.com/@abcd_68700/cve-2025-50817-python-future-module-arbitrary-code-execution-via-unintended-import-of-test-py-f0818ea93cf4
        NOTE: https://github.com/PythonCharmers/python-future/issues/268
 CVE-2025-50518 (A use-after-free vulnerability exists in the 
coap_delete_pdu_lkd funct ...)
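Review bot: the added [bookworm] line rates this "Minor issue" while the linked write-up title describes arbitrary code execution via an unintended import of test.py; a short NOTE stating why the impact is considered minor in practice would let later triagers follow the reasoning, as the first hunk of this patch does for CVE-2025-9165.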
@@ -3885,6 +3885,7 @@ CVE-2025-8754 (Missing Authentication for Critical 
Function vulnerability in ABB
        NOT-FOR-US: ABB group
 CVE-2025-8671 (A mismatch caused by client-triggered server-sent stream resets 
betwee ...)
        - h2o <removed>
+       [bookworm] - h2o <no-dsa> (Minor issue)
        - haproxy <not-affected> (Performs stream management correctly)
        - varnish 7.7.2-1
        NOTE: https://kb.cert.org/vuls/id/767506
@@ -5895,6 +5896,7 @@ CVE-2024-8244 (The filepath.Walk and filepath.WalkDir 
functions are documented a
        [trixie] - golang-1.24 <no-dsa> (Minor issue)
        - golang-1.23 <unfixed> (bug #1110946)
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
        NOTE: https://github.com/golang/go/issues/70007
 CVE-2024-52885 (The Mobile Access Portal's File Share application is 
vulnerable to a d ...)
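Review bot: the golang-1.23 line is <unfixed> (bug #1110946) but, unlike golang-1.24 directly above it, carries no [trixie] annotation; if golang-1.23 is also shipped in trixie, this "trixie/bookworm triage" commit should add the corresponding `[trixie] - golang-1.23 <no-dsa> (Minor issue)` line next to the new [bookworm] entry for golang-1.19.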
@@ -6260,6 +6262,7 @@ CVE-2012-10023 (A stack-based buffer overflow 
vulnerability exists in FreeFloat
        NOT-FOR-US: FreeFloat FTP Server
 CVE-2025-8556 (A flaw was found in CIRCL's implementation of the FourQ 
elliptic curve ...)
        - golang-github-cloudflare-circl 1.6.1-1
+       [bookworm] - golang-github-cloudflare-circl <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2371624
        NOTE: 
https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm
 CVE-2025-8586 (A vulnerability, which was classified as problematic, was found 
in lib ...)
@@ -10313,6 +10316,7 @@ CVE-2025-5681 (Authorization Bypass Through 
User-Controlled Key vulnerability in
        NOT-FOR-US: Turtek Software Eyotek
 CVE-2025-54121 (Starlette is a lightweight ASGI (Asynchronous Server Gateway 
Interface ...)
        - starlette 0.46.1-3 (bug #1109805)
+       [bookworm] - starlette <no-dsa> (Minor issue)
        [bullseye] - starlette <postponed> (minor issue; Dos can be fixed in 
next update)
        NOTE: 
https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73
        NOTE: Fixed by: 
https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1
 (0.47.2)
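Review bot: the [bullseye] context line directly below the added entry reads "(minor issue; Dos can be fixed in next update)"; since this entry is being touched anyway, fix the typo to "DoS" and capitalise "Minor issue" to match the new [bookworm] line and the rest of the file.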
@@ -71167,6 +71171,7 @@ CVE-2024-50857 (The ip_do_job request in GestioIP 
v3.5.7 is vulnerable to Cross-
        - gestioip <itp> (bug #742110)
 CVE-2024-4227 (In Genivia gSOAP with a specific configuration an 
unauthenticated remo ...)
        - gsoap 2.8.135-1
+       [bookworm] - gsoap <no-dsa> (Minor issue)
        NOTE: 
https://www.genivia.com/advisory.html#Upgrade_recommendation_when_option_-c++11_is_used_to_generate_C++11_source_code
        NOTE: 
https://www.genivia.com/changelog.html#Version_2.8.133_(03/21/2024)
        NOTE: Fixed by: https://sourceforge.net/p/gsoap2/code/222/
@@ -108510,6 +108515,7 @@ CVE-2024-6232 (There is a MEDIUM severity 
vulnerability affecting CPython.
        - python2.7 <removed>
        [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only 
included to build a few applications)
        - pypy3 7.3.18+dfsg-1
+       [bookworm] - pypy3 <no-dsa> (Minor issue)
        [bullseye] - pypy3 <postponed> (Minor issue; ReDoS)
        NOTE: https://github.com/python/cpython/issues/121285
        NOTE: https://github.com/python/cpython/pull/121286
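Review bot: the [bullseye] line for pypy3 records the rationale as "(Minor issue; ReDoS)"; mirroring that qualifier in the new [bookworm] line, i.e. `<no-dsa> (Minor issue; ReDoS)`, keeps the reason for the rating consistent across releases within the same entry.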
@@ -111634,6 +111640,7 @@ CVE-2024-7592 (There is a LOW severity vulnerability 
affecting CPython, specific
        [bookworm] - python3.11 3.11.2-6+deb12u5
        - python3.9 <removed>
        - pypy3 7.3.18+dfsg-1
+       [bookworm] - pypy3 <no-dsa> (Minor issue)
        [bullseye] - pypy3 <postponed> (Minor issue; DoS)
        NOTE: https://github.com/python/cpython/pull/123075
        NOTE: https://github.com/python/cpython/issues/123067
@@ -115948,6 +115955,7 @@ CVE-2024-6923 (There is a MEDIUM severity 
vulnerability affecting CPython.  The
        - python2.7 <removed>
        [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only 
included to build a few applications)
        - pypy3 7.3.18+dfsg-1
+       [bookworm] - pypy3 <no-dsa> (Minor issue)
        [bullseye] - pypy3 <postponed> (Minor issue)
        NOTE: https://github.com/python/cpython/issues/121650
        NOTE: https://github.com/python/cpython/pull/122233
@@ -127706,6 +127714,7 @@ CVE-2024-4032 (The \u201cipaddress\u201d module 
contained incorrect information
        - python3.7 <removed>
        - python2.7 <not-affected> (ipaddress module added in 3.3)
        - pypy3 7.3.18+dfsg-1
+       [bookworm] - pypy3 <no-dsa> (Minor issue)
        [bullseye] - pypy3 <postponed> (Minor issue)
        NOTE: https://github.com/advisories/GHSA-mh6q-v4mp-2cc7
        NOTE: https://github.com/python/cpython/issues/113171



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/905b999663b4cc97bcf2c5fc61f7bffada315d42


