Thorsten Alteholz pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
8561af8a by Thorsten Alteholz at 2026-02-07T11:06:40+01:00
mark CVE-2025-65803 and CVE-2025-70968 as EOL in Bullseye
- - - - -
ae6d9996 by Thorsten Alteholz at 2026-02-07T11:09:06+01:00
mark CVE-2025-61732 as postponed with limited support in Bullseye
- - - - -
2f76e93b by Thorsten Alteholz at 2026-02-07T11:21:18+01:00
mark CVE-2025-58190 and CVE-2025-47911 as postponed with limited support in
Bullseye
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -577,11 +577,13 @@ CVE-2025-68643 (Axigen Mail Server before 10.5.57 allows
stored Cross-Site Scrip
NOT-FOR-US: Axigen Mail Server
CVE-2025-58190 (The html.Parse function in golang.org/x/net/html has an
infinite parsi ...)
- golang-golang-x-net <unfixed> (bug #1127320)
+ [bullseye] - golang-golang-x-net <postponed> (Limited support, minor
issue, follow bookworm DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c
NOTE: https://github.com/golang/go/issues/70179
NOTE: Fixed by:
https://github.com/golang/net/commit/6ec8895aa5f6594da7356da7d341b98133629009
(v0.45.0)
CVE-2025-47911 (The html.Parse function in golang.org/x/net/html has quadratic
parsing ...)
- golang-golang-x-net <unfixed> (bug #1127321)
+ [bullseye] - golang-golang-x-net <postponed> (Limited support, minor
issue, follow bookworm DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c
NOTE: https://github.com/golang/go/issues/75682
NOTE: Fixed by:
https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d
(v0.45.0)
@@ -829,6 +831,7 @@ CVE-2025-61732 (A discrepancy between how Go and C/C++
comments were parsed allo
- golang-1.24 <unfixed>
- golang-1.19 <removed>
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Limited support, minor issue,
follow bookworm DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/K09ubi9FQFk
NOTE: https://github.com/golang/go/issues/76697
NOTE: Fixed by:
https://github.com/golang/go/commit/b19100991ac6d096e67cead47392049c178fd5ab
(go1.25.7)
@@ -8835,6 +8838,7 @@ CVE-2025-70968 (FreeImage 3.18.0 contains a Use After
Free in PluginTARGA.cpp;lo
- freeimage <unfixed> (bug #1125677)
[trixie] - freeimage <postponed> (Minor issue, revisit when fixed
upstream)
[bookworm] - freeimage <postponed> (Minor issue, revisit when fixed
upstream)
+ [bullseye] - freeimage <end-of-life> (EOL in bullseye LTS)
NOTE: https://github.com/MiracleWolf/FreeimageCrash/tree/main
NOTE: FreeImageRe fork is not affected, underlying code has reworked
memory management
CVE-2025-70747 (Tenda AX-1806 v1.0.0.1 was discovered to contain a stack
overflow in t ...)
@@ -24627,6 +24631,7 @@ CVE-2025-65803 (An integer overflow in the
psdParser::ReadImageData function of
- freeimage <unfixed> (bug #1122826)
[trixie] - freeimage <postponed> (Minor issue, revisit when fixed
upstream)
[bookworm] - freeimage <postponed> (Minor issue, revisit when fixed
upstream)
+ [bullseye] - freeimage <end-of-life> (EOL in bullseye LTS)
NOTE: https://gist.github.com/1mxml/cabd6d972557d9d992fe5f4f6ca1dd87
NOTE: https://sourceforge.net/p/freeimage/bugs/390/
CVE-2025-65792 (DataGear v5.5.0 is vulnerable to Arbitrary File Deletion.)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a950883152966246ab3b3301b93051a6bb8a2e1b...2f76e93b834e9ba06fe81a57cb03c6c11fb96359
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a950883152966246ab3b3301b93051a6bb8a2e1b...2f76e93b834e9ba06fe81a57cb03c6c11fb96359
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
