[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sat Apr 5 15:48:16 BST 2025 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bf3b42d4 by Moritz Muehlenhoff at 2025-04-05T16:48:00+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -436,6 +436,7 @@ CVE-2025-3197 (Versions of the package expand-object from 0.0.0 are vulnerable t
 	TODO: check
 CVE-2025-3196 (A vulnerability, which was classified as critical, was found in Open A ...)
 	- assimp <unfixed>
+	[bookworm] - assimp <no-dsa> (Minor issue)
 	NOTE: https://github.com/assimp/assimp/issues/6069
 	TODO: fixed upstream in master, need to identify upstream commit
 CVE-2025-3195 (A vulnerability, which was classified as critical, has been found in i ...)
@@ -576,16 +577,19 @@ CVE-2025-3161 (A vulnerability was found in Tenda AC10 16.03.10.13 and classifie
 	NOT-FOR-US: Tenda
 CVE-2025-3160 (A vulnerability has been found in Open Asset Import Library Assimp 5.4 ...)
 	- assimp <unfixed>
+	[bookworm] - assimp <no-dsa> (Minor issue)
 	NOTE: https://github.com/assimp/assimp/issues/6025
 	NOTE: https://github.com/assimp/assimp/pull/6049
 	NOTE: Fixed by: https://github.com/assimp/assimp/commit/4b8f55cc0008af43a8a50b91f0134e2f4e80142e
 CVE-2025-3159 (A vulnerability, which was classified as critical, was found in Open A ...)
 	- assimp <unfixed>
+	[bookworm] - assimp <no-dsa> (Minor issue)
 	NOTE: https://github.com/assimp/assimp/issues/6024
 	NOTE: https://github.com/assimp/assimp/pull/6051
 	NOTE: Fixed by: https://github.com/assimp/assimp/commit/e8a6286542924e628e02749c4f5ac4f91fdae71b
 CVE-2025-3158 (A vulnerability, which was classified as critical, has been found in O ...)
 	- assimp <unfixed>
+	[bookworm] - assimp <no-dsa> (Minor issue)
 	NOTE: https://github.com/assimp/assimp/issues/6023
 CVE-2025-3157 (A vulnerability was found in Intelbras WRN 150 1.0.15_pt_ITB01. It has ...)
 	NOT-FOR-US: Intelbras WRN
@@ -797,6 +801,7 @@ CVE-2025-22871
 	- golang-1.23 1.23.8-1
 	- golang-1.24 1.24.2-1
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk/m/cs_6qIK5BAAJ
@@ -982,6 +987,7 @@ CVE-2024-13673 (The Big Boom Directory plugin for WordPress is vulnerable to Sto
 	NOT-FOR-US: WordPress plugin
 CVE-2024-53868 (Apache Traffic Server allows request smuggling if chunked messages are ...)
 	- trafficserver <unfixed> (bug #1101996)
+	[bookworm] - trafficserver <postponed> (Fix along with next DSA)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/04/02/4
 	NOTE: https://github.com/apache/trafficserver/commit/f266206adb95951436a21850cef2ad8e9e4a28cf
 	NOTE: https://github.com/apache/trafficserver/commit/3d2f29c88f9b073cb0fd3b9c7f85430e2170acbb (9.2.10-rc0)
@@ -3323,15 +3329,19 @@ CVE-2025-30211 (Erlang/OTP is a set of libraries for the Erlang programming lang
 	NOTE: https://github.com/erlang/otp/commit/5ee26eb412a76ba1c6afdf4524b62939a48d1bce (OTP-25.3.2.19, OTP-26.2.5.10, OTP-27.3.1)
 CVE-2025-2926 (A vulnerability was found in HDF5 up to 1.14.6 and classified as probl ...)
 	- hdf5 <unfixed>
+	[bookworm] - hdf5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/HDFGroup/hdf5/issues/5384
 CVE-2025-2925 (A vulnerability has been found in HDF5 up to 1.14.6 and classified as  ...)
 	- hdf5 <unfixed>
+	[bookworm] - hdf5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/HDFGroup/hdf5/issues/5383
 CVE-2025-2924 (A vulnerability, which was classified as problematic, was found in HDF ...)
 	- hdf5 <unfixed>
+	[bookworm] - hdf5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/HDFGroup/hdf5/issues/5382
 CVE-2025-2923 (A vulnerability, which was classified as problematic, has been found i ...)
 	- hdf5 <unfixed>
+	[bookworm] - hdf5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/HDFGroup/hdf5/issues/5381
 CVE-2025-2922 (A vulnerability classified as problematic was found in Netis WF-2404 1 ...)
 	NOT-FOR-US: Netis
@@ -3347,15 +3357,19 @@ CVE-2025-2916 (A vulnerability, which was classified as critical, has been found
 	NOT-FOR-US: Aishida Call Center System
 CVE-2025-2915 (A vulnerability classified as problematic was found in HDF5 up to 1.14 ...)
 	- hdf5 <unfixed>
+	[bookworm] - hdf5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/HDFGroup/hdf5/issues/5380
 CVE-2025-2914 (A vulnerability classified as problematic has been found in HDF5 up to ...)
 	- hdf5 <unfixed>
+	[bookworm] - hdf5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/HDFGroup/hdf5/issues/5379
 CVE-2025-2913 (A vulnerability was found in HDF5 up to 1.14.6. It has been rated as p ...)
 	- hdf5 <unfixed>
+	[bookworm] - hdf5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/HDFGroup/hdf5/issues/5376
 CVE-2025-2912 (A vulnerability was found in HDF5 up to 1.14.6. It has been declared a ...)
 	- hdf5 <unfixed>
+	[bookworm] - hdf5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/HDFGroup/hdf5/issues/5370
 CVE-2025-2911 (Unauthorised access to the call forwarding service system in MeetMe pr ...)
 	NOT-FOR-US: MeetMe
@@ -5865,6 +5879,7 @@ CVE-2025-30347 (Varnish Enterprise before 6.0.13r13 allows remote attackers to o
 CVE-2025-30346 (Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 all ...)
 	{DLA-4101-1}
 	- varnish 7.7.0-1
+	[bookworm] - varnish <no-dsa> (Minor issue)
 	NOTE: https://varnish-cache.org/security/VSV00015.html
 	NOTE: https://github.com/varnishcache/varnish-cache/commit/8ef69a03b36aeac5f364c01eb20f821860e47f14 (varnish-7.7.0)
 	NOTE: https://github.com/varnishcache/varnish-cache/commit/a9640a13276048815cc51a12cda2603f4d4444e4 (varnish-7.6.2)


=====================================
data/dsa-needed.txt
=====================================
@@ -18,6 +18,8 @@ frr
 gh
   Santiago Vila might work on preparing an update
 --
+graphicsmagick
+--
 jpeg-xl
 --
 libreswan



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf3b42d4fd1e25dba0343207a20f33b5fcf8c389

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf3b42d4fd1e25dba0343207a20f33b5fcf8c389
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250405/5e2e4958/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list