[Git][security-tracker-team/security-tracker][master] trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sat Apr 19 20:58:49 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
64d7b4f2 by Moritz Muehlenhoff at 2025-04-19T21:58:04+02:00
trixie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -5446,7 +5446,6 @@ CVE-2025-3196 (A vulnerability, which was classified as critical, was found in O
[bookworm] - assimp <no-dsa> (Minor issue)
[bullseye] - assimp <postponed> (Minor issue, no upstream patch)
NOTE: https://github.com/assimp/assimp/issues/6069
- TODO: fixed upstream in master, need to identify upstream commit
CVE-2025-3195 (A vulnerability, which was classified as critical, has been found in i ...)
NOT-FOR-US: itsourcecode System
CVE-2025-3194 (Versions of the package bigint-buffer from 0.0.0 are vulnerable to Buf ...)
@@ -21643,6 +21642,7 @@ CVE-2025-1595 (A vulnerability has been found in Anhui Xufan Information Technol
NOT-FOR-US: Anhui Xufan Information Technology EasyCVR
CVE-2025-1594 (A vulnerability, which was classified as critical, was found in FFmpeg ...)
- ffmpeg <unfixed>
+ [trixie] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 7.1 branch)
[bookworm] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 5.1 branch)
[bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed upstream)
NOTE: https://ffmpeg.org/pipermail/ffmpeg-devel/2025-February/339544.html
@@ -22402,6 +22402,7 @@ CVE-2025-25474 (DCMTK v3.6.9+ DEV was discovered to contain a buffer overflow vi
NOTE: Fixed by: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=1d205bcd307164c99e0d4bbf412110372658d847
CVE-2025-25473 (FFmpeg git master before commit c08d30 was discovered to contain a NUL ...)
- ffmpeg <unfixed>
+ [trixie] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 7.1 branch)
[bookworm] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 5.1 branch)
[bullseye] - ffmpeg <not-affected> (Vulnerable code introduced later; ff_flush_packet_queue() is always called)
NOTE: https://trac.ffmpeg.org/ticket/11419
@@ -49335,6 +49336,7 @@ CVE-2024-48962 (Improper Control of Generation of Code ('Code Injection'), Cross
NOT-FOR-US: Apache OFBiz
CVE-2024-52616 (A flaw was found in the Avahi-daemon, where it initializes DNS transac ...)
- avahi <unfixed> (bug #1088111)
+ [trixie] - avahi <no-dsa> (Minor issue; workarounds/mitigation exist by setting enable-wide-area=no)
[bookworm] - avahi <no-dsa> (Minor issue; workarounds/mitigation exist by setting enable-wide-area=no)
[bullseye] - avahi <postponed> (Minor issue; workarounds/mitigation exist by setting enable-wide-area=no)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2326429
@@ -49345,6 +49347,7 @@ CVE-2024-52616 (A flaw was found in the Avahi-daemon, where it initializes DNS t
NOTE: https://github.com/avahi/avahi/security/advisories/GHSA-r9j3-vjjh-p8vm
CVE-2024-52615 (A flaw was found in Avahi-daemon, which relies on fixed source ports f ...)
- avahi <unfixed> (bug #1088110)
+ [trixie] - avahi <no-dsa> (Minor issue; workarounds/mitigation exist by setting enable-wide-area=no)
[bookworm] - avahi <no-dsa> (Minor issue; workarounds/mitigation exist by setting enable-wide-area=no)
[bullseye] - avahi <postponed> (Minor issue; workarounds/mitigation exist by setting enable-wide-area=no)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2326418
@@ -54552,7 +54555,9 @@ CVE-2024-7883 (When using Arm Cortex-M Security Extensions (CMSE), Secure stack
[bullseye] - llvm-toolchain-16 <ignored> (Minor issue, doesn't affect the default build flags in Debian and no backport into release branches planned)
- llvm-toolchain-17 <unfixed>
- llvm-toolchain-18 <unfixed>
+ [trixie] - llvm-toolchain-18 <ignored> (Minor issue, doesn't affect the default build flags in Debian and no backport into release branch 18 planned)
- llvm-toolchain-19 <unfixed>
+ [trixie] - llvm-toolchain-19 <ignored> (Minor issue, doesn't affect the default build flags in Debian and no backport into release branch 19 planned)
[bookworm] - llvm-toolchain-19 <ignored> (Minor issue, doesn't affect the default build flags in Debian and no backport into release branches planned)
NOTE: https://developer.arm.com/Arm%20Security%20Center/Cortex-M%20Security%20Extensions%20Vulnerability
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2322994
@@ -150773,6 +150778,7 @@ CVE-2023-45675 (stb_vorbis is a single file MIT licensed library for processing
NOTE: https://github.com/nothings/stb/issues/1552
CVE-2023-45667 (stb_image is a single file MIT licensed library for processing images. ...)
- libstb <unfixed> (bug #1054911)
+ [trixie] - libstb <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - libstb <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
@@ -150780,6 +150786,7 @@ CVE-2023-45667 (stb_image is a single file MIT licensed library for processing i
NOTE: https://github.com/nothings/stb/issues/1550
CVE-2023-45666 (stb_image is a single file MIT licensed library for processing images. ...)
- libstb <unfixed> (bug #1054911)
+ [trixie] - libstb <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - libstb <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
@@ -150787,6 +150794,7 @@ CVE-2023-45666 (stb_image is a single file MIT licensed library for processing i
NOTE: https://github.com/nothings/stb/issues/1548
CVE-2023-45664 (stb_image is a single file MIT licensed library for processing images. ...)
- libstb <unfixed> (bug #1054911)
+ [trixie] - libstb <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - libstb <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
@@ -150794,6 +150802,7 @@ CVE-2023-45664 (stb_image is a single file MIT licensed library for processing i
NOTE: https://github.com/nothings/stb/issues/1542
CVE-2023-45663 (stb_image is a single file MIT licensed library for processing images. ...)
- libstb <unfixed> (bug #1054911)
+ [trixie] - libstb <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - libstb <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
@@ -150801,6 +150810,7 @@ CVE-2023-45663 (stb_image is a single file MIT licensed library for processing i
NOTE: https://github.com/nothings/stb/issues/1542
CVE-2023-45662 (stb_image is a single file MIT licensed library for processing images. ...)
- libstb <unfixed> (bug #1054911)
+ [trixie] - libstb <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - libstb <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
@@ -150808,6 +150818,7 @@ CVE-2023-45662 (stb_image is a single file MIT licensed library for processing i
NOTE: https://github.com/nothings/stb/issues/1540
CVE-2023-45661 (stb_image is a single file MIT licensed library for processing images. ...)
- libstb <unfixed> (bug #1054911)
+ [trixie] - libstb <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - libstb <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
@@ -154003,6 +154014,7 @@ CVE-2023-43951 (SSCMS 7.2.2 was discovered to contain a cross-site scripting (XS
NOT-FOR-US: SSCMS
CVE-2023-43898 (Nothings stb 2.28 was discovered to contain a Null Pointer Dereference ...)
- libstb <unfixed> (bug #1053627)
+ [trixie] - libstb <no-dsa> (Minor issue)
[bookworm] - libstb <no-dsa> (Minor issue)
[bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <postponed> (Minor issue, DoS / clean crash)
@@ -303319,6 +303331,7 @@ CVE-2021-40267
RESERVED
CVE-2021-40266 (FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp is vul ...)
- freeimage <unfixed> (bug #1055305)
+ [trixie] - freeimage <no-dsa> (Minor issue)
[bookworm] - freeimage <no-dsa> (Minor issue)
[bullseye] - freeimage <no-dsa> (Minor issue)
[buster] - freeimage <postponed> (Fix together with some other upload, low severity, DoS in user interactive software)
@@ -303326,18 +303339,21 @@ CVE-2021-40266 (FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp
NOTE: Patch in Fedora (not upstream'ed): https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2021-40266.patch
CVE-2021-40265 (A heap overflow bug exists FreeImage before 1.18.0 via ofLoad function ...)
- freeimage <unfixed> (bug #1055304)
+ [trixie] - freeimage <no-dsa> (Minor issue)
[bookworm] - freeimage <no-dsa> (Minor issue)
[bullseye] - freeimage <no-dsa> (Minor issue)
[buster] - freeimage <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/337/
CVE-2021-40264 (NULL pointer dereference vulnerability in FreeImage before 1.18.0 via ...)
- freeimage <unfixed> (bug #1055303)
+ [trixie] - freeimage <no-dsa> (Minor issue)
[bookworm] - freeimage <no-dsa> (Minor issue)
[bullseye] - freeimage <no-dsa> (Minor issue)
[buster] - freeimage <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/335/
CVE-2021-40263 (A heap overflow vulnerability in FreeImage 1.18.0 via the ofLoad funct ...)
- freeimage <unfixed> (bug #1055302)
+ [trixie] - freeimage <no-dsa> (Minor issue)
[bookworm] - freeimage <no-dsa> (Minor issue)
[bullseye] - freeimage <no-dsa> (Minor issue)
[buster] - freeimage <postponed> (Fix together with some other upload, low severity, DoS in user interactive software)
@@ -303345,6 +303361,7 @@ CVE-2021-40263 (A heap overflow vulnerability in FreeImage 1.18.0 via the ofLoad
NOTE: Patch in Fedora (not upstream'ed): https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2021-40263.patch
CVE-2021-40262 (A stack exhaustion issue was discovered in FreeImage before 1.18.0 via ...)
- freeimage <unfixed> (bug #1055301)
+ [trixie] - freeimage <no-dsa> (Minor issue)
[bookworm] - freeimage <no-dsa> (Minor issue)
[bullseye] - freeimage <no-dsa> (Minor issue)
[buster] - freeimage <no-dsa> (Minor issue)
@@ -312830,6 +312847,7 @@ CVE-2021-36490
RESERVED
CVE-2021-36489 (Buffer Overflow vulnerability in Allegro through 5.2.6 allows attacker ...)
- allegro4.4 <unfixed> (bug #1032670)
+ [trixie] - allegro4.4 <ignored> (Minor issue)
[bookworm] - allegro4.4 <ignored> (Minor issue)
[bullseye] - allegro4.4 <no-dsa> (Minor issue)
[buster] - allegro4.4 <no-dsa> (Minor issue)
@@ -520061,6 +520079,7 @@ CVE-2018-10113 (An issue was discovered in GEGL through 0.3.32. The process func
NOTE: https://gitlab.gnome.org/GNOME/gegl/commit/c83b05d565a1e3392c9606a4ecaa560eb9a4ee29
CVE-2018-10112 (An issue was discovered in GEGL through 0.3.32. The gegl_tile_backend_ ...)
- gegl <unfixed> (low; bug #1014710)
+ [trixie] - gegl <ignored> (Minor issue, architectual limitation)
[bookworm] - gegl <ignored> (Minor issue, architectual limitation)
[bullseye] - gegl <ignored> (Minor issue, architectual limitation)
[buster] - gegl <ignored> (Minor issue, architectual limitation)
@@ -520072,6 +520091,7 @@ CVE-2018-10112 (An issue was discovered in GEGL through 0.3.32. The gegl_tile_ba
NOTE: https://github.com/xiaoqx/pocs/tree/master/gegl#4-gegl-outbound-write-2
CVE-2018-10111 (An issue was discovered in GEGL through 0.3.32. The render_rectangle f ...)
- gegl <unfixed> (low; bug #1014710)
+ [trixie] - gegl <ignored> (Minor issue, architectual limitation)
[bookworm] - gegl <ignored> (Minor issue, architectual limitation)
[bullseye] - gegl <ignored> (Minor issue, architectual limitation)
[buster] - gegl <ignored> (Minor issue, architectual limitation)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64d7b4f22b11f5b26a840e21baa16d1eba8c2d26
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64d7b4f22b11f5b26a840e21baa16d1eba8c2d26
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250419/bc969d8f/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list