[Git][security-tracker-team/security-tracker][master] trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sat Apr 19 23:13:35 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b9126193 by Moritz Muehlenhoff at 2025-04-20T00:13:16+02:00
trixie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -85849,11 +85849,13 @@ CVE-2024-39241 (Cross Site Scripting (XSS) vulnerability in skycaiji 2.8 allows
NOT-FOR-US: skycaiji
CVE-2024-38950 (Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attacker ...)
- libde265 <unfixed> (bug #1074416)
+ [trixie] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libde265 <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/460
CVE-2024-38949 (Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attacker ...)
- libde265 <unfixed> (bug #1074416)
+ [trixie] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libde265 <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/460
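Review bot: the new `[trixie] - libde265 <postponed>` lines for CVE-2024-38950 and CVE-2024-38949 are consistent with the existing bookworm entries and with the shared upstream issue 460 and bug #1074416, so no change is needed; note that the sid line stays `- libde265 <unfixed> (bug #1074416)` for both CVEs, so when the upstream issue closes, both entries need the sid version bump as well as the postponed tags dropped.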
@@ -158301,6 +158303,7 @@ CVE-2023-2453 (There is insufficient sanitization of tainted file names that are
NOT-FOR-US: PHP-Fusion
CVE-2023-51441 (** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerabilit ...)
- axis <unfixed> (bug #1060169)
+ [trixie] - axis <ignored> (Minor issue)
[bookworm] - axis <ignored> (Minor issue)
[bullseye] - axis <no-dsa> (Minor issue)
[buster] - axis <no-dsa> (Minor issue)
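Review bot: the added `[trixie] - axis <ignored> (Minor issue)` matches the bookworm entry, which fits the `** UNSUPPORTED WHEN ASSIGNED **` marker in the CVE description; the sid line still reads `- axis <unfixed> (bug #1060169)`, so bug #1060169 remains the only open tracking point for sid. No change requested.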
@@ -695035,7 +695038,7 @@ CVE-2013-2126 (Multiple double free vulnerabilities in the LibRaw::unpack functi
- libraw 0.15.3-1 (low; bug #710353)
[wheezy] - libraw <no-dsa> (Not suitable for code injection, minor issue)
[squeeze] - libraw <not-affected> (Vulnerable code not present)
- - libkdcraw 4:4.8.4-2 (low; bug #711317)
+ - libkdcraw 24.12.0-1
[wheezy] - libkdcraw <no-dsa> (Not suitable for code injection, minor issue)
- darktable 1.2.1-2 (unimportant; bug #711316)
NOTE: Not suitable for code injection, no security impact for an enduser application like Darktable
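Review bot: the replacement line `+ - libkdcraw 24.12.0-1` drops both the `low` severity and the `bug #711317` reference that the removed line carried, while the sibling entries in the same hunk (`- libraw 0.15.3-1 (low; bug #710353)`, `- darktable 1.2.1-2 (unimportant; bug #711316)`) keep theirs; unless the drop is intentional, suggest `- libkdcraw 24.12.0-1 (low; bug #711317)` so the severity and bug cross-reference survive the version change.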
@@ -695043,6 +695046,9 @@ CVE-2013-2126 (Multiple double free vulnerabilities in the LibRaw::unpack functi
[squeeze] - kdegraphics <not-affected> (embedded version of kdcraw+libraw too old)
NOTE: https://www.openwall.com/lists/oss-security/2013/05/28/3
NOTE: https://github.com/LibRaw/LibRaw/commit/19ffddb0fe1a4ffdb459b797ffcf7f490d28b5a6
+ NOTE: Back in 2013, libkdcraw was fixed in 4:4.10.5-2 and later on removed and then
+ NOTE: re-introduced in sid without the epoch, so now marking 24.12.0-1 as the first
+ NOTE: upload to sid as the new fixed version, current libkdcraw uses the system-wide libraw
CVE-2013-2125 (OpenSMTPD before 5.3.2 does not properly handle SSL sessions, which al ...)
- opensmtpd 5.3.3p1-1
NOTE: https://www.openwall.com/lists/oss-security/2013/05/18/8
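Review bot: the new NOTE states that libkdcraw was fixed in `4:4.10.5-2`, but the line removed in the previous hunk for this same CVE-2013-2126 entry recorded the fix as `4:4.8.4-2 (low; bug #711317)`; 4:4.10.5-2 is the version the CVE-2013-1439 and CVE-2013-1438 entries used, so the NOTE should cite the version this CVE actually had, or say why the recorded fixed version changed.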
@@ -697483,16 +697489,19 @@ CVE-2013-1439 (The "faster LJPEG decoder" in libraw 0.13.x, 0.14.x, and 0.15.x b
- libraw 0.15.4-1 (bug #721338)
[wheezy] - libraw <no-dsa> (Minor issue)
[squeeze] - libraw <no-dsa> (Minor issue)
- - libkdcraw 4:4.10.5-2 (bug #721340)
+ - libkdcraw 24.12.0-1
[wheezy] - libkdcraw <no-dsa> (Minor issue)
- darktable 1.2.2-2 (bug #721339)
[wheezy] - darktable 1.0.4-1+deb7u2
+ NOTE: Back in 2013, libkdcraw was fixed in 4:4.10.5-2 and later on removed and then
+ NOTE: re-introduced in sid without the epoch, so now marking 24.12.0-1 as the first
+ NOTE: upload to sid as the new fixed version, current libkdcraw uses the system-wide libraw
CVE-2013-1438 (Unspecified vulnerability in dcraw 0.8.x through 0.8.9, as used in lib ...)
{DSA-2748-1}
- libraw 0.15.4-1 (bug #721231)
[wheezy] - libraw <no-dsa> (Minor issue)
[squeeze] - libraw <no-dsa> (Minor issue)
- - libkdcraw 4:4.10.5-2 (bug #721239)
+ - libkdcraw 24.12.0-1
[wheezy] - libkdcraw <no-dsa> (Minor issue)
- darktable 1.2.2-2 (bug #721233)
[wheezy] - darktable 1.0.4-1+deb7u2
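Review bot: the two `+ - libkdcraw 24.12.0-1` lines again drop the bug references (`bug #721340` for CVE-2013-1439 and `bug #721239` for CVE-2013-1438) that the removed lines carried, while the neighbouring libraw and darktable entries in the same hunk keep theirs; suggest keeping `(bug #721340)` and `(bug #721239)` on the new lines. The three NOTE lines are a verbatim copy of the block added for CVE-2013-2126; a one-line NOTE pointing at that entry would avoid the copies drifting apart if the explanation is ever corrected.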
@@ -697505,6 +697514,9 @@ CVE-2013-1438 (Unspecified vulnerability in dcraw 0.8.x through 0.8.9, as used i
- rawstudio <removed> (unimportant; bug #721237)
- rawtherapee <not-affected> (unimportant; bug #721238)
NOTE: Starting with 2:13.2+dfsg1-5 xbmc is a transitional package
+ NOTE: Back in 2013, libkdcraw was fixed in 4:4.10.5-2 and later on removed and then
+ NOTE: re-introduced in sid without the epoch, so now marking 24.12.0-1 as the first
+ NOTE: upload to sid as the new fixed version, current libkdcraw uses the system-wide libraw
CVE-2013-1437 (Eval injection vulnerability in the Module-Metadata module before 1.00 ...)
- perl 5.18.1-2
[wheezy] - perl <not-affected> (Bug was introduced later)
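Review bot: this is the third verbatim copy of the epoch NOTE, and here it lands after the unrelated `NOTE: Starting with 2:13.2+dfsg1-5 xbmc is a transitional package` line rather than next to the `- libkdcraw 24.12.0-1` entry it explains (changed in the previous hunk); if the copy is kept, placing it directly after that libkdcraw line keeps the explanation beside the entry it refers to.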
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9126193e037409acabd43fa867dc5ed6b95c186