[Git][security-tracker-team/security-tracker][master] 6 commits: add libxml2
Thorsten Alteholz (@alteholz)
alteholz at debian.org
Sun Apr 20 23:37:40 BST 2025
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b7da3e17 by Thorsten Alteholz at 2025-04-21T00:21:15+02:00
add libxml2
- - - - -
3590f7a0 by Thorsten Alteholz at 2025-04-21T00:22:20+02:00
update note
- - - - -
7bc27eb4 by Thorsten Alteholz at 2025-04-21T00:25:35+02:00
mark CVE-2023-26819 as postponed for Bullseye
- - - - -
21b114fc by Thorsten Alteholz at 2025-04-21T00:28:30+02:00
add libxmltok
- - - - -
8a4b2cbd by Thorsten Alteholz at 2025-04-21T00:30:50+02:00
mark CVE-2025-29480 as postponed for gdal
- - - - -
a39f1d4c by Thorsten Alteholz at 2025-04-21T00:34:53+02:00
mark CVE-2025-31344 as postponed for Bullseye
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -4376,6 +4376,7 @@ CVE-2025-31672 (Improper Input Validation vulnerability in Apache POI. The issue
NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=69620
CVE-2025-31344 (Heap-based Buffer Overflow vulnerability in openEuler giflib on Linux. ...)
- giflib <unfixed> (bug #1102520)
+ [bullseye] - giflib <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://www.openwall.com/lists/oss-security/2025/04/07/3
NOTE: https://sourceforge.net/p/giflib/bugs/176/
NOTE: Patch by Mandriva: https://github.com/OpenMandrivaAssociation/giflib/blob/master/giflib-5.2.2-cve-2025-31344.patch
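Review bot: the rationale on the added `[bullseye] - giflib <postponed> (Minor issue, revisit when fixed upstream)` line sits a little at odds with the NOTE two lines below it, which already points at a backported patch (the OpenMandriva giflib-5.2.2-cve-2025-31344.patch). If that patch is considered usable for bullseye, say so in the rationale or in a NOTE (for example that a patch exists but the upstream bug 176 is still open), so the next person triaging knows a fix is available and only upstream confirmation is missing; if it is not considered usable, a one-line NOTE saying why would save re-evaluating it later.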
@@ -4729,6 +4730,7 @@ CVE-2025-29481 (Buffer Overflow vulnerability in libbpf 1.5.0 allows a local att
NOTE: https://lore.kernel.org/bpf/20250410095517.141271-1-vmalik@redhat.com/
CVE-2025-29480 (Buffer Overflow vulnerability in gdal 3.10.2 allows a local attacker t ...)
- gdal <unfixed>
+ [bullseye] - gdal <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/lmarch2/poc/blob/main/gdal/gdal.md
CVE-2025-29479
REJECTED
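Review bot: the added `[bullseye] - gdal <postponed> (Minor issue, revisit when fixed upstream)` line says to revisit when fixed upstream, but the only NOTE on this entry is a third-party PoC link; there is no upstream issue or commit to watch. Consider adding a NOTE with the upstream bug or fix reference (or stating that none has been reported yet), and, for consistency with the giflib and cjson entries in the same push, a Debian bug number on the `gdal <unfixed>` line once one is filed.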
@@ -187496,6 +187498,7 @@ CVE-2023-26820 (siteproxy v1.0 was discovered to contain a path traversal vulner
CVE-2023-26819 (cJSON 1.7.15 might allow a denial of service via a crafted JSON docume ...)
- cjson <unfixed> (bug #1103687)
[bookworm] - cjson <no-dsa> (Minor issue)
+ [bullseye] - cjson <postponed> (Minor issue)
NOTE: https://github.com/boofish/json_bugs/tree/main/cjson
CVE-2023-26818 (Telegram 9.3.1 and 9.4.0 allows attackers to access restricted files, ...)
NOT-FOR-US: Telegram on MacOS
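Review bot: the added `[bullseye] - cjson <postponed> (Minor issue)` rationale drops the "revisit when fixed upstream" wording used on the giflib and gdal postponements in this push; if the intent is the same (wait for an upstream fix, then revisit), aligning the wording lets all three be found with one grep. The entry now also has bookworm as `<no-dsa>` and bullseye as `<postponed>` for the same minor issue; a short NOTE on why bullseye is to be revisited rather than closed as no-dsa would make that difference deliberate rather than accidental.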
=====================================
data/dla-needed.txt
=====================================
@@ -156,6 +156,12 @@ libstring-compare-constanttime-perl
NOTE: 20250412: Said patch just pushed to unstable, but in-depth testing / cross-review remains to be done AFAIK
NOTE: 20250412: Also, disputed upstream (Beuc/front-desk)
--
+libxml2 (Thorsten Alteholz)
+ NOTE: 20250421: Added by Front-Desk (ta)
+--
+libxmltok (Thorsten Alteholz)
+ NOTE: 20250421: Added by Front-Desk (ta)
+--
linux (Ben Hutchings)
NOTE: 20230111: Perma-added, Linux package specifically delegated to bwh (LTS Team)
--
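Review bot: the two new dla-needed entries (libxml2 and libxmltok) record only "Added by Front-Desk (ta)"; neither the commit messages ("add libxml2", "add libxmltok") nor the NOTE lines say which CVEs triggered the addition. A NOTE listing the CVE ids, or a pointer to the tracker entries, would let another LTS member pick the work up without re-triaging. Placement between libstring-compare-constanttime-perl and linux keeps the file's alphabetical order, and the `--` separators remain balanced.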
@@ -280,6 +286,7 @@ sogo
--
suricata (Thorsten Alteholz)
NOTE: 20250331: re added to fix next bunch of CVEs (ta)
+ NOTE: 20250420: WIP taking care of postponed CVEs
--
symfony
NOTE: 20241110: Added by Front-Desk (apo)
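Review bot: the new suricata NOTE is dated 20250420 while the libxml2 and libxmltok NOTEs added in the same push (and all six commit timestamps, in +02:00) use 20250421; pick one date for the push so the entries stay consistent. "WIP taking care of postponed CVEs" would also be more useful with the CVE ids being worked on, so that the matching `<postponed>` lines in data/CVE/list can be cross-checked when the work is finished.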
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/54ff7fe2f1dc4f60637e31762bf5b83438ec9a66...a39f1d4cde3d078957c6fbc89d8c55a8626796ee