[Git][security-tracker-team/security-tracker][master] trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Apr 22 11:35:49 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9e579375 by Moritz Muehlenhoff at 2025-04-22T12:28:44+02:00
trixie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -8731,19 +8731,23 @@ CVE-2025-30211 (Erlang/OTP is a set of libraries for the Erlang programming lang
NOTE: https://github.com/erlang/otp/commit/5ee26eb412a76ba1c6afdf4524b62939a48d1bce (OTP-25.3.2.19, OTP-26.2.5.10, OTP-27.3.1)
CVE-2025-2926 (A vulnerability was found in HDF5 up to 1.14.6 and classified as probl ...)
- hdf5 <unfixed> (bug #1103531)
- [bookworm] - hdf5 <no-dsa> (Minor issue)
+ [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5384
CVE-2025-2925 (A vulnerability has been found in HDF5 up to 1.14.6 and classified as ...)
- hdf5 <unfixed> (bug #1103532)
- [bookworm] - hdf5 <no-dsa> (Minor issue)
+ [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5383
CVE-2025-2924 (A vulnerability, which was classified as problematic, was found in HDF ...)
- hdf5 <unfixed> (bug #1103533)
- [bookworm] - hdf5 <no-dsa> (Minor issue)
+ [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5382
CVE-2025-2923 (A vulnerability, which was classified as problematic, has been found i ...)
- hdf5 <unfixed> (bug #1103534)
- [bookworm] - hdf5 <no-dsa> (Minor issue)
+ [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5381
CVE-2025-2922 (A vulnerability classified as problematic was found in Netis WF-2404 1 ...)
NOT-FOR-US: Netis
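Review bot: besides adding the [trixie] line, every bookworm entry in this hunk (and in the later HDF5 hunks) changes from `<no-dsa>` to `<postponed>`, which is a state change for the stable suite, not just a copy of the new trixie line. If bookworm is now meant to receive a fix once upstream resolves the linked issues, the change is consistent with the rationale "revisit when fixed upstream"; if only trixie was supposed to change, the bookworm lines should be left as `<no-dsa>`.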
@@ -8759,19 +8763,23 @@ CVE-2025-2916 (A vulnerability, which was classified as critical, has been found
NOT-FOR-US: Aishida Call Center System
CVE-2025-2915 (A vulnerability classified as problematic was found in HDF5 up to 1.14 ...)
- hdf5 <unfixed> (bug #1103536)
- [bookworm] - hdf5 <no-dsa> (Minor issue)
+ [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5380
CVE-2025-2914 (A vulnerability classified as problematic has been found in HDF5 up to ...)
- hdf5 <unfixed> (bug #1103537)
- [bookworm] - hdf5 <no-dsa> (Minor issue)
+ [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5379
CVE-2025-2913 (A vulnerability was found in HDF5 up to 1.14.6. It has been rated as p ...)
- hdf5 <unfixed> (bug #1103538)
- [bookworm] - hdf5 <no-dsa> (Minor issue)
+ [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5376
CVE-2025-2912 (A vulnerability was found in HDF5 up to 1.14.6. It has been declared a ...)
- hdf5 <unfixed> (bug #1103539)
- [bookworm] - hdf5 <no-dsa> (Minor issue)
+ [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5370
CVE-2025-2911 (Unauthorised access to the call forwarding service system in MeetMe pr ...)
NOT-FOR-US: MeetMe
@@ -13035,15 +13043,18 @@ CVE-2025-2320 (A vulnerability has been found in 274056675 springboot-openai-cha
NOT-FOR-US: springboot-openai-chatgpt
CVE-2025-2310 (A vulnerability was found in HDF5 1.14.6 and classified as critical. T ...)
- hdf5 <unfixed> (bug #1103540)
- [bookworm] - hdf5 <no-dsa> (Minor issue)
+ [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/madao123123/crash_report/blob/main/hdf5_poc/hdf5_poc4.md
CVE-2025-2309 (A vulnerability has been found in HDF5 1.14.6 and classified as critic ...)
- hdf5 <unfixed> (bug #1103541)
- [bookworm] - hdf5 <no-dsa> (Minor issue)
+ [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/madao123123/crash_report/blob/main/hdf5_poc/hdf5_poc3.md
CVE-2025-2308 (A vulnerability, which was classified as critical, was found in HDF5 1 ...)
- hdf5 <unfixed> (bug #1103542)
- [bookworm] - hdf5 <no-dsa> (Minor issue)
+ [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/madao123123/crash_report/blob/main/hdf5_poc/hdf5_poc2.md
CVE-2025-2295 (EDK2 contains a vulnerability in BIOS where a user may cause an Intege ...)
- edk2 2025.02-4 (bug #1100594)
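Review bot: for CVE-2025-2310, CVE-2025-2309 and CVE-2025-2308 the only NOTE is a third-party crash_report PoC page, so the new rationale "revisit when fixed upstream" has no upstream HDF5 issue or commit to revisit, unlike the entries in the earlier hunks that point at github.com/HDFGroup/hdf5/issues. Consider adding the corresponding HDFGroup issue link if one exists, or wording the rationale to say no upstream report is known yet.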
@@ -14547,7 +14558,8 @@ CVE-2025-1828 (Crypt::Random Perl package 1.05 through 1.55 may use rand() funct
NOTE: https://lists.security.metacpan.org/cve-announce/msg/27835115/
CVE-2025-2153 (A vulnerability, which was classified as critical, was found in HDF5 1 ...)
- hdf5 <unfixed> (bug #1100440)
- [bookworm] - hdf5 <no-dsa> (Minor issue)
+ [trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5329
CVE-2025-2152 (A vulnerability, which was classified as critical, has been found in O ...)
- assimp <unfixed> (bug #1100438)
@@ -37975,7 +37987,8 @@ CVE-2024-56709 (In the Linux kernel, the following vulnerability has been resolv
NOTE: https://git.kernel.org/linus/dbd2ca9367eb19bc5e269b8c58b0b1514ada9156 (6.13-rc4)
CVE-2024-56738 (GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorit ...)
- grub2 <unfixed> (bug #1102217)
- [bookworm] - grub2 <no-dsa> (Minor issue)
+ [trixie] - grub2 <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - grub2 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://savannah.gnu.org/bugs/?66603
CVE-2024-56737 (GNU GRUB (aka GRUB2) through 2.12 has a heap-based buffer overflow in ...)
- grub2 2.12-6
@@ -60543,9 +60556,6 @@ CVE-2024-9925 (SQL injection vulnerability in TAI Smart Factory's QPLANT SF vers
CVE-2024-9895 (The Smart Online Order for Clover plugin for WordPress is vulnerable t ...)
NOT-FOR-US: WordPress plugin
CVE-2024-9676 (A vulnerability was found in Podman, Buildah, and CRI-O. A symlink tra ...)
- - golang-github-containers-buildah <unfixed> (bug #1089116)
- [bookworm] - golang-github-containers-buildah <no-dsa> (Minor issue)
- [bullseye] - golang-github-containers-buildah <postponed> (Minor issue)
- golang-github-containers-storage 1.55.1+ds1-1
[bookworm] - golang-github-containers-storage <no-dsa> (Minor issue)
[bullseye] - golang-github-containers-storage <postponed> (Minor issue)
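Review bot: removing the golang-github-containers-buildah entry also drops the only reference to bug #1089116 from CVE-2024-9676. If that bug is still open it should be closed or reassigned to golang-github-containers-storage, otherwise the tracker loses the link between the CVE and the Debian bug.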
@@ -60553,6 +60563,7 @@ CVE-2024-9676 (A vulnerability was found in Podman, Buildah, and CRI-O. A symlin
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2317467
NOTE: https://github.com/containers/buildah/pull/5786
NOTE: https://github.com/containers/storage/pull/2135
+ NOTE: Fix is in golang-github-containers-storage, buildah uses it
CVE-2024-9506 (Improper regular expression in Vue's parseHTML function leads to a pot ...)
NOT-FOR-US: Vue
CVE-2024-5749 (Certain HP DesignJet products may be vulnerable to credential reflecti ...)
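Review bot: the new NOTE "Fix is in golang-github-containers-storage, buildah uses it" sits next to the retained NOTE linking https://github.com/containers/buildah/pull/5786, so a reader sees both a buildah PR and a statement that the fix lives in containers/storage. Consider stating in the NOTE how the buildah PR relates to the storage fix (for example whether it only pulls in the updated dependency), so the two notes do not read as contradictory.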
@@ -104024,7 +104035,7 @@ CVE-2023-32873 (In keyInstall, there is a possible out of bounds write due to a
CVE-2023-32871 (In DA, there is a possible permission bypass due to an incorrect statu ...)
NOT-FOR-US: MediaTek
CVE-2024-29857 (An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castl ...)
- - bouncycastle <unfixed> (bug #1070655)
+ - bouncycastle 1.80-1 (bug #1070655)
[bookworm] - bouncycastle <no-dsa> (Minor issue)
[bullseye] - bouncycastle <no-dsa> (Minor issue)
[buster] - bouncycastle <postponed> (Minor issue)
@@ -104032,7 +104043,7 @@ CVE-2024-29857 (An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy
NOTE: https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9029857
NOTE: https://github.com/bcgit/bc-java/commit/fee80dd230e7fba132d03a34f1dd1d6aae0d0281 (r1rv78v1)
CVE-2024-30172 (An issue was discovered in Bouncy Castle Java Cryptography APIs before ...)
- - bouncycastle <unfixed> (bug #1070655)
+ - bouncycastle 1.80-1 (bug #1070655)
[bookworm] - bouncycastle <no-dsa> (Minor issue)
[bullseye] - bouncycastle <no-dsa> (Minor issue)
[buster] - bouncycastle <postponed> (Minor issue)
@@ -104372,7 +104383,7 @@ CVE-2024-34453 (TwoNav 2.1.13 contains an SSRF vulnerability via the url paramat
CVE-2024-34449 (Vditor 3.10.3 allows XSS via an attribute of an A element. NOTE: the v ...)
NOT-FOR-US: Vditor
CVE-2024-34447 (An issue was discovered in Bouncy Castle Java Cryptography APIs before ...)
- - bouncycastle <unfixed> (bug #1070655)
+ - bouncycastle 1.80-1 (bug #1070655)
[bookworm] - bouncycastle <no-dsa> (Minor issue)
[bullseye] - bouncycastle <no-dsa> (Minor issue)
[buster] - bouncycastle <postponed> (Minor issue)
@@ -108965,7 +108976,7 @@ CVE-2024-25583 (A crafted response from an upstream server the recursor has been
CVE-2024-3154 (A flaw was found in cri-o, where an arbitrary systemd property can be ...)
- cri-o <itp> (bug #979702)
CVE-2024-30171 (An issue was discovered in Bouncy Castle Java TLS API and JSSE Provide ...)
- - bouncycastle <unfixed> (bug #1070655)
+ - bouncycastle 1.80-1 (bug #1070655)
[bookworm] - bouncycastle <no-dsa> (Minor issue)
[bullseye] - bouncycastle <no-dsa> (Minor issue)
[buster] - bouncycastle <postponed> (Minor issue)
@@ -144942,6 +144953,7 @@ CVE-2023-45286 (A race condition in go-resty can result in HTTP request body dis
NOTE: https://github.com/go-resty/resty/issues/743
NOTE: https://github.com/go-resty/resty/issues/739
NOTE: https://github.com/go-resty/resty/pull/745
+ NOTE: https://github.com/go-resty/resty/commit/577fed8730d79f583eb48dfc81674164e1fc471e (v2.11.0)
CVE-2023-42505 (An authenticated user with read permissions on database connections me ...)
NOT-FOR-US: Apache Superset
CVE-2023-42504 (An authenticated malicious user could initiate multiple concurrent req ...)
@@ -153928,6 +153940,7 @@ CVE-2023-43058 (IBM Robotic Process Automation 23.0.9 is vulnerable to privilege
NOT-FOR-US: IBM
CVE-2023-42445 (Gradle is a build tool with a focus on build automation and support fo ...)
- gradle <unfixed> (bug #1055176)
+ [trixie] - gradle <no-dsa> (Minor issue)
[bookworm] - gradle <no-dsa> (Minor issue)
[bullseye] - gradle <no-dsa> (Minor issue)
[buster] - gradle <no-dsa> (Minor issue)
@@ -154061,6 +154074,7 @@ CVE-2023-44390 (HtmlSanitizer is a .NET library for cleaning HTML fragments and
NOT-FOR-US: HtmlSanitizer .NET library
CVE-2023-44387 (Gradle is a build tool with a focus on build automation and support fo ...)
- gradle <unfixed> (bug #1055177)
+ [trixie] - gradle <no-dsa> (Minor issue)
[bookworm] - gradle <no-dsa> (Minor issue)
[bullseye] - gradle <no-dsa> (Minor issue)
[buster] - gradle <postponed> (Minor issue, requires local access to build machine)
@@ -167695,6 +167709,7 @@ CVE-2023-36144 (An authentication bypass in Intelbras Switch SG 2404 MR in firmw
NOT-FOR-US: Intelbras
CVE-2023-35947 (Gradle is a build tool with a focus on build automation and support fo ...)
- gradle <unfixed> (bug #1041424)
+ [trixie] - gradle <no-dsa> (Minor issue)
[bookworm] - gradle <no-dsa> (Minor issue)
[bullseye] - gradle <no-dsa> (Minor issue)
[buster] - gradle <no-dsa> (Minor issue)
@@ -167703,6 +167718,7 @@ CVE-2023-35947 (Gradle is a build tool with a focus on build automation and supp
NOTE: https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91 (v8.2.0-RC3)
CVE-2023-35946 (Gradle is a build tool with a focus on build automation and support fo ...)
- gradle <unfixed> (bug #1041424)
+ [trixie] - gradle <no-dsa> (Minor issue)
[bookworm] - gradle <no-dsa> (Minor issue)
[bullseye] - gradle <no-dsa> (Minor issue)
[buster] - gradle <no-dsa> (Minor issue)
@@ -322578,6 +322594,7 @@ CVE-2021-32752 (Ether Logs is a package that allows one to check one's logs in t
NOT-FOR-US: Ether Logs
CVE-2021-32751 (Gradle is a build tool with a focus on build automation. In versions p ...)
- gradle <unfixed> (bug #1014778)
+ [trixie] - gradle <no-dsa> (Minor issue)
[bookworm] - gradle <ignored> (Minor issue)
[bullseye] - gradle <ignored> (Minor issue)
[buster] - gradle <ignored> (Minor issue)
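Review bot: for CVE-2021-32751 trixie is marked `<no-dsa>` while bookworm, bullseye and buster are all `<ignored>`, and the other 2021 gradle entries in this patch (CVE-2021-29429, CVE-2021-29428, CVE-2019-15052) mark trixie `<ignored>`. If the intent is that this issue will not be fixed in trixie either, `<ignored>` would be the consistent tag; if a fix is still expected, it may be worth saying so in the rationale.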
@@ -331676,6 +331693,7 @@ CVE-2021-29430 (Sydent is a reference Matrix identity server. Sydent does not li
NOTE: https://github.com/matrix-org/sydent/security/advisories/GHSA-wmg4-8cp2-hpg9
CVE-2021-29429 (In Gradle before version 7.0, files created with open permissions in t ...)
- gradle <unfixed> (bug #987284)
+ [trixie] - gradle <ignored> (Minor issue)
[bookworm] - gradle <ignored> (Minor issue)
[bullseye] - gradle <no-dsa> (Minor issue)
[buster] - gradle <no-dsa> (Minor issue)
@@ -331683,6 +331701,7 @@ CVE-2021-29429 (In Gradle before version 7.0, files created with open permission
NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8
CVE-2021-29428 (In Gradle before version 7.0, on Unix-like systems, the system tempora ...)
- gradle <unfixed> (bug #987284)
+ [trixie] - gradle <ignored> (Minor issue)
[bookworm] - gradle <ignored> (Minor issue)
[bullseye] - gradle <no-dsa> (Minor issue)
[buster] - gradle <no-dsa> (Minor issue)
@@ -450330,6 +450349,7 @@ CVE-2019-15053 (The "HTML Include and replace macro" plugin before 1.5.0 for Con
NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence Server
CVE-2019-15052 (The HTTP client in Gradle before 5.6 sends authentication credentials ...)
- gradle <unfixed> (low; bug #941187)
+ [trixie] - gradle <ignored> (Minor issue)
[bookworm] - gradle <ignored> (Minor issue)
[bullseye] - gradle <no-dsa> (Minor issue)
[buster] - gradle <no-dsa> (Minor issue)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e5793753c6e94f4828b1fe93d7b446160ee07ad