[Git][security-tracker-team/security-tracker][master] trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Apr 22 14:20:49 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
6375f786 by Moritz Muehlenhoff at 2025-04-22T15:20:36+02:00
trixie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2865,6 +2865,7 @@ CVE-2025-32914 (A flaw was found in libsoup, where the soup_multipart_new_from_m
- libsoup2.4 <unfixed> (bug #1103512)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/436
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450
+ NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf
CVE-2025-32913 (A flaw was found in libsoup, where the soup_message_headers_get_conten ...)
- libsoup3 3.6.4-1
- libsoup2.4 <unfixed> (bug #1103515)
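Review bot: the new commit link for CVE-2025-32914 has neither a "Fixed by:" prefix nor the upstream release it shipped in, unlike the "NOTE: Fixed by: ... (version)" style used for the nanopb and Perl entries further down in this same diff. Since libsoup2.4 is still <unfixed> here, recording the libsoup tag that contains 5bfcf815 tells a backporter whether this is a plain cherry-pick; suggest "NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf (<release tag>)" with the real tag filled in.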
@@ -2903,6 +2904,7 @@ CVE-2025-32908 (A flaw was found in libsoup. The HTTP/2 server in libsoup may no
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/429
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/451
NOTE: Introduced after: https://gitlab.gnome.org/GNOME/libsoup/-/commit/5fb25e7810498170dd3458c9509035cef945e299 (3.1.2)
+ NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/commit/a792b23ab87cacbf4dd9462bf7b675fa678efbae
CVE-2025-32907 (A flaw was found in libsoup. The implementation of HTTP range requests ...)
- libsoup3 <unfixed> (bug #1103264)
- libsoup2.4 <unfixed> (bug #1103518)
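Review bot: same annotation gap for CVE-2025-32908, and it matters more here because the entry already records the introducing commit with a version ("Introduced after: ... (3.1.2)"); marking a792b23a as "Fixed by:" with the release it landed in would make the affected range readable at a glance. Given the introducing commit is in the 3.x series, a reader should be able to confirm from the notes alone which of libsoup3 and libsoup2.4 is in scope.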
@@ -11784,6 +11786,8 @@ CVE-2024-6982 (A remote code execution vulnerability exists in the Calculate fun
NOT-FOR-US: parisneo/lollms
CVE-2024-6866 (corydolphin/flask-cors version 4.01 contains a vulnerability where the ...)
- python-flask-cors <unfixed> (bug #1100988)
+ [trixie] - python-flask-cors <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - python-flask-cors <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://huntr.com/bounties/808c11af-faee-43a8-824b-b5ab4f62b9e6
CVE-2024-6863 (In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom Encryptio ...)
NOT-FOR-US: h2oai/h2o-3
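Review bot: the two new <postponed> lines for CVE-2024-6866 say "revisit when fixed upstream", but the entry's only NOTE is the huntr report, so there is no upstream issue or PR to watch and the revisit trigger is undefined. The CVE-2024-6844 entry in the next hunk gets https://github.com/corydolphin/flask-cors/issues/385; if that issue also tracks this CVE, add the same NOTE here, otherwise link whatever upstream item does. Also, the bookworm line is new as well, which goes beyond the "trixie triage" commit message.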
@@ -11793,13 +11797,18 @@ CVE-2024-6851 (In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup
NOT-FOR-US: aimhubio/aim
CVE-2024-6844 (A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inc ...)
- python-flask-cors <unfixed> (bug #1100988)
+ [trixie] - python-flask-cors <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - python-flask-cors <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://huntr.com/bounties/731a6cd4-d05f-4fe6-8f5b-fe088d7b34e0
+ NOTE: https://github.com/corydolphin/flask-cors/issues/385
CVE-2024-6842 (In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` ...)
NOT-FOR-US: mintplex-labs/anything-llm
CVE-2024-6841 (A Cross-Site Request Forgery (CSRF) vulnerability exists in the latest ...)
NOT-FOR-US: Vanna-ai
CVE-2024-6839 (corydolphin/flask-cors version 4.0.1 contains an improper regex path m ...)
- python-flask-cors <unfixed> (bug #1100988)
+ [trixie] - python-flask-cors <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - python-flask-cors <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://huntr.com/bounties/403eb1fc-86f4-4820-8eba-0f3dfae9f2b4
CVE-2024-6838 (In mlflow/mlflow version v2.13.2, a vulnerability exists that allows t ...)
NOT-FOR-US: mlflow
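Review bot: issue 385 is added as a NOTE for CVE-2024-6844 only, while CVE-2024-6839 in the same hunk (same package, same Debian bug #1100988, same "revisit when fixed upstream" rationale) gets no upstream reference at all. If issue 385 covers all three flask-cors CVEs, say so in the NOTE and add it to each entry; if not, the 6839 entry needs its own tracking link before "postponed" is actionable.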
@@ -13020,7 +13029,8 @@ CVE-2022-49737 (In X.Org X server 20.11 through 21.1.16, when a client applicati
[bookworm] - xorg-server <postponed> (Minor issue, can be fixed along in future DSA)
[bullseye] - xorg-server <postponed> (Minor issue)
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1260
- NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0b489500b4d0a0
+ NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0b489500b4d0a0 (master)
+ NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ba830583e6a8e9a78f09e2d723813c03142b11f6 (server-21.1-branch)
CVE-2025-2333
REJECTED
CVE-2025-2323 (A vulnerability was found in 274056675 springboot-openai-chatgpt e84f6 ...)
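Review bot: distinguishing the master fix from the server-21.1-branch backport is useful, but neither commit is annotated with the release it shipped in, which is exactly what the bookworm "can be fixed along in future DSA" and bullseye <postponed> lines need to become concrete. If the 21.1 branch commit has been tagged in a 21.1.x point release, record it in the same "(version)" style used elsewhere in this file; if it has not, a "NOTE: not yet in a release" line would make the postponed status self-explanatory.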
@@ -15607,7 +15617,7 @@ CVE-2025-2003 (Incorrect authorization in PAM vaults in Devolutions Server 2024.
CVE-2025-27517 (Volt is an elegantly crafted functional API for Livewire. Malicious, u ...)
NOT-FOR-US: Volt API for Livewire
CVE-2025-27515 (Laravel is a web application framework. When using wildcard validation ...)
- - php-laravel-framework <unfixed>
+ - php-laravel-framework <unfixed> (bug #1103881)
NOTE: https://github.com/laravel/framework/security/advisories/GHSA-78fx-h6xr-vch4
NOTE: https://github.com/laravel/framework/commit/2d133034fefddfb047838f4caca3687a3ba811a5 (v12.1.1)
CVE-2025-27513 (OpenTelemetry dotnet is a dotnet telemetry framework. A vulnerability ...)
@@ -45141,7 +45151,7 @@ CVE-2024-53984 (Nanopb is a small code-size Protocol Buffers implementation. Wh
NOTE: https://github.com/nanopb/nanopb/security/advisories/GHSA-xwqq-qxmw-hj5r
NOTE: Fixed by: https://github.com/nanopb/nanopb/commit/2b86c255aa52250438d5aba124d0e86db495b378
CVE-2024-53981 (python-multipart is a streaming multipart parser for Python. When pars ...)
- - python-multipart <unfixed> (bug #1088991)
+ - python-multipart 0.0.20-1 (bug #1088991)
[bookworm] - python-multipart <no-dsa> (Minor issue)
[bullseye] - python-multipart <postponed> (Minor issue; can be fixed in next update)
NOTE: https://github.com/Kludex/python-multipart/security/advisories/GHSA-59g5-xgcq-4qw3
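Review bot: the fixed version is set to 0.0.20-1, but the entry's only reference is the GHSA advisory; there is no "Fixed by:" commit or upstream version to check 0.0.20-1 against, in contrast to the nanopb entry immediately above, which records the fixing commit. Add the upstream commit and the release that contains it so the fixed-version claim is verifiable, especially since bullseye's "can be fixed in next update" depends on identifying the patch to backport.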
@@ -71737,6 +71747,7 @@ CVE-2024-45201 (An issue was discovered in llama_index before 0.10.38. download/
NOT-FOR-US: llama_index
CVE-2024-45193 (An issue was discovered in Matrix libolm through 3.2.16. There is Ed25 ...)
- olm <unfixed> (bug #1079487)
+ [trixie] - olm <ignored> (Minor issue, libolm is deprecated and won't be fixed)
[bookworm] - olm <ignored> (Minor issue, libolm is deprecated and won't be fixed)
[bullseye] - olm <ignored> (Minor issue; libolm deprecated upstream)
NOTE: https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/
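Review bot: marking trixie <ignored> with "won't be fixed" while the sid line stays "<unfixed> (bug #1079487)" leaves unstable open-ended for an issue the rationale says will never be fixed; either the bug should be closed as wontfix with a NOTE here, or, if the intent is that olm leaves the archive, a NOTE pointing at the removal request would document the end state. The same applies to the identical CVE-2024-45192 and CVE-2024-45191 hunks below. Minor: the bullseye line uses different wording ("libolm deprecated upstream"), which could be harmonized with the trixie/bookworm text.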
@@ -71745,6 +71756,7 @@ CVE-2024-45193 (An issue was discovered in Matrix libolm through 3.2.16. There i
NOTE: https://matrix.org/blog/2024/08/libolm-deprecation/
CVE-2024-45192 (An issue was discovered in Matrix libolm through 3.2.16. Cache-timing ...)
- olm <unfixed> (bug #1079487)
+ [trixie] - olm <ignored> (Minor issue, libolm is deprecated and won't be fixed)
[bookworm] - olm <ignored> (Minor issue, libolm is deprecated and won't be fixed)
[bullseye] - olm <ignored> (Minor issue; libolm deprecated upstream)
NOTE: https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/
@@ -71753,6 +71765,7 @@ CVE-2024-45192 (An issue was discovered in Matrix libolm through 3.2.16. Cache-t
NOTE: https://matrix.org/blog/2024/08/libolm-deprecation/
CVE-2024-45191 (An issue was discovered in Matrix libolm through 3.2.16. The AES imple ...)
- olm <unfixed> (bug #1079487)
+ [trixie] - olm <ignored> (Minor issue, libolm is deprecated and won't be fixed)
[bookworm] - olm <ignored> (Minor issue, libolm is deprecated and won't be fixed)
[bullseye] - olm <ignored> (Minor issue; libolm deprecated upstream)
NOTE: https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/
@@ -83445,6 +83458,7 @@ CVE-2024-39697 (phonenumber is a library for parsing, formatting and validating
NOT-FOR-US: Rust crate phonenumber
CVE-2024-39684 (Tencent RapidJSON is vulnerable to privilege escalation due to an inte ...)
- rapidjson <unfixed> (bug #1083187)
+ [trixie] - rapidjson <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - rapidjson <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - rapidjson <postponed> (Minor issue)
NOTE: https://github.com/Tencent/rapidjson/issues/2289
@@ -83479,6 +83493,7 @@ CVE-2024-38517 (Tencent RapidJSON is vulnerable to privilege escalation due to a
[bookworm] - rapidjson <no-dsa> (Minor issue)
[bullseye] - rapidjson <postponed> (Minor issue)
NOTE: https://github.com/Tencent/rapidjson/pull/1261
+ NOTE: https://github.com/Tencent/rapidjson/commit/8269bc2bc289e9d343bae51cdf6d23ef0950e001
CVE-2024-38363 (Airbyte is a data integration platform for ELT pipelines. Airbyte conn ...)
NOT-FOR-US: Airbyte
CVE-2024-38278 (A vulnerability has been identified in RUGGEDCOM RMC8388 V5.X (All ver ...)
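Review bot: the new commit link for CVE-2024-38517 sits next to the existing pull-request link without saying how they relate; if 8269bc2 is the merged result of PR #1261, prefix it "Fixed by:" and note the upstream release (if any) it landed in. That matters because rapidjson's sid/trixie status hinges on whether an upstream fix now exists; the CVE-2024-39684 hunk just above is postponed precisely "until fixed upstream".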
@@ -144864,6 +144879,7 @@ CVE-2023-49652 (Incorrect permission checks in Jenkins Google Compute Engine Plu
NOT-FOR-US: Jenkins plugin
CVE-2023-49092 (RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a ...)
- rust-rsa <unfixed> (bug #1057096)
+ [trixie] - rust-rsa <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr
NOTE: https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643
NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0071.html
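Review bot: this is the only <postponed> entry in the commit with no bookworm or bullseye line; if rust-rsa ships in bookworm it needs a status there too, and if it does not, a short NOTE saying so saves the next triager the check. The "revisit when fixed upstream" trigger is also weakly anchored: the tracking reference is a single issue comment (issues/19#issuecomment-...), so consider naming the upstream change or release that would close it, e.g. via the RUSTSEC-2023-0071 entry already linked.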
@@ -160881,7 +160897,7 @@ CVE-2022-48522 (In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-b
NOTE: https://github.com/Perl/perl5/issues/19147
NOTE: Fixed by: https://github.com/Perl/perl5/commit/23cca2d1f4544cb47f1124d98c308ce1f31f09a6 (v5.35.5)
CVE-2023-XXXX [RUSTSEC-2023-0053: rustls-webpki: CPU denial of service in certificate path building]
- - rust-rustls-webpki 0.104.4-1 (bug #1050298)
+ - rust-rustls-webpki 0.101.4-1 (bug #1050298)
NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0053.html
NOTE: https://github.com/briansmith/webpki/issues/69
CVE-2023-XXXX [RUSTSEC-2023-0052 webpki: CPU denial of service in certificate path building]
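Review bot: changing the fixed version from 0.104.4-1 to 0.101.4-1 is a data correction that changes which rust-rustls-webpki versions the tracker reports as vulnerable, not a trixie triage decision, and the commit message does not mention it; a separate commit, or an extra line in the message ("fix typo in rust-rustls-webpki fixed version"), would keep the history searchable. Worth double-checking the corrected value against the changelog referenced by bug #1050298, since the two strings differ by a single digit.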
@@ -168189,6 +168205,7 @@ CVE-2023-3354 (A flaw was found in the QEMU built-in VNC server. When a client c
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62 (v8.0.4)
CVE-2023-3432 (Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plant ...)
- plantuml <unfixed> (bug #1040000)
+ [trixie] - plantuml <no-dsa> (Minor issue)
[bookworm] - plantuml <no-dsa> (Minor issue)
[bullseye] - plantuml <no-dsa> (Minor issue)
[buster] - plantuml <no-dsa> (Minor issue)
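Review bot: the trixie line uses <no-dsa> while most other trixie lines in this commit use <postponed> or <ignored>; with the sid entry still <unfixed> and bug #1040000 open, it is not obvious whether the intent is "fix via a regular upload, no security update" or "leave it", so the rationale should say which. The same applies to CVE-2023-3431 in the following hunk.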
@@ -168196,6 +168213,7 @@ CVE-2023-3432 (Server-Side Request Forgery (SSRF) in GitHub repository plantuml/
NOTE: https://github.com/plantuml/plantuml/commit/b32500bb61ae617bb312496d6d832e4be8190797 (v1.2023.9)
CVE-2023-3431 (Improper Access Control in GitHub repository plantuml/plantuml prior t ...)
- plantuml <unfixed> (bug #1039999)
+ [trixie] - plantuml <no-dsa> (Minor issue)
[bookworm] - plantuml <no-dsa> (Minor issue)
[bullseye] - plantuml <no-dsa> (Minor issue)
[buster] - plantuml <no-dsa> (Minor issue)
@@ -188614,7 +188632,7 @@ CVE-2023-26485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
[bookworm] - r-cran-commonmark <ignored> (Minor issue)
[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
[buster] - r-cran-commonmark <no-dsa> (Minor issue)
- - ruby-commonmarker <unfixed> (bug #1034174)
+ - ruby-commonmarker 0.23.10-1 (bug #1034174)
[bookworm] - ruby-commonmarker <ignored> (Minor issue)
[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
[buster] - ruby-commonmarker <no-dsa> (Minor issue)
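Review bot: ruby-commonmarker 0.23.10-1 is recorded as the fixed version for this entry and six more cmark-gfm CVEs in this diff (CVE-2023-24824, CVE-2023-22486, CVE-2023-22485, CVE-2023-22484, CVE-2023-22483 and CVE-2022-39209), but none of them records which cmark-gfm version 0.23.10 bundles or the upstream commonmarker change that pulled the fixes in. One "Fixed by:" NOTE naming the vendored cmark-gfm version would let all seven fixed-version claims be checked against the cmark-gfm advisories these entries reference.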
@@ -193811,7 +193829,7 @@ CVE-2023-24824 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
[bookworm] - r-cran-commonmark <ignored> (Minor issue)
[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
[buster] - r-cran-commonmark <no-dsa> (Minor issue)
- - ruby-commonmarker <unfixed> (bug #1034174)
+ - ruby-commonmarker 0.23.10-1 (bug #1034174)
[bookworm] - ruby-commonmarker <ignored> (Minor issue)
[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
[buster] - ruby-commonmarker <no-dsa> (Minor issue)
@@ -201530,7 +201548,7 @@ CVE-2023-22486 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
[bookworm] - r-cran-commonmark <ignored> (Minor issue)
[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
[buster] - r-cran-commonmark <no-dsa> (Minor issue)
- - ruby-commonmarker <unfixed> (bug #1033113)
+ - ruby-commonmarker 0.23.10-1 (bug #1033113)
[bookworm] - ruby-commonmarker <ignored> (Minor issue)
[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
[buster] - ruby-commonmarker <no-dsa> (Minor issue)
@@ -201551,7 +201569,7 @@ CVE-2023-22485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
[bookworm] - r-cran-commonmark <ignored> (Minor issue)
[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
[buster] - r-cran-commonmark <no-dsa> (Minor issue)
- - ruby-commonmarker <unfixed> (bug #1033113)
+ - ruby-commonmarker 0.23.10-1 (bug #1033113)
[bookworm] - ruby-commonmarker <no-dsa> (Minor issue)
[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
[buster] - ruby-commonmarker <no-dsa> (Minor issue)
@@ -201571,7 +201589,7 @@ CVE-2023-22484 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
[bookworm] - r-cran-commonmark <ignored> (Minor issue)
[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
[buster] - r-cran-commonmark <no-dsa> (Minor issue)
- - ruby-commonmarker <unfixed> (bug #1033113)
+ - ruby-commonmarker 0.23.10-1 (bug #1033113)
[bookworm] - ruby-commonmarker <ignored> (Minor issue)
[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
[buster] - ruby-commonmarker <no-dsa> (Minor issue)
@@ -201591,7 +201609,7 @@ CVE-2023-22483 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
[bookworm] - r-cran-commonmark <ignored> (Minor issue)
[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
[buster] - r-cran-commonmark <no-dsa> (Minor issue)
- - ruby-commonmarker <unfixed> (bug #1033113)
+ - ruby-commonmarker 0.23.10-1 (bug #1033113)
[bookworm] - ruby-commonmarker <ignored> (Minor issue)
[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
[buster] - ruby-commonmarker <no-dsa> (Minor issue)
@@ -211724,6 +211742,7 @@ CVE-2022-4056
RESERVED
CVE-2022-4055 (When xdg-mail is configured to use thunderbird for mailto URLs, improp ...)
- xdg-utils <unfixed> (bug #1027160)
+ [trixie] - xdg-utils <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - xdg-utils <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - xdg-utils <no-dsa> (Minor issue)
[buster] - xdg-utils <no-dsa> (Minor issue)
@@ -229224,6 +229243,7 @@ CVE-2022-3168
REJECTED
CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.1 ...)
- openvswitch <unfixed> (bug #1021740)
+ [trixie] - openvswitch <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - openvswitch <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openvswitch <no-dsa> (Minor issue)
[buster] - openvswitch <no-dsa> (Minor issue)
@@ -231792,7 +231812,7 @@ CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
[bullseye] - python-cmarkgfm <no-dsa> (Minor issue)
[buster] - python-cmarkgfm <no-dsa> (Minor issue)
- ghostwriter 2.1.6+ds-1 (unimportant)
- - ruby-commonmarker <unfixed> (bug #1034888)
+ - ruby-commonmarker 0.23.10-1 (bug #1034888)
[bookworm] - ruby-commonmarker <ignored> (Minor issue)
[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
[buster] - ruby-commonmarker <no-dsa> (Minor issue)
@@ -288691,7 +288711,7 @@ CVE-2021-44505 (An issue was discovered in FIS GT.M through V7.0-000 (related to
NOTE: http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html
NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
CVE-2021-44504 (An issue was discovered in FIS GT.M through V7.0-000 (related to the Y ...)
- - fis-gtm <unfixed> (bug #1034805)
+ - fis-gtm 7.1-006-1 (bug #1034805)
[bookworm] - fis-gtm <ignored> (Minor issue)
[bullseye] - fis-gtm <ignored> (Minor issue)
[buster] - fis-gtm <ignored> (Minor issue)
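Review bot: fis-gtm is marked fixed in 7.1-006-1, but the notes still only reference the V7.0-002 release notes and the YottaDB issue; add the GT.M V7.1-006 release notes (or whichever release actually addressed this item) so the fixed version can be traced to an upstream change. Same for the identical CVE-2021-44496 hunk below.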
@@ -288748,7 +288768,7 @@ CVE-2021-44497 (An issue was discovered in FIS GT.M through V7.0-000 (related to
NOTE: http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html
NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
CVE-2021-44496 (An issue was discovered in FIS GT.M through V7.0-000 (related to the Y ...)
- - fis-gtm <unfixed> (bug #1034805)
+ - fis-gtm 7.1-006-1 (bug #1034805)
[bookworm] - fis-gtm <ignored> (Minor issue)
[bullseye] - fis-gtm <ignored> (Minor issue)
[buster] - fis-gtm <ignored> (Minor issue)
@@ -324952,7 +324972,8 @@ CVE-2021-31880
RESERVED
CVE-2021-31879 (GNU Wget through 1.21.1 does not omit the Authorization header upon a ...)
- wget <unfixed> (bug #988209)
- [bookworm] - wget <no-dsa> (Minor issue)
+ [trixie] - wget <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - wget <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - wget <no-dsa> (Minor issue)
[buster] - wget <no-dsa> (Minor issue)
[stretch] - wget <postponed> (Minor issue; can be fixed in next update)
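Review bot: besides the new trixie line, this hunk changes bookworm from "<no-dsa> (Minor issue)" to "<postponed> (... revisit when fixed upstream)", which is a change of decision for a stable release and not covered by the "trixie triage" commit message. If the intent is that bookworm picks up the fix in a point release once upstream ships one, the entry's NOTE section (outside this hunk) should link what upstream fix is being waited for, otherwise "revisit when fixed upstream" has no trigger.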
@@ -367485,6 +367506,7 @@ CVE-2020-27749 (A flaw was found in grub2 in versions prior to 2.06. Variable na
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
CVE-2020-27748 (A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and ...)
- xdg-utils <unfixed> (bug #975370)
+ [trixie] - xdg-utils <postponed> (Minor issue; regression potential; revisit when fixed upstream)
[bookworm] - xdg-utils <postponed> (Minor issue; regression potential; revisit when fixed upstream)
[bullseye] - xdg-utils <postponed> (Minor issue; regression potential; revisit when fixed upstream)
[buster] - xdg-utils <postponed> (Minor issue; regression potential; revisit when fixed upstream)
@@ -381953,12 +381975,14 @@ CVE-2020-21725 (OpenSNS v6.1.0 contains a blind SQL injection vulnerability in /
NOT-FOR-US: OpenSNS
CVE-2020-21724 (Buffer Overflow vulnerability in ExtractorInformation function in stre ...)
- oggvideotools <unfixed> (bug #1050836)
+ [trixie] - oggvideotools <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - oggvideotools <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - oggvideotools <no-dsa> (Minor issue)
[buster] - oggvideotools <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/oggvideotools/bugs/9/
CVE-2020-21723 (A Segmentation Fault issue discovered StreamSerializer::extractStreams ...)
- oggvideotools <unfixed> (bug #1050836; unimportant)
+ [trixie] - oggvideotools <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - oggvideotools <no-dsa> (Minor issue)
[bullseye] - oggvideotools <no-dsa> (Minor issue)
[buster] - oggvideotools <no-dsa> (Minor issue)
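Review bot: CVE-2020-21723 is left inconsistent by this change: the sid line carries "unimportant" and bookworm/bullseye/buster are <no-dsa>, yet the new trixie line says "<postponed> (Minor issue, revisit when fixed upstream)". An issue tagged unimportant needs no per-suite postponement, so either drop the "unimportant" marker if the trixie rationale is the intended one, or mark trixie consistently with the other suites. CVE-2020-21724 just above, which has no unimportant tag, is fine as written.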
@@ -468845,6 +468869,7 @@ CVE-2019-9546 (SolarWinds Orion Platform before 2018.4 Hotfix 2 allows privilege
NOT-FOR-US: SolarWinds Orion Platform
CVE-2019-9545 (An issue was discovered in Poppler 0.74.0. A recursive function call, ...)
- poppler <unfixed> (low; bug #923552)
+ [trixie] - poppler <ignored> (Minor issue)
[bookworm] - poppler <ignored> (Minor issue)
[bullseye] - poppler <ignored> (Minor issue)
[buster] - poppler <ignored> (Minor issue)
@@ -468855,6 +468880,7 @@ CVE-2019-9544 (An issue was discovered in Bento4 1.5.1-628. An out of bounds wri
NOT-FOR-US: Bento4
CVE-2019-9543 (An issue was discovered in Poppler 0.74.0. A recursive function call, ...)
- poppler <unfixed> (low; bug #923553)
+ [trixie] - poppler <ignored> (Minor issue)
[bookworm] - poppler <ignored> (Minor issue)
[bullseye] - poppler <ignored> (Minor issue)
[buster] - poppler <ignored> (Minor issue)
@@ -567870,6 +567896,7 @@ CVE-2017-1000048 (the web framework using ljharb's qs module older than v6.3.2,
NOT-FOR-US: ljharb
CVE-2017-1000047 (rbenv (all current versions) is vulnerable to Directory Traversal in t ...)
- rbenv <unfixed> (bug #869702)
+ [trixie] - rbenv <ignored> (Minor issue)
[bookworm] - rbenv <ignored> (Minor issue)
[bullseye] - rbenv <no-dsa> (Minor issue)
[buster] - rbenv <no-dsa> (Minor issue)
@@ -622696,7 +622723,7 @@ CVE-2016-2782 (The treo_attach function in drivers/usb/serial/visor.c in the Lin
- linux-2.6 <removed>
NOTE: Upstream commit: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cac9b50b0d75a1d50d6c056ff65c005f3224c8e0 (v4.5-rc2)
CVE-2016-2781 (chroot in GNU coreutils, when used with --userspec, allows local users ...)
- - coreutils <unfixed> (low; bug #816320)
+ - coreutils 9.4-1 (low; bug #816320)
[bookworm] - coreutils <ignored> (Minor issue)
[bullseye] - coreutils <ignored> (Minor issue)
[buster] - coreutils <ignored> (Minor issue)
@@ -622706,6 +622733,9 @@ CVE-2016-2781 (chroot in GNU coreutils, when used with --userspec, allows local
NOTE: Restricting ioctl on the kernel side seems the better approach, but rejected by Linux upstream
NOTE: Fixing this issue via setsid() would introduce regressions:
NOTE: https://www.kernel.org/pub/linux/utils/util-linux/v2.28/v2.28-ReleaseNotes
+ NOTE: Since Linux 6.4.4-1 (uploaded on 23 Jul 2023), TIOCSTI is disabled on the
+ NOTE: kernel side, marking the first coreutils upload after that date (9.4-1) as the
+ NOTE: fixed version
CVE-2016-2779 (runuser in util-linux allows local users to escape to the parent sessi ...)
- util-linux 2.31.1-0.1 (bug #815922)
[stretch] - util-linux <no-dsa> (Minor issue)
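Review bot: the NOTE makes the reasoning explicit, which is good, but the fixed status is keyed to a kernel change rather than to anything in coreutils 9.4-1: a coreutils 9.4-1 binary running on a kernel older than 6.4.4-1 (for example a backport into a suite with an older kernel) is as affected as before. Consider expressing this as a kernel-side mitigation ("NOTE: Mitigated on the kernel side since linux 6.4.4-1, TIOCSTI disabled") and, if a coreutils fixed version is kept for tracker purposes, stating that it is a proxy; the existing note "Restricting ioctl on the kernel side seems the better approach" already frames it that way.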
@@ -701058,17 +701088,11 @@ CVE-2013-0343 (The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the L
[wheezy] - linux 3.2.51-1
- linux-2.6 <removed> (low)
CVE-2013-0342 (The CreateID function in packet.py in pyrad before 2.1 uses sequential ...)
- - pyrad <unfixed> (low; bug #701151)
- [bookworm] - pyrad <ignored> (Minor issue)
- [bullseye] - pyrad <ignored> (Minor issue)
- [buster] - pyrad <ignored> (Minor issue)
- [stretch] - pyrad <ignored> (Minor issue)
- [jessie] - pyrad <no-dsa> (Minor issue)
- [wheezy] - pyrad <no-dsa> (Minor issue)
- [squeeze] - pyrad <no-dsa> (Minor issue)
+ - pyrad <unfixed> (unimportant; bug #701151)
NOTE: this is initially related to #700669
NOTE: The issue is not fixed in 2.1 upstream, see details in
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=911685#c5
+ NOTE: Negligible security impact, not exploitable by itself
CVE-2013-0341
REJECTED
CVE-2013-0340 (expat 2.1.0 and earlier does not properly handle entities expansion un ...)
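Review bot: downgrading pyrad to "unimportant" and dropping all per-suite lines is consistent (an unimportant issue needs no suite status), but the justification "Negligible security impact, not exploitable by itself" is appended after the bugzilla link rather than tied to it; if the assessment comes from comment #c5, say so in the NOTE. Since this is a severity change for every suite rather than trixie triage, a line in the commit message would help anyone later auditing why the <ignored>/<no-dsa> history was removed.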
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6375f7860b50696923f6625200621352a541b088