[Git][security-tracker-team/security-tracker][master] CVE-2025-54869

[Bastien Roucariès (@rouca)]

Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5668eb43 by Bastien Roucariès at 2025-08-08T00:55:55+02:00
CVE-2025-54869

icingaweb2-module-pdfexport include FPDI for pdf handling.

The import module of FPDI is vulnerable to DoS

However the export function likely does not need import path.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -456,9 +456,11 @@ CVE-2025-54872 (onion-site-template is a complete, scalable tor hidden service s
 	NOT-FOR-US: onion-site-template
 CVE-2025-54869 (FPDI is a collection of PHP classes that facilitate reading pages from ...)
 	- icingaweb2-module-pdfexport <unfixed>
+	[bullseye] - icingaweb2-module-pdfexport <postponed> (minor; DoS)
 	NOTE: https://github.com/Setasign/FPDI/security/advisories/GHSA-jxhh-4648-vpp3
 	NOTE: https://github.com/Setasign/FPDI/commit/ba671ba9221cffd32c2dda87316c19f522a1c5f0
 	NOTE: icingaweb2-module-pdfexport embedds FPDI
+	NOTE: Likely not affected CVE is on import PDF module, likely not used by codepath of pdfexport
 CVE-2025-54801 (Fiber is an Express inspired web framework written in Go. In versions  ...)
 	NOT-FOR-US: Fiber
 CVE-2025-54655 (Race condition vulnerability in the virtualization base module. Succes ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5668eb43a8ce4fa06014f08414885ee71d7d7038

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5668eb43a8ce4fa06014f08414885ee71d7d7038
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250807/2ac30a56/attachment.htm>