[Git][security-tracker-team/security-tracker][master] 4 commits: Process some NFUs
Maytham Alsudany (@Maytha8)
maytham at debian.org
Sat Aug 9 09:47:37 BST 2025
Maytham Alsudany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b92713e1 by Maytham Alsudany at 2025-08-09T16:40:28+08:00
Process some NFUs
- - - - -
6c00c56e by Maytham Alsudany at 2025-08-09T16:41:16+08:00
Add CVE-2025-45512/u-boot
- - - - -
114ed8c8 by Maytham Alsudany at 2025-08-09T16:43:13+08:00
Add CVE-2024-8244/golang-1.{24,23,19,15}
- - - - -
a8be0c07 by Maytham Alsudany at 2025-08-09T16:43:42+08:00
Add CVE-2025-50340/sogo
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -39,7 +39,7 @@ CVE-2025-8355 (In Xerox FreeFlow Core version 8.0.4, improper handling of XML in
CVE-2025-8284 (By default, the Packet Power Monitoring and Control Web Interface do n ...)
NOT-FOR-US: Packet Power
CVE-2025-8088 (A path traversal vulnerability affecting the Windows version of WinRAR ...)
- TODO: check
+ NOT-FOR-US: WinRAR on Windows
CVE-2025-5095 (Burk Technology ARC Solo's password change mechanism can be utilized w ...)
NOT-FOR-US: Burk Technology
CVE-2025-53606 (Deserialization of Untrusted Data vulnerability in Apache Seata (incub ...)
@@ -143,7 +143,7 @@ CVE-2025-54949 (A heap buffer overflow vulnerability in the loading of ExecuTorc
CVE-2025-54940 (An HTML injection vulnerability exists in WordPress plugin "Advanced C ...)
NOT-FOR-US: WordPress plugin
CVE-2025-54887 (jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption (JWE) ...)
- TODO: check
+ NOT-FOR-US: jwe ruby gem
CVE-2025-54886 (skops is a Python library which helps users share and ship their sciki ...)
NOT-FOR-US: Skops
CVE-2025-54793 (Astro is a web framework for content-driven websites. In versions 5.2. ...)
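Review bot: the NOT-FOR-US at the CVE-2025-54887 entry should be backed by a check that no packaged copy of this gem exists in the archive; the description identifies jwe as a Ruby implementation of RFC 7516, and Ruby libraries are routinely packaged, so a quick archive search for the gem name before closing it out would make the triage defensible. If the search comes back empty, the label as written is fine.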
@@ -542,7 +542,11 @@ CVE-2025-20331 (A vulnerability in the web-based management interface of Cisco I
CVE-2025-20215 (A vulnerability in the meeting-join functionality of Cisco Webex Meeti ...)
NOT-FOR-US: Cisco
CVE-2024-8244 (The filepath.Walk and filepath.WalkDir functions are documented as not ...)
- TODO: check
+ - golang-1.24 <unfixed>
+ - golang-1.23 <unfixed>
+ - golang-1.19 <removed>
+ - golang-1.15 <removed>
+ NOTE: https://github.com/golang/go/issues/70007
CVE-2024-52885 (The Mobile Access Portal's File Share application is vulnerable to a d ...)
NOT-FOR-US: Mobile Access Portal
CVE-2025-8656 (Kenwood DMX958XR Protection Mechanism Failure Software Downgrade Vulne ...)
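Review bot: the CVE-2024-8244 entry leaves the two `<unfixed>` golang lines without a severity qualifier and the NOTE points only at the upstream issue, not at a fix; other entries in this file carry qualifiers such as "(unimportant)" or a "Fixed by:" commit reference, and the description itself says the behaviour is a documentation matter ("documented as not ..."), so recording a severity and, once known, the fixing commit would let the `<unfixed>` lines be resolved. Per-release annotations in the "[trixie] - pkg <no-dsa> (Minor issue)" form used elsewhere in the file would also make clear whether stable suites need anything.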
@@ -973,7 +977,8 @@ CVE-2025-46958 (Adobe Experience Manager versions 6.5.22 and earlier are affecte
CVE-2025-46658 (An issue was discovered in ExonautWeb in 4C Strategies Exonaut 21.6. T ...)
NOT-FOR-US: 4C Strategies Exonaut
CVE-2025-45512 (A lack of signature verification in the bootloader of DENX Software En ...)
- TODO: check
+ - u-boot <undetermined>
+ NOTE: https://github.com/AzhariRamadhan/CVE-2025-45512
CVE-2025-44964 (A lack of SSL certificate validation in BlueStacks v5.20 allows attack ...)
NOT-FOR-US: BlueStacks
CVE-2025-43980 (An issue was discovered on FIRSTNUM JC21A-04 devices through 2.01ME/FN ...)
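Review bot: for CVE-2025-45512 the only reference is a third-party GitHub repository, which is not enough on its own to move u-boot out of `<undetermined>`; an upstream U-Boot commit or advisory reference, in the "NOTE: Fixed by: <url>" form this file already uses, is what would let the status be settled for the packaged version.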
@@ -1245,7 +1250,8 @@ CVE-2025-50420 (An issue in the pdfseparate utility of freedesktop poppler v25.0
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1849
NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/08d7894e4dd0e313c179e30f06ad8f546619b1b3
CVE-2025-50340 (An Insecure Direct Object Reference (IDOR) vulnerability was discovere ...)
- TODO: check
+ - sogo 5.7.0-1
+ NOTE: https://github.com/millad7/SOGo_web_mail-vulnerability-CVE-2025-50340
CVE-2025-46206 (An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to c ...)
- mupdf 1.25.1+ds1-7 (bug #1110482)
[trixie] - mupdf <no-dsa> (Minor issue)
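Review bot: the CVE-2025-50340 entry records sogo 5.7.0-1 as the fixed version but cites only a third-party repository, so there is nothing a reader can use to verify that the fix is actually contained in that upload; add a "NOTE: Fixed by: <upstream commit url>" line as the poppler entry above does, and consider per-release lines (as in "[trixie] - mupdf <no-dsa> (Minor issue)") for suites that ship an older sogo.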
@@ -1499,7 +1505,7 @@ CVE-2025-54790 (Files is a module for managing files inside spaces and user prof
CVE-2025-54789 (Files is a module for managing files inside spaces and user profiles. ...)
NOT-FOR-US: Files (a module for managing files inside spaces and user profiles)
CVE-2025-54782 (Nest is a framework for building scalable Node.js server-side applicat ...)
- TODO: check
+ NOT-FOR-US: nest nodejs module
CVE-2025-54781 (Himmelblau is an interoperability suite for Microsoft Azure Entra ID a ...)
NOT-FOR-US: Himmelblau
CVE-2025-54424 (1Panel is a web interface and MCP Server that manages websites, files, ...)
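Review bot: the label "nest nodejs module" at CVE-2025-54782 is ambiguous; the description calls Nest a framework rather than a module, and a bare "nest" is hard to grep for later. Naming the upstream package precisely, as the "@nyariv/sandboxjs nodejs module" entry does, would avoid confusion with similarly named software.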
@@ -1873,7 +1879,7 @@ CVE-2025-37109 (Cross-site scripting vulnerability has been identified in HPE Te
CVE-2025-37108 (Cross-site scripting vulnerability has been identified in HPE Telco Se ...)
NOT-FOR-US: HPE
CVE-2025-34146 (A prototype pollution vulnerability exists in @nyariv/sandboxjs versio ...)
- TODO: check
+ NOT-FOR-US: @nyariv/sandboxjs nodejs module
CVE-2025-2813 (An unauthenticated remote attacker can cause a Denial of Service by se ...)
NOT-FOR-US: PHOENIX
CVE-2025-29557 (ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access Control ...)
@@ -1929,7 +1935,7 @@ CVE-2013-10033 (An unauthenticated SQL injection vulnerability exists in Kimai v
CVE-2012-10021 (A stack-based buffer overflow vulnerability exists in D-Link DIR-605L ...)
NOT-FOR-US: D-Link
CVE-2011-10008 (A stack-based buffer overflow vulnerability exists in MPlayer Lite r33 ...)
- TODO: check
+ NOT-FOR-US: MPlayer WW
CVE-2025-8373 (A vulnerability was found in code-projects Vehicle Management 1.0. It ...)
NOT-FOR-US: code-projects Vehicle Management
CVE-2025-8372 (A vulnerability was found in code-projects Exam Form Submission 1.0 an ...)
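Review bot: at CVE-2011-10008 the label "MPlayer WW" does not match the product named in the description, "MPlayer Lite r33", and neither name explains why this is not tracked against MPlayer itself. State the reason in the label (for example that it is a Windows-specific build, in the same way the first hunk says "WinRAR on Windows") so the triage decision is recorded rather than implied.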
@@ -2522,7 +2528,7 @@ CVE-2025-33092 (IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2 is vulnerable to
CVE-2025-31965 (Improper access restrictions in HCL BigFix Remote Control Server WebUI ...)
NOT-FOR-US: HCL
CVE-2025-2928 (SQL Injection affecting the Archiver role.)
- TODO: check
+ NOT-FOR-US: Genetec Security Center
CVE-2025-2533 (IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2 is vulnerable to a denial ...)
NOT-FOR-US: IBM
CVE-2025-2179 (An incorrect privilege assignment vulnerability in the Palo Alto Netwo ...)
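Review bot: the CVE-2025-2928 description ("SQL Injection affecting the Archiver role.") names no product, so the "NOT-FOR-US: Genetec Security Center" label cannot be checked from the entry alone; add a NOTE with the advisory URL that identifies the vendor and product, as other entries do, so the attribution is traceable.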
@@ -3417,7 +3423,7 @@ CVE-2016-15046 (A client-side remote code execution vulnerability exists in Hanw
CVE-2015-10142 (Sitecore Experience Platform (XP) prior to 8.0 Initial Release (rev. 1 ...)
NOT-FOR-US: Sitecore
CVE-2014-125119 (A filename spoofing vulnerability exists in WinRAR when opening specia ...)
- TODO: check
+ NOT-FOR-US: WinRAR
CVE-2014-125118 (A command injection vulnerability exists in the eScan Web Management C ...)
NOT-FOR-US: eScan Web Management Console
CVE-2014-125117 (A stack-based buffer overflow vulnerability in the my_cgi.cgi componen ...)
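Review bot: the CVE-2014-125119 label uses "WinRAR" while the CVE-2025-8088 entry in the first hunk uses "WinRAR on Windows"; the descriptions differ (only the 2025 one restricts itself to the Windows version), so the difference may be deliberate, but if both are meant to say the same thing a single consistent label makes later searches of this file reliable.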
@@ -4199,7 +4205,7 @@ CVE-2018-25113 (An unauthenticated path traversal vulnerability exists in Dicoog
CVE-2017-20198 (The Marathon UI in DC/OS < 1.9.0 allows unauthenticated users to deplo ...)
NOT-FOR-US: Marathon UI in DC/OS
CVE-2016-15045 (A local privilege escalation vulnerability exists in lastore-daemon, t ...)
- TODO: check
+ NOT-FOR-US: lastore-daemon in Deepin Linux
CVE-2015-10141 (An unauthenticated OS command injection vulnerability exists within Xd ...)
- xdebug <unfixed> (unimportant)
NOTE: https://kirtixs.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/55eda87984ccc825a654477530c7c914bb621bb9...a8be0c07bb783feee8b3110f25d76e3726557571