[Git][security-tracker-team/security-tracker][master] trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Aug 13 12:29:22 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
739097c3 by Moritz Muehlenhoff at 2025-08-13T13:27:37+02:00
trixie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -5143,6 +5143,7 @@ CVE-2015-10143 (The Platform theme for WordPress is vulnerable to unauthorized m
CVE-2025-54567 (hw/pci/pcie_sriov.c in QEMU through 10.0.3 mishandles the VF Enable bi ...)
[experimental] - qemu 1:10.1.0~rc1+ds-2
- qemu 1:10.0.3+ds-1 (bug #1109989)
+ [trixie] - qemu <no-dsa> (Minor issue)
[bookworm] - qemu <not-affected> (Vulnerable code not present)
[bullseye] - qemu <not-affected> (Vulnerable code not present)
NOTE: https://lore.kernel.org/qemu-devel/20250713-wmask-v1-1-4c744cdb32c0@rsg.ci.i.u-tokyo.ac.jp/
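Review bot: no-dsa for trixie is consistent with the rest of the entry, since the fix is already in unstable as 1:10.0.3+ds-1 and bookworm/bullseye are marked not-affected, leaving trixie as the only stable suite carrying the hw/pci/pcie_sriov.c VF Enable code. The only NOTE points at the lore.kernel.org patch-series posting rather than a merged commit; once the upstream commit id is known, adding it as a second NOTE would make a later point-release backport easier to locate.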
@@ -5151,6 +5152,7 @@ CVE-2025-54567 (hw/pci/pcie_sriov.c in QEMU through 10.0.3 mishandles the VF Ena
CVE-2025-54566 (hw/pci/pcie_sriov.c in QEMU through 10.0.3 has a migration state incon ...)
[experimental] - qemu 1:10.1.0~rc1+ds-2
- qemu 1:10.0.3+ds-1 (bug #1109989)
+ [trixie] - qemu <no-dsa> (Minor issue)
[bookworm] - qemu <not-affected> (Vulnerable code not present)
[bullseye] - qemu <not-affected> (Vulnerable code not present)
NOTE: https://lore.kernel.org/qemu-devel/20250713-wmask-v1-1-4c744cdb32c0@rsg.ci.i.u-tokyo.ac.jp/
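Review bot: the triage mirrors CVE-2025-54567 directly above (same fixed unstable version 1:10.0.3+ds-1, same patch-series NOTE), which is fine, but the two entries need to stay in sync: whatever upstream commit reference ends up recorded on CVE-2025-54567 should be copied here as well, because both CVEs are addressed by the same series.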
@@ -14720,6 +14722,7 @@ CVE-2025-6393 (A vulnerability was found in TOTOLINK A702R, A3002R, A3002RU and
NOT-FOR-US: TOTOLINK
CVE-2025-6375 (A vulnerability was found in poco up to 1.14.1. It has been rated as p ...)
- poco <unfixed> (bug #1108157)
+ [trixie] - poco <no-dsa> (Minor issue)
[bookworm] - poco <no-dsa> (Minor issue)
[bullseye] - poco <postponed> (Minor issue)
NOTE: https://github.com/pocoproject/poco/issues/4915
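Review bot: unstable is still <unfixed> (bug #1108157) while trixie and bookworm now both read no-dsa and bullseye postponed, so no suite has a fix yet and the trixie no-dsa rests on the severity call alone. The single NOTE is the upstream issue; when a fix commit lands in pocoproject/poco, add it as a further NOTE so the maintainer has a concrete patch to pick up for the next upload rather than only the bug report.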
@@ -17879,6 +17882,7 @@ CVE-2025-4227 (An improper access control vulnerability in the Endpoint Traffic
NOT-FOR-US: Palo Alto Networks
CVE-2025-49589 (PCSX2 is a free and open-source PlayStation 2 (PS2) emulator. A stack- ...)
- pcsx2 <unfixed> (bug #1107756)
+ [trixie] - pcsx2 <no-dsa> (Minor issue)
[bookworm] - pcsx2 <no-dsa> (Minor issue)
[bullseye] - pcsx2 <postponed> (Minor issue)
NOTE: https://github.com/PCSX2/pcsx2/security/advisories/GHSA-f494-4xf7-xj35
@@ -19212,11 +19216,13 @@ CVE-2025-5900 (A vulnerability, which was classified as problematic, was found i
NOT-FOR-US: Tenda
CVE-2025-5899 (A vulnerability classified as critical was found in GNU PSPP 82fb509fb ...)
- pspp <unfixed> (bug #1107819)
+ [trixie] - pspp <no-dsa> (Minor issue)
[bookworm] - pspp <no-dsa> (Minor issue)
[bullseye] - pspp <postponed> (Minor issue)
NOTE: https://savannah.gnu.org/bugs/index.php?67072
CVE-2025-5898 (A vulnerability classified as critical has been found in GNU PSPP 82fb ...)
- pspp <unfixed> (bug #1107818)
+ [trixie] - pspp <no-dsa> (Minor issue)
[bookworm] - pspp <no-dsa> (Minor issue)
[bullseye] - pspp <postponed> (Minor issue)
NOTE: https://savannah.gnu.org/bugs/index.php?67071
@@ -23982,10 +23988,17 @@ CVE-2025-4969 (A vulnerability was found in the libsoup package. This flaw stems
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/467
CVE-2025-4949 (In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestP ...)
- jgit <unfixed> (bug #1106287)
+ [trixie] - jgit <no-dsa> (Minor issue)
[bookworm] - jgit <no-dsa> (Minor issue)
[bullseye] - jgit <postponed> (Minor issue)
NOTE: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281
NOTE: https://gitlab.eclipse.org/security/cve-assignement/-/issues/64
+ NOTE: https://eclipse.gerrithub.io/c/eclipse-jgit/jgit/+/1215019
+ NOTE: https://eclipse.gerrithub.io/c/eclipse-jgit/jgit/+/1215020
+ NOTE: Fixed in:
+ NOTE: 6.10.1.202505221210-r
+ NOTE: 7.0.1.202505221510-r
+ NOTE: 7.1.1.202505221757-r
CVE-2025-4524 (The Madara \u2013 Responsive and modern WordPress theme for manga site ...)
NOT-FOR-US: WordPress plugin
CVE-2025-4436
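Review bot: the new "Fixed in:" NOTE block lists three upstream releases (6.10.1.202505221210-r, 7.0.1.202505221510-r, 7.1.1.202505221757-r) while the Debian line still reads jgit <unfixed>, which is right as long as no Debian upload carries one of those versions or the two gerrithub changes; when that upload happens, replace <unfixed> with the Debian version and keep the NOTEs. The two gerrithub links (1215019, 1215020) give only change numbers; a short annotation on each saying what it contains and whether both are required would save a backporter from opening both to find out.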
@@ -27764,11 +27777,13 @@ CVE-2025-47816 (libpspp-core.a in GNU PSPP through 2.0.1 allows attackers to cau
NOTE: https://savannah.gnu.org/bugs/?67073
CVE-2025-47815 (libpspp-core.a in GNU PSPP through 2.0.1 allows attackers to cause a h ...)
- pspp <unfixed> (bug #1105105)
+ [trixie] - pspp <no-dsa> (Minor issue)
[bookworm] - pspp <no-dsa> (Minor issue)
[bullseye] - pspp <postponed> (Minor issue, no patch)
NOTE: https://savannah.gnu.org/bugs/?67075
CVE-2025-47814 (libpspp-core.a in GNU PSPP through 2.0.1 allows attackers to cause a h ...)
- pspp <unfixed> (bug #1105106)
+ [trixie] - pspp <no-dsa> (Minor issue)
[bookworm] - pspp <no-dsa> (Minor issue)
[bullseye] - pspp <postponed> (Minor issue, no patch)
NOTE: https://savannah.gnu.org/bugs/?67074
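Review bot: the bullseye lines for CVE-2025-47815 and CVE-2025-47814 carry "(Minor issue, no patch)" but the new trixie lines and the existing bookworm lines say only "(Minor issue)"; if there is still no upstream patch that applies equally to trixie, so either add "no patch" to the trixie and bookworm rationale or drop it from bullseye once a patch exists, so that the three suites tell the same story.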
@@ -36784,6 +36799,7 @@ CVE-2025-3573 (Versions of the package jquery-validation before 1.20.0 are vulne
- znuny <unfixed> (bug #1104135)
[bookworm] - znuny <no-dsa> (Minor issue)
- phpmyadmin <unfixed> (bug #1104136)
+ [trixie] - phpmyadmin <no-dsa> (Minor issue)
[bookworm] - phpmyadmin <no-dsa> (Minor issue)
[bullseye] - phpmyadmin <postponed> (Minor Issue; barely an issue in the phpmyadmin package XSS)
- node-jquery-validation <not-affected> (Fixed before initial upload to Debian)
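Review bot: znuny in the same CVE-2025-3573 entry has a bookworm no-dsa line but no [trixie] line, while phpmyadmin gets one here; if znuny ships in trixie it needs the same annotation, otherwise the tracker will keep listing this CVE as an open trixie issue for znuny. Separately, the bullseye rationale "barely an issue in the phpmyadmin package XSS" reads as a fragment; something like "barely an issue in the phpmyadmin package, XSS only" would make the reasoning clear at a glance.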
@@ -83951,6 +83967,7 @@ CVE-2024-52523 (Nextcloud Server is a self hosted personal cloud system. After s
- nextcloud-server <itp> (bug #941708)
CVE-2024-52522 (Rclone is a command-line program to sync files and directories to and ...)
- rclone <unfixed> (bug #1088107)
+ [trixie] - rclone <no-dsa> (Minor issue)
[bookworm] - rclone <no-dsa> (Minor issue)
[bullseye] - rclone <not-affected> (--metadata added in 1.59.0)
NOTE: https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv
@@ -416462,11 +416479,9 @@ CVE-2020-21723 (A Segmentation Fault issue discovered StreamSerializer::extractS
NOTE: https://sourceforge.net/p/oggvideotools/bugs/10/
NOTE: Crash in CLI tool, no security impact
CVE-2020-21722 (Buffer Overflow vulnerability in oggvideotools 0.9.1 allows remote att ...)
- - oggvideotools <unfixed> (bug #1050836)
- [bookworm] - oggvideotools <postponed> (Minor issue, revisit when fixed upstream)
- [bullseye] - oggvideotools <no-dsa> (Minor issue)
- [buster] - oggvideotools <no-dsa> (Minor issue)
+ - oggvideotools <unfixed> (bug #1050836; unimportant)
NOTE: https://sourceforge.net/p/oggvideotools/bugs/11/
+ NOTE: Bogus report, was done on a very old ubuntu version and no PoC ever provided
CVE-2020-21721
RESERVED
CVE-2020-21720
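Review bot: collapsing the per-suite lines into a single "(bug #1050836; unimportant)" drops the bookworm note "revisit when fixed upstream", so nothing in the entry will prompt a re-check if upstream ever acts on sourceforge bug 11; if the report is judged bogus that is the intent, but Debian bug #1050836 should then be closed or retitled to match, since the entry still cites it as open. The added NOTE giving the reason (very old Ubuntu build, no PoC ever provided) is the right thing to record; adding a pointer to where that was established would let a later triager verify it without redoing the analysis.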
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/739097c3caa07d12ee7c0401e91cc625412225e3