[Git][security-tracker-team/security-tracker][master] trixie triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Aug 14 16:14:42 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
cc60bb14 by Moritz Muehlenhoff at 2025-08-14T17:14:03+02:00
trixie triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -7878,6 +7878,7 @@ CVE-2025-2799 (The WP Event Manager \u2013 Events Calendar, Registrations, Sell
 	NOT-FOR-US: WordPress plugin
 CVE-2025-53906 (Vim is an open source, command line text editor. Prior to version 9.1. ...)
 	- vim <unfixed> (bug #1109374)
+	[trixie] - vim <no-dsa> (Minor issue)
 	[bookworm] - vim <no-dsa> (Minor issue)
 	[bullseye] - vim <postponed> (Minor issue; path traversal requiring direct user interaction)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/07/15/2
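Review bot: the new `[trixie] - vim <no-dsa> (Minor issue)` line records a less specific rationale than the bullseye entry two lines below, which spells out why the issue is minor ("path traversal requiring direct user interaction"). Carrying that reason into the trixie line as well would make the no-dsa decision reproducible without re-reading the oss-security thread linked in the NOTE.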
@@ -7885,6 +7886,7 @@ CVE-2025-53906 (Vim is an open source, command line text editor. Prior to versio
 	NOTE: https://github.com/vim/vim/security/advisories/GHSA-r2fw-9cw4-mj86
 CVE-2025-53905 (Vim is an open source, command line text editor. Prior to version 9.1. ...)
 	- vim <unfixed> (bug #1109374)
+	[trixie] - vim <no-dsa> (Minor issue)
 	[bookworm] - vim <no-dsa> (Minor issue)
 	[bullseye] - vim <postponed> (Minor issue; path traversal requiring direct user interaction)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/07/15/1
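Review bot: same remark as for CVE-2025-53906 above: the trixie line only says "(Minor issue)" while the bullseye line in the same hunk carries the actual justification; the two vim entries share bug #1109374 and would read more consistently with the same rationale on every suite line.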
@@ -26728,6 +26730,7 @@ CVE-2025-47285 (Vyper is the Pythonic Programming Language for the Ethereum Virt
 	NOT-FOR-US: Vyper
 CVE-2025-47279 (Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6. ...)
 	- node-undici <unfixed> (bug #1105860)
+	[trixie] - node-undici <no-dsa> (Minor issue)
 	[bookworm] - node-undici <no-dsa> (Minor issue)
 	NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3
 	NOTE: https://github.com/nodejs/undici/issues/3895
@@ -26890,6 +26893,7 @@ CVE-2025-23165 (In Node.js, the `ReadFileUtf8` internal binding leaks memory due
 	NOTE: Introduced by: https://github.com/nodejs/node/commit/938471ef556f2d64257059b60889a8c84621eea6 (v20.8.0)
 CVE-2025-23167 (A flaw in Node.js 20's HTTP parser allows improper termination of HTTP ...)
 	- node-undici <unfixed> (bug #1105919)
+	[trixie] - node-undici <no-dsa> (Minor issue)
 	[bookworm] - node-undici <no-dsa> (Minor issue)
 	- llhttp <itp> (bug #977716)
 	NOTE: https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-http-header-block-termination-in-llhttp-cve-2025-23167---medium
@@ -33252,6 +33256,7 @@ CVE-2025-46654 (CodiMD through 2.2.0 has a CSP-based protection mechanism agains
 	NOT-FOR-US: CodiMD
 CVE-2025-46653 (Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies ...)
 	- node-formidable <unfixed> (bug #1104246)
+	[trixie] - node-formidable <ignored> (Minor issue)
 	[bookworm] - node-formidable <ignored> (Minor issue)
 	[bullseye] - node-formidable <ignored> (Minor issue)
 	NOTE: Fixed by: https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5 (v3.5.3)
@@ -65883,6 +65888,7 @@ CVE-2025-23208 (zot is a production-ready vendor-neutral OCI image registry. The
 	NOT-FOR-US: zot
 CVE-2025-23207 (KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering ...)
 	- node-katex <unfixed> (bug #1093446)
+	[trixie] - node-katex <no-dsa> (Minor issue)
 	[bookworm] - node-katex <no-dsa> (Minor issue)
 	[bullseye] - node-katex <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cg87-wmx4-v546
@@ -74874,12 +74880,14 @@ CVE-2024-37962 (Improper Neutralization of Input During Web Page Generation ('Cr
 	NOT-FOR-US: Agency Dominion Fusion
 CVE-2024-12801 (Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logba ...)
 	- logback <unfixed> (bug #1091320)
+	[trixie] - logback <no-dsa> (Minor issue)
 	[bookworm] - logback <no-dsa> (Minor issue)
 	[bullseye] - logback <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://logback.qos.ch/news.html#1.5.13
 	NOTE: Fixed by: https://github.com/qos-ch/logback/commit/5f05041cba4c4ac0a62748c5c527a2da48999f2d (v_1.5.13)
 CVE-2024-12798 (ACE vulnerability in JaninoEventEvaluator  by QOS.CH logback-core      ...)
 	- logback <unfixed> (bug #1091319)
+	[trixie] - logback <no-dsa> (Minor issue)
 	[bookworm] - logback <no-dsa> (Minor issue)
 	[bullseye] - logback <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://logback.qos.ch/news.html#1.5.13
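Review bot: for CVE-2024-12798 the tracker description reads "ACE vulnerability in JaninoEventEvaluator", yet the new trixie line gives only the bare "(Minor issue)" rationale copied from the bookworm line. Code execution does not sound minor on its face, so a NOTE stating why it is downgraded (which preconditions the evaluator needs before the issue becomes reachable) would help later readers; the upstream news link already present does not record that reasoning.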
@@ -89574,6 +89582,7 @@ CVE-2024-7883 (When using Arm Cortex-M Security Extensions (CMSE), Secure stack
 	[bookworm] - llvm-toolchain-16 <ignored> (Minor issue, doesn't affect the default build flags in Debian and no backport into release branches planned)
 	[bullseye] - llvm-toolchain-16 <ignored> (Minor issue, doesn't affect the default build flags in Debian and no backport into release branches planned)
 	- llvm-toolchain-17 <unfixed> (bug #1104017)
+	[trixie] - llvm-toolchain-17 <ignored> (Minor issue, doesn't affect the default build flags in Debian and no backport into release branch 17 planned)
 	- llvm-toolchain-18 <unfixed> (bug #1104016)
 	[trixie] - llvm-toolchain-18 <ignored> (Minor issue, doesn't affect the default build flags in Debian and no backport into release branch 18 planned)
 	- llvm-toolchain-19 <unfixed> (bug #1104015)
@@ -96766,6 +96775,7 @@ CVE-2024-46307 (A loop hole in the payment logic of Sparkshop v1.16 allows attac
 	NOT-FOR-US: Sparkshop
 CVE-2024-46304 (A NULL pointer dereference in libcoap v4.3.5-rc2 and below allows a re ...)
 	- libcoap3 <unfixed> (bug #1084981)
+	[trixie] - libcoap3 <ignored> (Minor issue, no reverse deps in trixie)
 	[bookworm] - libcoap3 <ignored> (Minor issue, no reverse deps in Bookworm)
 	- libcoap2 <removed>
 	[bullseye] - libcoap2 <postponed> (Minor issue; can be fixed in next update)
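Review bot: suite-name capitalisation is inconsistent between the added line ("no reverse deps in trixie") and the existing bookworm line ("no reverse deps in Bookworm"); pick one form, and lower-case matching the bracketed suite tag reads most naturally. The same pair recurs in the three following libcoap3 hunks, so they are best fixed together.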
@@ -126878,6 +126888,7 @@ CVE-2023-6491 (The Strong Testimonials plugin for WordPress is vulnerable to una
 	NOT-FOR-US: WordPress plugin
 CVE-2023-51847 (An issue in obgm and Libcoap v.a3ed466 allows a remote attacker to cau ...)
 	- libcoap3 <unfixed> (bug #1084981)
+	[trixie] - libcoap3 <ignored> (Minor issue, no reverse deps in trixie)
 	[bookworm] - libcoap3 <ignored> (Minor issue, no reverse deps in Bookworm)
 	- libcoap2 <removed>
 	[bullseye] - libcoap2 <postponed> (Minor issue; can be fixed in next update)
@@ -145015,6 +145026,7 @@ CVE-2024-31031 (An issue in `coap_pdu.c` in libcoap 4.3.4 allows attackers to ca
 	- libcoap <not-affected> (Vulnerable code not present)
 	- libcoap2 <not-affected> (Vulnerable code not present)
 	- libcoap3 <unfixed> (bug #1070362)
+	[trixie] - libcoap3 <ignored> (Minor issue, no reverse deps in trixie)
 	[bookworm] - libcoap3 <ignored> (Minor issue, no reverse deps in Bookworm)
 	NOTE: https://github.com/obgm/libcoap/issues/1351
 	NOTE: https://github.com/obgm/libcoap/commit/214665ac4b44b1b6a7e38d4d6907ee835a174928 (v4.3.5-rc1)
@@ -167791,6 +167803,7 @@ CVE-2024-23738 (An issue in Postman version 10.22 and before on macOS allows a r
 	NOT-FOR-US: Postman on MacOS
 CVE-2024-0962 (A vulnerability was found in obgm libcoap 4.3.4. It has been rated as  ...)
 	- libcoap3 <unfixed> (bug #1061704)
+	[trixie] - libcoap3 <ignored> (Minor issue, no reverse deps in trixie)
 	[bookworm] - libcoap3 <not-affected> (Vulnerable code not present)
 	- libcoap2 <not-affected> (Vulnerable code not present)
 	- libcoap <not-affected> (Vulnerable code not present)
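Review bot: for CVE-2024-0962 trixie goes to <ignored> while bookworm, libcoap2 and libcoap all carry <not-affected> (Vulnerable code not present); the asymmetry is presumably because the affected code only exists in the libcoap3 version trixie ships, but nothing in the entry records that. A NOTE naming the upstream change that introduced the code, as done for the Node.js entry earlier in this patch, would document why only trixie's libcoap3 is affected.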
@@ -185666,6 +185679,7 @@ CVE-2023-46602 (In International Color Consortium DemoIccMAX 79ecb74, there is a
 	NOT-FOR-US: International Color Consortium DemoIccMAX
 CVE-2023-46332 (WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write in DataS ...)
 	- wabt <unfixed> (bug #1055299)
+	[trixie] - wabt <no-dsa> (Minor issue)
 	[bookworm] - wabt <no-dsa> (Minor issue)
 	[bullseye] - wabt <no-dsa> (Minor issue)
 	[buster] - wabt <no-dsa> (Minor issue)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc60bb1499968da27a7acfacf641ef8c91828c50
