[Git][security-tracker-team/security-tracker][master] trixie triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Aug 15 14:47:11 BST 2025



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3c0acad2 by Moritz Muehlenhoff at 2025-08-15T15:46:50+02:00
trixie triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -18072,6 +18072,7 @@ CVE-2025-6069 (The html.parser.HTMLParser class had worse-case quadratic complex
 	- pypy3 <unfixed>
 	[bullseye] - pypy3 <postponed> (Minor issue; DoS)
 	- jython <unfixed> (bug #1109376)
+	[trixie] - jython <no-dsa> (Minor issue)
 	[bookworm] - jython <no-dsa> (Minor issue)
 	[bullseye] - jython <end-of-life> (EOL in bullseye LTS)
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/K5PIYLR6EP3WR7ZOKKYQUWEDNQVUXOYM/
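Review bot: pypy3 in this entry stays `<unfixed>` with only a `[bullseye]` decision, while jython now gets a `[trixie]` line; if the same minor-issue assessment applies to pypy3 in trixie, add a matching `[trixie] - pypy3 <no-dsa> (Minor issue)` (or `<postponed>`, mirroring the bullseye line) so trixie triage for this CVE is complete rather than half done.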
@@ -22695,6 +22696,7 @@ CVE-2025-49113 (Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows r
 CVE-2025-49112 (setDeferredReply in networking.c in Valkey through 8.1.1 has an intege ...)
 	- redict 7.3.5+ds-1 (bug #1107212)
 	- redis <unfixed> (bug #1107211)
+	[trixie] - redis <postponed> (Minor issue; can be fixed along with next DSA)
 	[bookworm] - redis <postponed> (Minor issue; can be fixed along with next DSA)
 	[bullseye] - redis <postponed> (Minor issue; can be fixed along with next DLA)
 	- valkey 8.1.1+dfsg1-2 (bug #1107210)
@@ -25073,6 +25075,7 @@ CVE-2025-4969 (A vulnerability was found in the libsoup package. This flaw stems
 	- libsoup3 3.6.5-2 (bug #1106248)
 	[bookworm] - libsoup3 <no-dsa> (Minor issue)
 	- libsoup2.4 <unfixed> (bug #1106325)
+	[trixie] - libsoup2.4 <no-dsa> (Minor issue)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/447
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/467
@@ -25712,6 +25715,7 @@ CVE-2025-4948 (A flaw was found in the soup_multipart_new_from_message() functio
 	- libsoup3 3.6.5-2 (bug #1106204)
 	[bookworm] - libsoup3 <no-dsa> (Minor issue)
 	- libsoup2.4 <unfixed> (bug #1106337)
+	[trixie] - libsoup2.4 <no-dsa> (Minor issue)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463
@@ -25719,6 +25723,7 @@ CVE-2025-4945 (A flaw was found in the cookie parsing logic of the libsoup HTTP
 	- libsoup3 3.6.5-2 (bug #1106205)
 	[bookworm] - libsoup3 <no-dsa> (Minor issue)
 	- libsoup2.4 <unfixed> (bug #1106375)
+	[trixie] - libsoup2.4 <no-dsa> (Minor issue)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
 CVE-2025-4941 (A vulnerability, which was classified as critical, was found in PHPGur ...)
@@ -27296,6 +27301,7 @@ CVE-2025-4476 (A denial-of-service vulnerability has been identified in the libs
 	- libsoup3 3.6.5-2 (bug #1105887)
 	[bookworm] - libsoup3 <no-dsa> (Minor issue)
 	- libsoup2.4 <unfixed> (bug #1107757)
+	[trixie] - libsoup2.4 <no-dsa> (Minor issue)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/440
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/457
@@ -33623,8 +33629,10 @@ CVE-2024-10635 (Enterprise Protection contains an improper input validation vuln
 	NOT-FOR-US: Proofpoint
 CVE-2025-4035 (A flaw was found in libsoup. When handling cookies, libsoup clients mi ...)
 	- libsoup3 <unfixed> (bug #1104414)
+	[trixie] - libsoup3 <no-dsa> (Minor issue)
 	[bookworm] - libsoup3 <no-dsa> (Minor issue)
 	- libsoup2.4 <unfixed> (bug #1104415)
+	[trixie] - libsoup2.4 <no-dsa> (Minor issue)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2362651
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/443
@@ -34372,6 +34380,7 @@ CVE-2025-46421 (A flaw was found in libsoup. When libsoup clients encounter an H
 	- libsoup3 3.6.5-1
 	[bookworm] - libsoup3 <no-dsa> (Minor issue)
 	- libsoup2.4 <unfixed> (bug #1104054)
+	[trixie] - libsoup2.4 <no-dsa> (Minor issue)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/439
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436
@@ -38063,6 +38072,7 @@ CVE-2025-32907 (A flaw was found in libsoup. The implementation of HTTP range re
 	- libsoup3 3.6.5-2 (bug #1103264)
 	[bookworm] - libsoup3 <no-dsa> (Minor issue)
 	- libsoup2.4 <unfixed> (bug #1103518)
+	[trixie] - libsoup2.4 <no-dsa> (Minor issue)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/428
 	NOTE: See also https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/452
@@ -41118,8 +41128,10 @@ CVE-2025-32050 (A flaw was found in libsoup. The libsoup append_param_quoted() f
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/9bb0a55de55c6940ced811a64fbca82fe93a9323 (3.6.1)
 CVE-2025-32049 (A flaw was found in libsoup. The SoupWebsocketConnection may accept a  ...)
 	- libsoup3 <unfixed> (bug #1102067)
+	[trixie] - libsoup3 <no-dsa> (Minor issue)
 	[bookworm] - libsoup3 <no-dsa> (Minor issue)
 	- libsoup2.4 <unfixed> (bug #1102211)
+	[trixie] - libsoup2.4 <no-dsa> (Minor issue)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/390
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/408
@@ -46618,6 +46630,7 @@ CVE-2024-44199 (An out-of-bounds read was addressed with improved input validati
 	NOT-FOR-US: Apple
 CVE-2024-13903 (A vulnerability was found in quickjs-ng QuickJS up to 0.8.0. It has be ...)
 	- quickjs <unfixed> (bug #1100987)
+	[trixie] - quickjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/quickjs-ng/quickjs/issues/775
 	NOTE: https://github.com/quickjs-ng/quickjs/commit/99c02eb45170775a9a679c32b45dd4000ea67aff (v0.9.0)
 CVE-2025-30160 (Redlib is an alternative private front-end to Reddit. A vulnerability  ...)
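Review bot: the new `[trixie] - quickjs <no-dsa> (Minor issue)` line is the only release annotation for quickjs, whereas every other entry touched in this commit pairs the trixie decision with a `[bookworm]` line. If quickjs is also shipped in bookworm, that release still lacks a triage decision here; if it is not, the entry is complete as written.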
@@ -78789,6 +78802,7 @@ CVE-2024-55634 (A vulnerability in Drupal Core allows Privilege Escalation.This
 	- drupal7 <not-affected> (Only affects Drupal 8 and later)
 CVE-2024-55601 (Hugo is a static site generator. Starting in version 0.123.0 and prior ...)
 	- hugo <unfixed> (bug #1089683)
+	[trixie] - hugo <no-dsa> (Minor issue)
 	[bookworm] - hugo <not-affected> (Vulnerable code introduced later)
 	[bullseye] - hugo <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx
@@ -96037,6 +96051,7 @@ CVE-2024-45271 (An unauthenticated local attacker can gain admin privileges by d
 	NOT-FOR-US: MB connect line GmbH
 CVE-2024-44337 (The package `github.com/gomarkdown/markdown` is a Go library for parsi ...)
 	- golang-github-gomarkdown-markdown <unfixed> (bug #1085377)
+	[trixie] - golang-github-gomarkdown-markdown <no-dsa> (Minor issue)
 	[bookworm] - golang-github-gomarkdown-markdown <no-dsa> (Minor issue)
 	NOTE: https://github.com/Brinmon/CVE-2024-44337
 	NOTE: https://github.com/gomarkdown/markdown/commit/a2a9c4f76ef5a5c32108e36f7c47f8d310322252
@@ -106978,7 +106993,8 @@ CVE-2024-42852 (Cross Site Scripting vulnerability in AcuToWeb server v.10.5.0.7
 	NOT-FOR-US: AcuToWeb server
 CVE-2024-42845 (An eval Injection vulnerability in the component invesalius/reader/dic ...)
 	- invesalius <unfixed> (bug #1082875)
-	[bookworm] - invesalius <postponed> (Minor issue, revisit when fixed upstream)
+	[trixie] - invesalius <no-dsa> (Minor issue)
+	[bookworm] - invesalius <no-dsa> (Minor issue)
 	[bullseye] - invesalius <postponed> (Minor issue)
 	NOTE: https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845
 	NOTE: https://github.com/invesalius/invesalius3/commit/020cd6056c30105a870cfea99939282b6ec5640b
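Review bot: this hunk changes bookworm, not only trixie: `[bookworm] - invesalius <postponed> (Minor issue, revisit when fixed upstream)` is replaced by `<no-dsa> (Minor issue)`, dropping the "revisit when fixed upstream" reminder while the package remains `<unfixed>` and the NOTE below points at an upstream commit. If reassessing bookworm to no-dsa is intended, the commit message "trixie triage" should say so; otherwise keep the bookworm line as `<postponed>` and add only the `[trixie]` line.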
@@ -159369,6 +159385,7 @@ CVE-2024-1979 (A vulnerability was found in Quarkus. In certain conditions relat
 	NOT-FOR-US: Quarkus
 CVE-2023-5685 (A flaw was found in XNIO. The XNIO NotifierState that can cause a Stac ...)
 	- jboss-xnio <unfixed> (bug #1065847)
+	[trixie] - jboss-xnio <ignored> (Minor issue)
 	[bookworm] - jboss-xnio <ignored> (Minor issue)
 	[bullseye] - jboss-xnio <no-dsa> (Minor issue)
 	[buster] - jboss-xnio <no-dsa> (Minor issue)
@@ -174239,6 +174256,7 @@ CVE-2023-50837 (Improper Neutralization of Special Elements used in an SQL Comma
 	NOT-FOR-US: WordPress plugin
 CVE-2023-50572 (An issue in the component GroovyEngine.execute of jline-groovy v3.24.1 ...)
 	- jline3 <unfixed> (bug #1059726)
+	[trixie] - jline3 <ignored> (Minor issue)
 	[bookworm] - jline3 <ignored> (Minor issue)
 	[bullseye] - jline3 <no-dsa> (Minor issue)
 	- jline2 <not-affected> (Only affects 3.x)
@@ -188114,6 +188132,7 @@ CVE-2023-5072 (Denial of Service  in JSON-Java versions up to and including 2023
 	[bullseye] - libjson-java <no-dsa> (Minor issue)
 	[buster] - libjson-java <no-dsa> (Minor issue)
 	- jenkins-json <unfixed> (bug #1053883)
+	[trixie] - jenkins-json <postponed> (Minor issue, revisit when fixed upstream)
 	[bookworm] - jenkins-json <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - jenkins-json <no-dsa> (Minor issue)
 	[buster] - jenkins-json <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c0acad29d97d5a76449d7978f992be7e1015a92
