[Git][security-tracker-team/security-tracker][master] trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Aug 18 11:22:47 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e1b2db3d by Moritz Muehlenhoff at 2025-08-18T12:22:23+02:00
trixie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3365,6 +3365,7 @@ CVE-2025-20215 (A vulnerability in the meeting-join functionality of Cisco Webex
NOT-FOR-US: Cisco
CVE-2024-8244 (The filepath.Walk and filepath.WalkDir functions are documented as not ...)
- golang-1.24 <unfixed> (bug #1110945)
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.23 <unfixed> (bug #1110946)
- golang-1.19 <removed>
- golang-1.15 <removed>
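Review bot: golang-1.23 on the line after the new annotation is still `<unfixed>` with no `[trixie]` tag, while golang-1.24 now carries `[trixie] - golang-1.24 <no-dsa> (Minor issue)`; if golang-1.23 is also shipped in trixie it needs a matching `[trixie]` line for this triage to be complete, otherwise the entry will keep showing up as open for trixie.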
@@ -5914,6 +5915,7 @@ CVE-2025-8182 (A vulnerability has been found in Tenda AC18 15.03.05.19 and clas
NOT-FOR-US: Tenda
CVE-2025-23286 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...)
- nvidia-graphics-drivers <unfixed> (bug #1109907)
+ [trixie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
[bookworm] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1109908)
- nvidia-graphics-drivers-legacy-390xx <unfixed> (bug #1109909)
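Review bot: the `[trixie]` no-dsa line is added only for nvidia-graphics-drivers, while nvidia-graphics-drivers-legacy-340xx and -legacy-390xx in the same entry stay `<unfixed>` with no suite annotation at all. They have no `[bookworm]` line either, so this is presumably deliberate, but if any of the legacy or tesla variants (the next hunk shows nvidia-graphics-drivers-tesla-550 also `<unfixed>`) are in trixie they need the same `<no-dsa> (Non-free not supported)` tag.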
@@ -5936,6 +5938,7 @@ CVE-2025-23286 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne
- nvidia-graphics-drivers-tesla-550 <unfixed> (bug #1109917)
CVE-2025-23279 (NVIDIA .run Installer for Linux and Solaris contains a vulnerability w ...)
- nvidia-graphics-drivers <unfixed> (bug #1109907)
+ [trixie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
[bookworm] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1109908)
- nvidia-graphics-drivers-legacy-390xx <unfixed> (bug #1109909)
@@ -10096,8 +10099,10 @@ CVE-2023-38327 (An issue was discovered in eGroupWare 17.1.20190111. A User Enum
CVE-2025-48924 (Uncontrolled Recursion vulnerability in Apache Commons Lang. This iss ...)
{DLA-4262-1}
- libcommons-lang3-java <unfixed> (bug #1109125)
+ [trixie] - libcommons-lang3-java <no-dsa> (Minor issue)
[bookworm] - libcommons-lang3-java <no-dsa> (Minor issue)
- libcommons-lang-java <unfixed> (bug #1109126)
+ [trixie] - libcommons-lang-java <no-dsa> (Minor issue)
[bookworm] - libcommons-lang-java <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2025/07/11/1
NOTE: https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53 (commons-lang-3.18.0-RC1)
@@ -11314,6 +11319,7 @@ CVE-2024-56468 (IBM InfoSphere Data Replication VSAM for z/OS Remote Source 11.4
NOT-FOR-US: IBM
CVE-2025-4674 (The go command may execute unexpected commands when operating in untru ...)
- golang-1.24 <unfixed> (bug #1109109)
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.23 <unfixed> (bug #1109110)
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
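Review bot: same gap as in the CVE-2024-8244 entry: golang-1.23 `<unfixed> (bug #1109110)` gets no `[trixie]` annotation while golang-1.24 does; either add `[trixie] - golang-1.23 <no-dsa> (Minor issue)` or confirm that golang-1.23 is not in trixie, since the two packages are tracked side by side here and the bookworm tag on golang-1.19 shows the pattern of annotating every affected source in a suite.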
@@ -22917,6 +22923,7 @@ CVE-2024-12718 (Allows modifying some file metadata (e.g. last modified) with fi
NOTE: Fixed by: https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da (v3.12.11)
CVE-2024-47081 (Requests is a HTTP library. Due to a URL parsing issue, Requests relea ...)
- requests <unfixed> (bug #1107368)
+ [trixie] - requests <postponed> (Minor issue; revisit when fixed upstream)
[bookworm] - requests <postponed> (Minor issue; revisit when fixed upstream)
[bullseye] - requests <postponed> (Minor issue; revisit when fixed upstream)
NOTE: https://www.openwall.com/lists/oss-security/2025/06/03/9
@@ -24213,6 +24220,7 @@ CVE-2025-27700 (There is a possible bypass of carrier restrictions due to an unu
NOT-FOR-US: Google devices
CVE-2025-23247 (NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the ...)
- nvidia-cuda-toolkit <unfixed> (bug #1106734)
+ [trixie] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
[bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5643
CVE-2025-22377 (An issue was discovered in Samsung Mobile Processor, Wearable Processo ...)
@@ -25336,6 +25344,7 @@ CVE-2025-4575 (Issue summary: Use of -addreject option with the openssl x509 app
NOTE: https://github.com/openssl/openssl/commit/e96d22446e633d117e6c9904cb15b4693e956eaa (openssl-3.5)
CVE-2025-5024 (A flaw was found in gnome-remote-desktop. Once gnome-remote-desktop li ...)
- gnome-remote-desktop <unfixed> (bug #1106527)
+ [trixie] - gnome-remote-desktop <no-dsa> (Minor issue)
[bookworm] - gnome-remote-desktop <no-dsa> (Minor issue)
[bullseye] - gnome-remote-desktop <postponed> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2367717
@@ -31395,6 +31404,7 @@ CVE-2025-4316 (Improper access control in PAM feature in Devolutions Server allo
NOT-FOR-US: Devolutions
CVE-2025-4287 (A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as ...)
- pytorch <unfixed> (bug #1104931)
+ [trixie] - pytorch <no-dsa> (Minor issue)
[bookworm] - pytorch <no-dsa> (Minor issue)
NOTE: https://github.com/pytorch/pytorch/issues/150836
NOTE: https://github.com/pytorch/pytorch/pull/150923
@@ -36763,6 +36773,7 @@ CVE-2025-43703 (An issue was discovered in Ankitects Anki through 25.02. A craft
NOTE: Issue exists because of an incomplete fix for CVE-2024-32484
CVE-2025-3730 (A vulnerability, which was classified as problematic, was found in PyT ...)
- pytorch <unfixed> (bug #1103455)
+ [trixie] - pytorch <no-dsa> (Minor issue)
[bookworm] - pytorch <no-dsa> (Minor issue)
[bullseye] - pytorch <postponed> (Minor issue; DoS)
NOTE: https://github.com/pytorch/pytorch/issues/150835
@@ -40322,6 +40333,7 @@ CVE-2025-31672 (Improper Input Validation vulnerability in Apache POI. The issue
NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=69620
CVE-2025-31344 (Heap-based Buffer Overflow vulnerability in openEuler giflib on Linux. ...)
- giflib <unfixed> (bug #1102520)
+ [trixie] - giflib <no-dsa> (Minor issue)
[bookworm] - giflib <no-dsa> (Minor issue)
[bullseye] - giflib <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://www.openwall.com/lists/oss-security/2025/04/07/3
@@ -41929,6 +41941,7 @@ CVE-2025-3137 (A vulnerability, which was classified as critical, was found in P
NOT-FOR-US: PHPGurukul
CVE-2025-3136 (A vulnerability, which was classified as problematic, has been found i ...)
- pytorch <unfixed> (bug #1102203)
+ [trixie] - pytorch <no-dsa> (Minor issue)
[bookworm] - pytorch <no-dsa> (Minor issue)
[bullseye] - pytorch <postponed> (Minor issue)
NOTE: https://github.com/pytorch/pytorch/issues/149821
@@ -41948,6 +41961,7 @@ CVE-2025-3122 (A vulnerability classified as problematic was found in WebAssembl
NOTE: https://github.com/WebAssembly/wabt/issues/2565
CVE-2025-3121 (A vulnerability classified as problematic has been found in PyTorch 2. ...)
- pytorch <unfixed> (bug #1102236)
+ [trixie] - pytorch <no-dsa> (Minor issue)
[bookworm] - pytorch <no-dsa> (Minor issue)
[bullseye] - pytorch <postponed> (Minor issue)
NOTE: https://github.com/pytorch/pytorch/issues/149800
@@ -43923,11 +43937,13 @@ CVE-2025-3002 (A vulnerability, which was classified as critical, has been found
NOT-FOR-US: Digital China
CVE-2025-3001 (A vulnerability classified as critical was found in PyTorch 2.6.0. Thi ...)
- pytorch <unfixed> (bug #1102233)
+ [trixie] - pytorch <no-dsa> (Minor issue)
[bookworm] - pytorch <no-dsa> (Minor issue)
[bullseye] - pytorch <postponed> (Minor issue)
NOTE: https://github.com/pytorch/pytorch/issues/149626
CVE-2025-3000 (A vulnerability classified as critical has been found in PyTorch 2.6.0 ...)
- pytorch <unfixed> (bug #1102232)
+ [trixie] - pytorch <no-dsa> (Minor issue)
[bookworm] - pytorch <no-dsa> (Minor issue)
[bullseye] - pytorch <postponed> (Minor issue)
NOTE: https://github.com/pytorch/pytorch/issues/149623
@@ -44131,11 +44147,13 @@ CVE-2025-30004 (Xorcom CompletePBX is vulnerable to command injection in the adm
NOT-FOR-US: Xorcom CompletePBX
CVE-2025-2999 (A vulnerability was found in PyTorch 2.6.0. It has been rated as criti ...)
- pytorch <unfixed> (bug #1102231)
+ [trixie] - pytorch <no-dsa> (Minor issue)
[bookworm] - pytorch <no-dsa> (Minor issue)
[bullseye] - pytorch <postponed> (Minor issue)
NOTE: https://github.com/pytorch/pytorch/issues/149622
CVE-2025-2998 (A vulnerability was found in PyTorch 2.6.0. It has been declared as cr ...)
- pytorch <unfixed> (bug #1102230)
+ [trixie] - pytorch <no-dsa> (Minor issue)
[bookworm] - pytorch <no-dsa> (Minor issue)
[bullseye] - pytorch <postponed> (Minor issue)
NOTE: https://github.com/pytorch/pytorch/issues/149622
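Review bot: the NOTE for CVE-2025-2998 points at the same upstream issue (pytorch/issues/149622) as the NOTE for CVE-2025-2999 directly above it, whereas every other PyTorch entry in this patch cites a distinct issue; worth checking whether this is a copy-paste error, since the "Minor issue" rationale for the new `[trixie]` tag rests on the referenced report.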
@@ -44321,6 +44339,7 @@ CVE-2025-2954 (A vulnerability, which was classified as problematic, was found i
NOT-FOR-US: OpenManus
CVE-2025-2953 (A vulnerability, which was classified as problematic, has been found i ...)
- pytorch <unfixed> (bug #1102229)
+ [trixie] - pytorch <no-dsa> (Minor issue)
[bookworm] - pytorch <no-dsa> (Minor issue)
[bullseye] - pytorch <postponed> (Minor issue)
NOTE: https://github.com/pytorch/pytorch/issues/149274
@@ -50424,11 +50443,13 @@ CVE-2025-2151 (A vulnerability classified as critical was found in Open Asset Im
NOTE: Fixed by: https://github.com/assimp/assimp/commit/d2c6e64a1122884570caf4aaa589d810f5351f28
CVE-2025-2149 (A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as ...)
- pytorch <unfixed> (bug #1102220)
+ [trixie] - pytorch <no-dsa> (Minor issue)
[bookworm] - pytorch <no-dsa> (Minor issue)
[bullseye] - pytorch <postponed> (Minor issue)
NOTE: https://github.com/pytorch/pytorch/issues/147818
CVE-2025-2148 (A vulnerability was found in PyTorch 2.6.0+cu124. It has been declared ...)
- pytorch <unfixed> (bug #1102219)
+ [trixie] - pytorch <no-dsa> (Minor issue)
[bookworm] - pytorch <no-dsa> (Minor issue)
[bullseye] - pytorch <postponed> (Minor issue)
NOTE: https://github.com/pytorch/pytorch/issues/147722
@@ -82328,6 +82349,7 @@ CVE-2024-11668 (An issue has been discovered in GitLab CE/EE affecting all versi
- gitlab <not-affected> (Vulnerable code introduced later)
CVE-2024-11407 (There exists a denial of service through Data corruption in gRPC-C++ - ...)
- grpc <unfixed> (bug #1088806)
+ [trixie] - grpc <no-dsa> (Minor issue)
[bookworm] - grpc <no-dsa> (Minor issue)
[bullseye] - grpc <not-affected> (vulnerable code introduced later)
NOTE: Fixed by: https://github.com/grpc/grpc/commit/e9046b2bbebc0cb7f5dc42008f807f6c7e98e791 (v1.68.0-pre1)
@@ -99405,10 +99427,12 @@ CVE-2024-0125 (NVIDIA CUDA Toolkit for Windows and Linux contains a vulnerabilit
NOTE: Crash in CLI tool, no security impact
CVE-2024-0124 (NVIDIA CUDA Toolkit for Windows and Linux contains a vulnerability in ...)
- nvidia-cuda-toolkit <unfixed> (bug #1084054)
+ [trixie] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
[bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5577
CVE-2024-0123 (NVIDIA CUDA toolkit for Windows and Linux contains a vulnerability in ...)
- nvidia-cuda-toolkit <unfixed> (bug #1084054)
+ [trixie] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
[bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5577
CVE-2023-37822 (The Eufy Homebase 2 before firmware version 3.3.4.1h creates a dedicat ...)
@@ -106139,16 +106163,19 @@ CVE-2024-7717 (The WP Events Manager plugin for WordPress is vulnerable to time-
NOT-FOR-US: WordPress plugin
CVE-2024-0111 (NVIDIA CUDA Toolkit contains a vulnerability in command 'cuobjdump' wh ...)
- nvidia-cuda-toolkit <unfixed> (bug #1081905)
+ [trixie] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
[bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
[bullseye] - nvidia-cuda-toolkit <ignored> (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5564
CVE-2024-0110 (NVIDIA CUDA Toolkit contains a vulnerability in command `cuobjdump` wh ...)
- nvidia-cuda-toolkit <unfixed> (bug #1081905)
+ [trixie] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
[bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
[bullseye] - nvidia-cuda-toolkit <ignored> (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5564
CVE-2024-0109 (NVIDIA CUDA Toolkit contains a vulnerability in command `cuobjdump` wh ...)
- nvidia-cuda-toolkit <unfixed> (bug #1081905)
+ [trixie] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
[bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
[bullseye] - nvidia-cuda-toolkit <ignored> (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5564
@@ -112203,6 +112230,7 @@ CVE-2024-7317 (The Folders \u2013 Unlimited Folders to Organize Media Library Fo
NOT-FOR-US: WordPress plugin
CVE-2024-7246 (It's possible for a gRPC client communicating with a HTTP/2 proxy to p ...)
- grpc <unfixed> (bug #1082856)
+ [trixie] - grpc <no-dsa> (Minor issue)
[bookworm] - grpc <no-dsa> (Minor issue)
[bullseye] - grpc <postponed> (Minor issue, light cache poisoning and infoleak)
NOTE: https://github.com/grpc/grpc/issues/36245
@@ -125733,6 +125761,7 @@ CVE-2024-0103 (NVIDIA Triton Inference Server for Linux contains a vulnerability
NOT-FOR-US: NVIDIA
CVE-2024-0102 (NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvdi ...)
- nvidia-cuda-toolkit <unfixed> (bug #1076164)
+ [trixie] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
[bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
[bullseye] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5548
@@ -175324,6 +175353,7 @@ CVE-2023-51363 (VR-S1000 firmware Ver. 2.37 and earlier allows a network-adjacen
NOT-FOR-US: VR-S1000 firmware
CVE-2023-50658 (The jose2go component before 1.6.0 for Go allows attackers to cause a ...)
- golang-github-dvsekhvalnov-jose2go <unfixed> (bug #1059507)
+ [trixie] - golang-github-dvsekhvalnov-jose2go <no-dsa> (Minor issue)
[bookworm] - golang-github-dvsekhvalnov-jose2go <no-dsa> (Minor issue)
[bullseye] - golang-github-dvsekhvalnov-jose2go <no-dsa> (Minor issue)
[buster] - golang-github-dvsekhvalnov-jose2go <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
@@ -189625,6 +189655,7 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource
- tomcat10 10.1.14-1
- trafficserver 9.2.3+ds-1 (bug #1053801; bug #1054427)
- grpc <unfixed> (bug #1074421)
+ [trixie] - grpc <no-dsa> (Minor issue)
[bookworm] - grpc <no-dsa> (Minor issue)
[bullseye] - grpc <no-dsa> (Minor issue)
[buster] - grpc <no-dsa> (Minor issue)
@@ -193486,6 +193517,7 @@ CVE-2023-4801 (An improper certification validation vulnerability in the Insider
NOT-FOR-US: Insider Threat Management (ITM) Server
CVE-2023-4785 (Lack of error handling in the TCP server in Google's gRPC starting ver ...)
- grpc <unfixed> (bug #1059281)
+ [trixie] - grpc <no-dsa> (Minor issue)
[bookworm] - grpc <no-dsa> (Minor issue)
[bullseye] - grpc <no-dsa> (Minor issue)
[buster] - grpc <no-dsa> (Minor issue)
@@ -198482,6 +198514,7 @@ CVE-2023-34545 (A SQL injection vulnerability in CSZCMS 1.3.0 allows remote atta
NOT-FOR-US: CSZCMS
CVE-2023-33953 (gRPC contains a vulnerability that allows hpack table accounting error ...)
- grpc <unfixed> (bug #1059279)
+ [trixie] - grpc <no-dsa> (Minor issue)
[bookworm] - grpc <no-dsa> (Minor issue)
[bullseye] - grpc <no-dsa> (Minor issue)
[buster] - grpc <postponed> (recheck when upstream patch is available/published)
@@ -206235,6 +206268,7 @@ CVE-2023-33557 (Fuel CMS v1.5.2 was discovered to contain a SQL injection vulner
NOT-FOR-US: Fuel CMS
CVE-2023-32732 (gRPC contains a vulnerability whereby a client can cause a termination ...)
- grpc <unfixed> (bug #1059280)
+ [trixie] - grpc <no-dsa> (Minor issue)
[bookworm] - grpc <no-dsa> (Minor issue)
[bullseye] - grpc <no-dsa> (Minor issue)
[buster] - grpc <postponed> (Minor issue; request smuggling; recheck whether fixed or introduced by #32309 when CVE description is updated)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1b2db3d71342bae8ecd2eb116f263f6700d6348