[Git][security-tracker-team/security-tracker][master] trixie triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Aug 20 22:29:06 BST 2025



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
978809cc by Moritz Muehlenhoff at 2025-08-20T23:28:28+02:00
trixie triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -7009,6 +7009,7 @@ CVE-2023-53157 (The rosenpass crate before 0.2.1 for Rust allows remote attacker
 	NOT-FOR-US: rosenpass rust crate
 CVE-2023-53156 (The transpose crate before 0.2.3 for Rust allows an integer overflow v ...)
 	- rust-transpose 0.2.3-1 (bug #1110260)
+	[trixie] - rust-transpose <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0080.html
 	NOTE: https://github.com/ejmahler/transpose/issues/11
 	NOTE: Fixed by: https://github.com/ejmahler/transpose/commit/c4bcd39fabca9a31a401d0cc42d4090869b5a37a (v0.2.3)
@@ -9466,6 +9467,7 @@ CVE-2025-53945 (apko allows users to build and publish OCI container images buil
 	NOT-FOR-US: apko
 CVE-2025-53901 (Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0. ...)
 	- rust-wasmtime <unfixed> (bug #1109548)
+	[trixie] - rust-wasmtime <no-dsa> (Minor issue)
 	NOTE: https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-fm79-3f68-h2fc
 CVE-2025-53888 (RIOT-OS, an operating system that supports Internet of Things devices, ...)
 	NOT-FOR-US: RIOT-OS
@@ -17298,6 +17300,7 @@ CVE-2025-52937 (Vulnerability in PointCloudLibrary PCL (surface/src/3rdparty/ope
 CVE-2025-52936 (Improper Link Resolution Before File Access ('Link Following') vulnera ...)
 	{DLA-4238-1}
 	- sslh <unfixed> (bug #1108284)
+	[trixie] - sslh <no-dsa> (Minor issue)
 	[bookworm] - sslh <no-dsa> (Minor issue)
 	NOTE: https://github.com/yrutschle/sslh/pull/494
 	NOTE: Fixed by: https://github.com/yrutschle/sslh/commit/0fe9bd5a956a123342ff12352b25bff8025dac69 (v2.2.2)
@@ -24299,6 +24302,7 @@ CVE-2025-47272 (The CE Phoenix eCommerce platform, starting in version 1.0.9.7 a
 	NOT-FOR-US: CE Phoenix
 CVE-2025-46807 (A Allocation of Resources Without Limits or Throttling vulnerability i ...)
 	- sslh <unfixed> (bug #1107213)
+	[trixie] - sslh <no-dsa> (Minor issue)
 	[bookworm] - sslh <no-dsa> (Minor issue)
 	[bullseye] - sslh <ignored> (Minor issue; too intrusive to backport)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1243122
@@ -24306,6 +24310,7 @@ CVE-2025-46807 (A Allocation of Resources Without Limits or Throttling vulnerabi
 	NOTE: https://www.openwall.com/lists/oss-security/2025/06/13/1
 CVE-2025-46806 (A Use of Out-of-range Pointer Offset vulnerability in sslh leads to de ...)
 	- sslh <unfixed> (bug #1107214)
+	[trixie] - sslh <no-dsa> (Minor issue)
 	[bookworm] - sslh <not-affected> (Vulnerable code introdued later)
 	[bullseye] - sslh <not-affected> (Vulnerable code introdued later)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1243120
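Review bot: the two context lines `[bookworm] - sslh <not-affected> (Vulnerable code introdued later)` and `[bullseye] - sslh <not-affected> (Vulnerable code introdued later)` carry the typo "introdued" for "introduced"; since this entry is being edited anyway, correcting both in the same commit would keep the annotation readable.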
@@ -29866,6 +29871,7 @@ CVE-2025-3916 (CWE-121: Stack-based Buffer Overflowvulnerability existsthat coul
 	NOT-FOR-US: Schneider Electric
 CVE-2025-3757 (Versions of OpenPubkey library prior to 0.10.0  contained a vulnerabil ...)
 	- golang-github-openpubkey-openpubkey <unfixed> (bug #1105736)
+	[trixie] - golang-github-openpubkey-openpubkey <no-dsa> (Minor issue)
 	NOTE: https://github.com/openpubkey/openpubkey/security/advisories/GHSA-537f-gxgm-3jjq
 CVE-2025-3744 (Nomad Enterprise (\u201cNomad\u201d) jobs using the policy override op ...)
 	- nomad <not-affected> (Specific to Nomad Enterprise)
@@ -43621,6 +43627,7 @@ CVE-2024-42325 (Zabbix API user.get returns all users that share common group wi
 	NOTE: Fixed by (merge commit) https://github.com/zabbix/zabbix/commit/9edbc84251a1fb2ab75dc974c334d300d4705390 (5.0.46rc1)
 CVE-2024-39780 (A YAML deserialization vulnerability was found in the Robot Operating  ...)
 	- ros-dynamic-reconfigure <unfixed> (bug #1102010)
+	[trixie] - ros-dynamic-reconfigure <no-dsa> (Minor issue)
 	[bookworm] - ros-dynamic-reconfigure <no-dsa> (Minor issue)
 	[bullseye] - ros-dynamic-reconfigure <postponed> (Minor issue)
 	NOTE: https://github.com/ros/dynamic_reconfigure/pull/202
@@ -122930,6 +122937,7 @@ CVE-2024-38518 (BigBlueButton is an open-source virtual classroom designed to he
 	NOT-FOR-US: BigBlueButton
 CVE-2019-25211 (parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandle ...)
 	- golang-github-gin-contrib-cors <unfixed> (bug #1075962)
+	[trixie] - golang-github-gin-contrib-cors <no-dsa> (Minor issue)
 	[bookworm] - golang-github-gin-contrib-cors <no-dsa> (Minor issue)
 	[bullseye] - golang-github-gin-contrib-cors <no-dsa> (Minor issue)
 	NOTE: https://github.com/gin-contrib/cors/pull/57
@@ -123265,11 +123273,12 @@ CVE-2024-39154 (idccms v1.35 was discovered to contain a Cross-Site Request Forg
 CVE-2024-39153 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...)
 	NOT-FOR-US: idccms
 CVE-2024-39133 (Heap Buffer Overflow vulnerability in zziplib v0.13.77 allows attacker ...)
-	- zziplib <unfixed> (bug #1074417)
+	- zziplib 0.13.78+dfsg.1-0.1 (bug #1074417)
 	[bookworm] - zziplib <ignored> (Minor issue)
 	[bullseye] - zziplib <no-dsa> (Minor issue)
 	[buster] - zziplib <postponed> (Minor issue, revisi when fixed upstream)
 	NOTE: https://github.com/gdraheim/zziplib/issues/164
+	NOTE: No exact fixing commits known, but upstream concludes as fixed in v0.13.78
 CVE-2024-39130 (A NULL Pointer Dereference discovered in DumpTS v0.1.0-nightly allows  ...)
 	NOT-FOR-US: DumpTS
 CVE-2024-39129 (Heap Buffer Overflow vulnerability in DumpTS v0.1.0-nightly allows att ...)
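Review bot: the added NOTE "No exact fixing commits known, but upstream concludes as fixed in v0.13.78" is the sole justification for changing `- zziplib <unfixed> (bug #1074417)` to `- zziplib 0.13.78+dfsg.1-0.1 (bug #1074417)`, yet the only reference given is the issue link https://github.com/gdraheim/zziplib/issues/164; pointing at the specific issue comment or release note in which upstream states that 0.13.78 fixes this would make the fixed-version claim verifiable later. While here, the buster context line reads `revisi when fixed upstream`, which looks like a truncated "revisit".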
@@ -124032,6 +124041,7 @@ CVE-2024-6160 (SQL Injection vulnerability in MegaBIP software allows attacker t
 	NOT-FOR-US: MegaBIP
 CVE-2024-6104 (go-retryablehttp prior to 0.7.7 did not sanitize urls when writing the ...)
 	- golang-github-hashicorp-go-retryablehttp <unfixed> (bug #1076773)
+	[trixie] - golang-github-hashicorp-go-retryablehttp <no-dsa> (Minor issue)
 	[bookworm] - golang-github-hashicorp-go-retryablehttp <no-dsa> (Minor issue)
 	[bullseye] - golang-github-hashicorp-go-retryablehttp <no-dsa> (Minor issue)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2024-12-go-retryablehttp-can-leak-basic-auth-credentials-to-log-files/68027
@@ -203275,6 +203285,7 @@ CVE-2023-37463 (cmark-gfm is an extended version of the C reference implementati
 	[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
 	[buster] - r-cran-commonmark <no-dsa> (Minor issue)
 	- ruby-commonmarker <unfixed> (bug #1041100)
+	[trixie] - ruby-commonmarker <ignored> (Minor issue)
 	[bookworm] - ruby-commonmarker <ignored> (Minor issue)
 	[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
 	[buster] - ruby-commonmarker <no-dsa> (Minor issue)
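Review bot: the added line `[trixie] - ruby-commonmarker <ignored> (Minor issue)` uses `<ignored>` whereas every other trixie annotation in this commit uses `<no-dsa>`. It mirrors the existing bookworm line, so it may be intended, but the two tags record different decisions (no fix planned for the release versus a fix that does not warrant a DSA but may still land via a point release), so it is worth confirming that ruby-commonmarker is meant to stay unfixed in trixie rather than following the bullseye and buster `<no-dsa>` pattern.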



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/978809cc51991af078b803595461eb7d2329714d


