[Git][security-tracker-team/security-tracker][master] bookworm/trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Thu Aug 21 15:12:32 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2f8ff5ad by Moritz Muehlenhoff at 2025-08-21T16:11:59+02:00
bookworm/trixie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -420,10 +420,13 @@ CVE-2025-54551 (Synapse Mobility 8.0, 8.0.1, 8.0.2, 8.1, and 8.1.1 contain a pri
NOT-FOR-US: Synapse Mobility
CVE-2025-54364 (Microsoft Knack 0.12.0 allows Regular expression Denial of Service (Re ...)
- knack <unfixed>
- TODO: check upstream details
+ [trixie] - knack <no-dsa> (Minor issue)
+ [bookworm] - knack <no-dsa> (Minor issue)
+ NOTE: https://github.com/microsoft/knack/issues/281
CVE-2025-54363 (Microsoft Knack 0.12.0 allows Regular expression Denial of Service (Re ...)
- knack <unfixed>
- TODO: check upstream details
+ [trixie] - knack <no-dsa> (Minor issue)
+ [bookworm] - knack <no-dsa> (Minor issue)
CVE-2025-54145 (The QR scanner could allow arbitrary websites to be opened if a user w ...)
NOT-FOR-US: Firefox for iOS
CVE-2025-54144 (The URL scheme used by Firefox to facilitate searching of text queries ...)
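Review bot: CVE-2025-54363 is triaged identically to CVE-2025-54364 but, unlike 54364, gets no upstream reference; its `TODO: check upstream details` line is dropped without a replacement NOTE. If https://github.com/microsoft/knack/issues/281 covers both ReDoS reports, add the same `NOTE:` line under 54363; otherwise record the separate upstream issue so the no-dsa decision stays traceable.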
@@ -8087,9 +8090,11 @@ CVE-2025-8115 (A vulnerability has been found in PHPGurukul Taxi Stand Managemen
NOT-FOR-US: PHPGurukul
CVE-2025-8114 (A flaw was found in libssh, a library that implements the SSH protocol ...)
- libssh <unfixed> (bug #1109860)
+ [trixie] - libssh <no-dsa> (Minor issue)
+ [bookworm] - libssh <no-dsa> (Minor issue)
[bullseye] - libssh <postponed> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2383220
- TODO: check upstream details
+ NOTE: https://gitlab.com/libssh/libssh-mirror/-/issues/317
CVE-2025-8071 (Mine CloudVod plugin for WordPress is vulnerable to Stored Cross-Site ...)
NOT-FOR-US: WordPress plugin
CVE-2025-7966 (The Get Youtube Subs plugin for WordPress is vulnerable to Stored Cros ...)
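Review bot: the new `NOTE: https://gitlab.com/libssh/libssh-mirror/-/issues/317` replaces the TODO, but no `Fixed by:` line is recorded and the unstable line stays `libssh <unfixed> (bug #1109860)`. Once upstream identifies the fixing commit, add a `NOTE: Fixed by:` reference so the `<no-dsa>` tags for trixie/bookworm can be revisited for a point release. The retained `[bullseye] - libssh <postponed> (Minor issue)` line is consistent with the new tags.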
@@ -8204,6 +8209,8 @@ CVE-2025-53942 (authentik is an open-source Identity Provider that emphasizes fl
NOT-FOR-US: authentik
CVE-2025-53537 (LibHTP is a security-aware parser for the HTTP protocol and its relate ...)
- libhtp 1:0.5.51-1 (bug #1109838)
+ [trixie] - libhtp <no-dsa> (Minor issue)
+ [bookworm] - libhtp <no-dsa> (Minor issue)
NOTE: https://github.com/OISF/libhtp/security/advisories/GHSA-v3qq-h8mh-vph7
NOTE: Fixed by: https://github.com/OISF/libhtp/commit/9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7 (0.5.51)
CVE-2025-4976 (An issue has been discovered in GitLab EE affecting all versions from ...)
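Review bot: the trixie/bookworm `<no-dsa>` tags are added while the unstable line already records the fix (`libhtp 1:0.5.51-1 (bug #1109838)`) and the `Fixed by:` NOTE points at the specific 0.5.51 commit; with an identified upstream commit available, consider flagging this entry for the next bookworm/trixie point release so the fix is not left behind under `<no-dsa>`.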
@@ -8803,6 +8810,8 @@ CVE-2025-7962 (In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection
[bookworm] - jakarta-mail <no-dsa> (Minor issue)
[bullseye] - jakarta-mail <postponed> (Minor issue)
- javamail <unfixed> (bug #1109824)
+ [trixie] - javamail <no-dsa> (Minor issue)
+ [bookworm] - javamail <no-dsa> (Minor issue)
[bullseye] - javamail <postponed> (Minor issue)
NOTE: https://gitlab.eclipse.org/security/cve-assignement/-/issues/67
NOTE: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/290
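Review bot: `[trixie] - javamail <no-dsa>` is added, but the hunk's context starts at the `[bookworm] - jakarta-mail` line, so it does not show whether src:jakarta-mail carries a matching `[trixie]` tag; verify that both source packages are triaged the same way for trixie, since both are listed under CVE-2025-7962 and are handled identically for bookworm and bullseye.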
@@ -9387,12 +9396,11 @@ CVE-2025-7855 (A vulnerability classified as critical was found in Tenda FH451 1
CVE-2025-7854 (A vulnerability classified as critical has been found in Tenda FH451 1 ...)
NOT-FOR-US: Tenda
CVE-2025-54314 (Thor before 1.4.0 can construct an unsafe shell command from library i ...)
- - ruby-thor <unfixed> (bug #1109679)
- [bullseye] - ruby-thor <postponed> (Minor issue)
+ NOTE: Disputed security issue for src:ruby-thor (was also bug #1109679)
+ NOTE: https://github.com/rails/thor/pull/897#issuecomment-3169147633
NOTE: https://hackerone.com/reports/3260153
NOTE: https://github.com/rails/thor/pull/897
NOTE: Fixed by: https://github.com/rails/thor/commit/f7418232b167cbb5c8071b7d0491aef82948feff (v1.4.0)
- TODO: check security impact of embedded copies (e.g. ruby3.3, ruby-foreman, rubygems)
CVE-2025-53770 (Deserialization of untrusted data in on-premises Microsoft SharePoint ...)
NOT-FOR-US: Microsoft
CVE-2025-XXXX [exposes .zip passwords while (un)archiving]
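Review bot: removing both `- ruby-thor <unfixed> (bug #1109679)` and `[bullseye] - ruby-thor <postponed>` leaves CVE-2025-54314 with NOTE lines only and no package/status line, so the tracker no longer carries an explicit marking for src:ruby-thor. If the intent is to record the issue as not a vulnerability, an explicit status such as `- ruby-thor <not-affected> (Disputed security issue)` keeps the package searchable and documents the decision in the same way as the package lines elsewhere in this file. The retained `NOTE: Fixed by: ... (v1.4.0)` line now sits directly beside `NOTE: Disputed security issue`, which reads as contradictory; a short qualifier on the Fixed-by line (e.g. stating whether the v1.4.0 change is considered a hardening rather than a security fix) would remove the ambiguity. Dropping the TODO about embedded copies (ruby3.3, ruby-foreman, rubygems) is only sound if the dispute outcome applies to those copies as well, so it is worth stating that in the NOTE.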
@@ -19951,6 +19959,8 @@ CVE-2025-6069 (The html.parser.HTMLParser class had worse-case quadratic complex
- python2.7 <removed>
[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
- pypy3 <unfixed>
+ [trixie] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
[bullseye] - pypy3 <postponed> (Minor issue; DoS)
- jython <unfixed> (bug #1109376)
[trixie] - jython <no-dsa> (Minor issue)
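Review bot: the new `[trixie]`/`[bookworm] - pypy3 <no-dsa> (Minor issue)` lines drop the `DoS` qualifier that the adjacent `[bullseye] - pypy3 <postponed> (Minor issue; DoS)` line carries; use the same rationale text on all three lines so the reason for the no-dsa decision on this quadratic-complexity HTMLParser issue is recorded consistently. The `[trixie] - jython <no-dsa> (Minor issue)` line below uses the shorter form, so if that is the intended convention, the bullseye line is the outlier and should be aligned instead.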
@@ -24059,6 +24069,8 @@ CVE-2025-4517 (Allows arbitrary filesystem writes outside the extraction directo
- python2.7 <not-affected> (Vulnerable code introduced in 3.12)
[experimental] - pypy3 7.3.20+dfsg-1
- pypy3 <unfixed>
+ [trixie] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
[bullseye] - pypy3 <not-affected> (Vulnerable code backported down to stdlib-3.9.17; embedding 3.6.9)
- jython <not-affected> (Vulnerable code introduced in 3.12)
NOTE: https://github.com/google/security-research/security/advisories/GHSA-hgqp-3mmf-7h8f
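Review bot: `(Minor issue)` is the only rationale given for the new trixie/bookworm `<no-dsa>` tags, yet this entry's description is arbitrary filesystem writes outside the extraction directory, and the `[experimental] - pypy3 7.3.20+dfsg-1` line shows a fixed version already exists. Record why it is minor for pypy3 (the bullseye line shows the convention, spelling out which embedded stdlib version the package carries), and consider whether the tarfile extraction-filter fixes should be scheduled for the bookworm/trixie point releases rather than left under `<no-dsa>`. The same applies to the four sibling entries (CVE-2025-4435, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718) triaged identically further down in this commit.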
@@ -24080,6 +24092,8 @@ CVE-2025-4435 (When using a TarFile.errorlevel = 0and extracting with a filter t
- python2.7 <not-affected> (Vulnerable code introduced in 3.12)
[experimental] - pypy3 7.3.20+dfsg-1
- pypy3 <unfixed>
+ [trixie] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
[bullseye] - pypy3 <not-affected> (Vulnerable code backported down to stdlib-3.9.17; embedding 3.6.9)
- jython <not-affected> (Vulnerable code introduced in 3.12)
NOTE: https://github.com/python/cpython/issues/135034
@@ -24104,6 +24118,8 @@ CVE-2025-4330 (Allows the extraction filter to be ignored, allowing symlink targ
- python2.7 <not-affected> (Vulnerable code introduced in 3.12)
[experimental] - pypy3 7.3.20+dfsg-1
- pypy3 <unfixed>
+ [trixie] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
[bullseye] - pypy3 <not-affected> (Vulnerable code backported down to stdlib-3.9.17; embedding 3.6.9)
- jython <not-affected> (Vulnerable code introduced in 3.12)
NOTE: https://github.com/python/cpython/issues/135034
@@ -24126,6 +24142,8 @@ CVE-2025-4138 (Allows the extraction filter to be ignored, allowing symlink targ
- python2.7 <not-affected> (Vulnerable code introduced in 3.12)
[experimental] - pypy3 7.3.20+dfsg-1
- pypy3 <unfixed>
+ [trixie] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
[bullseye] - pypy3 <not-affected> (Vulnerable code backported down to stdlib-3.9.17; embedding 3.6.9)
- jython <not-affected> (Vulnerable code introduced in 3.12)
NOTE: https://github.com/python/cpython/issues/135034
@@ -24233,6 +24251,8 @@ CVE-2024-12718 (Allows modifying some file metadata (e.g. last modified) with fi
- python2.7 <not-affected> (Vulnerable code introduced in 3.12)
[experimental] - pypy3 7.3.20+dfsg-1
- pypy3 <unfixed>
+ [trixie] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
[bullseye] - pypy3 <not-affected> (Vulnerable code backported down to stdlib-3.9.17; embedding 3.6.9)
- jython <not-affected> (Vulnerable code introduced in 3.12)
NOTE: https://github.com/python/cpython/issues/135034
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f8ff5add360c60acd3d65b2f001664581d61d3a