[Git][security-tracker-team/security-tracker][master] bookworm/trixie triage

Tue Aug 26 11:48:35 BST 2025


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
511a9a04 by Moritz Muehlenhoff at 2025-08-26T12:47:54+02:00
bookworm/trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -196,6 +196,7 @@ CVE-2025-54370 (PhpOffice/PhpSpreadsheet is a pure PHP library for reading and w
 	NOT-FOR-US: PHPOffice
 CVE-2025-53510 (A memory corruption vulnerability exists in the PSD Image Decoding fun ...)
 	- sail <unfixed>
+	[trixie] - sail <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2218
 CVE-2025-53120 (A path traversal vulnerability in unauthenticated upload functionality ...)
 	NOT-FOR-US: Securden Unified PAM
@@ -205,12 +206,15 @@ CVE-2025-53118 (An authentication bypass vulnerability exists which allows an un
 	NOT-FOR-US: Securden Unified PAM
 CVE-2025-53085 (A memory corruption vulnerability exists in the PSD RLE Decoding funct ...)
 	- sail <unfixed>
+	[trixie] - sail <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2219
 CVE-2025-52930 (A memory corruption vulnerability exists in the BMPv3 RLE Decoding fun ...)
 	- sail <unfixed>
+	[trixie] - sail <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2221
 CVE-2025-52456 (A memory corruption vulnerability exists in the WebP Image Decoding fu ...)
 	- sail <unfixed>
+	[trixie] - sail <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2224
 CVE-2025-52130 (File upload vulnerability in WebErpMesv2 1.17 in the app/Http/Controll ...)
 	NOT-FOR-US: WebErpMesv2
@@ -224,11 +228,13 @@ CVE-2025-50383 (alextselegidis Easy!Appointments v1.5.1 was discovered to contai
 	NOT-FOR-US: alextselegidis Easy!Appointments
 CVE-2025-50129 (A memory corruption vulnerability exists in the PCX Image Decoding fun ...)
 	- sail <unfixed>
+	[trixie] - sail <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2220
 CVE-2025-48303 (Cross-Site Request Forgery (CSRF) vulnerability in Kevin Langley Jr. P ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-46407 (A memory corruption vulnerability exists in the BMPv3 Palette Decoding ...)
 	- sail <unfixed>
+	[trixie] - sail <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2215
 CVE-2025-45968 (An issue in System PDV v1.0 allows a remote attacker to obtain sensiti ...)
 	NOT-FOR-US: System PDV
@@ -244,9 +250,11 @@ CVE-2025-3456 (On affected platforms running Arista EOS, the global common encry
 	NOT-FOR-US: Arista Networks
 CVE-2025-35984 (A memory corruption vulnerability exists in the PCX Image Decoding fun ...)
 	- sail <unfixed>
+	[trixie] - sail <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2217
 CVE-2025-32468 (A memory corruption vulnerability exists in the BMPv3 Image Decoding f ...)
 	- sail <unfixed>
+	[trixie] - sail <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2216
 CVE-2025-29525 (DASAN GPON ONU H660WM OS version H660WMR210825 Hardware version DS-E5- ...)
 	NOT-FOR-US: DASAN GPON ONU H660WM
@@ -6597,6 +6605,8 @@ CVE-2025-50422 (Cairo through 1.18.4, as used in Poppler through 25.08.0, has an
 	NOTE: https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/621
 CVE-2025-50420 (An issue in the pdfseparate utility of freedesktop poppler v25.04.0 al ...)
 	- poppler <unfixed> (bug #1110463)
+	[trixie] - poppler <no-dsa> (Minor issue)
+	[bookworm] - poppler <no-dsa> (Minor issue)
 	[bullseye] - poppler <postponed> (minor issue; Local DoS)
 	NOTE: https://github.com/Landw-hub/CVE-2025-50420
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1613
@@ -6710,6 +6720,8 @@ CVE-2025-8506 (A vulnerability was found in 495300897 wx-shop up to de1b66331368
 	NOT-FOR-US: wx-shop
 CVE-2025-54956 (The gh package before 1.5.0 for R delivers an HTTP response in a data  ...)
 	- r-cran-gh <unfixed> (bug #1110481)
+	[trixie] - r-cran-gh <no-dsa> (Minor issue)
+	[bookworm] - r-cran-gh <no-dsa> (Minor issue)
 	NOTE: https://github.com/r-lib/gh/issues/222
 	NOTE: https://github.com/r-lib/gh/commit/b575d488c71318449cc6c8c989c617db29275848 (v1.5.0)
 CVE-2024-52279 (Improper Input Validation vulnerability in Apache Zeppelin. The fix fo ...)
@@ -10749,6 +10761,7 @@ CVE-2025-7784 (A flaw was found in the Keycloak identity and access management s
 CVE-2025-7783 (Use of Insufficiently Random Values vulnerability in form-data allows  ...)
 	{DLA-4261-1}
 	- node-form-data 4.0.1-2 (bug #1109551)
+	[bookworm] - node-form-data <no-dsa> (Minor issue)
 	NOTE: https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4
 	NOTE: Fixed by: https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0 (v4.0.4)
 CVE-2025-7697 (The Integration for Google Sheets and Contact Form 7, WPForms, Element ...)
@@ -23545,6 +23558,7 @@ CVE-2024-55595
 	REJECTED
 CVE-2025-5918 (A vulnerability has been identified in the libarchive library. This fl ...)
 	- libarchive <unfixed> (bug #1107624)
+	[trixie] - libarchive <no-dsa> (Minor issue)
 	[bookworm] - libarchive <no-dsa> (Minor issue)
 	[bullseye] - libarchive <postponed> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/pull/2584
@@ -55679,6 +55693,7 @@ CVE-2025-1795 (During an address list folding when a separating comma ends up on
 	[bookworm] - python3.11 3.11.2-6+deb12u6
 	- python3.9 <removed>
 	- pypy3 7.3.18+dfsg-1
+	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	[bullseye] - pypy3 <postponed> (Minor issue)
 	NOTE: https://github.com/python/cpython/issues/100884
 	NOTE: Regression issue: https://github.com/python/cpython/issues/118643
@@ -89449,6 +89464,7 @@ CVE-2024-11168 (The urllib.parse.urlsplit() and urlparse() functions improperly
 	[bookworm] - python3.11 3.11.2-6+deb12u5
 	- python3.9 <removed>
 	- pypy3 7.3.18+dfsg-1
+	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	[bullseye] - pypy3 <postponed> (Minor issue)
 	NOTE: https://github.com/python/cpython/issues/103848
 	NOTE: https://github.com/python/cpython/pull/103849
@@ -110349,6 +110365,7 @@ CVE-2024-8088 (There is a HIGH severity vulnerability affecting the CPython "zip
 	- python3.9 <removed>
 	- python2.7 <not-affected> (zipfile.Path introduced in v3.8)
 	- pypy3 7.3.18+dfsg-1
+	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	[bullseye] - pypy3 <not-affected> (zipfile.Path introduced in v3.8; embedding 3.6.9)
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
 	NOTE: https://github.com/python/cpython/pull/122906


=====================================
data/dsa-needed.txt
=====================================
@@ -77,7 +77,7 @@ sympa/oldstable
 --
 tomcat10
 --
-unbound
+unbound (jmm)
   Guilhem Moulin prepared an update
 --
 wordpress



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/511a9a046e20d09e830330cedb26c645132d5c58

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/511a9a046e20d09e830330cedb26c645132d5c58
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250826/f6692e5d/attachment.htm>
