[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Aug 26 13:21:19 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
905b9996 by Moritz Muehlenhoff at 2025-08-26T14:20:56+02:00
trixie/bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1927,13 +1927,11 @@ CVE-2025-9132 (Out of bounds write in V8 in Google Chrome prior to 139.0.7258.13
- chromium 139.0.7258.138-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-9165 (A flaw has been found in LibTIFF 4.7.0. This affects the function _TIF ...)
- - tiff 4.7.0-4 (bug #1111878)
- [trixie] - tiff <no-dsa> (Minor issue)
- [bookworm] - tiff <no-dsa> (Minor issue)
- [bullseye] - tiff <ignored> (No security impact, CVE disputed)
+ - tiff 4.7.0-4 (bug #1111878; unimportant)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/728
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/747
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/ed141286a37f6e5ddafb5069347ff5d587e7a4e0
+ NOTE: Memory leak in CLI tool, no security impact
CVE-2025-9157 (A vulnerability was determined in appneta tcpreplay up to 4.5.2-beta2. ...)
- tcpreplay <unfixed> (unimportant)
NOTE: Crash in CLI tool, no security impact
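Review bot: the bullseye line removed in this hunk carried the rationale "No security impact, CVE disputed", but the added NOTE only says "Memory leak in CLI tool, no security impact"; if the CVE is still disputed upstream, fold that into the NOTE (e.g. "Memory leak in CLI tool, no security impact, CVE disputed") so the reason the three suite-specific tags were dropped in favour of a single "unimportant" annotation stays traceable from the entry itself.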
@@ -2827,6 +2825,7 @@ CVE-2025-38502 (In the Linux kernel, the following vulnerability has been resolv
NOTE: https://git.kernel.org/linus/abad3d0bad72a52137e0c350c59542d75ae4f513 (6.17-rc1)
CVE-2025-8959 (HashiCorp's go-getter library subdirectory download feature is vulnera ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1111318)
+ [bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242
CVE-2025-8898 (The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress ...)
NOT-FOR-US: WordPress plugin
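Review bot: golang-github-hashicorp-go-getter stays <unfixed> in unstable and only bookworm receives a <no-dsa> tag, so trixie is left without any annotation and will show as an open, untriaged issue for stable; if the same "Minor issue" assessment holds for trixie, add "[trixie] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)" next to the new bookworm line.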
@@ -3445,6 +3444,7 @@ CVE-2025-50861 (The Lotus Cars Android app (com.lotus.carsdomestic.intl) 1.2.8 c
NOT-FOR-US: Lotus Cars Android app (com.lotus.carsdomestic.intl)
CVE-2025-50817 (A vulnerability in the Python-Future 1.0.0 module allows for arbitrary ...)
- python-future <removed>
+ [bookworm] - python-future <no-dsa> (Minor issue)
NOTE: https://medium.com/@abcd_68700/cve-2025-50817-python-future-module-arbitrary-code-execution-via-unintended-import-of-test-py-f0818ea93cf4
NOTE: https://github.com/PythonCharmers/python-future/issues/268
CVE-2025-50518 (A use-after-free vulnerability exists in the coap_delete_pdu_lkd funct ...)
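Review bot: the new bookworm <no-dsa> line for python-future gives only "Minor issue" as justification although the CVE description speaks of arbitrary code execution; a short reason in the parenthesis, or an added NOTE drawn from the linked upstream issue, would spare the next triager a trip through the Medium post and the GitHub issue to understand why this was rated low.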
@@ -3885,6 +3885,7 @@ CVE-2025-8754 (Missing Authentication for Critical Function vulnerability in ABB
NOT-FOR-US: ABB group
CVE-2025-8671 (A mismatch caused by client-triggered server-sent stream resets betwee ...)
- h2o <removed>
+ [bookworm] - h2o <no-dsa> (Minor issue)
- haproxy <not-affected> (Performs stream management correctly)
- varnish 7.7.2-1
NOTE: https://kb.cert.org/vuls/id/767506
@@ -5895,6 +5896,7 @@ CVE-2024-8244 (The filepath.Walk and filepath.WalkDir functions are documented a
[trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.23 <unfixed> (bug #1110946)
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
NOTE: https://github.com/golang/go/issues/70007
CVE-2024-52885 (The Mobile Access Portal's File Share application is vulnerable to a d ...)
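Review bot: golang-1.23 is listed as <unfixed> (bug #1110946) with no suite tag, while golang-1.24 carries "[trixie] - golang-1.24 <no-dsa> (Minor issue)"; if golang-1.23 is still shipped in trixie it needs the same trixie annotation, otherwise the entry will show up as open for stable even though the sibling package was already triaged as a minor issue.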
@@ -6260,6 +6262,7 @@ CVE-2012-10023 (A stack-based buffer overflow vulnerability exists in FreeFloat
NOT-FOR-US: FreeFloat FTP Server
CVE-2025-8556 (A flaw was found in CIRCL's implementation of the FourQ elliptic curve ...)
- golang-github-cloudflare-circl 1.6.1-1
+ [bookworm] - golang-github-cloudflare-circl <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2371624
NOTE: https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm
CVE-2025-8586 (A vulnerability, which was classified as problematic, was found in lib ...)
@@ -10313,6 +10316,7 @@ CVE-2025-5681 (Authorization Bypass Through User-Controlled Key vulnerability in
NOT-FOR-US: Turtek Software Eyotek
CVE-2025-54121 (Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface ...)
- starlette 0.46.1-3 (bug #1109805)
+ [bookworm] - starlette <no-dsa> (Minor issue)
[bullseye] - starlette <postponed> (minor issue; Dos can be fixed in next update)
NOTE: https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73
NOTE: Fixed by: https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1 (0.47.2)
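Review bot: the bullseye line in this hunk reads "(minor issue; Dos can be fixed in next update)"; for consistency with the rest of the file, which capitalises "Minor issue" and writes "DoS" (as the pypy3 entries elsewhere in this commit do), this could be normalised to "(Minor issue; DoS can be fixed in next update)" the next time the entry is touched.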
@@ -71167,6 +71171,7 @@ CVE-2024-50857 (The ip_do_job request in GestioIP v3.5.7 is vulnerable to Cross-
- gestioip <itp> (bug #742110)
CVE-2024-4227 (In Genivia gSOAP with a specific configuration an unauthenticated remo ...)
- gsoap 2.8.135-1
+ [bookworm] - gsoap <no-dsa> (Minor issue)
NOTE: https://www.genivia.com/advisory.html#Upgrade_recommendation_when_option_-c++11_is_used_to_generate_C++11_source_code
NOTE: https://www.genivia.com/changelog.html#Version_2.8.133_(03/21/2024)
NOTE: Fixed by: https://sourceforge.net/p/gsoap2/code/222/
@@ -108510,6 +108515,7 @@ CVE-2024-6232 (There is a MEDIUM severity vulnerability affecting CPython.
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
- pypy3 7.3.18+dfsg-1
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
[bullseye] - pypy3 <postponed> (Minor issue; ReDoS)
NOTE: https://github.com/python/cpython/issues/121285
NOTE: https://github.com/python/cpython/pull/121286
@@ -111634,6 +111640,7 @@ CVE-2024-7592 (There is a LOW severity vulnerability affecting CPython, specific
[bookworm] - python3.11 3.11.2-6+deb12u5
- python3.9 <removed>
- pypy3 7.3.18+dfsg-1
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
[bullseye] - pypy3 <postponed> (Minor issue; DoS)
NOTE: https://github.com/python/cpython/pull/123075
NOTE: https://github.com/python/cpython/issues/123067
@@ -115948,6 +115955,7 @@ CVE-2024-6923 (There is a MEDIUM severity vulnerability affecting CPython. The
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
- pypy3 7.3.18+dfsg-1
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
[bullseye] - pypy3 <postponed> (Minor issue)
NOTE: https://github.com/python/cpython/issues/121650
NOTE: https://github.com/python/cpython/pull/122233
@@ -127706,6 +127714,7 @@ CVE-2024-4032 (The \u201cipaddress\u201d module contained incorrect information
- python3.7 <removed>
- python2.7 <not-affected> (ipaddress module added in 3.3)
- pypy3 7.3.18+dfsg-1
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
[bullseye] - pypy3 <postponed> (Minor issue)
NOTE: https://github.com/advisories/GHSA-mh6q-v4mp-2cc7
NOTE: https://github.com/python/cpython/issues/113171
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/905b999663b4cc97bcf2c5fc61f7bffada315d42