[Git][security-tracker-team/security-tracker][master] bookworm/trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Aug 29 10:25:58 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ef76374f by Moritz Muehlenhoff at 2025-08-29T11:25:47+02:00
bookworm/trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -526,6 +526,8 @@ CVE-2018-25115 (Multiple D-Link DIR-series routers, including DIR-110, DIR-412,
NOT-FOR-US: D-Link
CVE-2025-XXXX [RUSTSEC-2025-0051]
- rust-xcb <unfixed>
+ [trixie] - rust-xcb <no-dsa> (Minor issue)
+ [bookworm] - rust-xcb <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2025-0051.html
NOTE: https://github.com/rust-x-bindings/rust-xcb/issues/282
NOTE: https://github.com/rust-x-bindings/rust-xcb/issues/167
@@ -1123,54 +1125,80 @@ CVE-2025-55301 (The Scratch Channel is a news website. In version 1, it is possi
NOT-FOR-US: Scratch Channel
CVE-2025-54493 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-54492 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-54491 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-54490 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-54489 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-54488 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-54487 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-54486 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-54485 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-54484 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-54483 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-54482 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-54481 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-54370 (PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing ...)
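Review bot: the fourteen biosig MFER entries in this hunk are all tagged `<no-dsa> (Minor issue)` for trixie and bookworm without a recorded reason, although every one describes a stack-based buffer overflow in a file parser and all share bug #1112133 and the same upstream fix commit (ba2f1c38…). The tracker records that kind of rationale in a NOTE elsewhere in this change (the OSSN-0094 entry explains that the affected APIs are admin only), so consider adding one NOTE to the first entry stating why a crafted MFER file is treated as minor, and, if the plan is a stable update via point release, saying so as the nova/watcher lines do with `(Will be fixed via point release)`.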
@@ -1273,46 +1301,68 @@ CVE-2023-47799 (Mahara before 22.10.4 and 23.x before 23.04.4 allows information
- mahara <removed>
CVE-2025-53518 (An integer overflow vulnerability exists in the ABF parsing functional ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/d7d146b70b9b261b132dac7f9293271a4e8d481d/
CVE-2025-53853 (A heap-based buffer overflow vulnerability exists in the ISHNE parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/bd1ed634059db8312ce521931bb90785723e5af9/
CVE-2025-52581 (An integer overflow vulnerability exists in the GDF parsing functional ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/0211292419ad9f1bf9693563692548a39491dad0/
CVE-2025-54480 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-54494 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-53557 (A heap-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-46411 (A stack-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-53511 (A heap-based buffer overflow vulnerability exists in the MFER parsing ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/ba2f1c381b10f5ab50c94be3291b2560af0f7a96/
CVE-2025-52461 (An out-of-bounds read vulnerability exists in the Nex parsing function ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/6c6be44f302156c53a1c305d54ea1705e5f9054d/
CVE-2025-54462 (A heap-based buffer overflow vulnerability exists in the Nex parsing f ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/6c6be44f302156c53a1c305d54ea1705e5f9054d/
CVE-2025-48005 (A heap-based buffer overflow vulnerability exists in the RHS2000 parsi ...)
- biosig <unfixed> (bug #1112133)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/biosig/mailman/message/59224259/
NOTE: https://sourceforge.net/p/biosig/code/ci/cc49acf59adac883e1a4fadacc3e095de091eadd/
CVE-2025-9406 (A weakness has been identified in xuhuisheng lemon up to 1.13.0. This ...)
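Review bot: the trixie/bookworm tags here mirror the previous biosig hunk, but the fix references now span five further upstream commits (d7d146b7…, bd1ed634…, 02112924…, 6c6be44f…, cc49acf5…) in addition to ba2f1c38…, so any eventual update for bug #1112133 has to carry all of them; it would be worth listing them once, in the bug or in a single NOTE, rather than leaving the set implicit across the per-CVE entries.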
@@ -2052,6 +2102,8 @@ CVE-2025-9309 (A vulnerability was found in Tenda AC10 16.03.10.13. Affected is
NOT-FOR-US: Tenda
CVE-2025-9308 (A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This imp ...)
- node-yarnpkg <unfixed>
+ [trixie] - node-yarnpkg <no-dsa> (Minor issue)
+ [bookworm] - node-yarnpkg <no-dsa> (Minor issue)
[bullseye] - node-yarnpkg <postponed> (minor issue; DoS)
NOTE: https://github.com/yarnpkg/yarn/pull/9203
CVE-2025-9307 (A flaw has been found in PHPGurukul Online Course Registration 3.1. Th ...)
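Review bot: the new trixie and bookworm lines read `<no-dsa> (Minor issue)` while the existing bullseye line for the same CVE reads `<postponed> (minor issue; DoS)`; keep the impact qualifier on the new lines, e.g. `(Minor issue; DoS)`, so the severity reasoning stays visible for all three suites.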
@@ -2224,7 +2276,11 @@ CVE-2024-45438 (An issue was discovered in TitanHQ SpamTitan Email Security Gate
NOT-FOR-US: TitanHQ SpamTitan Email Security Gateway
CVE-2025-XXXX [OSSN-0094]
- nova 2:31.0.0-7 (bug #1111689)
+ [trixie] - nova <no-dsa> (Will be fixed via point release)
+ [bookworm] - nova <no-dsa> (Will be fixed via point release)
- watcher 14.0.0-3 (bug #1111692)
+ [trixie] - watcher <no-dsa> (Will be fixed via point release)
+ [bookworm] - watcher <no-dsa> (Will be fixed via point release)
NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0094
NOTE: https://bugs.launchpad.net/nova/+bug/2112187
NOTE: The swap volume, live migration and all Watcher APIs are admin only so with
@@ -4957,6 +5013,7 @@ CVE-2025-8918 (A vulnerability was found in Portabilis i-Educar up to 2.10. This
NOT-FOR-US: Portabilis
CVE-2025-8916 (Allocation of Resources Without Limits or Throttling vulnerability in ...)
- bouncycastle 1.80-1
+ [bookworm] - bouncycastle <no-dsa> (Minor issue)
[bullseye] - bouncycastle <postponed> (minor issue; DoS)
NOTE: https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908916
NOTE: Fixed by: https://github.com/bcgit/bc-java/commit/310b30a4fbf36d13f6cc201ffa7771715641e67e (r1rv79)
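Review bot: same wording mismatch as in the node-yarnpkg entry: the added bookworm line says `(Minor issue)` while the bullseye line below it carries `(minor issue; DoS)`; carrying the `DoS` qualifier across keeps the suite annotations comparable and tells the next triager at a glance what the resource-exhaustion bug can and cannot do.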
@@ -5373,6 +5430,7 @@ CVE-2025-8879 (Heap buffer overflow in libaom in Google Chrome prior to 139.0.72
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2025-8885 (Allocation of Resources Without Limits or Throttling vulnerability in ...)
- bouncycastle 1.80-1
+ [bookworm] - bouncycastle <no-dsa> (Minor issue)
[bullseye] - bouncycastle <postponed> (minor vulnerability; DoS)
NOTE: https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908885
NOTE: Fixed by: https://github.com/bcgit/bc-java/commit/3790993df5d28f661a64439a8664343437ed3865 (r1rv78v1)
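Review bot: while touching this entry, the bullseye context line reads `(minor vulnerability; DoS)` whereas the sibling CVE-2025-8916 entry uses `(minor issue; DoS)` for the same kind of bug; aligning the two bouncycastle entries on one phrasing, and adding the `DoS` qualifier to the new bookworm line, would make the pair consistent.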
@@ -100892,6 +100950,7 @@ CVE-2024-49193 (Zendesk before 2024-07-02 allows remote attackers to read ticket
NOT-FOR-US: Zendesk
CVE-2024-6519 (A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI H ...)
- qemu <unfixed> (bug #1085299)
+ [trixie] - qemu <no-dsa> (Minor issue)
[bookworm] - qemu <no-dsa> (Minor issue)
[bullseye] - qemu <postponed> (Minor issue; can be fixed in next update)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2292089
@@ -105381,6 +105440,7 @@ CVE-2024-8375 (There exists a use after free vulnerability in Reverb.Reverb supp
NOT-FOR-US: Google Reverb
CVE-2024-8354 (A flaw was found in QEMU. An assertion failure was present in the usb_ ...)
- qemu <unfixed> (bug #1082377)
+ [trixie] - qemu <no-dsa> (Minor issue)
[bookworm] - qemu <no-dsa> (Minor issue)
[bullseye] - qemu <postponed> (Minor issue; can be fixed in next update)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2313497
@@ -223267,6 +223327,7 @@ CVE-2023-1387 (Grafana is an open-source platform for monitoring and observabili
- grafana <removed>
CVE-2023-1386 (A flaw was found in the 9p passthrough filesystem (9pfs) implementatio ...)
- qemu <unfixed> (bug #1055174)
+ [trixie] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[buster] - qemu <no-dsa> (Minor issue)
@@ -253340,6 +253401,7 @@ CVE-2022-3873 (Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/draw
NOT-FOR-US: jgraph/drawio
CVE-2022-3872 (An off-by-one read/write issue was found in the SDHCI device of QEMU. ...)
- qemu <unfixed> (bug #1024022)
+ [trixie] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[buster] - qemu <postponed> (Minor issue, DoS, waiting for sanctioned patch)
@@ -412731,6 +412793,7 @@ CVE-2020-25743 (hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer der
NOTE: No sanctioned upstream patch as of 2025-04-19
CVE-2020-25742 (pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL p ...)
- qemu <unfixed> (bug #971390)
+ [trixie] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[buster] - qemu <postponed> (Minor issue, waiting for sanctioned patch)
@@ -412740,6 +412803,7 @@ CVE-2020-25742 (pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a
NOTE: No sanctioned upstream patch as of 2024-08-06
CVE-2020-25741 (fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer d ...)
- qemu <unfixed> (bug #970939)
+ [trixie] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[buster] - qemu <postponed> (Minor issue, waiting for sanctioned patch)
@@ -500676,6 +500740,7 @@ CVE-2019-12068 (In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.
NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08
CVE-2019-12067 (The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to ...)
- qemu <unfixed> (low; bug #972099)
+ [trixie] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[buster] - qemu <postponed> (Minor issue, waiting for sanctioned patch)
=====================================
data/dsa-needed.txt
=====================================
@@ -35,6 +35,8 @@ intel-microcode (carnil)
--
jackson-core
--
+jetty12/stable
+--
libreswan/oldstable
Waiting on feedback from maintainer
--
@@ -68,7 +70,9 @@ sogo/oldstable
--
sympa/oldstable
--
-tomcat10
+tomcat10/oldstable
+--
+tomcat11/stable
--
wordpress
Utkarsh Gupta proposed to work on an update
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef76374f9ba254bb52c5c81b4350d0a160008c92