[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Aug 29 19:31:45 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a1ec9624 by Moritz Muehlenhoff at 2025-08-29T20:31:21+02:00
bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/DSA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -31910,6 +31910,7 @@ CVE-2025-4478 (A flaw was found in the FreeRDP used by Anaconda's remote install
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/a4bb702aa62e4fad91ca99142de075265555ec18
CVE-2025-23165 (In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a ...)
- nodejs 20.19.2+dfsg-1 (bug #1105832)
+ [bookworm] - nodejs <not-affected> (Vulnerable code not present)
[bullseye] - nodejs <not-affected> (The vulnerable code was introduced later)
NOTE: https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low
NOTE: https://github.com/nodejs/node/issues/57800
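Review bot: The added [bookworm] line gives "Vulnerable code not present" as its reason, but nothing in the entry backs that up. The [bullseye] line below it already says the code "was introduced later", yet no NOTE names the commit or release that introduced it. A "NOTE: Introduced by: <upstream commit>" line next to the existing NOTEs would let a later reader check both not-affected markers against the shipped source.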
@@ -76169,19 +76170,21 @@ CVE-2023-6605 (A flaw was found in FFmpeg's DASH playlist support. This vulnerab
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2334336
NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/4c96d6bf75357ab13808efc9f08c1b41b1bf5bdf (master)
NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/c3c7ecfe48d464a0b06564f2e92504b1d9c91d69 (n7.1.1)
+ NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/097131a6474bd6294ff337fa92025df60dff907a (n5.1.7)
CVE-2023-6604 (A flaw was found in FFmpeg. This vulnerability allows unexpected addit ...)
{DLA-4241-1}
- ffmpeg 7:7.1.1-1
- [bookworm] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 5.1 branch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2334337
NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/91d96dc8ddaebe0b6cb393f672085e6bfaf15a31 (master)
NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/b753bac08f6881b2d3dea8f1ab84c81550f35897 (n7.1.1)
+ NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57 (n5.1.7)
CVE-2023-6601 (A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows by ...)
{DLA-4241-1}
- - ffmpeg <unfixed>
- [trixie] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 7.1 branch)
- [bookworm] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 5.1 branch)
+ - ffmpeg 7:7.1.1-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2253172
+ NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/91d96dc8ddaebe0b6cb393f672085e6bfaf15a31 (master)
+ NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/b753bac08f6881b2d3dea8f1ab84c81550f35897 (n7.1.1)
+ NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57 (n5.1.7)
CVE-2024-56769 (In the Linux kernel, the following vulnerability has been resolved: m ...)
{DLA-4076-1 DLA-4075-1}
- linux 6.12.8-1
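Review bot: In the CVE-2023-6601 entry, the three added "Fixed by" NOTEs cite the same commits (91d96dc8..., b753bac0..., 9803800e...) as the CVE-2023-6604 entry just above, although 6601 is described as an HLS demuxer flaw and 6604 is not. If one upstream commit does cover both, a one-line NOTE saying so would keep this from reading as a copy-paste slip. The same entry drops the [trixie] postponed line without a replacement, so it is worth confirming that trixie carries at least 7:7.1.1-1 before relying on the unstable version alone.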
@@ -77387,17 +77390,17 @@ CVE-2023-50850 (Missing Authorization vulnerability in Woo WooCommerce Subscript
CVE-2023-48775 (Missing Authorization vulnerability in Gfazioli WP Cleanfix allows Exp ...)
NOT-FOR-US: WordPress plugin
CVE-2023-6603 (A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability ...)
- - ffmpeg <unfixed>
- [bookworm] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 5.1 branch)
+ - ffmpeg 7:5.0.1-2
[bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed upstream)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2334335
+ NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/28c83584e8f3cd747c1476a74cc2841d3d1fa7f3 (n5.0)
CVE-2023-6602 (A flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows po ...)
{DLA-4241-1}
- ffmpeg 7:7.1.1-1
- [bookworm] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 5.1 branch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2334338
NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/91d96dc8ddaebe0b6cb393f672085e6bfaf15a31 (master)
NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/b753bac08f6881b2d3dea8f1ab84c81550f35897 (n7.1.1)
+ NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/9803800e0e8cd8e1e7695f77cfbf4e0db0abfe57 (n5.1.7)
CVE-2024-45497 (A flaw was found in the OpenShift build process, where the docker-buil ...)
NOT-FOR-US: OpenShift
CVE-2024-13058 (An issue exists in SoftIron HyperCloud where authenticated, but non-a ...)
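Review bot: In the CVE-2023-6603 entry, the unchanged line "[bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed upstream)" is now out of step with the rest of the entry, which records an upstream fix (28c83584..., n5.0) and marks unstable fixed in 7:5.0.1-2. Either update the bullseye reason to say a backport is pending or re-triage it, so the entry does not claim in one line that upstream has no fix while citing that fix in another.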
=====================================
data/DSA/list
=====================================
@@ -21,7 +21,7 @@
[bookworm] - node-cipher-base 1.0.4-6+deb12u1
[trixie] - node-cipher-base 1.0.4-6+deb13u1
[25 Aug 2025] DSA-5985-1 ffmpeg - security update
- {CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2024-31582 CVE-2024-35367 CVE-2024-35368 CVE-2025-0518 CVE-2025-7700 CVE-2025-22919}
+ {CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2024-31582 CVE-2024-35367 CVE-2024-35368 CVE-2025-0518 CVE-2025-7700 CVE-2025-22919 CVE-2023-6605 CVE-2023-6602 CVE-2023-6604 CVE-2023-6601}
[bookworm] - ffmpeg 7:5.1.7-0+deb12u1
[24 Aug 2025] DSA-5984-1 thunderbird - security update
{CVE-2025-9179 CVE-2025-9180 CVE-2025-9181 CVE-2025-9185}
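Review bot: The four CVE ids added to the DSA-5985-1 brace list are appended after CVE-2025-22919 in the order 6605, 6602, 6604, 6601, while the existing ids run in ascending order. Sorting them in (CVE-2023-6601 CVE-2023-6602 CVE-2023-6604 CVE-2023-6605 ahead of CVE-2023-49502) would keep the list consistent and make later diffs of this line easier to read.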
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1ec9624da36e9ed68d266bb9bbef0932ed973bb