[Git][security-tracker-team/security-tracker][master] Reserve DLA-4287-1 for libsndfile
Paride Legovini (@paride)
paride at debian.org
Sun Aug 31 23:06:28 BST 2025
Paride Legovini pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8e5d5d7f by Paride Legovini at 2025-08-31T23:56:12+02:00
Reserve DLA-4287-1 for libsndfile
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -96585,7 +96585,6 @@ CVE-2024-50613 (libsndfile through 1.2.2 has a reachable assertion, that may lea
CVE-2024-50612 (libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out ...)
- libsndfile 1.2.2-2 (bug #1088692)
[bookworm] - libsndfile <no-dsa> (Minor issue)
- [bullseye] - libsndfile <postponed> (Minor issue, CLI DoS)
NOTE: https://github.com/libsndfile/libsndfile/issues/1035
NOTE: Fixed by: https://github.com/libsndfile/libsndfile/commit/4755f5bd7854611d92ad0f1295587b439f9950ba
CVE-2024-50611 (CycloneDX cdxgen through 10.10.7, when run against an untrusted codeba ...)
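Review bot: CVE-2024-50613 in the hunk header is also a libsndfile issue ("through 1.2.2 has a reachable assertion"), but it is not in the DLA-4287-1 CVE set and its bullseye status is not visible in this hunk. Please confirm it has been triaged for bullseye, so that dropping the `<postponed>` line for CVE-2024-50612 does not leave a sibling issue without a recorded decision.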
@@ -289449,7 +289448,6 @@ CVE-2022-33066
CVE-2022-33065 (Multiple signed integers overflow in function au_read_header in src/au ...)
- libsndfile 1.2.2-2 (bug #1051891)
[bookworm] - libsndfile <no-dsa> (Minor issue)
- [bullseye] - libsndfile <postponed> (Minor issue)
[buster] - libsndfile <no-dsa> (Minor issue)
NOTE: https://github.com/libsndfile/libsndfile/issues/833
NOTE: https://github.com/libsndfile/libsndfile/issues/789
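Review bot: The CVE-2022-33065 entry has only the two upstream issue links (#833, #789) and no "Fixed by:" NOTE, unlike CVE-2024-50612 above, which names the upstream commit. Since the bullseye `<postponed>` line is removed because a backport now exists, consider adding a NOTE listing the upstream commit(s) that were backported, so the fix can be audited from the tracker entry.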
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[31 Aug 2025] DLA-4287-1 libsndfile - security update
+ {CVE-2022-33065 CVE-2024-50612}
+ [bullseye] - libsndfile 1.0.31-2+deb11u1
[31 Aug 2025] DLA-4286-1 libcommons-lang3-java - security update
{CVE-2025-48924}
[bullseye] - libcommons-lang3-java 3.11-1+deb11u1
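Review bot: The subject says "Reserve", but the new DLA-4287-1 entry already records a fixed version (`[bullseye] - libsndfile 1.0.31-2+deb11u1`), while the dla-needed note removed in the same commit, dated 20250830, still says "testing in progress". Please confirm the version string matches the package as uploaded. The CVE set {CVE-2022-33065 CVE-2024-50612} does match the two `<postponed>` lines dropped from data/CVE/list.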
=====================================
data/dla-needed.txt
=====================================
@@ -212,13 +212,6 @@ libphp-adodb (abhijith)
NOTE: 20250807: Added by Front-Desk (rouca)
NOTE: 20250807: Fix other CVEs and try to propose a PU (rouca)
--
-libsndfile (paride)
- NOTE: 20250824: Added by Front-Desk (dleidert)
- NOTE: 20250824: Follow OSPU (#1111987) and update Bullseye and fix open no-dsa (dleidert/FD)
- NOTE: 20250830: Postponed CVE-2025-52194, rationale in commit message. (paride)
- NOTE: 20250830: Now looking at Bookworm OSPU, debbug #1111987. (paride)
- NOTE: 20250830: Fixes for CVE-2022-33065 and CVE-2024-50612 are backported, testing in progress. (paride)
---
libsoup2.4
NOTE: 20250408: Added by Front-Desk (Beuc)
NOTE: 20250427: libsoup2.4 2.72.0-2+deb11u2 (bullseye) uploaded ...
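Review bot: Removing the whole libsndfile block also removes the only visible pointers to two open items: the postponement of CVE-2025-52194 ("rationale in commit message") and the Bookworm OSPU follow-up (#1111987). The data/CVE/list hunks above still show `[bookworm] - libsndfile <no-dsa>` for both CVEs, so the bookworm work is not reflected as done. Please check that CVE-2025-52194 carries its own postponed annotation in data/CVE/list and that the OSPU is tracked somewhere other than this removed entry.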
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e5d5d7f9bc49b2836501b22f5a57cf75f1cd297