[Git][security-tracker-team/security-tracker][master] webkit2gtk / wpewebkit upstream advisory WSA-2025-0009

Alberto Garcia (@berto) berto at debian.org
Thu Dec 4 15:15:49 GMT 2025



Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker


Commits:
85bf99f3 by Alberto Garcia at 2025-12-04T16:15:14+01:00
webkit2gtk / wpewebkit upstream advisory WSA-2025-0009

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,5 +1,12 @@
 CVE-2025-66404 (MCP Server Kubernetes is an MCP Server that can connect to a Kubernete ...)
 	NOT-FOR-US: MCP Server Kubernetes
+CVE-2025-66287 [Maliciously crafted web content may lead to a process crash.]
+	- webkit2gtk 2.50.3-1
+	- wpewebkit 2.50.3-1
+	[trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <end-of-life> (see #1035997)
+	NOTE: https://webkitgtk.org/security/WSA-2025-0009.html
 CVE-2025-65868 (XML external entity (XXE) injection in eyoucms v1.7.1 allows remote at ...)
 	NOT-FOR-US: eyoucms
 CVE-2025-64055 (An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthentic ...)
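Review bot: the description for CVE-2025-66287 is in square brackets, i.e. a locally written placeholder rather than the published CVE text, so this entry will need its description refreshed (and the brackets turned into parentheses) once the record is published; until then the NOTE line pointing at https://webkitgtk.org/security/WSA-2025-0009.html is the only justification on the entry, which is fine, but it is worth keeping the placeholder wording identical to the advisory's own impact statement so the two stay matchable. The wpewebkit markers (<ignored> for trixie and bookworm, <end-of-life> for bullseye with the #1035997 reference) are consistent with the other WSA-2025-0009 entries in this commit.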
@@ -140,7 +147,12 @@ CVE-2025-13949 (A vulnerability was identified in ProudMuBai GoFilm 1.0.0/1.0.1.
 CVE-2025-13948 (A vulnerability was determined in opsre go-ldap-admin up to 20251011.  ...)
 	NOT-FOR-US: opsre go-ldap-admin
 CVE-2025-13947 (A flaw was found in WebKitGTK. This vulnerability allows remote, user- ...)
-	TODO: check
+	- webkit2gtk 2.50.3-1
+	- wpewebkit 2.50.3-1
+	[trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <end-of-life> (see #1035997)
+	NOTE: https://webkitgtk.org/security/WSA-2025-0009.html
 CVE-2025-13756 (The Fluent Booking plugin for WordPress is vulnerable to unauthorized  ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2025-13751 (Interactive service agent in OpenVPN version 2.5.0 through 2.7_rc2 on  ...)
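Review bot: replacing "TODO: check" with the fixed version 2.50.3-1 closes the open triage item, but the truncated description ("A flaw was found in WebKitGTK. This vulnerability allows remote, user- ...") does not say which of the WSA-2025-0009 issues this CVE is, so the NOTE to the advisory carries the whole mapping; consider a second NOTE line naming the corresponding upstream bug or the advisory's one-line impact so the link is still recoverable if the advisory page is reorganised.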
@@ -7690,7 +7702,12 @@ CVE-2025-43460 (A logic issue was addressed with improved checks. This issue is
 CVE-2025-43459 (An authentication issue was addressed with improved state management.  ...)
 	NOT-FOR-US: Apple
 CVE-2025-43458 (This issue was addressed through improved state management. This issue ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.50.3-1
+	- wpewebkit 2.50.3-1
+	[trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <end-of-life> (see #1035997)
+	NOTE: https://webkitgtk.org/security/WSA-2025-0009.html
 CVE-2025-43457 (A use-after-free issue was addressed with improved memory management.  ...)
 	NOT-FOR-US: Apple
 CVE-2025-43455 (A privacy issue was addressed with improved checks. This issue is fixe ...)
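Review bot: reversing a prior "NOT-FOR-US: Apple" triage for CVE-2025-43458 deserves an explicit justification in the entry, and here the only one is the NOTE to WSA-2025-0009; that is adequate, since the advisory is upstream's own statement that the issue affects the GTK and WPE ports, but the generic Apple description ("addressed through improved state management") gives no hint of it, so anyone auditing the reversal must follow the link. The neighbouring Apple entries left as NOT-FOR-US (CVE-2025-43459, CVE-2025-43457, CVE-2025-43455) are presumably not listed in the advisory; worth a second look against the same page so none are missed.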
@@ -7808,7 +7825,12 @@ CVE-2025-43423 (A logging issue was addressed with improved data redaction. This
 CVE-2025-43422 (The issue was addressed by adding additional logic. This issue is fixe ...)
 	NOT-FOR-US: Apple
 CVE-2025-43421 (Multiple issues were addressed by disabling array allocation sinking.  ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.50.3-1
+	- wpewebkit 2.50.3-1
+	[trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <end-of-life> (see #1035997)
+	NOTE: https://webkitgtk.org/security/WSA-2025-0009.html
 CVE-2025-43420 (A race condition was addressed with improved state handling. This issu ...)
 	NOT-FOR-US: Apple
 CVE-2025-43419 (The issue was addressed with improved memory handling. This issue is f ...)
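Review bot: the description "Multiple issues were addressed by disabling array allocation sinking" points at a JavaScriptCore JIT-level change, and JavaScriptCore is shared by every WebKit port, so the flip of CVE-2025-43421 from NOT-FOR-US: Apple to webkit2gtk/wpewebkit is well founded; note that, as in the other entries, only the unstable fix version 2.50.3-1 is recorded with no [trixie]/[bookworm] line for webkit2gtk, which correctly leaves both stable releases implicitly vulnerable until 2.50.3-1 is backported, matching the dsa-needed.txt entry added in this commit.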


=====================================
data/dsa-needed.txt
=====================================
@@ -76,6 +76,8 @@ tomcat11/stable (apo)
 unbound (jmm)
   Guilhem Moulin proposing an update to cover CVE-2025-11411
 --
+webkit2gtk (berto)
+--
 wordpress
   Utkarsh Gupta proposed a debdiff to review.
 --
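Review bot: only webkit2gtk is claimed in dsa-needed.txt, which is consistent with the CVE entries marking wpewebkit <ignored> in trixie and bookworm and <end-of-life> in bullseye, so no DSA is pending for wpewebkit; the new entry has no progress line beneath it (compare "unbound (jmm)" with its note about the proposed update), which is fine for a freshly claimed item but should be filled in once the 2.50.3-1 backports for bookworm and trixie are prepared so other team members can see the state of the four CVEs touched here.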



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/85bf99f3be3588e75455d83ff773637942f23bde

-- 
You're receiving this email because of your account on salsa.debian.org.



