[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sun Dec 7 16:07:00 GMT 2025



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5b44b89b by Moritz Muehlenhoff at 2025-12-07T17:06:37+01:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -350,12 +350,10 @@ CVE-2025-13682 (The Trail Manager plugin for WordPress is vulnerable to Stored C
 CVE-2025-13678 (The Thai Lottery Widget plugin for WordPress is vulnerable to Stored C ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2025-13654 (A stack buffer overflow vulnerability exists in the buffer_get functio ...)
-	- duc 1.4.6-1 (bug #1122057)
-	[trixie] - duc <no-dsa> (Minor issue)
-	[bookworm] - duc <no-dsa> (Minor issue)
-	[bullseye] - duc <postponed> (Minor issue)
+	- duc 1.4.6-1 (bug #1122057; unimportant)
 	NOTE: Fixed by: https://github.com/zevv/duc/commit/8638c4365ffd9e1966bdef8af6339dbee8c17e66 (1.4.6)
 	NOTE: https://hackingbydoing.wixsite.com/hackingbydoing/post/stack-buffer-overflow-in-duc
+	NOTE: Crash in CLI tool, no security impact
 CVE-2025-13620 (The Wp Social Login and Register Social Counter plugin for WordPress i ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2025-13614 (The Cool Tag Cloud plugin for WordPress is vulnerable to Stored Cross- ...)
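Review bot: the new NOTE on the last `+` line ("Crash in CLI tool, no security impact") justifies the `unimportant` tag but does not say why the overflow is not exploitable, for example who controls the input that reaches buffer_get; one clause to that effect would make the downgrade from `<no-dsa>`/`<postponed>` auditable later. Dropping the three per-suite lines is otherwise consistent: a source entry marked unimportant needs no suite-specific markers, and the Fixed-by reference to 1.4.6 remains for anyone who wants to carry the patch regardless.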
@@ -396,6 +394,7 @@ CVE-2025-66571 (UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object inj
 	NOT-FOR-US: UNA CMS
 CVE-2025-66564 (Sigstore Timestamp Authority is a service for issuing RFC 3161 timesta ...)
 	- golang-github-sigstore-timestamp-authority <unfixed> (bug #1122060)
+	[trixie] - golang-github-sigstore-timestamp-authority <no-dsa> (Minor issue)
 	NOTE: https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh
 	NOTE: Fixed by: https://github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421 (v2.0.3)
 CVE-2025-66563 (Monkeytype is a minimalistic and customizable typing test. In 25.49.0  ...)
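Review bot: only a [trixie] marker is added for golang-github-sigstore-timestamp-authority while the source line stays <unfixed>; if the package also ships in bookworm it needs a matching [bookworm] line (<no-dsa> or <not-affected>), otherwise nothing is missing here. The GHSA and Fixed-by (v2.0.3) NOTEs already identify the fixing commit, so the <unfixed> state is only waiting on the unstable upload tracked in bug #1122060.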
@@ -428,6 +427,7 @@ CVE-2025-66509 (LaraDashboard is an all-In-one solution to start a Laravel Appli
 	NOT-FOR-US: LaraDashboard
 CVE-2025-66506 (Fulcio is a free-to-use certificate authority for issuing code signing ...)
 	- golang-github-sigstore-fulcio <unfixed> (bug #1122059)
+	[trixie] - golang-github-sigstore-fulcio <no-dsa> (Minor issue)
 	NOTE: https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw
 	NOTE: Fixed by: https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a (v1.8.3)
 CVE-2025-66479 (Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforci ...)
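Review bot: same shape as the timestamp-authority entry above, a [trixie] <no-dsa> line with no bookworm counterpart, so the same check applies if golang-github-sigstore-fulcio is present in bookworm. Because fulcio is a certificate authority, the "Minor issue" rating on an <unfixed> package deserves a one-line NOTE summarizing the advisory's impact, so the rating does not have to be rederived from GHSA-f83f-xpx7-ffpw by the next person who looks.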
@@ -633,6 +633,8 @@ CVE-2025-65806 (The E-POINT CMS eagle.gsam-1169.1 file upload feature improperly
 	NOT-FOR-US: E-POINT CMS
 CVE-2025-65637 (A denial-of-service vulnerability exists in github.com/sirupsen/logrus ...)
 	- golang-logrus 1.9.3-1
+	[trixie] - golang-logrus <no-dsa> (Minor issue)
+	[bookworm] - golang-logrus <no-dsa> (Minor issue)
 	[bullseye] - golang-logrus <postponed> (Limited support, can be fixed later - not serious enough to require an immediate update)
 	NOTE: https://github.com/mjuanxd/logrus-dos-poc
 	NOTE: https://github.com/sirupsen/logrus/issues/1370
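Review bot: the trixie and bookworm <no-dsa> markers for golang-logrus are consistent with the existing bullseye <postponed> line, but the practical caveat for a Go library is worth recording: the fix in 1.9.3-1 only reaches stable binaries once the reverse dependencies that statically link logrus are rebuilt, so a later point-release update needs a rebuild plan for those packages, not just the library upload. A NOTE to that effect would save rediscovering it when the issue is eventually scheduled.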
@@ -1213,8 +1215,14 @@ CVE-2025-12744 (A flaw was found in the ABRT daemon\u2019s handling of user-supp
 	NOT-FOR-US: abrt is Red Hat / Fedora specific
 CVE-2025-12385 (Allocation of Resources Without Limits or Throttling, Improper Validat ...)
 	- qt6-declarative <unfixed> (bug #1122054)
+	[trixie] - qt6-declarative <no-dsa> (Minor issue)
+	[bookworm] - qt6-declarative <no-dsa> (Minor issue)
 	- qtdeclarative-opensource-src <unfixed> (bug #1122055)
+	[trixie] - qtdeclarative-opensource-src <no-dsa> (Minor issue)
+	[bookworm] - qtdeclarative-opensource-src <no-dsa> (Minor issue)
 	- qtdeclarative-opensource-src-gles <unfixed> (bug #1122056)
+	[trixie] - qtdeclarative-opensource-src-gles <no-dsa> (Minor issue)
+	[bookworm] - qtdeclarative-opensource-src-gles <no-dsa> (Minor issue)
 	NOTE: https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239
 	NOTE: https://codereview.qt-project.org/c/qt/qtdeclarative/+/687766
 CVE-2025-12358 (The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPres ...)
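Review bot: all three Qt sources get identical [trixie]/[bookworm] <no-dsa> lines, but none gets a [bullseye] marker; the Qt 5 source qtdeclarative-opensource-src is the one most likely to ship there, so either a [bullseye] line or a NOTE that bullseye is not affected would close the gap for LTS triage. The two codereview.qt-project.org references are kept, but no upstream fixed version is recorded, so whoever resolves bugs #1122054, #1122055 and #1122056 still has to identify the release that carries both changes.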


=====================================
data/dsa-needed.txt
=====================================
@@ -63,10 +63,12 @@ ruby-saml/oldstable
 --
 runc
 --
-sogo/oldstable
+sogo
 --
 sympa/oldstable
 --
+tika
+--
 tomcat10/oldstable (apo)
 --
 tomcat11/stable (apo)
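Review bot: changing `sogo/oldstable` to bare `sogo` widens the DSA request from bookworm to every supported suite, and `tika` is added without a suite qualifier, so both now cover stable as well; neither carries a claimant in parentheses as the tomcat entries do, so they remain open for anyone to pick up. If the sogo DSA for stable is meant to address a different set of CVEs than the oldstable one, a split entry (as with tomcat10/oldstable and tomcat11/stable) would keep that visible.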



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b44b89bbcee7f5b052fe3b108ba44e046194215
