[Git][security-tracker-team/security-tracker][master] 4 commits: lts: mark pdns-recursor as EOL in Bullseye for new CVEs

Daniel Leidert (@dleidert) dleidert at debian.org
Mon Dec 8 21:22:24 GMT 2025



Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8ca5b5ac by Daniel Leidert at 2025-12-08T22:21:06+01:00
lts: mark pdns-recursor as EOL in Bullseye for new CVEs

- - - - -
5ce327a2 by Daniel Leidert at 2025-12-08T22:21:07+01:00
lts: add patch link for python-urllib3/CVE-2025-66471

- - - - -
a426bdc7 by Daniel Leidert at 2025-12-08T22:21:08+01:00
lts: add patch link for python-urllib3/CVE-2025-66418

- - - - -
7fa0203b by Daniel Leidert at 2025-12-08T22:21:08+01:00
dla: add python-urllib3

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -247,9 +247,11 @@ CVE-2025-12956 (A reflected Cross-site Scripting (XSS) vulnerability affecting E
 	NOT-FOR-US: Dassault Systemes
 CVE-2025-59030 [Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor]
 	- pdns-recursor <unfixed> (bug #1122197)
+	[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
 	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html
 CVE-2025-59029 [Internal logic flaw in cache management can lead to a denial of service in Recursor]
 	- pdns-recursor <unfixed> (bug #1122196)
+	[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
 	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html
 CVE-2025-66321 (Multi-thread race condition vulnerability in the camera framework modu ...)
 	NOT-FOR-US: Huawei
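Review bot: the two added `[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)` lines justify the EOL status by pointing at an advisory that is not otherwise shown in this hunk, so confirm that DSA 6045 is the advisory that declared pdns-recursor end-of-life in bullseye before relying on it as the reference for future triage. Apart from that, the annotation is applied consistently to both CVE-2025-59030 and CVE-2025-59029 (tab-indented, directly after the `<unfixed>` package line, before the NOTE), and the commit message matches what the hunk does.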
@@ -935,10 +937,12 @@ CVE-2025-66471 (urllib3 is a user-friendly HTTP client library for Python. Start
 	- python-urllib3 <unfixed> (bug #1122029)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/12/05/4
 	NOTE: https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37
+	NOTE: Fixed by: https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7 (2.6.0)
 CVE-2025-66418 (urllib3 is a user-friendly HTTP client library for Python. Starting in ...)
 	- python-urllib3 <unfixed> (bug #1122030)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/12/05/4
 	NOTE: https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
+	NOTE: Fixed by: https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8 (2.6.0)
 CVE-2025-65897 (zdh_web is a data collection, processing, monitoring, scheduling, and  ...)
 	NOT-FOR-US: zdh_web
 CVE-2025-65879 (Warehouse Management System 1.2 contains an authenticated arbitrary fi ...)
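Review bot: both `NOTE: Fixed by:` lines record an upstream commit plus the 2.6.0 release while the package lines above them stay `- python-urllib3 <unfixed>`; that is correct as long as no Debian upload exists yet, but double-check that each hash is paired with the right advisory (c19571de with GHSA-2xpw-w6gg-jr37 under CVE-2025-66471, 24d7b67e with GHSA-gm62-xv2j-4w53 under CVE-2025-66418), since both CVEs cite the same oss-security post and a swapped commit would be easy to overlook.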


=====================================
data/dla-needed.txt
=====================================
@@ -341,6 +341,10 @@ python-django (Chris Lamb)
 python-mechanize (dleidert)
   NOTE: 20251206: Added by Front-Desk. Avoid a regression from buster (rouca)
 --
+python-urllib3
+  NOTE: 20251208: Added by Front-Desk (dleidert)
+  NOTE: 20251208: wait for secteam's triage of CVE-2025-66418 and CVE-2025-66471 (dleidert/front-desk)
+--
 rails (rouca)
   NOTE: 20250105: Added by Front-Desk (apo)
   NOTE: 20250305: Utkarsh uploaded the CVE fixes to unstable via rails/7.2.2.1. (utkarsh)
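Review bot: the new `python-urllib3` entry carries no claimant in parentheses after the package name, unlike the neighbouring `python-mechanize (dleidert)` and `rails (rouca)` entries; that is fine while the second NOTE says the package is waiting for secteam's triage of CVE-2025-66418 and CVE-2025-66471, but the entry should gain a claimant (or a dated NOTE recording the triage outcome) once that is resolved so it does not sit unowned in dla-needed.txt.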



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2b9a0e078fe39955044db693747a0991840b8507...7fa0203b339069abf12e978de91681df9cea60ba


