[Git][security-tracker-team/security-tracker][master] dropbear, mediawiki DSAs
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Dec 19 19:23:11 GMT 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
85b715bd by Moritz Mühlenhoff at 2025-12-19T20:22:23+01:00
dropbear, mediawiki DSAs
- - - - -
3 changed files:
- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -4053,6 +4053,7 @@ CVE-2025-67484
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1208364 (REL1_39)
CVE-2025-67483
- mediawiki 1:1.43.6+dfsg-1
+ [trixie] - mediawiki 1:1.43.6+dfsg-1~deb13u1
[bookworm] - mediawiki <not-affected> (Vulnerable code not present, introduced in 1.40)
NOTE: https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/FOY6VXTBCCHIGYGSTQBPN3UFCL6CAX6Y/
NOTE: https://phabricator.wikimedia.org/T409226
@@ -4095,6 +4096,7 @@ CVE-2025-67478
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1217284 (REL1_39)
CVE-2025-67477
- mediawiki 1:1.43.6+dfsg-1
+ [trixie] - mediawiki 1:1.43.6+dfsg-1~deb13u1
[bookworm] - mediawiki <not-affected> (Vulnerable code not present)
NOTE: https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/FOY6VXTBCCHIGYGSTQBPN3UFCL6CAX6Y/
NOTE: https://phabricator.wikimedia.org/T406639
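Review bot: the [bookworm] reason on CVE-2025-67477 says only "Vulnerable code not present", while the CVE-2025-67483 entry in the previous hunk also records where the code came in ("introduced in 1.40"). If the introducing release is known from T406639, adding it to the reason makes the not-affected call checkable later.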
@@ -27233,11 +27235,13 @@ CVE-2025-61655 [Properly escape and parse system messages]
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/VisualEditor/+/1193248
CVE-2025-61657 [Insert sticky header labels as text instead of HTML]
- mediawiki 1:1.43.5+dfsg-1
+ [trixie] - mediawiki 1:1.43.6+dfsg-1~deb13u1
[bookworm] - mediawiki <not-affected> (Vulnerable code not present)
[bullseye] - mediawiki <not-affected> (Vulnerable code not present)
NOTE: http://phabricator.wikimedia.org/T398636
CVE-2025-61654 [Exclude deleted entries when counting thanks]
- mediawiki 1:1.43.5+dfsg-1
+ [trixie] - mediawiki 1:1.43.6+dfsg-1~deb13u1
[bookworm] - mediawiki <not-affected> (Vulnerable code not present)
[bullseye] - mediawiki <not-affected> (Vulnerable code not present)
NOTE: https://phabricator.wikimedia.org/T397497
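Review bot: the NOTE under CVE-2025-61657 links Phabricator over http:// (http://phabricator.wikimedia.org/T398636), where every other NOTE in this diff uses https://. Since the entry is being touched anyway, switch it to https:// for consistency.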
@@ -27309,12 +27313,14 @@ CVE-2025-11173
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OATHAuth/+/1180664
CVE-2025-11175
- mediawiki 1:1.43.5+dfsg-1
+ [trixie] - mediawiki 1:1.43.6+dfsg-1~deb13u1
[bookworm] - mediawiki <not-affected> (Vulnerable code not present)
[bullseye] - mediawiki <not-affected> (Vulnerable code not present)
NOTE: https://phabricator.wikimedia.org/T364910
NOTE: https://phabricator.wikimedia.org/T396248
CVE-2025-61652 [In API check user read permissions before showing PageInfo]
- mediawiki 1:1.43.5+dfsg-1
+ [trixie] - mediawiki 1:1.43.6+dfsg-1~deb13u1
[bookworm] - mediawiki <not-affected> (Vulnerable code not present)
[bullseye] - mediawiki <not-affected> (Vulnerable code not present)
NOTE: https://phabricator.wikimedia.org/T397580
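Review bot: the new [trixie] lines for CVE-2025-11175 and CVE-2025-61652 record 1:1.43.6+dfsg-1~deb13u1, while the unstable line above each gives 1:1.43.5+dfsg-1 as the fixed version. That is correct only if trixie never received a 1.43.5-based upload; if it did, that earlier version is the first fixed one and should be recorded instead. The same applies to the other entries in this commit whose unstable fix is 1:1.43.5+dfsg-1.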
@@ -27568,6 +27574,7 @@ CVE-2024-58260 (A vulnerability has been identified within Rancher Manager where
NOT-FOR-US: Rancher
CVE-2025-61642 [Escape submit button label for Codex-based HTMLForms]
- mediawiki 1:1.43.5+dfsg-1
+ [trixie] - mediawiki 1:1.43.6+dfsg-1~deb13u1
[bookworm] - mediawiki <not-affected> (Vulnerable code not present)
[bullseye] - mediawiki <not-affected> (Vulnerable code not present)
NOTE: https://phabricator.wikimedia.org/T402313
@@ -27596,18 +27603,21 @@ CVE-2025-61638 [Sanitize data- attributes]
NOTE: The fix needs changes in embedded parsoid too: https://gerrit.wikimedia.org/r/c/mediawiki/services/parsoid/+/1192154 (v0.16.6)
CVE-2025-61637 [Escape three system messages used by live preview]
- mediawiki 1:1.43.5+dfsg-1
+ [trixie] - mediawiki 1:1.43.6+dfsg-1~deb13u1
[bookworm] - mediawiki <not-affected> (Vulnerable code not present)
[bullseye] - mediawiki <not-affected> (Vulnerable code not present)
NOTE: https://phabricator.wikimedia.org/T394856
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1193171
CVE-2025-61636 [Escape rawElement $content]
- mediawiki 1:1.43.5+dfsg-1
+ [trixie] - mediawiki 1:1.43.6+dfsg-1~deb13u1
[bookworm] - mediawiki <not-affected> (Vulnerable code not present)
[bullseye] - mediawiki <not-affected> (Vulnerable code not present)
NOTE: https://phabricator.wikimedia.org/T394396
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1193170
CVE-2025-61634 [REST: Set cache-control value of max-age=60 for redirects]
- mediawiki 1:1.43.5+dfsg-1
+ [trixie] - mediawiki 1:1.43.6+dfsg-1~deb13u1
[bookworm] - mediawiki <not-affected> (Redirect introduced in 1.40)
[bullseye] - mediawiki <not-affected> (Redirect introduced in 1.40)
NOTE: https://phabricator.wikimedia.org/T387478
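Review bot: the context NOTE at the top of this hunk says the CVE-2025-61638 fix also needs a change in the embedded parsoid (v0.16.6), and that CVE is listed under DSA-6085-1 in data/DSA/list. Consider a NOTE on that entry stating that the 1:1.39.17-1~deb12u1 and 1:1.43.6+dfsg-1~deb13u1 uploads include the parsoid part, so the entry does not read as possibly half-fixed.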
=====================================
data/DSA/list
=====================================
@@ -1,3 +1,10 @@
+[19 Dec 2025] DSA-6086-1 dropbear - security update
+ {CVE-2025-14282}
+ [trixie] - dropbear 2025.89-1~deb13u1
+[19 Dec 2025] DSA-6085-1 mediawiki - security update
+ {CVE-2025-11173 CVE-2025-11261 CVE-2025-61635 CVE-2025-61638 CVE-2025-61639 CVE-2025-61640 CVE-2025-61641 CVE-2025-61643 CVE-2025-61646 CVE-2025-61653 CVE-2025-61655 CVE-2025-61656 CVE-2025-67475 CVE-2025-67478 CVE-2025-67479 CVE-2025-67480 CVE-2025-67481 CVE-2025-67482 CVE-2025-67484}
+ [bookworm] - mediawiki 1:1.39.17-1~deb12u1
+ [trixie] - mediawiki 1:1.43.6+dfsg-1~deb13u1
[18 Dec 2025] DSA-6084-1 c-ares - security update
{CVE-2025-62408}
[trixie] - c-ares 1.34.5-1+deb13u1
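Review bot: the CVE set in braces for DSA-6085-1 does not include the ten CVEs that get a manual [trixie] line in data/CVE/list in this commit (CVE-2025-67483, CVE-2025-67477, CVE-2025-61657, CVE-2025-61654, CVE-2025-11175, CVE-2025-61652, CVE-2025-61642, CVE-2025-61637, CVE-2025-61636, CVE-2025-61634). All ten are marked <not-affected> for bookworm, which would explain keeping them out of a DSA that also covers bookworm; a line in the commit message saying so would make the split obvious to the next editor.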
=====================================
data/dsa-needed.txt
=====================================
@@ -20,9 +20,6 @@ chromium (dilinger)
cpp-httplib
Maintainer preparing updates, waiting for feedback on bookworm status
--
-dropbear (jmm)
- Guilhem Moulin prepared an update
---
frr/oldstable
coordination with the maintainer ongoing, Daniel Baumann proposing an update
--
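Review bot: the removed dropbear entry has no release suffix (compare frr/oldstable in the context just below it), but DSA-6086-1 in data/DSA/list carries only a [trixie] line. Confirm that bookworm needs no update for CVE-2025-14282, or keep a dropbear/oldstable entry here so the open work stays visible.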
@@ -43,8 +40,6 @@ linux (carnil)
mbedtls
Adrian Bunk posted debdiff for review for trixie-security
--
-mediawiki (jmm)
---
netty
Bastien Roucaries proposing an update
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/85b715bdc8c6a8f31c3f9c139f28bb7c779126b4