[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sun Dec 21 12:57:38 GMT 2025 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d7c43e95 by Moritz Muehlenhoff at 2025-12-21T13:56:56+01:00
trixie/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -180,6 +180,8 @@ CVE-2025-53922 (Galette is a membership management web application for non profi
 	- galette <removed>
 CVE-2025-50681 (igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a ...)
 	- igmpproxy <unfixed> (bug #1123741)
+	[trixie] - igmpproxy <no-dsa> (Minor issue)
+	[bookworm] - igmpproxy <no-dsa> (Minor issue)
 	NOTE: https://github.com/pali/igmpproxy/issues/97
 	NOTE: Fixed by: https://github.com/younix/igmpproxy/commit/2b30c36e6ab5b21defb76ec6458ab7687984484c
 CVE-2025-34433 (AVideo versions 14.3.1 prior to 20.1 contain an unauthenticated remote ...)
@@ -232,6 +234,7 @@ CVE-2025-14950 (A weakness has been identified in code-projects Scholars Trackin
 	NOT-FOR-US: code-projects
 CVE-2025-14946 (A flaw was found in libnbd. A malicious actor could exploit this by co ...)
 	- libnbd 1.22.5-1
+	[trixie] - libnbd <no-dsa> (Minor issue)
 	[bookworm] - libnbd <not-affected> (Vulnerable code introduced later)
 	NOTE: https://libguestfs.org/libnbd-release-notes-1.24.1.html#Security
 	NOTE: https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/YZMBF3SJRWTRVT5L3KWSNHITFTRMQNTT/
@@ -392,6 +395,8 @@ CVE-2025-62000 (BullWall Ransomware Containment does not entirely inspect a file
 	NOT-FOR-US: BullWall
 CVE-2025-59529 (Avahi is a system which facilitates service discovery on a local netwo ...)
 	- avahi <unfixed> (bug #1123671)
+	[trixie] - avahi <postponed> (Minor issue, revisit when fixed upstream)
+	[bookworm] - avahi <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/avahi/avahi/security/advisories/GHSA-73wf-3xmj-x82q
 	NOTE: https://github.com/avahi/avahi/pull/808
 CVE-2025-53710 (Due to a product misconfiguration in certain deployment types, it was  ...)
@@ -481,6 +486,8 @@ CVE-2025-7047 (Missing Authorization vulnerability in Utarit Informatics Service
 	NOT-FOR-US: SoliClub
 CVE-2025-68469 (ImageMagick is free and open-source software used for editing and mani ...)
 	- imagemagick 8:6.9.12.98+dfsg1-2
+	[trixie] - imagemagick <no-dsa> (Minor issue)
+	[bookworm] - imagemagick <no-dsa> (Minor issue)
 	NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fff3-4rp7-px97
 	NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/a531d28e31309676ce8168c3b6dbbb5374b78790 (7.1.1-13)
 	NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/ac1f7ca1d88e14d30e5ae9bd30aad150bdbec20e (7.1.1-13)
@@ -9729,6 +9736,8 @@ CVE-2025-66036 (Retro is an online platform providing items of vintage collectio
 	NOT-FOR-US: Retro
 CVE-2025-66034 (fontTools is a library for manipulating fonts, written in Python. In v ...)
 	- fonttools <unfixed> (bug #1121605)
+	[trixie] - fonttools <no-dsa> (Minor issue)
+	[bookworm] - fonttools <no-dsa> (Minor issue)
 	NOTE: https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv
 	NOTE: Fixed by: https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32 (4.61.0)
 CVE-2025-66027 (Rallly is an open-source scheduling and collaboration tool. Prior to v ...)
@@ -221413,13 +221422,10 @@ CVE-2023-37520 (UnauthenticatedStored Cross-Site Scripting (XSS) vulnerability i
 CVE-2023-37519 (Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. This  ...)
 	NOT-FOR-US: HCL
 CVE-2023-42465 (Sudo before 1.9.15 might allow row hammer attacks (for authentication  ...)
-	- sudo 1.9.15p2-2
-	[bookworm] - sudo <no-dsa> (Minor issue)
-	[bullseye] - sudo <no-dsa> (Minor issue)
-	[buster] - sudo <no-dsa> (Minor issue)
+	- sudo 1.9.15p2-2 (unimportant)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/9
 	NOTE: https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f (SUDO_1_9_15p1)
-	NOTE: it is more an hardening against hardware bug (rowhammer) than a security fix per se
+	NOTE: Hardening against a hardware bug (rowhammer), not a security fix per se
 	NOTE: part of the code in the fix commit are not built because debian use PAM: plugins/sudoers/auth/sudo_auth.[ch]
 	NOTE: plugins/sudoers/lookup.c part was added in version 1.9.15
 	NOTE: plugins/sudoers/match.c, part was added in 1.8.21



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7c43e958ba7f8a5a79de0edb72fe638af318682

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7c43e958ba7f8a5a79de0edb72fe638af318682
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20251221/65849166/attachment.htm>

More information about the debian-security-tracker-commits mailing list