[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2025-14946/libnbd: bullseye not-affected

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Tue Dec 30 18:40:50 GMT 2025 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
89edc562 by Sylvain Beucler at 2025-12-30T19:09:35+01:00
CVE-2025-14946/libnbd: bullseye not-affected

- - - - -
af28a8e5 by Sylvain Beucler at 2025-12-30T19:13:43+01:00
CVE-2025-67746/composer: bullseye postponed

- - - - -
aeda9962 by Sylvain Beucler at 2025-12-30T19:34:32+01:00
CVE-2025-2486/edk2: bullseye also has the CVE-2023-48733-related local patch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2,6 +2,7 @@ CVE-2025-67746
 	- composer 2.9.3-1
 	[trixie] - composer <no-dsa> (Minor issue)
 	[bookworm] - composer <no-dsa> (Minor issue)
+	[bullseye] - composer <postponed> (Minor issue, terminal control characters sanitization)
 	NOTE: https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g
 	NOTE: Fixed by: https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71 (2.9.3)
 	NOTE: Fixed by: https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917 (2.2.26)
@@ -4338,6 +4339,7 @@ CVE-2025-14946 (A flaw was found in libnbd. A malicious actor could exploit this
 	- libnbd 1.22.5-1
 	[trixie] - libnbd <no-dsa> (Minor issue)
 	[bookworm] - libnbd <not-affected> (Vulnerable code introduced later)
+	[bullseye] - libnbd <not-affected> (Vulnerable code introduced later)
 	NOTE: https://libguestfs.org/libnbd-release-notes-1.24.1.html#Security
 	NOTE: https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/YZMBF3SJRWTRVT5L3KWSNHITFTRMQNTT/
 	NOTE: Fixed by: https://gitlab.com/nbdkit/libnbd/-/commit/fffd87a3ba216cf2f9c212e5db96b13b98985edf (v1.23.9)
@@ -14348,11 +14350,11 @@ CVE-2025-3747
 CVE-2025-2486 (The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI S ...)
 	- edk2 2023.11-7
 	[bookworm] - edk2 2022.11-6+deb12u1
-	[bullseye] - edk2 <postponed> (Can be piggyback'd with future DLA but be careful about possible regression)
+	[bullseye] - edk2 2020.11-2+deb11u2
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797
 	NOTE: To address CVE-2023-48733 in Debian a local patch disabled the built-in Shell
 	NOTE: when SecureBoot is enabled fixing CVE-2025-2486.
-	NOTE: Be cautious of possible regression when backporting patches to stable releases -
+	NOTE: Be cautious of possible regression when backporting patches to stable releases
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797/comments/9
 CVE-2025-26155 (NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client ...)
 	NOT-FOR-US: NCP



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/985d841546c34f02d6b862642e1fbd91dbee3aa1...aeda99629fe72d21c4da4b5d7cad9a2971975038

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/985d841546c34f02d6b862642e1fbd91dbee3aa1...aeda99629fe72d21c4da4b5d7cad9a2971975038
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20251230/b452e839/attachment.htm>

More information about the debian-security-tracker-commits mailing list