[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2025-26519/musl: reference patches

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Mon Feb 17 10:07:35 GMT 2025



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
dc4eca2b by Sylvain Beucler at 2025-02-17T10:32:10+01:00
CVE-2025-26519/musl: reference patches

- - - - -
e9771800 by Sylvain Beucler at 2025-02-17T10:35:08+01:00
CVE-2020-28928/musl: reference patch

- - - - -
0bee82bd by Sylvain Beucler at 2025-02-17T11:01:42+01:00
dla: add musl

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -426,6 +426,8 @@ CVE-2025-26519 (musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds
 	- musl <unfixed>
 	[bookworm] - musl <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/02/13/2
+	NOTE: https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659 (master)
+	NOTE: https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da (master)
 CVE-2025-26473 (The Mojave Inverter uses the GET method for sensitive information.)
 	NOT-FOR-US: Mojave Inverter
 CVE-2025-25281 (An attacker may modify the URL to discover sensitive information about ...)
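Review bot: the two added NOTE lines under CVE-2025-26519 are both tagged only "(master)" and say nothing about what each commit covers, so anyone preparing a backport has to open both to learn whether they are two parts of one fix or a fix plus a follow-up. Suggest a short label on each line. Since the entry description already says "before 1.2.6" while the package line is still <unfixed>, the "(master)" tag could also be swapped for the release tag once one exists, as the CVE-2020-28928 note does with "(v1.2.2)".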
@@ -337380,6 +337382,7 @@ CVE-2020-28928 (In musl libc through 1.2.1, wcsnrtombs mishandles particular com
 	- musl 1.2.2-1 (bug #975365)
 	[buster] - musl <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/11/20/4
+	NOTE: https://git.musl-libc.org/cgit/musl/commit/?id=3ab2a4e02682df1382955071919d8aa3c3ec40d4 (v1.2.2)
 CVE-2020-28927 (There is a Stored XSS in Magicpin v2.1 in the User Registration sectio ...)
 	NOT-FOR-US: Magicpin
 CVE-2020-28926 (ReadyMedia (aka MiniDLNA) before versions 1.3.0 allows remote code exe ...)


=====================================
data/dla-needed.txt
=====================================
@@ -162,6 +162,9 @@ mosquitto
   NOTE: 20241126: Backported https://people.debian.org/~abhijith/upload/gss/CVE-2024-3935.patch (abhijith)
   NOTE: 20241217: Backporting CVE-2024-8376 (abhijith)
 --
+musl
+  NOTE: 20250217: Added by Front-Desk (Beuc)
+--
 nagvis
   NOTE: 20250117: Added by Front-Desk (rouca)
   NOTE: 20250119: Also check/fix https://bugs.debian.org/1061044
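Review bot: the new musl entry in data/dla-needed.txt carries only the "Added by Front-Desk (Beuc)" note and does not name the CVE it was added for. The same push touches two musl entries, CVE-2025-26519 and CVE-2020-28928, and the second already shows a fixed version, so a reader cannot tell from this file which of them is in scope. Suggest one more NOTE line naming the CVE(s) to be handled, in the style of the nagvis "Also check/fix" note just below.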



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/59cb5e8e420523b5c4d3948794955974570f08c4...0bee82bd8b4e52bd4ffd666a46351e34e57d2401
