[Git][security-tracker-team/security-tracker][master] 9 commits: CVE-2025-6297,dpkg: bullseye is postponed

Markus Koschany (@apo) apo at debian.org
Thu Jul 10 18:01:11 BST 2025



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
39dc087b by Markus Koschany at 2025-07-10T18:13:56+02:00
CVE-2025-6297,dpkg: bullseye is postponed

Minor issue

- - - - -
ce873d53 by Markus Koschany at 2025-07-10T18:23:01+02:00
Add erlang to dla-needed.txt

- - - - -
8692f065 by Markus Koschany at 2025-07-10T18:30:29+02:00
Add libcommons-fileupload-java to dla-needed.txt and claim it

Identical vulnerability as in tomcat9

- - - - -
1d1ed72d by Markus Koschany at 2025-07-10T18:33:45+02:00
Triage libssh CVE as postponed for bullseye

Minor issues

- - - - -
b65bc056 by Markus Koschany at 2025-07-10T18:35:22+02:00
CVE-2025-XXXX,qbittorrent: bullseye is postponed

Minor issue

- - - - -
b06af3f1 by Markus Koschany at 2025-07-10T18:37:00+02:00
CVE-2025-6140,spdlog: bullseye is postponed

Minor issue

- - - - -
84243ae0 by Markus Koschany at 2025-07-10T18:38:01+02:00
Add thunderbird to dla-needed.txt

- - - - -
e8416151 by Markus Koschany at 2025-07-10T18:47:39+02:00
Add libowasp-esapi-java to dla-needed.txt

- - - - -
ec300121 by Markus Koschany at 2025-07-10T19:00:39+02:00
Add php7.4 to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1906,6 +1906,7 @@ CVE-2023-51232 (Directory Traversal vulnerability in dagster-webserver Dagster t
 CVE-2025-XXXX [RSS/SEARCH: Prevent opening local files if web page is expected]
 	- qbittorrent 5.1.0-2 (bug #1108843)
 	[bookworm] - qbittorrent <no-dsa> (Minor issue)
+	[bullseye] - qbittorrent <postponed> (Minor issue)
 	NOTE: https://www.qbittorrent.org/news#wed-jul-02nd-2025---qbittorrent-v5.1.2-release
 	NOTE: Fixed by: https://github.com/qbittorrent/qBittorrent/commit/6ad073e0bc26c1f9d3530490ece611b49f5bfcab (release-5.1.2)
 	NOTE: Fixed by: https://github.com/qbittorrent/qBittorrent/commit/ad68813fe879ba245a4f41f105ed8d2114a92971 (release-5.1.2)
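Review bot: the entry header and the commit message still use the CVE-2025-XXXX placeholder, so this [bullseye] <postponed> line is filed against an unassigned identifier; it is consistent with the existing [bookworm] <no-dsa> (Minor issue) triage and the fix in 5.1.0-2, but the placeholder should be replaced with the allocated CVE once it is published so the entry can be matched to the two release-5.1.2 fix commits already cited in the NOTE lines.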
@@ -3726,6 +3727,7 @@ CVE-2025-32462 (Sudo before 1.9.17p1, when used with a sudoers file that specifi
 CVE-2025-6297 (It was discovered that dpkg-deb does not properly sanitize directory p ...)
 	- dpkg 1.22.21
 	[bookworm] - dpkg <no-dsa> (Minor issue)
+	[bullseye] - dpkg <postponed> (Minor issue)
 	NOTE: Fixed by: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ed6bbd445dd8800308c67236ba35d08004c98e82 (main)
 	NOTE: Fixed by: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=98c623c8d6814ae46a3b30ca22e584c77d47d86b (1.22.21)
 CVE-2025-6898 (A vulnerability, which was classified as critical, has been found in D ...)
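Review bot: the dpkg line `- dpkg 1.22.21` carries no Debian bug reference, unlike the qbittorrent and libssh entries in the same file which record `(bug #...)`; if a bug was filed for CVE-2025-6297 it should be added here so the postponed bullseye triage can be followed up from the BTS. The two NOTE lines pointing at the fix on main and in 1.22.21 agree with the fixed version given, so the new [bullseye] <postponed> line is otherwise consistent with the bookworm triage.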
@@ -5054,6 +5056,7 @@ CVE-2025-6032 (A flaw was found in Podman. The podman machine init command fails
 CVE-2025-5987 (A flaw was found in libssh when using the ChaCha20 cipher with the Ope ...)
 	- libssh 0.11.2-1 (bug #1108407)
 	[bookworm] - libssh <no-dsa> (Minor issue)
+	[bullseye] - libssh <postponed> (Minor issue)
 	NOTE: https://www.libssh.org/security/advisories/CVE-2025-5987.txt
 	NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=90b4845e0c98574bbf7bea9e97796695f064bf57 (libssh-0.11.2)
 CVE-2025-5449
@@ -5069,27 +5072,32 @@ CVE-2025-5449
 CVE-2025-5372 (A flaw was found in libssh versions built with OpenSSL versions older  ...)
 	- libssh 0.11.2-1 (bug #1108407)
 	[bookworm] - libssh <no-dsa> (Minor issue)
+	[bullseye] - libssh <postponed> (Minor issue)
 	NOTE: https://www.libssh.org/security/advisories/CVE-2025-5372.txt
 	NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972 (libssh-0.11.2)
 CVE-2025-5351 (A flaw was found in the key export functionality of libssh. The issue  ...)
 	- libssh 0.11.2-1 (bug #1108407)
 	[bookworm] - libssh <no-dsa> (Minor issue)
+	[bullseye] - libssh <postponed> (Minor issue)
 	NOTE: https://www.libssh.org/security/advisories/CVE-2025-5351.txt
 	NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=6ddb730a27338983851248af59b128b995aad256 (libssh-0.11.2)
 CVE-2025-5318 (A flaw was found in the libssh library. An out-of-bounds read can be t ...)
 	- libssh 0.11.2-1 (bug #1108407)
 	[bookworm] - libssh <no-dsa> (Minor issue)
+	[bullseye] - libssh <postponed> (Minor issue)
 	NOTE: https://www.libssh.org/security/advisories/CVE-2025-5318.txt
 	NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=5f4ffda88770f95482fd0e66aa44106614dbf466 (libssh-0.11.2)
 CVE-2025-4878
 	- libssh 0.11.2-1 (bug #1108407)
 	[bookworm] - libssh <no-dsa> (Minor issue)
+	[bullseye] - libssh <postponed> (Minor issue)
 	NOTE: https://www.libssh.org/security/advisories/CVE-2025-4878.txt
 	NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1 (libssh-0.11.2)
 	NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb (libssh-0.11.2)
 CVE-2025-4877
 	- libssh 0.11.2-1 (bug #1108407)
 	[bookworm] - libssh <no-dsa> (Minor issue)
+	[bullseye] - libssh <postponed> (Minor issue)
 	NOTE: https://www.libssh.org/security/advisories/CVE-2025-4877.txt
 	NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d (libssh-0.11.2)
 CVE-2025-5087 (Kaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely usin ...)
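Review bot: all six libssh entries in this hunk (CVE-2025-5372, -5351, -5318, -4878, -4877, each referencing bug #1108407 and fixed in 0.11.2-1) receive the identical [bullseye] <postponed> (Minor issue) line, matching the bookworm triage; note that the header lines for CVE-2025-4878 and CVE-2025-4877 still have no description text, so for those two the "Minor issue" rationale rests only on the advisory URLs in the NOTE lines, and the descriptions should be filled in when the CVE feed provides them.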
@@ -8346,6 +8354,7 @@ CVE-2024-21856
 CVE-2025-6140 (A vulnerability, which was classified as problematic, was found in spd ...)
 	- spdlog 1:1.15.2+ds-1
 	[bookworm] - spdlog <no-dsa> (Minor issue)
+	[bullseye] - spdlog <postponed> (Minor issue)
 	NOTE: https://github.com/gabime/spdlog/issues/3360
 	NOTE: Fixed by: https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094 (v1.15.2)
 CVE-2025-6179 (Permissions Bypass in Extension Management in Google ChromeOS          ...)


=====================================
data/dla-needed.txt
=====================================
@@ -82,6 +82,9 @@ epiphany-browser
   NOTE: 20250429: Changes the UI to prompt when opening URLs in external applications. (lamby)
   NOTE: 20250606: mark as ignored/end-of-life if webkit2gtk doesn't get updated (pochu)
 --
+erlang
+  NOTE: 20250710: Added by Front-Desk (apo)
+--
 fastdds
   NOTE: 20250303: Added by Front-Desk (rouca)
 --
@@ -175,6 +178,12 @@ knot-resolver
   NOTE: 20250506: Writting to upstream to get a PoC to reproduce open CVEs.
   NOTE: 20250522: Processing some tips received by upstream to try to reproduce CVE. Still working on the patches.
 --
+libcommons-fileupload-java (Markus Koschany)
+  NOTE: 20250710: Added by Front-Desk (apo)
+--
+libowasp-esapi-java
+  NOTE: 20250710: Added by Front-Desk (apo)
+--
 libsoup2.4
   NOTE: 20250408: Added by Front-Desk (Beuc)
   NOTE: 20250427: libsoup2.4 2.72.0-2+deb11u2 (bullseye) uploaded ...
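Review bot: the commit message states this is the same vulnerability as in tomcat9, but the new libcommons-fileupload-java entry only records `NOTE: 20250710: Added by Front-Desk (apo)`; adding a NOTE line with that cross-reference (for example `  NOTE: 20250710: Same issue as in tomcat9 (apo)`) would keep the relationship visible in dla-needed.txt for whoever prepares either update. The claimant format `(Markus Koschany)` matches the existing `pytorch (dleidert)` style, and libowasp-esapi-java is inserted in alphabetical order.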
@@ -295,6 +304,9 @@ php-laravel-framework
 php-league-commonmark
   NOTE: 20250609: Added by Front-Desk (rouca)
 --
+php7.4
+  NOTE: 20250710: Added by Front-Desk (apo)
+--
 pytorch (dleidert)
   NOTE: 20250422: Added by Front-Desk (rouca)
   NOTE: 20250422: CVE-2025-32434 RCE need to be fixed. DoS may be postponed (rouca/FD)
@@ -341,7 +353,10 @@ systemd (charles)
   NOTE: 20250627: Mail to mailing list with proposed fix and inquiry about
   NOTE: 20250627: buffer overflow issue (https://lists.debian.org/debian-lts/2025/06/msg00035.html)
 --
-tomcat9
+thunderbird
+  NOTE: 20250710: Added by Front-Desk (apo)
+--
+tomcat9 (Markus Koschany)
   NOTE: 20250613: Added by maintainer (apo)
 --
 trafficserver
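Review bot: the replaced `tomcat9` header now carries the claim `(Markus Koschany)`, but none of the nine commit messages in this push mentions claiming tomcat9 (only libcommons-fileupload-java is described as claimed) and no dated NOTE line records the claim; since other entries in this file log state changes as NOTE lines, adding `  NOTE: 20250710: Claimed by apo` under tomcat9 would keep the history traceable. The thunderbird entry is placed between systemd and tomcat9, consistent with the file's alphabetical ordering.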



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/267f58388f5866a7887158d59eef9e9b7540de0b...ec300121fc3fedc5229fe756e7b0313ebebf8e45
