[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Jul 11 10:11:37 BST 2025 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4ff417a9 by Moritz Muehlenhoff at 2025-07-11T11:10:54+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -935,6 +935,7 @@ CVE-2025-7208 (A vulnerability was found in 9fans plan9port up to 9da5b44. It ha
 	NOT-FOR-US: plan9port
 CVE-2025-7207 (A vulnerability, which was classified as problematic, was found in mru ...)
 	- mruby <unfixed>
+	[bookworm] - mruby <no-dsa> (Minor issue)
 	NOTE: https://github.com/mruby/mruby/issues/6509
 	NOTE: https://github.com/mruby/mruby/commit/1fdd96104180cc0fb5d3cb086b05ab6458911bb9
 CVE-2025-7206 (A vulnerability, which was classified as critical, has been found in D ...)
@@ -1113,6 +1114,7 @@ CVE-2025-4674
 	- golang-1.24 <unfixed>
 	- golang-1.23 <unfixed>
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
 	NOTE: https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
 	NOTE: https://github.com/golang/go/commit/825eeee3f789a11231ce23a4836c74ec5e34bf2a (go1.24.5)
@@ -2491,11 +2493,13 @@ CVE-2025-7074 (A vulnerability classified as problematic has been found in verce
 CVE-2025-7070 (A vulnerability has been found in IROAD Dashcam Q9 up to 20250624 and  ...)
 	NOT-FOR-US: IROAD Dashcam Q9
 CVE-2025-7069 (A vulnerability, which was classified as problematic, was found in HDF ...)
-	- hdf5 <unfixed> (bug #1108884)
+	- hdf5 <unfixed> (bug #1108884; unimportant)
 	NOTE: https://github.com/HDFGroup/hdf5/issues/5550
+	NOTE: Negligible security impact
 CVE-2025-7068 (A vulnerability, which was classified as problematic, has been found i ...)
-	- hdf5 <unfixed> (bug #1108885)
+	- hdf5 <unfixed> (bug #1108885; unimportant)
 	NOTE: https://github.com/HDFGroup/hdf5/issues/5578
+	NOTE: Negligible security impact
 CVE-2025-53605 (The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion ...)
 	- rust-protobuf <unfixed> (bug #1103833)
 	[bookworm] - rust-protobuf <no-dsa> (Minor issue)
@@ -2558,6 +2562,7 @@ CVE-2025-1735 [pgsql extension does not check for errors during escaping]
 	NOTE: Fixed by: https://github.com/php/php-src/commit/9376aeef9f8ff81f2705b8016237ec3e30bdee44 (php-8.1.33)
 CVE-2025-7067 (A vulnerability classified as problematic was found in HDF5 1.14.6. Th ...)
 	- hdf5 <unfixed> (bug #1108886)
+	[bookworm] - hdf5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/HDFGroup/hdf5/issues/5577
 CVE-2025-7066 (Jirafeau normally prevents browser preview for text files due to the p ...)
 	NOT-FOR-US: Jirafeau
@@ -4937,6 +4942,7 @@ CVE-2025-29331 (An issue in MHSanaei 3x-ui before v.2.5.3 and before allows a re
 	NOT-FOR-US: MHSanaei 3x-ui
 CVE-2024-6174 (When a non-x86 platform is detected, cloud-init grants root access to  ...)
 	- cloud-init 25.1.4-1 (bug #1108403)
+	[bookworm] - cloud-init <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/canonical/cloud-init/commit/f43937f0b462734eb9c76700491c18fe4133c8e1 (25.1.3)
 	NOTE: https://github.com/advisories/GHSA-w8g9-wp36-fchj
 CVE-2024-56915 (Netbox Community v4.1.7 and fixed in v.4.2.2 is vulnerable to Cross Si ...)
@@ -4945,6 +4951,7 @@ CVE-2024-52928 (Arc before 1.26.1 on Windows has a bypass issue in the site sett
 	NOT-FOR-US: Arc Browser
 CVE-2024-11584 (cloud-initthrough 25.1.2 includes the systemd socket unitcloud-init-ho ...)
 	- cloud-init 25.1.4-1 (bug #1108402)
+	[bookworm] - cloud-init <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/canonical/cloud-init/commit/4839736429e9057a309ccd835cb3159fb51b1353 (25.1.3)
 	NOTE: https://github.com/canonical/cloud-init/pull/6265
 	NOTE: https://github.com/advisories/GHSA-3xmh-hrxh-fx8j
@@ -5710,6 +5717,7 @@ CVE-2025-6547 (Improper Input Validation vulnerability in pbkdf2 allows Signatur
 	NOTE: Fixed by: https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb (v3.1.3)
 CVE-2025-6545 (Improper Input Validation vulnerability in pbkdf2 allows Signature Spo ...)
 	- node-pbkdf2 <unfixed> (bug #1108283)
+	[bookworm] - node-pbkdf2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6
 	NOTE: Introduced by: https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078 (v3.0.10)
 	NOTE: Fixed by: https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb (v3.1.3)
@@ -5858,6 +5866,7 @@ CVE-2025-6494 (A vulnerability was found in sparklemotion nokogiri c29c920907366
 	NOTE: https://github.com/sparklemotion/nokogiri/pull/3524
 CVE-2025-6493 (A vulnerability was found in CodeMirror up to 5.17.0 and classified as ...)
 	- codemirror-js <unfixed> (bug #1108477)
+	[bookworm] - codemirror-js <no-dsa> (Minor issue)
 	NOTE: https://github.com/codemirror/codemirror5/issues/7128
 CVE-2025-52926 (In scan.rs in spytrap-adb before 0.3.5, matches for known stalkerware  ...)
 	- rust-spytrap-adb 0.3.5-1
@@ -37927,6 +37936,7 @@ CVE-2024-56498
 CVE-2024-40635 (containerd is an open-source container runtime. A bug was found in con ...)
 	{DLA-4153-1}
 	- containerd 1.7.24~ds1-6 (bug #1100806)
+	[bookworm] - containerd <no-dsa> (Minor issue)
 	NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg
 	NOTE: https://github.com/containerd/containerd/commit/11504c3fc5f45634f2d93d57743a998194430b82 (v1.7.27)
 	NOTE: https://github.com/containerd/containerd/commit/9639b9625554183d0c4d8d072dccb84fedd2320f (v1.6.38)


=====================================
data/dsa-needed.txt
=====================================
@@ -15,6 +15,9 @@ If needed, specify the release by adding a slash after the name of the source pa
 amd64-microcode (carnil)
   Coordinating with maintainer DSA/bookworm-pu and sync with mitgations in src:linux
 --
+apache2
+  First have it exposed in unstable for a week or so
+--
 ark (jmm)
 --
 commons-vfs (apo)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ff417a9806ae4d8d4069fd2d8c63b9c3707a98b

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ff417a9806ae4d8d4069fd2d8c63b9c3707a98b
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250711/6979762e/attachment.htm>

More information about the debian-security-tracker-commits mailing list