[Git][security-tracker-team/security-tracker][master] 9 commits: CVE-2024-6174,CVE-2024-11584,cloud-init: bullseye is postponed
Markus Koschany (@apo)
apo at debian.org
Sun Jul 13 22:47:39 BST 2025
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
aa958e91 by Markus Koschany at 2025-07-13T23:47:13+02:00
CVE-2024-6174,CVE-2024-11584,cloud-init: bullseye is postponed
Minor issues
- - - - -
c5c90f6e by Markus Koschany at 2025-07-13T23:47:14+02:00
CVE-2025-6493,codemirror-js: bullseye is postponed
Minor issue
- - - - -
f3b6a222 by Markus Koschany at 2025-07-13T23:47:16+02:00
CVE-2025-5024,gnome-remote-desktop: bullseye is postponed
Minor issue
- - - - -
ad305952 by Markus Koschany at 2025-07-13T23:47:17+02:00
CVE-2025-7207,mruby: bullseye is postponed
Minor issue
- - - - -
664dbee9 by Markus Koschany at 2025-07-13T23:47:19+02:00
CVE-2025-6545,node-pbkdf2: bullseye is postponed
Minor issue
- - - - -
6b366e5d by Markus Koschany at 2025-07-13T23:47:19+02:00
Add gdk-pixbuf to dla-needed.txt
- - - - -
263d4969 by Markus Koschany at 2025-07-13T23:47:20+02:00
CVE-2025-52886,poppler: bullseye is postponed
Minor issue
- - - - -
830cb1f3 by Markus Koschany at 2025-07-13T23:47:21+02:00
Add rabbitmq-server to dla-needed.
Please help finding more information. Has been in "triaging" status since June.
Link to upstream issue tracker follows.
- - - - -
81255755 by Markus Koschany at 2025-07-13T23:47:22+02:00
CVE-2025-4674,golang-1.15: bullseye is postponed
Minor issue
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -134,6 +134,7 @@ CVE-2025-7465 (A vulnerability classified as critical was found in Tenda FH1201
NOT-FOR-US: Tenda
CVE-2025-7464 (A vulnerability classified as problematic has been found in osrg GoBGP ...)
- gobgp <unfixed>
+ [bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)
NOTE: Fixed by: https://github.com/osrg/gobgp/commit/e748f43496d74946d14fed85c776452e47b99d64
CVE-2025-7463 (A vulnerability was found in Tenda FH1201 1.2.0.14. It has been declar ...)
NOT-FOR-US: Tenda
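Review bot: the gobgp annotation in this hunk is not named by any of the nine commit messages (they cover cloud-init, codemirror-js, gnome-remote-desktop, mruby, node-pbkdf2, poppler and golang-1.15), so the CVE-2025-7464 change cannot be matched to a commit from the log; whichever commit carries it should say so in its message. The reason text also tells readers to "follow bookworm security updates" while the entry has no [bookworm] line at all, only `- gobgp <unfixed>`; add a [bookworm] status (or point the bullseye note at the upstream fix commit already quoted in the NOTE line) so the instruction refers to something recorded in the tracker.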
@@ -1260,6 +1261,7 @@ CVE-2025-7208 (A vulnerability was found in 9fans plan9port up to 9da5b44. It ha
CVE-2025-7207 (A vulnerability, which was classified as problematic, was found in mru ...)
- mruby <unfixed>
[bookworm] - mruby <no-dsa> (Minor issue)
+ [bullseye] - mruby <postponed> (Minor issue)
NOTE: https://github.com/mruby/mruby/issues/6509
NOTE: https://github.com/mruby/mruby/commit/1fdd96104180cc0fb5d3cb086b05ab6458911bb9
CVE-2025-7206 (A vulnerability, which was classified as critical, has been found in D ...)
@@ -1440,6 +1442,7 @@ CVE-2025-4674
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
NOTE: https://github.com/golang/go/commit/825eeee3f789a11231ce23a4836c74ec5e34bf2a (go1.24.5)
NOTE: https://github.com/golang/go/commit/e9d2c032b14c17083be0f8f0c822565199d2994f (go1.23.11)
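Review bot: the hunk header shows the entry line as bare `CVE-2025-4674` with no description text, unlike every other entry touched in this change; the description should be synced so the bullseye postponement is readable in context. It is also worth recording that the two referenced fix commits target go1.24.5 and go1.23.11, so a later bullseye update of golang-1.15 will need a hand-ported patch rather than a cherry-pick of either commit.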
@@ -3815,6 +3818,7 @@ CVE-2025-52891 (ModSecurity is an open source, cross platform web application fi
NOTE: Fixed by: https://github.com/owasp-modsecurity/ModSecurity/commit/8879413abf507b1921f6feb292ee91e0f0064b01 (v2.9.11)
CVE-2025-52886 (Poppler is a PDF rendering library. Versions prior to 25.06.0 use `std ...)
- poppler <unfixed> (bug #1108784)
+ [bullseye] - poppler <postponed> (Minor issue)
NOTE: https://securitylab.github.com/advisories/GHSL-2025-054_poppler/
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1581
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1828
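Review bot: poppler gets a [bullseye] postponed line while the entry has no [bookworm] status, only `- poppler <unfixed> (bug #1108784)`; every other package postponed in this change already carries a `[bookworm] - ... <no-dsa> (Minor issue)` line above the new bullseye one. Either add the bookworm decision here or say in a NOTE why bookworm is handled differently, otherwise the stable state of a "Minor issue" stays undecided while oldstable is already triaged.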
@@ -5269,6 +5273,7 @@ CVE-2025-29331 (An issue in MHSanaei 3x-ui before v.2.5.3 and before allows a re
CVE-2024-6174 (When a non-x86 platform is detected, cloud-init grants root access to ...)
- cloud-init 25.1.4-1 (bug #1108403)
[bookworm] - cloud-init <no-dsa> (Minor issue)
+ [bullseye] - cloud-init <postponed> (Minor issue)
NOTE: Fixed by: https://github.com/canonical/cloud-init/commit/f43937f0b462734eb9c76700491c18fe4133c8e1 (25.1.3)
NOTE: https://github.com/advisories/GHSA-w8g9-wp36-fchj
CVE-2024-56915 (Netbox Community v4.1.7 and fixed in v.4.2.2 is vulnerable to Cross Si ...)
@@ -5278,6 +5283,7 @@ CVE-2024-52928 (Arc before 1.26.1 on Windows has a bypass issue in the site sett
CVE-2024-11584 (cloud-initthrough 25.1.2 includes the systemd socket unitcloud-init-ho ...)
- cloud-init 25.1.4-1 (bug #1108402)
[bookworm] - cloud-init <no-dsa> (Minor issue)
+ [bullseye] - cloud-init <postponed> (Minor issue)
NOTE: Fixed by: https://github.com/canonical/cloud-init/commit/4839736429e9057a309ccd835cb3159fb51b1353 (25.1.3)
NOTE: https://github.com/canonical/cloud-init/pull/6265
NOTE: https://github.com/advisories/GHSA-3xmh-hrxh-fx8j
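Review bot: the context line description reads `cloud-initthrough 25.1.2 includes the systemd socket unitcloud-init-ho ...`, with the spaces after `cloud-init` and `unit` dropped; not introduced by this change, but the description should be re-synced or corrected so the entry reads properly and matches the wording of the advisory it summarises.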
@@ -6044,6 +6050,7 @@ CVE-2025-6547 (Improper Input Validation vulnerability in pbkdf2 allows Signatur
CVE-2025-6545 (Improper Input Validation vulnerability in pbkdf2 allows Signature Spo ...)
- node-pbkdf2 <unfixed> (bug #1108283)
[bookworm] - node-pbkdf2 <no-dsa> (Minor issue)
+ [bullseye] - node-pbkdf2 <postponed> (Minor issue)
NOTE: https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6
NOTE: Introduced by: https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078 (v3.0.10)
NOTE: Fixed by: https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb (v3.1.3)
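Review bot: the hunk header shows CVE-2025-6547 immediately above, also against pbkdf2 ("Improper Input Validation vulnerability in pbkdf2 allows Signatur ..."), but only CVE-2025-6545 receives the [bullseye] postponed line; check whether CVE-2025-6547 needs the same bullseye annotation so the two node-pbkdf2 issues do not end up with divergent oldstable status.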
@@ -6193,6 +6200,7 @@ CVE-2025-6494 (A vulnerability was found in sparklemotion nokogiri c29c920907366
CVE-2025-6493 (A vulnerability was found in CodeMirror up to 5.17.0 and classified as ...)
- codemirror-js <unfixed> (bug #1108477)
[bookworm] - codemirror-js <no-dsa> (Minor issue)
+ [bullseye] - codemirror-js <postponed> (Minor issue)
NOTE: https://github.com/codemirror/codemirror5/issues/7128
CVE-2025-52926 (In scan.rs in spytrap-adb before 0.3.5, matches for known stalkerware ...)
- rust-spytrap-adb 0.3.5-1
@@ -15225,6 +15233,7 @@ CVE-2025-4575 (Issue summary: Use of -addreject option with the openssl x509 app
CVE-2025-5024 (A flaw was found in gnome-remote-desktop. Once gnome-remote-desktop li ...)
- gnome-remote-desktop <unfixed> (bug #1106527)
[bookworm] - gnome-remote-desktop <no-dsa> (Minor issue)
+ [bullseye] - gnome-remote-desktop <postponed> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2367717
NOTE: Fixed by https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/merge_requests/321
CVE-2025-5062 (The WooCommerce plugin for WordPress is vulnerable to PostMessage-Base ...)
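Review bot: style point on the context line `NOTE: Fixed by https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/merge_requests/321`: the other entries in this change write `Fixed by:` with a colon (see the gobgp, cloud-init and node-pbkdf2 notes); keep the form consistent so the marker can be matched mechanically.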
=====================================
data/dla-needed.txt
=====================================
@@ -108,6 +108,9 @@ freeimage
NOTE: 20240922: Many postponed CVE.
NOTE: 20241202: still WIP (santiago)
--
+gdk-pixbuf
+ NOTE: 20250713: Added by Front-Desk (apo)
+--
gimp
NOTE: 20250410: Added by Front-Desk (Beuc)
NOTE: 20250410: CVE-2025-2760 may need a custom patch as upstream now focuses on gimp3,
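Review bot: the new gdk-pixbuf entry carries only `NOTE: 20250713: Added by Front-Desk (apo)` and names no CVE or reason; neighbouring entries record what is to be fixed (gimp points at CVE-2025-2760, qtbase-opensource-src at CVE-2024-39936). Add the CVE id(s) or a one-line pointer so whoever claims the package knows what to work on.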
@@ -319,6 +322,11 @@ qtbase-opensource-src
NOTE: 20250520: Follow fixes from bookworm 12.11 (CVE-2024-39936)
NOTE: 20250520: We don't seem affected by the non-CVE crash fix #1081682 (Beuc/front-desk)
--
+rabbitmq-server
+ NOTE: 20250713: Added by Front-Desk (apo)
+ NOTE: 20250713: Unsufficient information but looks like a genuine security problem.
+ NTOE: 20250713: Please double-check and follow-up with upstream.
+--
rails
NOTE: 20250105: Added by Front-Desk (apo)
NOTE: 20250305: Utkarsh uploaded the CVE fixes to unstable via rails/7.2.2.1. (utkarsh)
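Review bot: the third added line starts with `NTOE:` instead of `NOTE:`, which breaks the marker convention used throughout dla-needed.txt, and `Unsufficient` should be `Insufficient`. The commit message also says "Link to upstream issue tracker follows", but no link appears in these added lines; either add it here or drop that sentence from the message.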
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/94d12e282db11a33b247407316f6269250d39e66...8125575535ce72a2c3347511a21ce6cf0184d39d