[Git][security-tracker-team/security-tracker][master] CVE-2025-49809/mtr: bullseye postponed

[Sylvain Beucler (@beuc)]

Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f371b2f4 by Sylvain Beucler at 2025-07-14T15:41:46+02:00
CVE-2025-49809/mtr: bullseye postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3090,7 +3090,13 @@ CVE-2025-49866 (Improper Neutralization of Input During Web Page Generation ('Cr
 	NOT-FOR-US: WordPress plugin
 CVE-2025-49809 (mtr through 0.95, in certain privileged contexts, mishandles execution ...)
 	- mtr <unfixed>
+	[bullseye] - mtr <postponed> (Minor issue, unlikely scenario for Debian)
+	NOTE: In Debian, mtr runs unprivileged and exec-s mtr-packet (or env[MTR_PACKAGE])
+	NOTE: which has cap_net_raw.
+	NOTE: Mitigation: if running mtr through sudo (typically MacOSX), requires
+	NOTE: touching /etc/mtr.is.run.under.sudo to disable ENV[MTR_PACKET] fallback.
 	NOTE: Fixed by: https://github.com/traviscross/mtr/commit/5226f105f087c29d3cfad9f28000e7536af91ac6
+	NOTE: Introduced by: https://github.com/traviscross/mtr/commit/fcda9e8b82ca354049fa0ee9cfcb2eaaae623ee0 (v0.88)
 CVE-2025-49601 (In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not  ...)
 	- mbedtls 3.6.4-1 (bug #1108788)
 	[bookworm] - mbedtls <not-affected> (Vulnerable code not present)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f371b2f408b22f3c39c21c6c6332eacfbe8305e0

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f371b2f408b22f3c39c21c6c6332eacfbe8305e0
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250714/3adcacb3/attachment.htm>