[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Jul 16 14:22:43 BST 2025



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
832e5b01 by Moritz Muehlenhoff at 2025-07-16T15:22:29+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -70,9 +70,11 @@ CVE-2025-2799 (The WP Event Manager \u2013 Events Calendar, Registrations, Sell
 	NOT-FOR-US: WordPress plugin
 CVE-2025-53906 (Vim is an open source, command line text editor. Prior to version 9.1. ...)
 	- vim <unfixed> (bug #1109374)
+	[bookworm] - vim <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/07/15/2
 CVE-2025-53905 (Vim is an open source, command line text editor. Prior to version 9.1. ...)
 	- vim <unfixed> (bug #1109374)
+	[bookworm] - vim <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/07/15/1
 CVE-2025-30761 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...)
 	- openjdk-8 <unfixed>
@@ -98,6 +100,7 @@ CVE-2025-6971 (Use After Free vulnerability exists in the CATPRODUCT file readin
 	NOT-FOR-US: Dassault Systemes
 CVE-2025-6965 (There exists a vulnerability in SQLite versions before 3.50.2 where th ...)
 	- sqlite3 <unfixed> (bug #1109379)
+	[bookworm] - sqlite3 <no-dsa> (Minor issue)
 	NOTE: https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
 CVE-2025-6558 (Insufficient validation of untrusted input in ANGLE and GPU in Google  ...)
 	- chromium 138.0.7204.157-1
@@ -428,6 +431,7 @@ CVE-2025-3621 (Vulnerabilities* in ActADUR local server product, developed and m
 	NOT-FOR-US: ActADUR
 CVE-2025-53643 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
 	- python-aiohttp <unfixed> (bug #1109336)
+	[bookworm] - python-aiohttp <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9548-qrrj-x5pj
 	NOTE: https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a (v3.12.14)
 CVE-2025-7628 (A vulnerability was found in YiJiuSmile kkFileViewOfficeEdit up to 5fb ...)
@@ -501,11 +505,10 @@ CVE-2025-7588 (A vulnerability classified as critical has been found in PHPGuruk
 CVE-2025-7587 (A vulnerability was found in code-projects Online Appointment Booking  ...)
 	NOT-FOR-US: code-projects
 CVE-2025-7519 (A flaw was found in polkit. When processing an XML policy with 32 or m ...)
-	- policykit-1 <unfixed> (bug #1109334)
-	[bookworm] - policykit-1 <no-dsa> (Minor issue; needs high privilege account to place malicious policy file)
-	[bullseye] - policykit-1 <postponed> (Minor issue; needs high privilege account to place malicious policy file)
+	- policykit-1 <unfixed> (bug #1109334; unimportant)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2379675
 	NOTE: Fixed by: https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245
+	NOTE: Negligible security impact
 CVE-2025-53689 (Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-cor ...)
 	- jackrabbit <unfixed> (bug #1109335)
 	NOTE: https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24
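Review bot: the removed `[bookworm]` and `[bullseye]` lines for CVE-2025-7519 carried the actual rationale ("needs high privilege account to place malicious policy file"), while the replacement only records `(bug #1109334; unimportant)` and `NOTE: Negligible security impact`. Suggest keeping that reasoning in the NOTE, e.g. `NOTE: Negligible security impact, needs a high-privilege account to place a malicious policy file`, so the unimportant classification stays self-explanatory for later triagers.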
@@ -892,6 +895,7 @@ CVE-2025-53636 (Open OnDemand is an open-source HPC portal. Users can flood logs
 CVE-2025-24294 (The attack vector is a potential Denial of Service (DoS). The vulnerab ...)
 	- ruby3.3 <unfixed> (bug #1109337)
 	- ruby3.1 <removed>
+	[bookworm] - ruby3.1 <no-dsa> (Minor issue)
 	- ruby2.7 <removed>
 	NOTE: https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294/
 	NOTE: https://github.com/ruby/resolv/commit/4c2f71b5e80826506f78417d85b38481c058fb25 (v0.6.2)
@@ -1036,7 +1040,9 @@ CVE-2023-38327 (An issue was discovered in eGroupWare 17.1.20190111. A User Enum
 	- egroupware <removed>
 CVE-2025-48924 (Uncontrolled Recursion vulnerability in Apache Commons Lang.  This iss ...)
 	- libcommons-lang3-java <unfixed> (bug #1109125)
+	[bookworm] - libcommons-lang3-java <no-dsa> (Minor issue)
 	- libcommons-lang-java <unfixed> (bug #1109126)
+	[bookworm] - libcommons-lang-java <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/07/11/1
 CVE-2025-7442 (The WPGYM - Wordpress Gym Management System plugin for WordPress is vu ...)
 	NOT-FOR-US: WordPress plugin
@@ -1082,6 +1088,7 @@ CVE-2025-6068 (The FooGallery \u2013 Responsive Photo Gallery, Image Viewer, Jus
 	NOT-FOR-US: WordPress plugin
 CVE-2025-5992 (When passing values outside of the expected range to QColorTransferGen ...)
 	- qt6-base <unfixed> (bug #1109299)
+	[bookworm] - qt6-base <no-dsa> (Minor issue)
 	NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/647919
 	NOTE: https://github.com/qt/qtbase/commit/f12d046383decf8f468de62732c9cff7d4303cbf
 CVE-2025-5530 (The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerab ...)
@@ -3696,14 +3703,14 @@ CVE-2025-49867 (Incorrect Privilege Assignment vulnerability in InspiryThemes Re
 CVE-2025-49866 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2025-49809 (mtr through 0.95, in certain privileged contexts, mishandles execution ...)
-	- mtr <unfixed>
-	[bullseye] - mtr <postponed> (Minor issue, unlikely scenario for Debian)
+	- mtr <unfixed> (unimportant)
 	NOTE: In Debian, mtr runs unprivileged and exec-s mtr-packet (or env[MTR_PACKAGE])
 	NOTE: which has cap_net_raw.
 	NOTE: Mitigation: if running mtr through sudo (typically MacOSX), requires
 	NOTE: touching /etc/mtr.is.run.under.sudo to disable ENV[MTR_PACKET] fallback.
 	NOTE: Fixed by: https://github.com/traviscross/mtr/commit/5226f105f087c29d3cfad9f28000e7536af91ac6
 	NOTE: Introduced by: https://github.com/traviscross/mtr/commit/fcda9e8b82ca354049fa0ee9cfcb2eaaae623ee0 (v0.88)
+	NOTE: Negligible security impact on Debian
 CVE-2025-49601 (In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not  ...)
 	- mbedtls 3.6.4-1 (bug #1108788)
 	[bookworm] - mbedtls <not-affected> (Vulnerable code not present)
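Review bot: the unchanged context notes for CVE-2025-49809 disagree on the variable name: the first says `env[MTR_PACKAGE]`, the later one `ENV[MTR_PACKET]` (mtr's variable is MTR_PACKET). Since this hunk reworks the same entry to `(unimportant)` and adds a closing NOTE, it is a good moment to make the two spellings consistent so the mitigation note and the description refer to the same fallback.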
@@ -4556,6 +4563,7 @@ CVE-2025-52891 (ModSecurity is an open source, cross platform web application fi
 	NOTE: Fixed by: https://github.com/owasp-modsecurity/ModSecurity/commit/8879413abf507b1921f6feb292ee91e0f0064b01 (v2.9.11)
 CVE-2025-52886 (Poppler is a PDF rendering library. Versions prior to 25.06.0 use `std ...)
 	- poppler <unfixed> (bug #1108784)
+	[bookworm] - poppler <no-dsa> (Minor issue)
 	[bullseye] - poppler <postponed> (Minor issue)
 	NOTE: https://securitylab.github.com/advisories/GHSL-2025-054_poppler/
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1581
@@ -5179,10 +5187,12 @@ CVE-2025-53076 (Improper Input Validation vulnerability in Samsung Open Source r
 	NOTE: Fxied by: https://github.com/Samsung/rlottie/commit/36ddb42d78d1b13c1b1d7e1699aef8a9f339ab6f
 CVE-2025-53075 (Improper Input Validation vulnerability in Samsung Open Source rLottie ...)
 	- rlottie <unfixed> (bug #1109341)
+	[bookworm] - rlottie <no-dsa> (Minor issue)
 	NOTE: https://github.com/Samsung/rlottie/pull/571
 	NOTE: https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9
 CVE-2025-53074 (Out-of-bounds Read vulnerability in Samsung Open Source rLottie allows ...)
 	- rlottie <unfixed> (bug #1109341)
+	[bookworm] - rlottie <no-dsa> (Minor issue)
 	NOTE: https://github.com/Samsung/rlottie/pull/571
 	NOTE: https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9
 CVE-2025-46014 (Several services in Honor Device Co., Ltd Honor PC Manager v16.0.0.118 ...)
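Review bot: the context line directly above the CVE-2025-53075 entry reads `NOTE: Fxied by:`; as this hunk already edits the rlottie block, fixing the typo to `Fixed by:` in the same commit keeps the tracker's notes consistent and searchable.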
@@ -5209,6 +5219,7 @@ CVE-2025-38087 (In the Linux kernel, the following vulnerability has been resolv
 	NOTE: https://git.kernel.org/linus/b160766e26d4e2e2d6fe2294e0b02f92baefcec5 (6.16-rc3)
 CVE-2025-0634 (Use After Free vulnerability in Samsung Open Source rLottie allows Rem ...)
 	- rlottie <unfixed> (bug #1109341)
+	[bookworm] - rlottie <no-dsa> (Minor issue)
 	NOTE: https://github.com/Samsung/rlottie/pull/571
 	NOTE: https://github.com/Samsung/rlottie/commit/507ea027e47d3e1dc7ddbd9994621215eae7ebb9
 CVE-2015-20112 (RLPx 5 has two CTR streams based on the same key, IV, and nonce. This  ...)
@@ -5255,6 +5266,7 @@ CVE-2025-6854 (A vulnerability classified as problematic was found in chatchat-s
 	NOT-FOR-US: Langchain-Chatchat
 CVE-2025-5878 (A vulnerability was found in ESAPI esapi-java-legacy and classified as ...)
 	- libowasp-esapi-java <unfixed> (bug #1109378)
+	[bookworm] - libowasp-esapi-java <no-dsa> (Minor issue)
 	NOTE: https://github.com/ESAPI/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512 (esapi-2.7.0.0)
 	NOTE: https://github.com/ESAPI/esapi-java-legacy/commit/e2322914304d9b1c52523ff24be495b7832f6a56 (esapi-2.7.0.0)
 CVE-2025-24292 (A misconfigured query in UniFi Network (v9.1.120 and earlier) could al ...)
@@ -6190,6 +6202,7 @@ CVE-2025-6444 (ServiceStack GetErrorResponse Improper Input Validation NTLM Rela
 	NOT-FOR-US: ServiceStack
 CVE-2025-6442 (Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vu ...)
 	- ruby-webrick 1.9.1-1
+	[bookworm] - ruby-webrick <no-dsa> (Minor issue)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-414/
 	NOTE: Fixed by: https://github.com/ruby/webrick/commit/ee60354bcb84ec33b9245e1d1aa6e1f7e8132101 (v1.8.2)
 CVE-2025-5927 (The Everest Forms (Pro) plugin for WordPress is vulnerable to arbitrar ...)
@@ -6828,6 +6841,7 @@ CVE-2025-52937 (Vulnerability in PointCloudLibrary PCL (surface/src/3rdparty/ope
 CVE-2025-52936 (Improper Link Resolution Before File Access ('Link Following') vulnera ...)
 	{DLA-4238-1}
 	- sslh <unfixed> (bug #1108284)
+	[bookworm] - sslh <no-dsa> (Minor issue)
 	NOTE: https://github.com/yrutschle/sslh/pull/494
 	NOTE: Fixed by: https://github.com/yrutschle/sslh/commit/0fe9bd5a956a123342ff12352b25bff8025dac69 (v2.2.2)
 CVE-2025-52935 (Integer Overflow or Wraparound vulnerability in dragonflydb dragonfly  ...)
@@ -13738,6 +13752,7 @@ CVE-2025-47272 (The CE Phoenix eCommerce platform, starting in version 1.0.9.7 a
 	NOT-FOR-US: CE Phoenix
 CVE-2025-46807 (A Allocation of Resources Without Limits or Throttling vulnerability i ...)
 	- sslh <unfixed> (bug #1107213)
+	[bookworm] - sslh <no-dsa> (Minor issue)
 	[bullseye] - sslh <ignored> (Minor issue; too intrusive to backport)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1243122
 	NOTE: Fixed by: https://github.com/yrutschle/sslh/commit/ff8206f7c8a47f901b78a1b78db5a4c788f6aa6f (v2.2.4)
@@ -26282,19 +26297,23 @@ CVE-2025-25228 (A SQL injection in VirtueMart component 1.0.0 - 4.4.7 for Joomla
 	NOT-FOR-US: Joomla
 CVE-2025-43973 (An issue was discovered in GoBGP before 3.35.0. pkg/packet/rtr/rtr.go  ...)
 	- gobgp 3.35.0-1
+	[bookworm] - gobgp <no-dsa> (Minor issue)
 	[bullseye] - gobgp <postponed> (Limited support, minor issue, DoS, follow bookworm DSAs/point-releases)
 	NOTE: Fixed by: https://github.com/osrg/gobgp/commit/5693c58a4815cc6327b8d3b6980f0e5aced28abe (v3.35.0)
 CVE-2025-43972 (An issue was discovered in GoBGP before 3.35.0. An attacker can cause  ...)
 	- gobgp 3.35.0-1
+	[bookworm] - gobgp <no-dsa> (Minor issue)
 	[bullseye] - gobgp <postponed> (Limited support, minor issue, DoS, follow bookworm DSAs/point-releases)
 	NOTE: Fixed by: https://github.com/osrg/gobgp/commit/ca7383f450f7b296c5389feceef2467de5ab6e5a (v3.35.0)
 CVE-2025-43971 (An issue was discovered in GoBGP before 3.35.0. pkg/packet/bgp/bgp.go  ...)
 	- gobgp 3.35.0-1
+	[bookworm] - gobgp <no-dsa> (Minor issue)
 	[bullseye] - gobgp <not-affected> (Vulnerable code introduced later)
 	NOTE: Fixed by: https://github.com/osrg/gobgp/commit/08a001e06d90e8bcc190084c66992f46f62c0986 (v3.35.0)
 	NOTE: Introduced by: https://github.com/osrg/gobgp/commit/c556ca4f8d6ed1d31a1a257af338abede79a321e (v3.11.0)
 CVE-2025-43970 (An issue was discovered in GoBGP before 3.35.0. pkg/packet/mrt/mrt.go  ...)
 	- gobgp 3.35.0-1
+	[bookworm] - gobgp <no-dsa> (Minor issue)
 	[bullseye] - gobgp <postponed> (Limited support, minor issue, DoS, follow bookworm DSAs/point-releases)
 	NOTE: Fixed by: https://github.com/osrg/gobgp/commit/5153bafbe8dbe1a2f02a70bbf0365e98b80e47b0 (v3.35.0)
 CVE-2025-43967 (libheif before 1.19.6 has a NULL pointer dereference in ImageItem_Grid ...)
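Review bot: the new `[bookworm] - gobgp <no-dsa> (Minor issue)` lines sit next to `[bullseye]` entries whose rationale is "follow bookworm DSAs/point-releases". With bookworm marked no-dsa, no DSA will be issued, so the bullseye fix would only be triggered by a bookworm point release; if that is intended, a NOTE (or extending the bookworm rationale to say "point release only") would keep the two entries from reading as contradictory.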
@@ -59314,6 +59333,7 @@ CVE-2025-21312 (Windows Smart Card Reader Information Disclosure Vulnerability)
 	NOT-FOR-US: Microsoft
 CVE-2025-21311 (Windows NTLM V1 Elevation of Privilege Vulnerability)
 	- squid 7.1-1
+	[bookworm] - squid <no-dsa> (Minor issue)
 	NOTE: 7.1 removes the ntlm_smb_lm_auth module
 CVE-2025-21310 (Windows Digital Media Elevation of Privilege Vulnerability)
 	NOT-FOR-US: Microsoft
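Review bot: for CVE-2025-21311 the unstable entry is satisfied by version 7.1 removing the ntlm_smb_lm_auth module rather than by a code fix, so `[bookworm] - squid <no-dsa> (Minor issue)` leaves open whether the module simply stays in bookworm or its removal is planned for a point release; a short NOTE stating which is intended would help the next triager.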


=====================================
data/dsa-needed.txt
=====================================
@@ -30,7 +30,9 @@ frr
 gh
   Santiago Vila might work on preparing an update
 --
-gnutls28
+git
+--
+gnutls28 (jmm)
   Maintainer prepared updates
 --
 guix
@@ -40,15 +42,22 @@ jackson-core
 libreswan
   Waiting on feedback from maintainer
 --
+libxslt
+  We should wait until the patches are merged upstream
+--
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more 6.1.y versions
 --
+mbedtls
+--
 netty
 --
 nodejs
   Bastien Roucaries (rouca) showed interest to prepare an update and is working on it
 --
+openjdk-17 (jmm)
+--
 opennds
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
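Review bot: the context line for `linux (carnil)` has a typo, `regulary` should be `regularly`; since this hunk inserts entries on both sides of it, fixing it here is cheap. Also, the new `libxslt` entry says to wait until the patches are merged upstream but does not reference which patches; a link to the upstream merge request or issue would make the wait condition checkable.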
@@ -56,11 +65,15 @@ pagure
 --
 pgpool2 (aron)
 --
+php8.2
+--
 php-laravel-framework
 --
 python-django
   Chris is working on it
 --
+redis
+--
 ruby-rack
 --
 ruby-saml



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/832e5b0170d7aab7383df5d4d3d8498ece41bb58


