[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Jun 2 08:57:43 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5736b6b4 by Moritz Muehlenhoff at 2025-06-02T09:57:20+02:00
bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -337,13 +337,13 @@ CVE-2025-44906 (jhead v3.08 was discovered to contain a heap-use-after-free via
NOTE: https://github.com/madao123123/crash_report/blob/main/jhead/jhead.md
NOTE: https://github.com/Matthias-Wandel/jhead/issues/90
CVE-2025-44905 (hdf5 v1.14.6 was discovered to contain a heap buffer overflow via the ...)
- - hdf5 <unfixed>
+ - hdf5 <unfixed> (unimportant)
NOTE: https://github.com/madao123123/crash_report/blob/main/hdf5_poc/hdf5_poc5.md
- TODO: reported upstream?
+ NOTE: Negligible security impact
CVE-2025-44904 (hdf5 v1.14.6 was discovered to contain a heap buffer overflow via the ...)
- - hdf5 <unfixed>
+ - hdf5 <unfixed> (unimportant)
NOTE: https://github.com/madao123123/crash_report/blob/main/hdf5_poc/hdf5_poc1.md
- TODO: reported upstream?
+ NOTE: Negligible security impact
CVE-2025-44619 (Tinxy WiFi Lock Controller v1 RF was discovered to be configured to tr ...)
NOT-FOR-US: Tinxy
CVE-2025-44614 (Tinxy WiFi Lock Controller v1 RF was discovered to store users' sensit ...)
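Review bot: the two hdf5 entries drop the open question `TODO: reported upstream?` and replace it with `NOTE: Negligible security impact`, but neither records why the downgrade to (unimportant) is justified, and the only reference left is the madao123123/crash_report PoC page rather than an upstream issue. Both CVE descriptions read as heap buffer overflows in hdf5 itself, so a one-line rationale in the style the tcpreplay and pspp hunks of this same commit use ("Hang in CLI tool, no security impact" / "Crash in CLI tool, no security impact"), plus an upstream issue link as the jhead entry just above carries (Matthias-Wandel/jhead/issues/90), would make the triage auditable later.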
@@ -497,7 +497,8 @@ CVE-2024-51392 (An issue in OpenKnowledgeMaps Headstart v7 allows a remote attac
CVE-2024-49350 (IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 ...)
NOT-FOR-US: IBM
CVE-2024-22654 (tcpreplay v4.4.4 was discovered to contain an infinite loop via the tc ...)
- - tcpreplay 4.5.1-1
+ - tcpreplay 4.5.1-1 (unimportant)
+ NOTE: Hang in CLI tool, no security impact
NOTE: https://github.com/appneta/tcpreplay/issues/827
NOTE: https://github.com/appneta/tcpreplay/pull/842
NOTE: https://github.com/appneta/tcpreplay/pull/859
@@ -2273,9 +2274,9 @@ CVE-2025-5003 (A vulnerability has been found in projectworlds Online Time Table
CVE-2025-5002 (A vulnerability, which was classified as critical, was found in Source ...)
NOT-FOR-US: SourceCodester
CVE-2025-5001 (A vulnerability was found in GNU PSPP 82fb509fb2fedd33e7ac0c46ca99e108 ...)
- - pspp <unfixed> (bug #1106251)
- [bullseye] - pspp <postponed> (Minor issue, DoS)
+ - pspp <unfixed> (bug #1106251; unimportant)
NOTE: https://savannah.gnu.org/bugs/index.php?67069
+ NOTE: Crash in CLI tool, no security impact
CVE-2025-5000 (A vulnerability was found in Linksys FGW3000-AH and FGW3000-HK up to 1 ...)
NOT-FOR-US: Linksys
CVE-2025-4999 (A vulnerability was found in Linksys FGW3000-AH and FGW3000-HK up to 1 ...)
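Review bot: style point on the pspp entry: the new `NOTE: Crash in CLI tool, no security impact` is placed after the savannah URL NOTE, whereas the tcpreplay entry in this commit puts its equivalent rationale line before the URL NOTEs; one ordering should be used consistently. Removing `[bullseye] - pspp <postponed> (Minor issue, DoS)` is consistent with the package-wide (unimportant) tag on the unstable line, which makes per-suite annotations redundant.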
@@ -11513,12 +11514,14 @@ CVE-2025-46435 (Cross-Site Request Forgery (CSRF) vulnerability in Yash Binani T
CVE-2025-46421 (A flaw was found in libsoup. When libsoup clients encounter an HTTP re ...)
- libsoup3 3.6.5-1
- libsoup2.4 <unfixed> (bug #1104054)
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/439
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/436
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/3e5c26415811f19e7737238bb23305ffaf96f66b (3.6.5)
CVE-2025-46420 (A flaw was found in libsoup. It is vulnerable to memory leaks in the s ...)
- libsoup3 3.6.4-1
- libsoup2.4 2.74.3-10.1 (bug #1104055)
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/438
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/421
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/c9083869ec2a3037e6df4bd86b45c419ba295f8e (3.6.2)
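Review bot: for CVE-2025-46421, libsoup2.4 remains `<unfixed> (bug #1104054)` in unstable while the new `[bookworm] - libsoup2.4 <no-dsa> (Minor issue)` line defers the stable fix to a point update; the only fix reference in the entry is the libsoup 3.6.5 commit, so a note on whether that commit applies to the 2.74 branch (or a libsoup2.4-specific fix pointer) would help whoever prepares the bookworm upload. The CVE-2025-46420 change is consistent, since libsoup2.4 is already fixed there in 2.74.3-10.1.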
@@ -15122,6 +15125,7 @@ CVE-2025-32914 (A flaw was found in libsoup, where the soup_multipart_new_from_m
{DLA-4140-1}
- libsoup3 <unfixed> (bug #1103267)
- libsoup2.4 2.74.3-10.1 (bug #1103512)
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/436
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf
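Review bot: the `[bookworm]` annotation is added for libsoup2.4 only, yet this entry still lists libsoup3 as `<unfixed> (bug #1103267)` in unstable and its status header carries only `{DLA-4140-1}`, a bullseye LTS update; the bookworm status of libsoup3 for CVE-2025-32914 is therefore not visible in this hunk. Worth confirming it is tracked elsewhere or adding the matching `[bookworm] - libsoup3 ...` line; the same question applies to the following libsoup hunks (CVE-2025-32913 through CVE-2025-32909), where libsoup3 is fixed in unstable but likewise gets no bookworm line.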
@@ -15129,6 +15133,7 @@ CVE-2025-32913 (A flaw was found in libsoup, where the soup_message_headers_get_
{DLA-4140-1}
- libsoup3 3.6.4-1
- libsoup2.4 2.74.3-10.1 (bug #1103515)
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/435
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/422
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0 (3.6.2)
@@ -15136,6 +15141,7 @@ CVE-2025-32912 (A flaw was found in libsoup, where SoupAuthDigest is vulnerable
{DLA-4140-1}
- libsoup3 3.6.5-1
- libsoup2.4 2.74.3-10.1 (bug #1103516)
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/434
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832 (3.6.2)
@@ -15146,6 +15152,7 @@ CVE-2025-32911 (A use-after-free type vulnerability was found in libsoup, in the
{DLA-4140-1}
- libsoup3 3.6.4-1
- libsoup2.4 2.74.3-10.1 (bug #1103515)
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/433
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/422
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0 (3.6.2)
@@ -15153,6 +15160,7 @@ CVE-2025-32910 (A flaw was found in libsoup, where soup_auth_digest_authenticate
{DLA-4140-1}
- libsoup3 3.6.4-1
- libsoup2.4 2.74.3-10.1 (bug #1103516)
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/432
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832 (3.6.2)
@@ -15160,6 +15168,7 @@ CVE-2025-32909 (A flaw was found in libsoup. SoupContentSniffer may be vulnerabl
{DLA-4140-1}
- libsoup3 3.6.4-1
- libsoup2.4 2.74.3-10.1 (bug #1103517)
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/431
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/ba4c3a6f988beff59e45801ab36067293d24ce92 (3.6.2)
CVE-2025-32908 (A flaw was found in libsoup. The HTTP/2 server in libsoup may not full ...)
@@ -51714,6 +51723,7 @@ CVE-2024-56522 (An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFt
NOTE: Fixed by: https://github.com/tecnickcom/TCPDF/commit/d54b97cec33f4f1a5ad81119a82085cad93cec89 (6.8.0)
CVE-2024-56521 (An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CUR ...)
- tcpdf 6.8.0+dfsg-1 (bug #1091687)
+ [bookworm] - tcpdf <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/tecnickcom/TCPDF/commit/aab43ab0a824e956276141a28a24c7c0be20f554 (6.8.0)
CVE-2024-56520 (An issue was discovered in tc-lib-pdf-font before 2.6.4, as used in TC ...)
{DSA-5933-1 DLA-4199-1}
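Review bot: the adjacent entry CVE-2024-56520 shows `{DSA-5933-1 DLA-4199-1}`, so a bookworm tcpdf security update has already been issued for a sibling issue; tagging CVE-2024-56521 `<no-dsa> (Minor issue)` is fine if it was deliberately left out of that DSA, but a short NOTE saying so, and whether the upstream fix aab43ab0a824e956276141a28a24c7c0be20f554 (6.8.0) is intended for a point update, would stop the question being re-raised at the next triage pass.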
@@ -458351,6 +458361,7 @@ CVE-2019-16537
RESERVED
CVE-2019-16536 (Stack overflow leading to DoS can be triggered by a malicious authenti ...)
- clickhouse <removed>
+ [bookworm] - clickhouse <no-dsa> (Minor issue)
CVE-2019-16535 (In all versions of ClickHouse before 19.14, an OOB read, OOB write and ...)
NOT-FOR-US: ClickHouse
CVE-2019-16534 (On DrayTek Vigor2925 devices with firmware 3.8.4.3, XSS exists via a c ...)
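Review bot: clickhouse is `<removed>` from unstable, so `[bookworm] - clickhouse <no-dsa> (Minor issue)` implies a point-release fix that nobody may be positioned to prepare; if no stable update is actually planned, `<ignored>` with the reason would describe the state more accurately. Unlike the other entries touched in this commit, the CVE-2019-16536 entry also has no NOTE with an upstream reference or fix pointer at all.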
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5736b6b46da60db6d471f6df81f43124b738aa4d