[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sun Jun 15 15:50:23 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3fca0ec8 by Moritz Muehlenhoff at 2025-06-15T16:49:15+02:00
bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -77,7 +77,7 @@ CVE-2025-24311 (An out-of-bounds read vulnerability exists in the cv_send_blockd
CVE-2025-2843
NOT-FOR-US: Red Hat Observability observability-operator
CVE-2025-6052 (A flaw was found in how GLib\u2019s GString manages memory when adding ...)
- - glib2.0 <unfixed> (bug #1107797)
+ - glib2.0 <unfixed> (bug #1107797; unimportant)
[bookworm] - glib2.0 <not-affected> (Vulnerable code introduced later)
[bullseye] - glib2.0 <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2372666
@@ -86,6 +86,7 @@ CVE-2025-6052 (A flaw was found in how GLib\u2019s GString manages memory when a
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/glib/-/commit/33d9ba2fcc907b4f9a6c0540f9976b64b6f59db2 (2.85.1)
NOTE: Backport: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4656
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/glib/-/commit/987309f23ada52592bffdb5db0d8a5d58bd8097b (2.84.3)
+ NOTE: Negligible security impact
CVE-2025-6035 (A flaw was found in GIMP. An integer overflow vulnerability exists in ...)
- gimp 3.0.4-2
NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/13518
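Review bot: the new `NOTE: Negligible security impact` line restates the `unimportant` tag put on the glib2.0 package line in the previous hunk but does not record why the impact is negligible, so anyone re-checking this CVE-2025-6052 entry later has to redo the assessment. Suggest one clause giving the reason (what bounds the impact, or a pointer to wherever that assessment was written up), e.g. `NOTE: Negligible security impact, see <reference>`.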
@@ -220,6 +221,7 @@ CVE-2025-4227 (An improper access control vulnerability in the Endpoint Traffic
NOT-FOR-US: Palo Alto Networks
CVE-2025-49589 (PCSX2 is a free and open-source PlayStation 2 (PS2) emulator. A stack- ...)
- pcsx2 <unfixed> (bug #1107756)
+ [bookworm] - pcsx2 <no-dsa> (Minor issue)
NOTE: https://github.com/PCSX2/pcsx2/security/advisories/GHSA-f494-4xf7-xj35
NOTE: https://github.com/PCSX2/pcsx2/commit/1aa922f7007afe71e0b58b0c3bd0833a53cb945c (v2.3.411)
NOTE: https://github.com/PCSX2/pcsx2/commit/8eb46b5a4c0380d59cb540f8b5f59daf8e609bd7 (v2.3.414)
@@ -2895,6 +2897,7 @@ CVE-2025-4673 (Proxy-Authorization and Proxy-Authenticate headers persisted on c
- golang-1.24 <unfixed> (bug #1107364)
- golang-1.23 <unfixed> (bug #1107390)
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
NOTE: https://github.com/golang/go/issues/73816
NOTE: Fixed by: https://github.com/golang/go/commit/85897ca220a149333a88b1e4d63f3b751f1141f5 (go1.24.4)
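Review bot: the added `[bookworm] - golang-1.19 <no-dsa> (Minor issue)` line has no counterpart for `golang-1.15 <removed>` directly below it, so after this change the CVE-2025-4673 entry records a bookworm decision while bullseye's status stays unannotated. That matches the commit title "bookworm triage", so it is fine if bullseye is deliberately left for a separate pass; otherwise a matching `[bullseye] - golang-1.15 ...` line with whatever tag that assessment yields keeps the suites consistent, as the qtbase entries further down in this diff already are.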
@@ -3651,8 +3654,10 @@ CVE-2025-5455 (An issue was found in the private API function qDecodeDataUrl() i
- qt6-base <unfixed>
[bookworm] - qt6-base <no-dsa> (Minor issue)
- qtbase-opensource-src <unfixed>
+ [bookworm] - qtbase-opensource-src <no-dsa> (Minor issue)
[bullseye] - qtbase-opensource-src <postponed> (Minor issue; DoS for local user)
- qtbase-opensource-src-gles <unfixed>
+ [bookworm] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
[bullseye] - qtbase-opensource-src-gles <postponed> (Minor issue; DoS for local user)
NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/642006
CVE-2025-5447 (A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, R ...)
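Review bot: the two new `[bookworm]` lines give only `Minor issue` as the rationale while the adjacent `[bullseye]` lines for the same two packages say `Minor issue; DoS for local user`. This is consistent with the existing `qt6-base` bookworm line, but carrying the more specific wording makes the no-dsa decision self-explanatory without having to read the bullseye line; suggest `[bookworm] - qtbase-opensource-src <no-dsa> (Minor issue; DoS for local user)` and the same for `qtbase-opensource-src-gles`.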
@@ -6085,6 +6090,7 @@ CVE-2025-48063 (XWiki is a generic wiki platform. In XWiki 16.10.0, required rig
NOT-FOR-US: XWiki
CVE-2025-48060 (jq is a command-line JSON processor. In versions up to and including 1 ...)
- jq 1.8.0-1 (bug #1106288)
+ [bookworm] - jq <no-dsa> (Minor issue)
[bullseye] - jq <postponed> (Minor issue; revisit when fixed upstream)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-p7rr-28xf-3m5w
CVE-2025-48012 (Authentication Bypass by Capture-replay vulnerability in Drupal One Ti ...)
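Review bot: the bullseye context line right below the new `[bookworm] - jq <no-dsa>` entry still reads `revisit when fixed upstream`, while the package line above records `jq 1.8.0-1` as the fixed version, so that rationale looks stale next to the new line. It is not introduced by this hunk, but since the CVE-2025-48060 entry is being touched anyway, refreshing the bullseye reason (or revisiting the `postponed`) in the same commit would avoid leaving a condition on record that appears to have already been met.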
=====================================
data/dsa-needed.txt
=====================================
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
If needed, specify the release by adding a slash after the name of the source package.
+--
+ark (jmm)
--
catdoc (carnil)
Maintainer is preparing own updates; same version across all supported versions and
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fca0ec89c1ec24691e16b2fdbcb2cce4d077617