[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Jun 18 10:37:44 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
1a9f9080 by Moritz Muehlenhoff at 2025-06-18T11:37:24+02:00
bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -66,15 +66,18 @@ CVE-2025-6199 (A flaw was found in the GIF parser of GdkPixbuf\u2019s LZW decode
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/c4986342b241cdc075259565f3fa7a7597d32a32 (2.43.2)
CVE-2025-6196 (A flaw was found in libgepub, a library used to read EPUB files. The s ...)
- libgepub 0.7.3-1
+ [bookworm] - libgepub <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libgepub/-/issues/18
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libgepub/-/commit/70895c45364ef4ee827b39b2ed1c33723410e94c (0.7.2)
CVE-2025-6069 (The html.parser.HTMLParser class had worse-case quadratic complexity w ...)
- python3.13 <unfixed>
- python3.12 <unfixed>
- python3.11 <removed>
+ [bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
- python2.7 <removed>
- jython <unfixed>
+ [bookworm] - jython <no-dsa> (Minor issue)
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/K5PIYLR6EP3WR7ZOKKYQUWEDNQVUXOYM/
NOTE: https://github.com/python/cpython/issues/135462
NOTE: https://github.com/python/cpython/pull/135464
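Review bot: the jython entry gets a [bookworm] no-dsa line while the unstable line above it stays at <unfixed> with no bug reference; the ncurses and jgit entries in this same commit carry a "(bug #...)" pointer on the unstable line, so for consistency file or link the Debian bug for jython here too so the unstable fix is tracked. The libgepub annotation is consistent with the "Fixed by ... (0.7.2)" note, since 0.7.3-1 in unstable already contains that commit.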
@@ -418,6 +421,7 @@ CVE-2025-6142 (A vulnerability was found in Intera InHire up to 20250530. It has
NOT-FOR-US: Intera InHire
CVE-2025-6141 (A vulnerability has been found in GNU ncurses up to 6.5-20250322 and c ...)
- ncurses <unfixed> (bug #1107937)
+ [bookworm] - ncurses <no-dsa> (Minor issue)
NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00107.html
NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2025-03/msg00109.html
NOTE: https://invisible-island.net/ncurses/NEWS.html#index-t20250329
@@ -472,10 +476,12 @@ CVE-2025-32800 (Conda-build contains commands and tools to build conda packages.
CVE-2025-32799 (Conda-build contains commands and tools to build conda packages. Prior ...)
NOT-FOR-US: Conda-build
CVE-2025-27587 (OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable ...)
- - openssl 3.5.0-1
+ - openssl 3.5.0-1 (unimportant)
NOTE: https://github.com/openssl/openssl/issues/24253
NOTE: https://github.com/openssl/openssl/commit/85cabd94958303859b1551364a609d4ff40b67a5 (master)
NOTE: https://github.com/openssl/openssl/commit/080c6be0b102934bf66daeac70f0863f209f8d0f (openssl-3.5.0-beta1)
+ NOTE: https://github.com/openssl/openssl/issues/24253#issuecomment-2144391562
+ NOTE: Not considered a vulnerability by OpenSSL upstream
CVE-2024-45380
REJECTED
CVE-2024-45069
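Review bot: with "(unimportant)" added on the main openssl line, the tag applies to every suite, so no separate [bookworm] line is needed here even though the description covers OpenSSL 3.0.0 through 3.3.2; the new NOTE pointing at the upstream issue comment is the right place to record the rationale. Consider phrasing the second NOTE as "Not considered a security issue by OpenSSL upstream, see comment above" so the two added lines read as one justification.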
@@ -4980,9 +4986,10 @@ CVE-2025-47697 (Client-side enforcement of server-side security issue exists in
CVE-2025-46352 (The CS5000 Fire Panel is vulnerable due to a hard-coded password that ...)
NOT-FOR-US: CS5000 Fire Panel
CVE-2025-44906 (jhead v3.08 was discovered to contain a heap-use-after-free via the Pr ...)
- - jhead <unfixed>
+ - jhead <undetermined>
NOTE: https://github.com/madao123123/crash_report/blob/main/jhead/jhead.md
NOTE: https://github.com/Matthias-Wandel/jhead/issues/90
+ NOTE: Not reproducible by upstream
CVE-2025-44905 (hdf5 v1.14.6 was discovered to contain a heap buffer overflow via the ...)
- hdf5 <unfixed> (unimportant)
NOTE: https://github.com/madao123123/crash_report/blob/main/hdf5_poc/hdf5_poc5.md
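Review bot: moving jhead from <unfixed> to <undetermined> with the "Not reproducible by upstream" note is the appropriate holding state, but <undetermined> should not be left indefinitely; once upstream issue #90 is resolved, either move the entry to <not-affected> with a pointer to the closing comment or back to <unfixed>, as was done for the neighbouring hdf5 report from the same crash_report source.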
@@ -6973,6 +6980,7 @@ CVE-2025-4969 (A vulnerability was found in the libsoup package. This flaw stems
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/467
CVE-2025-4949 (In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestP ...)
- jgit <unfixed> (bug #1106287)
+ [bookworm] - jgit <no-dsa> (Minor issue)
NOTE: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281
NOTE: https://gitlab.eclipse.org/security/cve-assignement/-/issues/64
CVE-2025-4524 (The Madara \u2013 Responsive and modern WordPress theme for manga site ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -25,6 +25,8 @@ commons-vfs (apo)
frr
coordination with the maintainer ongoing, Daniel Baumann proposing an update
--
+gdk-pixbuf (jmm)
+--
gh
Santiago Vila might work on preparing an update
--
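Review bot: the new gdk-pixbuf (jmm) entry has no note line, unlike the frr and gh entries around it; add a short note naming CVE-2025-6199 and the upstream fix commit (c4986342, released in 2.43.2) from the CVE/list hunk at the top of this commit, so whoever picks up the DSA knows which change to backport.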
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a9f908055369ab59d147abb00855c23fe783fd6