[Git][security-tracker-team/security-tracker][master] 2 commits: Track fixed version for CVE-2024-41147/miniaudio
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sun Mar 9 14:30:10 GMT 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
12c7b934 by Salvatore Bonaccorso at 2025-03-09T15:28:02+01:00
Track fixed version for CVE-2024-41147/miniaudio
- - - - -
9c57f3ad by Salvatore Bonaccorso at 2025-03-09T15:29:26+01:00
Revert "CVE-2025-22870"
This reverts commit 1d5f791d005926a07e6546d299235274558e7b88.
No need to duplicate this information which is plaintext from the
advisory from go.
Instead add a temporary description until the CVE feed gets an update.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1050,7 +1050,7 @@ CVE-2024-0141 (NVIDIA Hopper HGX for 8-GPU contains a vulnerability in the GPU v
NOT-FOR-US: NVIDIA
CVE-2024-0114 (NVIDIA Hopper HGX for 8-GPU contains a vulnerability in the HGX Manage ...)
NOT-FOR-US: NVIDIA
-CVE-2025-22870
+CVE-2025-22870 [Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID as a hostname component]
- golang-1.24 1.24.1-1
- golang-1.23 1.23.7-1
- golang-1.19 <removed>
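Review bot: the bracketed description added on the CVE-2025-22870 header line says "proxy patterns" without naming NO_PROXY, the one concrete term the NOTE removed in the next hunk gave. Since this text is what stands in until the CVE feed updates, consider wording it so that a search of data/CVE/list for NO_PROXY still finds the entry, for example "Matching of hosts against NO_PROXY patterns could improperly treat an IPv6 zone ID as a hostname component".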
@@ -1059,8 +1059,6 @@ CVE-2025-22870
NOTE: https://github.com/golang/go/issues/71984
NOTE: Fixed by: https://github.com/golang/go/commit/334de7982f8ec959c74470dd709ceedfd6dbd50a (go1.24.1)
NOTE: Fixed by: https://github.com/golang/go/commit/25177ecde0922c50753c043579d17828b7ee88e7 (go1.23.7)
- NOTE: Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID as a hostname component.
- NOTE: For example, when the NO_PROXY environment variable was set to "*.example.com", a request to "[::1%25.example.com]:80` would incorrectly match and not be proxied.
CVE-2025-1923 (Inappropriate implementation in Permission Prompts in Google Chrome pr ...)
{DSA-5875-1}
- chromium 134.0.6998.35-1
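Review bot: with both NOTE lines dropped, the CVE-2025-22870 entry no longer carries the worked example ("*.example.com" in NO_PROXY matching a zone-ID host), and a reader has to follow the remaining golang/go issue link to see the practical effect. That is consistent with the commit message's aim of not duplicating the advisory. Note that the removed example line had unbalanced quoting (it opens with a double quote and closes with a backtick after ":80"), so if the example is ever re-added it should be re-typed rather than restored from this revision.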
@@ -1189,7 +1187,7 @@ CVE-2024-50705 (Unauthenticated reflected cross-site scripting (XSS) vulnerabili
CVE-2024-50704 (Unauthenticated remote code execution vulnerability in Uniguest Triple ...)
NOT-FOR-US: Uniguest Tripleplay
CVE-2024-41147 (An out-of-bounds write vulnerability exists in the ma_dr_flac__decode_ ...)
- - miniaudio <unfixed> (bug #1099609)
+ - miniaudio 0.11.22+dfsg-1 (bug #1099609)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-2063
NOTE: https://github.com/mackron/miniaudio/issues/961
NOTE: Fixed by: https://github.com/mackron/miniaudio/commit/ee506b17ea25c6bcb58d79700cf0c015a2ad1b3e (0.11.22)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1d5f791d005926a07e6546d299235274558e7b88...9c57f3ad24735acf394f6d1631084ad175938654