[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Mar 10 14:08:42 GMT 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d6111389 by Moritz Muehlenhoff at 2025-03-10T15:08:15+01:00
bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -193,6 +193,7 @@ CVE-2025-27518 (Cognita is a RAG (Retrieval Augmented Generation) Framework for
NOT-FOR-US: Cognita
CVE-2025-27152 (axios is a promise based HTTP client for the browser and node.js. The ...)
- node-axios <unfixed>
+ [bookworm] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6
NOTE: Similar to: https://github.com/axios/axios/issues/6463 (CVE-2024-39338)
CVE-2025-26643 (No cwe for this issue in Microsoft Edge (Chromium-based) allows an una ...)
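Review bot: the `[bookworm] - node-axios <no-dsa> (Minor issue)` line does not say how the bookworm package relates to the earlier, similar CVE-2024-39338 referenced in the NOTE; if bookworm's node-axios never received the fix for that issue, or is not affected by the vulnerable code path at all, a short NOTE stating which applies would make this no-dsa decision self-documenting for the next triager.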
@@ -1505,6 +1506,7 @@ CVE-2025-27498 (aes-gcm is a pure Rust implementation of the AES-GCM. In decrypt
NOTE: https://github.com/RustCrypto/AEADs/commit/d1d749ba57e38e65b0e037cd744d0b17f7254037
CVE-2025-27423 (Vim is an open source, command line text editor. Vim is distributed wi ...)
- vim <unfixed> (bug #1099610)
+ [bookworm] - vim <no-dsa> (Minor issue)
NOTE: https://github.com/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3
NOTE: Introduced with: https://github.com/vim/vim/commit/129a8446d23cd9cb4445fcfea259cba5e0487d29 (v9.1.0858)
NOTE: Fixed by: https://github.com/vim/vim/commit/334a13bff78aa0ad206bc436885f63e3a0bab399 (v9.1.1164)
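Review bot: the "Introduced with ... (v9.1.0858)" NOTE suggests checking whether the bookworm vim version predates that commit; if it does, the usual tracker convention would be `[bookworm] - vim <not-affected> (Vulnerable code introduced later)` rather than `<no-dsa> (Minor issue)`, and if it does not, a brief mention that bookworm carries the affected code would clarify why no-dsa was chosen.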
@@ -2168,6 +2170,7 @@ CVE-2024-53386 (Stage.js through 0.8.10 allows DOM Clobbering (with resultant XS
NOT-FOR-US: Stage.js
CVE-2024-53382 (Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resulta ...)
- node-prismjs <unfixed> (bug #1099619)
+ [bookworm] - node-prismjs <no-dsa> (Minor issue)
NOTE: https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660
NOTE: https://github.com/PrismJS/prism/issues/3864
CVE-2025-1801 (A flaw was found in the Ansible aap-gateway. Concurrent requests handl ...)
@@ -2404,6 +2407,7 @@ CVE-2025-1795 (During an address list folding when a separating comma ends up on
- python3.13 3.13.0~b1-1
- python3.12 3.12.9-1
- python3.11 <removed>
+ [bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
NOTE: https://github.com/python/cpython/issues/100884
NOTE: Regression issue: https://github.com/python/cpython/issues/118643
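Review bot: the `[bookworm] - python3.11 <no-dsa> (Minor issue)` line sits next to a "Regression issue" NOTE; if this fix is later picked up for a bookworm point release, the regression follow-up from cpython issue 118643 should be backported together with it, so it may be worth stating that explicitly in the entry so the dependency is not lost.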
@@ -7259,6 +7263,7 @@ CVE-2025-1402 (The Event Tickets and Registration plugin for WordPress is vulner
NOT-FOR-US: WordPress plugin
CVE-2025-0838 (There exists a heap buffer overflow vulnerable in Abseil-cpp. The size ...)
- abseil <unfixed> (bug #1098903)
+ [bookworm] - abseil <no-dsa> (Minor issue)
NOTE: https://github.com/abseil/abseil-cpp/commit/5a0e2cb5e3958dd90bb8569a2766622cb74d90c1 (20250127.rc1)
CVE-2025-0728 (In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before ...)
NOT-FOR-US: Eclipse ThreadX NetX Duo
@@ -11071,10 +11076,11 @@ CVE-2024-57609 (An issue in Kanaries Inc Pygwalker before v.0.4.9.9 allows a rem
NOT-FOR-US: Kanaries Inc Pygwalker
CVE-2024-57392 (Buffer Overflow vulnerability in Proftpd commit 4017eff8 allows a remo ...)
{DLA-4077-1}
- - proftpd-dfsg 1.3.8.c+dfsg-2
+ - proftpd-dfsg 1.3.8.c+dfsg-2 (unimportant)
NOTE: https://github.com/proftpd/proftpd/issues/1866
NOTE: https://github.com/proftpd/proftpd/issues/1866#issuecomment-2645976560
NOTE: https://github.com/proftpd/proftpd/commit/981a37916fdb7b73435c6d5cdb01428b2269427d
+ NOTE: Bogus CVE assignment, no security impact
CVE-2024-56889 (Incorrect access control in the endpoint /admin/m_delete.php of CodeAs ...)
NOT-FOR-US: CodeAstro Complaint Management System
CVE-2024-56467 (IBM EntireX 11.1 could allow a local user to obtain sensitive informat ...)
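Review bot: the hunk downgrades proftpd-dfsg to `(unimportant)` and adds the "Bogus CVE assignment, no security impact" NOTE, but the `{DLA-4077-1}` reference two lines above shows an LTS advisory was already issued for this CVE; the new NOTE would be more useful if it pointed at the issue comment (the second GitHub link) that supports the "no security impact" conclusion, since that is what future readers will need to reconcile the DLA with the unimportant rating.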
@@ -11669,10 +11675,12 @@ CVE-2024-13733 (The SKT Blocks \u2013 Gutenberg based Page Builder plugin for Wo
CVE-2024-13723 (The "NagVis" component within Checkmk is vulnerable to remote code exe ...)
- check-mk <removed>
- nagvis 1:1.9.42-1
+ [bookworm] - nagvis <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2025/02/04/4
CVE-2024-13722 (The "NagVis" component within Checkmk is vulnerable to reflected cross ...)
- check-mk <removed>
- nagvis 1:1.9.42-1
+ [bookworm] - nagvis <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2025/02/04/3
CVE-2024-13699 (The Qi Addons For Elementor plugin for WordPress is vulnerable to Stor ...)
NOT-FOR-US: WordPress plugin
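Review bot: both nagvis entries receive `[bookworm] - nagvis <no-dsa> (Minor issue)`, yet the CVE-2024-13723 description reads "vulnerable to remote code exe..."; a NOTE explaining the mitigating factor (for example that the issue needs authenticated NagVis access, or that the affected code differs in the bookworm version) would justify treating a remote-code-execution report the same as the reflected XSS in CVE-2024-13722.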
=====================================
data/dsa-needed.txt
=====================================
@@ -32,6 +32,8 @@ linux (carnil)
mosquitto (carnil)
Backports of patches for CVEs done, but autopkgtests fail as regression
--
+netty
+--
nodejs
Bastien Roucaries (rouca) showed interest to prepare an update and is working on it
--
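Review bot: the new `netty` entry in dsa-needed.txt carries neither an assignee nor a status line, unlike the surrounding `mosquitto (carnil)` and `nodejs` entries which note what is blocking or who is working on the update; adding a one-line status (which CVEs are pending, or that it is unclaimed) would keep the file consistent and make the entry actionable.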
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d61113899a3b6c2881b2a8954fec41c9da54927f