[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Mar 17 21:34:01 GMT 2025



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f2bfe395 by Moritz Muehlenhoff at 2025-03-17T22:32:57+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -545,6 +545,7 @@ CVE-2025-XXXX [Parameter manipulation allows the forging of signed SAML messages
 	NOTE: https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=22a610b322e2178abd03e97cdbc8fb50b45efaee (3.3.1)
 CVE-2024-8176 (A stack overflow vulnerability exists in the libexpat library due to t ...)
 	- expat 2.7.0-1
+	[bookworm] - expat <ignored> (Minor issue and too intrusive to impact)
 	NOTE: https://blog.hartwork.org/posts/expat-2-7-0-released/
 	NOTE: https://github.com/libexpat/libexpat/issues/893
 	NOTE: https://github.com/libexpat/libexpat/pull/973
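Review bot: the justification on the new `[bookworm] - expat <ignored>` line does not parse as written ("Minor issue and too intrusive to impact" reads as if a word is missing), and this is the only entry in the commit that uses `<ignored>` rather than `<no-dsa>`, i.e. it records that CVE-2024-8176 will never be fixed in bookworm rather than merely not via a DSA. Please reword the reason so the tracker states what is being claimed, for instance whether the 2.7.0 change is considered too intrusive to backport (my guess at the intended wording, not something the hunk says).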
@@ -1853,9 +1854,11 @@ CVE-2025-2151 (A vulnerability classified as critical was found in Open Asset Im
 	NOTE: Fixed by: https://github.com/assimp/assimp/commit/d2c6e64a1122884570caf4aaa589d810f5351f28
 CVE-2025-2149 (A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as ...)
 	- pytorch <unfixed>
+	[bookworm] - pytorch <no-dsa> (Minor issue)
 	NOTE: https://github.com/pytorch/pytorch/issues/147818
 CVE-2025-2148 (A vulnerability was found in PyTorch 2.6.0+cu124. It has been declared ...)
 	- pytorch <unfixed>
+	[bookworm] - pytorch <no-dsa> (Minor issue)
 	NOTE: https://github.com/pytorch/pytorch/issues/147722
 CVE-2025-2147 (A vulnerability was found in Beijing Zhide Intelligent Internet Techno ...)
 	NOT-FOR-US: Beijing Zhide Intelligent Internet Technology Modern Farm Digital Integrated Management System
@@ -2019,6 +2022,7 @@ CVE-2025-2124 (A vulnerability, which was classified as problematic, was found i
 	NOT-FOR-US: Control iD RH iD
 CVE-2025-2123 (A vulnerability, which was classified as problematic, has been found i ...)
 	- geshi <unfixed>
+	[bookworm] - geshi <no-dsa> (Minor issue)
 	NOTE: https://github.com/GeSHi/geshi-1.0/issues/159
 CVE-2025-2122 (A vulnerability classified as problematic was found in Thinkware Car D ...)
 	NOT-FOR-US: Thinkware Car Dashcam F800 Pro
@@ -3337,6 +3341,7 @@ CVE-2025-27221 (In the URI gem before 1.0.3 for Ruby, the URI handling methods (
 	{DLA-4082-1}
 	- ruby3.3 <unfixed>
 	- ruby3.1 <unfixed>
+	[bookworm] - ruby3.1 <no-dsa> (Minor issue)
 	- ruby2.7 <removed>
 	- rubygems <unfixed>
 	NOTE: https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495 (v1.0.3)
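Review bot: this entry also lists `rubygems <unfixed>` next to `ruby3.1 <unfixed>`, but only ruby3.1 gets a `[bookworm]` annotation in this hunk. If the rubygems source package in bookworm carries its own copy of the uri gem, it needs a matching `[bookworm] - rubygems ...` line (or a NOTE explaining why it is not affected there); otherwise the tracker will keep reporting bookworm as open for CVE-2025-27221 through rubygems even though the triage decision here is no-dsa.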
@@ -3347,6 +3352,7 @@ CVE-2025-27220 (In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denia
 	{DLA-4082-1}
 	- ruby3.3 <unfixed>
 	- ruby3.1 <unfixed>
+	[bookworm] - ruby3.1 <no-dsa> (Minor issue)
 	- ruby2.7 <removed>
 	NOTE: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml
 	NOTE: https://github.com/ruby/cgi/commit/cd1eb08076c8b8e310d4d553d427763f2577a1b6 (v0.4.2)
@@ -3355,6 +3361,7 @@ CVE-2025-27219 (In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse meth
 	{DLA-4082-1}
 	- ruby3.3 <unfixed>
 	- ruby3.1 <unfixed>
+	[bookworm] - ruby3.1 <no-dsa> (Minor issue)
 	- ruby2.7 <removed>
 	NOTE: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml
 	NOTE: https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab (v0.4.2)
@@ -52703,6 +52710,7 @@ CVE-2024-7254 (Any project that parses untrusted Protocol Buffers datacontaining
 	[bookworm] - protobuf <no-dsa> (Minor issue)
 	[bullseye] - protobuf <postponed> (Minor issue)
 	- rust-protobuf <unfixed>
+	[bookworm] - rust-protobuf <no-dsa> (Minor issue)
 	NOTE: https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0437.html
 	NOTE: https://github.com/advisories/GHSA-735f-pc8j-v9w8


=====================================
data/dsa-needed.txt
=====================================
@@ -53,6 +53,8 @@ ring
 --
 rsync (carnil)
 --
+ruby-rack
+--
 ruby-saml
 --
 sogo
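Review bot: the new `ruby-rack` entry has no claimer in parentheses, unlike `rsync (carnil)` just above it, and none of the data/CVE/list hunks in this commit touch a ruby-rack CVE, so it is not visible from the diff which issue is driving the DSA. Consider naming the CVE in the commit message and adding the assignee once someone picks up the update.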



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2bfe395e0f3f820a2ddcb5e1db686638903e9da


