[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Mar 21 13:32:30 GMT 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
de8811b5 by Moritz Muehlenhoff at 2025-03-21T14:31:56+01:00
bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,5 +1,6 @@
CVE-2025-30348 (encodeText in QDom in Qt before 6.8.0 has a complex algorithm involvin ...)
- qt6-base 6.8.2+dfsg-5
+ [bookworm] - qt6-base <no-dsa> (Minor issue)
- qtbase-opensource-src <not-affected> (Not needed in Qt5)
- qtbase-opensource-src-gles <not-affected> (Not needed in Qt5)
NOTE: https://github.com/qt/qtbase/commit/2ce08e3671b8d18b0284447e5908ce15e6e8f80f (v6.9.0-beta1)
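Review bot: the version bounds in this hunk do not line up: the CVE text says Qt before 6.8.0 is affected, the unstable fixed version is recorded as 6.8.2+dfsg-5, and the only NOTE points at an upstream commit tagged v6.9.0-beta1. A short NOTE saying whether the upstream commit was backported into the 6.8.2+dfsg-5 Debian revision (or that the description's "before 6.8.0" bound is inaccurate) would keep the bookworm no-dsa decision checkable later.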
@@ -35,6 +36,7 @@ CVE-2025-2582 (A vulnerability was found in SimpleMachines SMF 2.1.4 and classif
NOT-FOR-US: SimpleMachines SMF
CVE-2025-2581 (A vulnerability has been found in xmedcon 0.25.0 and classified as pro ...)
- xmedcon <unfixed>
+ [bookworm] - xmedcon <no-dsa> (Minor issue)
NOTE: https://xmedcon.sourceforge.io/Main/New
NOTE: https://sourceforge.net/p/xmedcon/code/ci/e7a88836fc2277f8ab777f3ef24f917d08415559/
CVE-2025-2574 (Out-of-bounds array write in Xpdf 4.05 and earlier, due to incorrect i ...)
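Review bot: the second xmedcon NOTE in this hunk is a sourceforge commit URL given without the "Fixed by:" prefix that the other entries in this commit use for upstream fix commits; if that commit is the fix, prefixing it with "Fixed by:" (and the upstream version it landed in, as done for the other packages) makes the entry consistent and easier to act on when the unstable upload happens.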
@@ -415,6 +417,7 @@ CVE-2024-7779 (A vulnerability in danswer-ai/danswer version 1 allows an attacke
NOT-FOR-US: danswer-ai/danswer
CVE-2024-7776 (A vulnerability in the `download_model` function of the onnx/onnx fram ...)
- onnx 1.17.0-2
+ [bookworm] - onnx <no-dsa> (Minor issue)
NOTE: https://huntr.com/bounties/a7a46cf6-1fa-454b-988c-62d222e83f63
NOTE: https://github.com/onnx/onnx/issues/6215
NOTE: https://github.com/onnx/onnx/commit/3fc3845edb048df559aa2a839e39e95503a0ee34 (v1.17.0)
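Review bot: the huntr URL in this hunk, https://huntr.com/bounties/a7a46cf6-1fa-454b-988c-62d222e83f63, has a three-character second group where a UUID has four (compare the gunicorn reference later in this diff, 1b4f8f38-39da-44b6-9f98-f618639d0dd7), so the link is very likely missing one character; please check that it resolves before it is relied on as the reference for the no-dsa decision.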
@@ -493,6 +496,7 @@ CVE-2024-6829 (A vulnerability in aimhubio/aim version 3.19.3 allows an attacker
NOT-FOR-US: aimhubio/aim
CVE-2024-6827 (Gunicorn version 21.2.0 does not properly validate the value of the 'T ...)
- gunicorn <unfixed>
+ [bookworm] - gunicorn <no-dsa> (Minor issue)
NOTE: https://huntr.com/bounties/1b4f8f38-39da-44b6-9f98-f618639d0dd7
CVE-2024-6825 (BerriAI/litellm version 1.40.12 contains a vulnerability that allows r ...)
NOT-FOR-US: BerriAI/litellm
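Review bot: the gunicorn entry in this hunk is <unfixed> in unstable and <no-dsa> for bookworm with the huntr report as its only reference; unlike the neighbouring entries it carries no "Fixed by:" NOTE. If upstream has a fix commit, adding it here would make the eventual unstable upload and any later bookworm point-release update straightforward to track.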
@@ -1046,14 +1050,17 @@ CVE-2024-10441 (Improper encoding or escaping of output vulnerability in the sys
NOT-FOR-US: Synology
CVE-2025-29918 [detect: infinite loop with negated pcre and indefinite recursion limit setting]
- suricata 1:7.0.9-1
+ [bookworm] - suricata <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/b14c67cbdf25fa6c7ffe0d04ddf3ebe67b12b50b (master)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/f6c9490e1f7b0b375c286d5313ebf3bc81a95eb6 (suricata-7.0.9)
CVE-2025-29917 [decode_base64: signature can do large memory allocation]
- suricata 1:7.0.9-1
+ [bookworm] - suricata <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/32d0bd2bbb4d486623dec85a94952fde2515f2f0 (master)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/bab716776ba3561cfbfd1a57fc18ff1f6859f019 (suricata-7.0.9)
CVE-2025-29916 [datasets: hashsize setting via rules can cause high memory usage]
- suricata 1:7.0.9-1
+ [bookworm] - suricata <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/d32a39ca4b53d7f659f4f0a2a5c162ef97dc4797 (master)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/a7713db709b8a0be5fc5e5809ab58e9b14a16e85 (master)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/2f432c99a9734ea3a75c9218f35060e11a7a39ad (suricata-7.0.9)
@@ -1061,6 +1068,7 @@ CVE-2025-29916 [datasets: hashsize setting via rules can cause high memory usage
NOTE: Fixed by: https://github.com/OISF/suricata/commit/d86c5f9f0c75736d4fce93e27c0773fcb27e1047 (suricata-7.0.9)
CVE-2025-29915 [af-packet: defrag option can lead to truncated packets]
- suricata 1:7.0.9-1
+ [bookworm] - suricata <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/25d0fba91274e8d26e804f278c281a5c9f5309e9 (master)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/808502d5cac0681e17859ed1aef9be8f508c4b13 (master)
NOTE: Fixed by: https://github.com/OISF/suricata/commit/c342b054f40630521253666d3ca0192250a59ad2 (master)
@@ -1376,6 +1384,7 @@ CVE-2025-29787 (`zip` is a zip library for rust which supports reading and writi
TODO: check, might only be introduced in 1.3.0
CVE-2025-29786 (Expr is an expression language and expression evaluation for Go. Prior ...)
- golang-github-antonmedv-expr <unfixed>
+ [bookworm] - golang-github-antonmedv-expr <no-dsa> (Minor issue)
NOTE: https://github.com/advisories/GHSA-93mq-9ffx-83m2
NOTE: https://github.com/expr-lang/expr/pull/762
NOTE: Fixed by: https://github.com/expr-lang/expr/commit/0d19441454426d2f58edb22c31f3ba5f99c7a26e (v1.17.0)
@@ -1590,9 +1599,11 @@ CVE-2025-2339 (A vulnerability was found in otale Tale Blog 2.0.5. It has been c
NOT-FOR-US: Tale Blog
CVE-2025-2338 (A vulnerability, which was classified as critical, was found in tbeu m ...)
- libmatio <unfixed>
+ [bookworm] - libmatio <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/tbeu/matio/issues/269
CVE-2025-2337 (A vulnerability, which was classified as critical, has been found in t ...)
- libmatio <unfixed>
+ [bookworm] - libmatio <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/tbeu/matio/issues/267
CVE-2025-30077 (Open Networking Foundation SD-RAN ONOS onos-lib-go 0.10.28 allows an i ...)
NOT-FOR-US: onos-lib-go
@@ -1666,6 +1677,7 @@ CVE-2024-13126 (The Download Manager WordPress plugin before 3.3.07 doesn't prev
NOT-FOR-US: WordPress plugin
CVE-2022-49737 (In X.Org X server 20.11 through 21.1.16, when a client application use ...)
- xorg-server <unfixed> (bug #1081338)
+ [bookworm] - xorg-server <postponed> (Minor issue, can be fixed along in future DSA)
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1260
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0b489500b4d0a0
CVE-2025-2333
@@ -7007,6 +7019,7 @@ CVE-2025-22869 (SSH servers which implement file transfer protocols are vulnerab
NOTE: https://pkg.go.dev/vuln/GO-2025-3487
CVE-2025-22868 (An attacker can pass a malicious malformed token which causes unexpect ...)
- golang-golang-x-oauth2 0.27.0-1 (bug #1098967)
+ [bookworm] - golang-golang-x-oauth2 <no-dsa> (Minor issue)
[bullseye] - golang-golang-x-oauth2 <ignored> (minor bug; DoS and at least 144 packages to rebuild)
NOTE: https://pkg.go.dev/vuln/GO-2025-3488
NOTE: https://go-review.googlesource.com/c/oauth2/+/652155
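Review bot: the new bookworm line in this hunk gives only "(Minor issue)" as its rationale, while the bullseye line directly below records the additional consideration "DoS and at least 144 packages to rebuild". The rebuild cost applies to bookworm's reverse dependencies of golang-golang-x-oauth2 just as much, so stating it in the bookworm reason (or aligning the two rationales) would document why no-dsa rather than a point-release update was chosen.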
=====================================
data/dsa-needed.txt
=====================================
@@ -34,7 +34,7 @@ linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more 6.1.y versions
--
-mercurial
+mercurial (jmm)
Maintainer prepared update
--
netty
@@ -54,7 +54,7 @@ python-django
--
ring
--
-ruby-rack
+ruby-rack (jmm)
--
ruby-saml
--
@@ -66,6 +66,8 @@ tcpdf
--
trafficserver (jmm)
--
+webkit2gtk (berto)
+--
wordpress
--
zabbix
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de8811b5d95e2cd70f8b536953f3b871ba578317