[Git][security-tracker-team/security-tracker][master] 5 commits: CVE-2025-31160,atop: bullseye is ignored

Markus Koschany (@apo) apo at debian.org
Sun Mar 30 23:02:00 BST 2025



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f4a89085 by Markus Koschany at 2025-03-31T00:01:45+02:00
CVE-2025-31160,atop: bullseye is ignored

because atopgpud is not installed by default (disabled via patch). Netatop is also not part of
Debian.

- - - - -
f8812de2 by Markus Koschany at 2025-03-31T00:01:45+02:00
Add php-horde to dla-needed.txt

- - - - -
6be62ce3 by Markus Koschany at 2025-03-31T00:01:45+02:00
Add varnish to dla-needed.txt

- - - - -
cba65de2 by Markus Koschany at 2025-03-31T00:01:47+02:00
CVE-2025-2312,cifs-utils: bullseye is not affected

The vulnerable code was introduced later

- - - - -
3c28b536 by Markus Koschany at 2025-03-31T00:01:48+02:00
CVE-2025-30472,corosync: bullseye is postponed

Minor issue. Encryption should be the default and if the attacker knows the
encryption key then the whole application is compromised and the key must be
changed ASAP.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1498,6 +1498,7 @@ CVE-2025-30355 (Synapse is an open source Matrix homeserver implementation. A ma
 	NOTE: https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389 (v1.127.1)
 CVE-2025-31160 (atop through 2.11.0 allows local users to cause a denial of service (e ...)
 	- atop <unfixed>
+	[bullseye] - atop <ignored> (atopgpud is not installed by default)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/03/26/2
 	NOTE: https://github.com/Atoptool/atop/issues/334
 	NOTE: https://www.openwall.com/lists/oss-security/2025/03/29/1
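Review bot: the `[bullseye] - atop <ignored>` parenthetical records only half of the rationale given in the commit message: it names atopgpud not being installed by default but omits that netatop is not part of Debian either. Since the parenthetical in data/CVE/list is what later triagers will read, consider folding both reasons in, e.g. `(atopgpud is not installed by default and disabled via patch; netatop is not in Debian)`, and keep `<ignored>` rather than `<not-affected>`, which correctly reflects that the issue exists in the package but is not worth an update.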
@@ -2570,6 +2571,7 @@ CVE-2024-13666 (The Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz
 	NOT-FOR-US: WordPress plugin
 CVE-2025-30472 (Corosync through 3.1.9, if encryption is disabled or the attacker know ...)
 	- corosync <unfixed>
+	[bullseye] - corosync <postponed> (Minor issue)
 	NOTE: https://github.com/corosync/corosync/issues/778
 CVE-2025-30204 (golang-jwt is a Go implementation of JSON Web Tokens. Prior to  5.2.2  ...)
 	- golang-github-golang-jwt-jwt-v5 5.2.2-1
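Review bot: the `[bullseye] - corosync <postponed> (Minor issue)` line drops the actual precondition that justifies postponing, which the CVE description on the line above spells out: the attack needs encryption disabled or the attacker already holding the encryption key. Consider carrying that into the parenthetical, e.g. `(Minor issue; requires disabled encryption or knowledge of the key)`, so the severity call can be checked without consulting the commit message.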
@@ -4315,6 +4317,7 @@ CVE-2023-52315
 	REJECTED
 CVE-2025-2312 (A flaw was found in cifs-utils. When trying to obtain Kerberos credent ...)
 	- cifs-utils 2:7.2-1
+	[bullseye] - cifs-utils <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2352604
 	NOTE: Depends on change on kernel: https://git.kernel.org/linus/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf (6.13-rc1)
 	NOTE: Fixed by: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174 (7.2)
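Review bot: `<not-affected> (The vulnerable code was introduced later)` is not verifiable from the entry as written: the NOTE lines identify the fixing commit (7.2) and the kernel change it depends on, but none points at the cifs-utils commit or version that introduced the vulnerable code. Consider adding a `NOTE: Introduced by: <commit> (<version>)` line so the bullseye determination can be re-checked, and since the entry carries no `[bookworm]` tag, confirm whether the same reasoning applies to that suite or whether it still needs triage.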


=====================================
data/dla-needed.txt
=====================================
@@ -206,6 +206,11 @@ pagure
 pgagent
   NOTE: 20250117: Added by Front-Desk (rouca)
 --
+php-horde
+  NOTE: 20250330: Added by Front-Desk (apo)
+  NOTE: 20250330: Needs more investigation. Project looks stale. Warrants a
+  NOTE: 20250330: warning to disable HTML emails at least. (apo)
+--
 php-laravel-framework
   NOTE: 20250307: Added by Front-Desk (rouca)
 --
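Review bot: the php-horde entry says "Project looks stale" and "Warrants a warning to disable HTML emails at least", but does not name the CVE id(s) that triggered the addition, so whoever claims it has to rediscover the scope. Consider adding the affected CVE ids to the 20250330 NOTE, and noting whether the stale upstream means this is heading for a DLA with a mitigation advisory or for a no-longer-supported decision, so the front-desk intent is recorded in the file rather than only in the mail.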
@@ -292,6 +297,9 @@ u-boot (dleidert)
   NOTE: 20250219: New CVEs, plus it's time to fix all the no-dsa&postponed CVEs (Beuc/front-desk)
   NOTE: 20250327: All patches prepped; currently testing (dleidert)
 --
+varnish
+  NOTE: 20250330: Added by Front-Desk (apo)
+--
 webkit2gtk (Emilio)
   NOTE: 20250321: Added by Front-Desk (pochu)
 --
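Review bot: the varnish entry carries only `Added by Front-Desk (apo)` with no CVE ids and no hint of why it was added; neighbouring entries such as u-boot show the expected level of detail ("New CVEs, plus ..."). Consider appending a NOTE listing the open CVE ids for bullseye so a claimant can see the scope at a glance.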



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4396410bd3a31b5cb0855b7756f587140243f947...3c28b536e9e889527a86c9bd2701896c868bedf5


