[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed May 7 11:42:21 BST 2025



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
22384455 by Moritz Muehlenhoff at 2025-05-07T12:41:47+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -153,6 +153,7 @@ CVE-2025-47417 (Exposure of Sensitive Information to an Unauthorized Actor vulne
 	NOT-FOR-US: Crestron Automate VX
 CVE-2025-47256 (Libxmp through 4.6.2 has a stack-based buffer overflow in depack_pha i ...)
 	- libxmp <unfixed>
+	[bookworm] - libxmp <no-dsa> (Minor issue)
 	NOTE: https://github.com/libxmp/libxmp/issues/847
 	NOTE: https://github.com/libxmp/libxmp/pull/848
 	NOTE: Fixed by: https://github.com/libxmp/libxmp/commit/004a102c5a75ad809fc309ff73ce8d0f9ab3e456
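Review bot: the new `[bookworm] - libxmp <no-dsa> (Minor issue)` line leaves bullseye without a triage line, while the hoteldruid entry touched later in this same commit carries both a `[bookworm]` and a `[bullseye]` decision. Since the description says "Libxmp through 4.6.2", the bullseye package is presumably in range too; either add a `[bullseye]` line (postponed or no-dsa) or note why the bullseye build is not affected so the LTS team does not have to re-derive it.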
@@ -631,11 +632,10 @@ CVE-2024-42212 (HCL BigFix Compliance is affected by an improper or missing Same
 CVE-2024-11615 (The Envolve Plugin plugin for WordPress is vulnerable to arbitrary fil ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2025-47268 (ping in iputils through 20240905 allows a denial of service (applicati ...)
-	- iputils <unfixed> (bug #1104746)
-	[bookworm] - iputils <no-dsa> (Minor issue)
-	[bullseye] - iputils <postponed> (Minor issue, DoS)
+	- iputils <unfixed> (unimportant; bug #1104746)
 	NOTE: https://github.com/iputils/iputils/issues/584
 	NOTE: https://github.com/Zephkek/ping-rtt-overflow/
+	NOTE: Negligible security impact
 CVE-2025-43926 [ZSA-2025-07]
 	[experimental] - znuny 6.5.15-1
 	- znuny <unfixed> (bug #1104739)
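Review bot: the added `NOTE: Negligible security impact` only restates the `unimportant` tag on the line above it and drops the one piece of reasoning the removed `[bullseye]` line carried (`Minor issue, DoS`). A NOTE should say why the impact is negligible, for instance what the referenced issue #584 and the ping-rtt-overflow repository show about who can trigger the crash and what it affects, so that a later reader can check the downgrade from `<no-dsa>`/`<postponed>` to `unimportant` without re-reading both links.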
@@ -2662,7 +2662,7 @@ CVE-2025-47153 (Certain build processes for libuv and Node.js for 32-bit systems
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=892601
 	NOTE: https://github.com/nodejs/node-v0.x-archive/issues/4549
 CVE-2025-4056
-	- glib2.0 <not-affected> (Only affcts Glib on Windows)
+	- glib2.0 <not-affected> (Only affects Glib on Windows)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2362826
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/3668
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4570
@@ -4520,6 +4520,7 @@ CVE-2023-43958 (An arbitrary file upload vulnerability in the component /jquery-
 	NOT-FOR-US: Hospital Management System
 CVE-2023-43378 (A cross-site scripting (XSS) vulnerability in Hoteldruid v3.0.5 allows ...)
 	- hoteldruid <unfixed> (bug #1104020)
+	[bookworm] - hoteldruid <no-dsa> (Minor issue)
 	[bullseye] - hoteldruid <postponed> (minor bug; XSS)
 	NOTE: https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-hoteldruid-version-3-0-5-via-commento1_1-post-parameter-44ff18cb61cd4a80bbba75d5e4360ee4
 CVE-2025-3856 (A vulnerability was found in xxyopen Novel-Plus 5.1.0. It has been cla ...)
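Review bot: the two release lines for hoteldruid now carry rationales in different styles, `(Minor issue)` on the new `[bookworm]` line and `(minor bug; XSS)` on the existing `[bullseye]` line. Harmonise them to the `Minor issue` wording used on every other triage line in this commit (optionally keeping the `XSS` qualifier on both), so the two decisions read as one assessment of the same bug.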
@@ -4664,10 +4665,12 @@ CVE-2025-43970 (An issue was discovered in GoBGP before 3.35.0. pkg/packet/mrt/m
 	NOTE: Fixed by: https://github.com/osrg/gobgp/commit/5153bafbe8dbe1a2f02a70bbf0365e98b80e47b0 (v3.35.0)
 CVE-2025-43967 (libheif before 1.19.6 has a NULL pointer dereference in ImageItem_Grid ...)
 	- libheif 1.19.7-1
+	[bookworm] - libheif <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libheif/issues/1455
 	NOTE: Fixed by: https://github.com/strukturag/libheif/commit/6e35af7b0ff9fb6cc952a1539590d160db32f671 (v1.19.6)
 CVE-2025-43966 (libheif before 1.19.6 has a NULL pointer dereference in ImageItem_iden ...)
 	- libheif 1.19.7-1
+	[bookworm] - libheif <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/strukturag/libheif/commit/b38555387e4b5dcf036fe45b0c440aca19b7b69c (v1.19.6)
 CVE-2025-43964 (In LibRaw before 0.21.4, tag 0x412 processing in phase_one_correct in  ...)
 	{DLA-4142-1}
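Review bot: both libheif entries get an identical `[bookworm] - libheif <no-dsa> (Minor issue)` line, but only CVE-2025-43967 has an upstream issue link (issues/1455); CVE-2025-43966 has just the fix commit. If the second NULL pointer dereference was reported in the same or a sibling upstream issue, add that NOTE so the two no-dsa decisions are equally traceable.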
@@ -7305,6 +7308,7 @@ CVE-2025-24948 (In JotUrl 2.0, passwords are sent via HTTP GET-type requests, po
 CVE-2025-24358 (gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention mid ...)
 	{DLA-4151-1}
 	- golang-github-gorilla-csrf 1.7.2+ds1-2 (bug #1103584)
+	[bookworm] - golang-github-gorilla-csrf <no-dsa> (Minor issue)
 	NOTE: https://github.com/gorilla/csrf/security/advisories/GHSA-rq77-p4h8-4crw
 	NOTE: https://github.com/gorilla/csrf/commit/9dd6af1f6d30fc79fb0d972394deebdabad6b5eb (v1.7.3)
 CVE-2025-22903 (TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a sta ...)
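Review bot: this entry already records `{DLA-4151-1}`, i.e. bullseye received an LTS update for the gorilla/csrf CSRF bypass, yet the new bookworm line is `<no-dsa> (Minor issue)`. Not necessarily wrong, but the rationale should say why bookworm is treated differently from bullseye (for example that the fix will go out via a point release or that the bookworm build is less exposed), otherwise the DLA line and the "Minor issue" tag contradict each other on the page.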
@@ -7365,6 +7369,7 @@ CVE-2025-3588 (A vulnerability, which was classified as problematic, has been fo
 	NOT-FOR-US: joelittlejohn jsonschema2pojo
 CVE-2025-3576 (A vulnerability in the MIT Kerberos implementation allows GSSAPI-prote ...)
 	- krb5 1.21.2-1 (bug #1103525)
+	[bookworm] - krb5 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2359465
 	NOTE: CVE relates to issues covered in:
 	NOTE: https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf
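Review bot: the existing `NOTE: CVE relates to issues covered in:` line does not say which of the paper's findings (RC4 cipher weaknesses or PAC spoofing, per its title) this CVE corresponds to, and the new `[bookworm] - krb5 <no-dsa> (Minor issue)` line gives no reason beyond "Minor issue". Spell out the link in the rationale (for example whether the issue is confined to the legacy RC4 enctype), so the no-dsa decision can be reviewed without reading the whole whitepaper.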


=====================================
data/dsa-needed.txt
=====================================
@@ -26,6 +26,8 @@ gimp
 --
 jpeg-xl
 --
+libapache2-mod-auth-openidc
+--
 libreswan
   Waiting on feedback from maintainer
 --
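Review bot: `libapache2-mod-auth-openidc` is added to dsa-needed.txt without any annotation, whereas the neighbouring `libreswan` entry carries a status line (`Waiting on feedback from maintainer`). Add an indented line under the new entry naming the CVE(s) it covers and who is preparing the update, so the queue entry can be matched to data/CVE/list and picked up by someone else if needed.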



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22384455d06b916bf10f977645fb4b831bdd1281


