[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri May 16 17:24:50 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ffc98f41 by Moritz Muehlenhoff at 2025-05-16T18:23:23+02:00
bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -663,6 +663,7 @@ CVE-2025-47285 (Vyper is the Pythonic Programming Language for the Ethereum Virt
NOT-FOR-US: Vyper
CVE-2025-47279 (Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6. ...)
- node-undici <unfixed> (bug #1105860)
+ [bookworm] - node-undici <no-dsa> (Minor issue)
NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3
NOTE: https://github.com/nodejs/undici/issues/3895
NOTE: https://github.com/nodejs/undici/pull/4088
@@ -807,6 +808,7 @@ CVE-2024-13914 (The File Manager Advanced Shortcode WordPress plugin for WordPre
NOT-FOR-US: WordPress plugin
CVE-2025-4478
- gnome-remote-desktop <unfixed>
+ [bookworm] - gnome-remote-desktop <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2365232
CVE-2025-23165 [Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string]
- nodejs <unfixed> (bug #1105832)
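Review bot: the new `[bookworm] - gnome-remote-desktop <no-dsa> (Minor issue)` line for CVE-2025-4478 is the only triage annotation in this commit whose entry carries no fix reference (the other annotated entries list a `Fixed by:` commit, a pull request or an upstream advisory); the sole reference here is the Red Hat bugzilla link, and the header line is a bare CVE id with no description. Suggest adding a `NOTE:` with the upstream fix commit once it is known, so the no-dsa rating can be re-checked against the actual change rather than the downstream bug alone.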
@@ -2057,13 +2059,11 @@ CVE-2025-46718 (sudo-rs is a memory safe implementation of sudo and su written i
NOTE: https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.6
NOTE: https://github.com/trifectatechfoundation/sudo-rs/commit/54984189d62a0763235d4a02a4b2d09d768a9986 (v0.2.6)
NOTE: https://github.com/trifectatechfoundation/sudo-rs/commit/848719f28067d3b5e6672d07f34da5b24f85765b (v0.2.6)
- TODO: check details
CVE-2025-46717 (sudo-rs is a memory safe implementation of sudo and su written in Rust ...)
- rust-sudo-rs 0.2.5-5
NOTE: https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.6
NOTE: https://github.com/trifectatechfoundation/sudo-rs/commit/54984189d62a0763235d4a02a4b2d09d768a9986 (v0.2.6)
NOTE: https://github.com/trifectatechfoundation/sudo-rs/commit/848719f28067d3b5e6672d07f34da5b24f85765b (v0.2.6)
- TODO: check details
CVE-2025-4535 (A vulnerability, which was classified as problematic, was found in Gos ...)
NOT-FOR-US: Gosuncn Technology Group Audio-Visual Integrated Management Platform
CVE-2025-4534 (A vulnerability, which was classified as problematic, has been found i ...)
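Review bot: dropping `TODO: check details` under both CVE-2025-46718 and CVE-2025-46717 leaves no record of what the check concluded, whereas the gdal hunk in this same commit replaces its TODO with a NOTE stating the outcome; suggest adding a one-line `NOTE:` under each entry summarising the result of the details check so later triagers do not have to redo it. This is also the only hunk in data/CVE/list that adds no `[bookworm]` annotation: if rust-sudo-rs is shipped in bookworm, an explicit `[bookworm] - rust-sudo-rs <no-dsa>` or `<not-affected>` line with a reason would make the bookworm status visible; if it is not, a NOTE saying so would explain why the entry differs from the rest of the commit.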
@@ -2281,6 +2281,7 @@ CVE-2025-4403 (The Drag and Drop Multiple File Upload for WooCommerce plugin for
NOT-FOR-US: WordPress plugin
CVE-2025-4382 (A flaw was found in systems utilizing LUKS-encrypted disks with GRUB c ...)
- grub2 <unfixed> (bug #1105108)
+ [bookworm] - grub2 <no-dsa> (Minor issue)
NOTE: Fixed by: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=c448f511e74cb7c776b314fcb7943f98d3f22b6d
NOTE: Additional hardening via:
NOTE: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=ed691c0e0e20d9d0e8d8305a120e8c61d6be3d38
@@ -3326,6 +3327,7 @@ CVE-2025-47423 (Personal Weather Station Dashboard 12_lts allows unauthenticated
NOT-FOR-US: Personal Weather Station Dashboard
CVE-2025-47203 (dbclient in Dropbear SSH before 2025.88 allows command injection via a ...)
- dropbear 2025.88-1
+ [bookworm] - dropbear <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/mkj/dropbear/commit/e5a0ef27c227f7ae69d9a9fec98a056494409b9b (DROPBEAR_2025.88)
CVE-2025-46828 (WeGIA is a web manager for charitable institutions. An unauthenticate ...)
NOT-FOR-US: WeGIA
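Review bot: the visible description for CVE-2025-47203 reads "dbclient in Dropbear SSH before 2025.88 allows command injection via a ...", while the added bookworm line rates it `<no-dsa> (Minor issue)` without a stated rationale; the existing `Fixed by:` line gives a pointer to the upstream commit but no reasoning. Suggest a short `NOTE:` recording why the issue is considered minor for bookworm (the conditions under which the affected dbclient path is reachable, as established from the linked fix), so a reader can reconcile "command injection" in the summary with the no-dsa rating without re-deriving it.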
@@ -3994,6 +3996,7 @@ CVE-2025-4316 (Improper access control in PAM feature in Devolutions Server allo
NOT-FOR-US: Devolutions
CVE-2025-4287 (A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as ...)
- pytorch <unfixed> (bug #1104931)
+ [bookworm] - pytorch <no-dsa> (Minor issue)
NOTE: https://github.com/pytorch/pytorch/issues/150836
NOTE: https://github.com/pytorch/pytorch/pull/150923
CVE-2025-4286 (A vulnerability was found in Intelbras InControl up to 2.21.59. It has ...)
@@ -13126,7 +13129,7 @@ CVE-2025-29480 (Buffer Overflow vulnerability in gdal 3.10.2 allows a local atta
- gdal <unfixed> (bug #1103839; unimportant)
NOTE: https://github.com/lmarch2/poc/blob/main/gdal/gdal.md
NOTE: https://github.com/OSGeo/gdal/issues/12188
- TODO: check pending rejection as invalid/unreproducible issue upstream
+ NOTE: invalid/unreproducible issue upstream, possibly will be rejected
CVE-2025-29479
REJECTED
CVE-2025-29478 (An issue in fluent-bit v.3.7.2 allows a local attacker to cause a deni ...)
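Review bot: the replacement line `NOTE: invalid/unreproducible issue upstream, possibly will be rejected` reads awkwardly and does not say who is expected to reject what; suggest wording it as `NOTE: upstream considers the issue invalid/unreproducible; CVE rejection pending` (or "may be rejected"). Since the entry is already tagged `unimportant`, it would also help to tie the NOTE to the upstream discussion already listed on the line above (OSGeo/gdal issue 12188) as the basis for that status, so the claim is sourced rather than free-standing.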
=====================================
data/dsa-needed.txt
=====================================
@@ -65,6 +65,8 @@ sympa
tcpdf
Santiago is taking a look and reporting back on progress
--
+tomcat10
+--
thunderbird (jmm)
--
webkit2gtk (berto)
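Review bot: `tomcat10` is added to dsa-needed.txt with no claimant and no progress line, which is consistent with the file's convention for unclaimed entries (compare `thunderbird (jmm)` with an owner and `tcpdf` with a progress note); suggest adding a brief line naming the CVE(s) the DSA is meant to cover, so whoever claims the entry can start from the corresponding tracker entries instead of rediscovering the scope.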
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffc98f41ec717278f57da54e0cd7765491728117