[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon May 19 08:03:18 BST 2025



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a67828d3 by Moritz Muehlenhoff at 2025-05-19T09:02:59+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -206,7 +206,8 @@ CVE-2025-4190 (The CSV Mass Importer WordPress plugin through 1.2 does not prope
 CVE-2025-4189 (The Audio Comments Plugin plugin for WordPress is vulnerable to Cross- ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2025-48188 (libpspp-core.a in GNU PSPP through 2.0.1 has an incorrect call from fi ...)
-	- pspp <unfixed> (bug #1105918)
+	- pspp <unfixed> (unimportant; bug #1105918)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://savannah.gnu.org/bugs/?67079
 CVE-2025-3812 (The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to  ...)
 	NOT-FOR-US: WordPress plugin
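Review bot: On the pspp entry, the added NOTE justifies `unimportant` with "Crash in CLI tool", but the CVE description names libpspp-core.a rather than a command-line binary. If the affected code is only reachable through the pspp tools, say so in the NOTE, so the rating does not read as if library consumers were overlooked.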
@@ -226,6 +227,7 @@ CVE-2025-4806 (A vulnerability, which was classified as critical, has been found
 	NOT-FOR-US: SourceCodester
 CVE-2025-4802 (Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GN ...)
 	- glibc 2.39-4
+	[bookworm] - glibc <no-dsa> (Minor issue)
 	NOTE: Introduced with: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=10e93d968716ab82931d593bada121c17c0a4b93 (glibc-2.27)
 	NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5451fa962cd0a90a0e2ec1d8910a559ace02bba0 (glibc-2.39)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=32976
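Review bot: The `[bookworm] - glibc <no-dsa> (Minor issue)` line gives no reason for the rating, while the NOTE lines directly below it show a wide affected range (introduced in glibc-2.27, fixed in glibc-2.39). A short NOTE stating what limits exposure would let the no-dsa decision be audited later without rereading the upstream bug.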
@@ -1107,6 +1109,7 @@ CVE-2025-4516 (There is an issue in CPython when using `bytes.decode("unicode_es
 	- python3.13 <unfixed>
 	- python3.12 <unfixed>
 	- python3.11 <removed>
+	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/L75IPBBTSCYEF56I2M4KIW353BB3AY74/
 	NOTE: https://github.com/python/cpython/issues/133767
@@ -1298,6 +1301,7 @@ CVE-2025-23165 [Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallba
 	NOTE: Fixed by https://github.com/nodejs/node/commit/6a7b005a07a0912260e328c6397317b5b862ffde
 CVE-2025-23167 [Improper HTTP header block termination in llhttp]
 	- node-undici <unfixed> (bug #1105919)
+	[bookworm] - node-undici <no-dsa> (Minor issue)
 	- llhttp <itp> (bug #977716)
 	NOTE: https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-http-header-block-termination-in-llhttp-cve-2025-23167---medium
 CVE-2025-23166 [Improper error handling in async cryptographic operations crashes process]
@@ -7724,6 +7728,7 @@ CVE-2025-23244 (NVIDIA GPU Display Driver for Linux contains a vulnerability whi
 	- nvidia-graphics-drivers-tesla 525.147.05-6 (bug #1104075)
 	NOTE: 525.147.05-6 turned the package into a metapackage to aid switching to nvidia-graphics-drivers
 	- nvidia-graphics-drivers-tesla-535 535.247.01-1 (bug #1104077)
+	[bookworm] - nvidia-graphics-drivers-tesla-535 <no-dsa> (Non-free not supported)
 	- nvidia-open-gpu-kernel-modules 535.247.01-1 (bug #1104076)
 	[bookworm] - nvidia-open-gpu-kernel-modules 535.247.01-1~deb12u1
 	NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5630
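Review bot: Within this entry only nvidia-graphics-drivers-tesla-535 gets a bookworm annotation. The nvidia-graphics-drivers-tesla line above it (525.147.05-6, bug #1104075) has none, and nvidia-open-gpu-kernel-modules already carries a bookworm fixed version. If nvidia-graphics-drivers-tesla is also present in bookworm, it needs the same `<no-dsa> (Non-free not supported)` line to keep the entry consistent.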
@@ -8928,6 +8933,7 @@ CVE-2025-32442 (Fastify is a fast and low overhead web framework, for Node.js. I
 	NOT-FOR-US: Fastify
 CVE-2025-32434 (PyTorch is a Python package that provides tensor computation with stro ...)
 	- pytorch 2.6.0+dfsg-1
+	[bookworm] - pytorch <no-dsa> (Minor issue)
 	NOTE: https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6
 CVE-2025-32389 (NamelessMC is a free, easy to use & powerful website software for Mine ...)
 	NOT-FOR-US: NamelessMC


=====================================
data/dsa-needed.txt
=====================================
@@ -27,6 +27,8 @@ intel-microcode (carnil)
 --
 jpeg-xl
 --
+libavif
+--
 libreswan
   Waiting on feedback from maintainer
 --
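Review bot: The new libavif entry has neither a claimant nor a status line, and none of the data/CVE/list hunks in this commit touch libavif, so the reason for queuing it cannot be recovered from the change. An indented note under `libavif` naming the driving CVE ids, in the style of the libreswan entry below it, would help whoever picks it up.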



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a67828d3ef86ceb013a03780022e72735ed7476d
