[Git][security-tracker-team/security-tracker][master] 18 commits: CVE-2025-62725,docker-compose: bullseye is not affected
Markus Koschany (@apo)
apo at debian.org
Sun Nov 2 22:10:50 GMT 2025
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a431e9cc by Markus Koschany at 2025-11-02T23:09:17+01:00
CVE-2025-62725,docker-compose: bullseye is not affected
Support for remote OCI artifacts was added in version 2.22
https://github.com/docker/compose/commit/e0f39ebbef094480660bf4f82b945b145d47ff26
- - - - -
ca129454 by Markus Koschany at 2025-11-02T23:09:18+01:00
hdf5,bullseye: mark new issues as postponed
- - - - -
15e2b862 by Markus Koschany at 2025-11-02T23:09:18+01:00
Add samba to dla-needed.txt
- - - - -
bb1c79da by Markus Koschany at 2025-11-02T23:09:18+01:00
Add git-lfs to dla-needed.txt
- - - - -
843d70a4 by Markus Koschany at 2025-11-02T23:09:19+01:00
Add libwebsockets to dla-needed.txt
- - - - -
f8ecbbff by Markus Koschany at 2025-11-02T23:09:19+01:00
Add unbound to dla-needed.txt
- - - - -
7654e25c by Markus Koschany at 2025-11-02T23:09:20+01:00
Mark consul CVE as EOL for bullseye
- - - - -
1b3cd341 by Markus Koschany at 2025-11-02T23:09:21+01:00
Mark pdns-recursor CVE EOL for bullseye
- - - - -
44dd6fea by Markus Koschany at 2025-11-02T23:09:23+01:00
Mark golang-1.15 CVE as postponed for bullseye
Minor issues
- - - - -
e28d7a24 by Markus Koschany at 2025-11-02T23:09:24+01:00
CVE-2025-59530,golang-github-lucas-clemente-quic-go: bullseye is postponed
Minor issues
- - - - -
b9483bcc by Markus Koschany at 2025-11-02T23:09:26+01:00
CVE-2025-62611,aiomysql: bullseye is postponed
Minor issue
- - - - -
357b20bc by Markus Koschany at 2025-11-02T23:09:28+01:00
CVE-2025-11146,apt-cacher-ng: bullseye is postponed
Minor issue
- - - - -
b7444082 by Markus Koschany at 2025-11-02T23:09:29+01:00
CVE-2025-50950,audiofile: bullseye is postponed
Minor issue
- - - - -
857c54b9 by Markus Koschany at 2025-11-02T23:09:31+01:00
CVE-2025-50949,CVE-2025-50951,fontforge: bullseye is postponed
Minor issue
- - - - -
7c7fe581 by Markus Koschany at 2025-11-02T23:09:32+01:00
CVE-2025-11568,luksmeta: bullseye is postponed
Minor issue
- - - - -
2a4eaaf0 by Markus Koschany at 2025-11-02T23:09:34+01:00
CVE-2025-62875,opensmtpd: bullseye is postponed
Minor issue
- - - - -
d5ee74be by Markus Koschany at 2025-11-02T23:09:35+01:00
CVE-2025-62672,rplay: bullseye is postponed
Minor issue
- - - - -
6e6e857b by Markus Koschany at 2025-11-02T23:09:37+01:00
CVE-2025-61783,social-auth-app-django: bullseye is postponed
Minor issue
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -44,6 +44,7 @@ CVE-2025-62875 [Denial-of-Service via UNIX Domain Socket]
- opensmtpd <unfixed> (bug #1119840)
[trixie] - opensmtpd <no-dsa> (Minor issue)
[bookworm] - opensmtpd <no-dsa> (Minor issue)
+ [bullseye] - opensmtpd <postponed> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2025/10/31/3
NOTE: https://github.com/OpenSMTPD/OpenSMTPD/commit/653abf00f5283a2d3247eb9aabf8987d1b2f0510 (7.8.0p0)
NOTE: 270e23a6eb upstream (7.7.0p0) made major changes to the message parsing code
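Review bot: the last NOTE line of this hunk records that upstream commit 270e23a6eb (7.7.0p0) made major changes to the message parsing code, which is a hint that bullseye's older opensmtpd may not contain the affected parser at all; before settling on `[bullseye] - opensmtpd <postponed> (Minor issue)`, it is worth checking whether the 7.8.0p0 fix commit (653abf00f5283a2d3247eb9aabf8987d1b2f0510) even applies to bullseye's source, and marking `<not-affected>` with a reason if it does not, as this same commit series does for docker-compose.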
@@ -1185,9 +1186,11 @@ CVE-2025-11705 (The Anti-Malware Security and Brute-Force Firewall plugin for Wo
NOT-FOR-US: WordPress plugin
CVE-2025-11375 (Consul and Consul Enterprise\u2019s (\u201cConsul\u201d) event endpoin ...)
- consul <removed>
+ [bullseye] - consul <end-of-life> (bug #1057418)
NOTE: https://discuss.hashicorp.com/t/hcsec-2025-28-consuls-event-endpoint-is-vulnerable-to-denial-of-service/76723
CVE-2025-11374 (Consul and Consul Enterprise\u2019s (\u201cConsul\u201d) key/value end ...)
- consul <removed>
+ [bullseye] - consul <end-of-life> (bug #1057418)
NOTE: https://discuss.hashicorp.com/t/hcsec-2025-29-consuls-kv-endpoint-is-vulnerable-to-denial-of-service/76724
CVE-2023-7320 (The WooCommerce plugin for WordPress is vulnerable to Sensitive Inform ...)
NOT-FOR-US: WordPress plugin
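Review bot: the two new `[bullseye] - consul <end-of-life> (bug #1057418)` lines give only a bug number as the justification; the pdns-recursor entries in this same change use a human-readable reason (`see DSA 6045`), and a short phrase here saying what bug #1057418 is about would let a reader of data/CVE/list see why bullseye support for consul ended without opening the bug.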
@@ -1601,6 +1604,7 @@ CVE-2025-62777 (Use of Hard-Coded Credentials issue exists in MZK-DP300N version
NOT-FOR-US: MZK-DP300N
CVE-2025-62725 (Docker Compose trusts the path information embedded in remote OCI comp ...)
- docker-compose <unfixed> (bug #1119298)
+ [bullseye] - docker-compose <not-affected> (Vulnerable code was introduced later)
NOTE: https://github.com/docker/compose/security/advisories/GHSA-gv8h-7v7w-r22q
NOTE: Fixed by: https://github.com/docker/compose/commit/69bcb962bfb2ea53b41aa925333d356b577d6176 (v2.40.2)
CVE-2025-62594 (ImageMagick is a software suite to create, edit, compose, or convert b ...)
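Review bot: the reason string `(Vulnerable code was introduced later)` on the new bullseye line is not backed by anything inside the entry itself; the commit message cites the commit that added remote OCI artifact support (https://github.com/docker/compose/commit/e0f39ebbef094480660bf4f82b945b145d47ff26, version 2.22), and recording it as a `NOTE:` line next to the existing `Fixed by:` note would make the not-affected claim checkable from data/CVE/list alone.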
@@ -2823,17 +2827,20 @@ CVE-2025-50951 (FontForge v20230101 was discovered to contain a memory leak via
- fontforge <unfixed> (bug #1118749)
[trixie] - fontforge <no-dsa> (Minor issue)
[bookworm] - fontforge <no-dsa> (Minor issue)
+ [bullseye] - fontforge <postponed> (Minor issue)
NOTE: https://github.com/fontforge/fontforge/pull/5495
NOTE: Fixed by: https://github.com/fontforge/fontforge/commit/dcb6efb85030c4bee2f18c6e46c20561d1c77a2b (20251009)
CVE-2025-50950 (Audiofile v0.3.7 was discovered to contain a NULL pointer dereference ...)
- audiofile <unfixed> (bug #1118940)
[trixie] - audiofile <no-dsa> (Minor issue)
[bookworm] - audiofile <no-dsa> (Minor issue)
+ [bullseye] - audiofile <postponed> (Minor issue)
NOTE: https://github.com/mpruett/audiofile/issues/66
CVE-2025-50949 (FontForge v20230101 was discovered to contain a memory leak via the co ...)
- fontforge <unfixed> (bug #1118748)
[trixie] - fontforge <no-dsa> (Minor issue)
[bookworm] - fontforge <no-dsa> (Minor issue)
+ [bullseye] - fontforge <postponed> (Minor issue)
NOTE: https://github.com/fontforge/fontforge/pull/5491
NOTE: Fixed by: https://github.com/fontforge/fontforge/commit/da98987fa8c896fce9a7813923f4f1c75b0d8cd3 (20251009)
CVE-2025-48430 (Uncaught Exception (CWE-248) in the Command Centre Server allows an Au ...)
@@ -2916,11 +2923,13 @@ CVE-2025-59024
{DSA-6045-1}
- pdns-recursor 5.3.1-1 (bug #1118751)
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
+ [bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html
CVE-2025-59023
{DSA-6045-1}
- pdns-recursor 5.3.1-1 (bug #1118751)
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
+ [bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html
CVE-2025-9158 (The Request Tracker software is vulnerable to a Stored XSS vulnerabili ...)
- request-tracker5 5.0.7+dfsg-5
@@ -2943,6 +2952,7 @@ CVE-2025-62611 (aiomysql is a library for accessing a MySQL database from the as
- aiomysql 0.3.2-1 (bug #1118754)
[trixie] - aiomysql <no-dsa> (Minor issue)
[bookworm] - aiomysql <no-dsa> (Minor issue)
+ [bullseye] - aiomysql <postponed> (Minor issue)
NOTE: https://github.com/aio-libs/aiomysql/security/advisories/GHSA-r397-ff8c-wv2g
NOTE: https://github.com/aio-libs/aiomysql/pull/1044
NOTE: Fixed by: https://github.com/aio-libs/aiomysql/commit/32c4520dae3711367ded74a4726dcb8bb8919538 (v0.3.2)
@@ -4451,6 +4461,7 @@ CVE-2025-62672 (rplay through 3.3.2 allows attackers to cause a denial of servic
- rplay <unfixed> (bug #1118224)
[trixie] - rplay <no-dsa> (Minor issue)
[bookworm] - rplay <no-dsa> (Minor issue)
+ [bullseye] - rplay <postponed> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2025/10/17/3
NOTE: https://www.openwall.com/lists/oss-security/2025/10/18/4
CVE-2025-11939 (A vulnerability was determined in ChurchCRM up to 5.18.0. This issue a ...)
@@ -5246,6 +5257,7 @@ CVE-2025-11568 (A data corruption vulnerability has been identified in the luksm
- luksmeta 10-1 (bug #1118280)
[trixie] - luksmeta <no-dsa> (Minor issue)
[bookworm] - luksmeta <no-dsa> (Minor issue)
+ [bullseye] - luksmeta <postponed> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2404244
NOTE: https://github.com/latchset/luksmeta/pull/16
NOTE: Fixed by: https://github.com/latchset/luksmeta/commit/017998805ddf98a482bb02fc1d0a09343baab2ca (v10)
@@ -6944,6 +6956,7 @@ CVE-2025-59530 (quic-go is an implementation of the QUIC protocol in Go. In vers
- golang-github-lucas-clemente-quic-go 0.54.1-1
[trixie] - golang-github-lucas-clemente-quic-go <no-dsa> (Minor issue)
[bookworm] - golang-github-lucas-clemente-quic-go <no-dsa> (Minor issue)
+ [bullseye] - golang-github-lucas-clemente-quic-go <postponed> (Minor issue)
NOTE: https://github.com/quic-go/quic-go/security/advisories/GHSA-47m2-4cr7-mhcw
NOTE: https://github.com/quic-go/quic-go/pull/5354
NOTE: Fixed by: https://github.com/quic-go/quic-go/commit/ce7c9ea8834b9d2ed79efa9269467f02c0895d42 (v0.55.0)
@@ -7192,6 +7205,7 @@ CVE-2025-61783 (Python Social Auth is a social authentication/registration mecha
- social-auth-app-django <unfixed> (bug #1117857)
[trixie] - social-auth-app-django <no-dsa> (Minor issue)
[bookworm] - social-auth-app-django <no-dsa> (Minor issue)
+ [bullseye] - social-auth-app-django <postponed> (Minor issue)
NOTE: https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg
NOTE: https://github.com/python-social-auth/social-app-django/issues/220
NOTE: https://github.com/python-social-auth/social-app-django/issues/231
@@ -7334,6 +7348,7 @@ CVE-2025-61724 (The Reader.ReadResponse function constructs a response string th
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75716
NOTE: https://github.com/golang/go/commit/5d7a787aa2b486f77537eeaed9c38c940a7182b8 (go1.25.2)
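Review bot: this and the following nine golang-1.15 hunks all add the identical `[bullseye] - golang-1.15 <postponed> (Minor issue)` line, while the commit message says only "Minor issues"; several of the hunk headers describe certificate handling (CVE-2025-58188, DSA public keys in chains; CVE-2025-58187, name constraint checking) and HTTP header parsing (CVE-2025-58186), so a per-CVE reason, or at least a pointer to where the bullseye triage rationale was written down, would help whoever later revisits these postponed entries.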
@@ -7346,6 +7361,7 @@ CVE-2025-58183 (tar.Reader does not set a maximum size on the number of sparse r
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75677
NOTE: https://github.com/golang/go/commit/2612dcfd3cb6dd73c76e14a24fe1a68e2708e4e3 (go1.25.2)
@@ -7358,6 +7374,7 @@ CVE-2025-58188 (Validating certificate chains which contain DSA public keys can
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75675
NOTE: https://github.com/golang/go/commit/930ce220d052d632f0d84df5850c812a77b70175 (go1.25.2)
@@ -7370,6 +7387,7 @@ CVE-2025-58186 (Despite HTTP headers having a default limit of 1MB, the number o
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75672
NOTE: https://github.com/golang/go/commit/100c5a66802b5a895b1d0e5ed3b7918f899c4833 (go1.25.2)
@@ -7382,6 +7400,7 @@ CVE-2025-58185 (Parsing a maliciously crafted DER payload could allocate large a
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75671
NOTE: https://github.com/golang/go/commit/e0f655bf3f96410f90756f49532bc6a1851855ca (go1.25.2)
@@ -7394,6 +7413,7 @@ CVE-2025-47912 (The Parse function permits values other than IPv6 addresses to b
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75678
NOTE: https://github.com/golang/go/commit/9fd3ac8a10272afd90312fef5d379de7d688a58e (go1.25.2)
@@ -7406,6 +7426,7 @@ CVE-2025-61723 (The processing time for parsing some invalid inputs scales non-l
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75676
NOTE: https://github.com/golang/go/commit/90f72bd5001d0278949fab0b7a40f7d8c712979b (go1.25.2)
@@ -7418,6 +7439,7 @@ CVE-2025-58189 (When Conn.Handshake fails during ALPN negotiation the error cont
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75652
NOTE: https://github.com/golang/go/commit/205d0865958a6d2342939f62dfeaf47508101976 (go1.25.2)
@@ -7430,6 +7452,7 @@ CVE-2025-58187 (Due to the design of the name constraint checking algorithm, the
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75681
NOTE: https://github.com/golang/go/commit/f0c69db15aae2eb10bddd8b6745dff5c2932e8f5 (go1.25.2)
@@ -7442,6 +7465,7 @@ CVE-2025-61725 (The ParseAddress function constructeds domain-literal address co
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75680
NOTE: https://github.com/golang/go/commit/6a057327cf9a405e6388593dd4aedc0d0da77092 (go1.25.2)
@@ -12094,6 +12118,7 @@ CVE-2025-11147 (Reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. Th
CVE-2025-11146 (Reflected Cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vuln ...)
- apt-cacher-ng 3.7.5-1
[bookworm] - apt-cacher-ng <no-dsa> (Minor issue)
+ [bullseye] - apt-cacher-ng <postponed> (Minor issue)
NOTE: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-apt-cacher-ng
NOTE: https://salsa.debian.org/blade/apt-cacher-ng/-/commit/b03d9a3ab326aad2538f42d2831b3114b830912b (upstream/3.7.5)
CVE-2025-10346 (HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a sto ...)
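Review bot: the hunk header shows CVE-2025-11147, a second reflected XSS in Apt-Cacher-NG v3.2.1, directly above CVE-2025-11146, but only CVE-2025-11146 receives the `[bullseye] - apt-cacher-ng <postponed> (Minor issue)` line and the commit message names only that id; worth confirming that CVE-2025-11147 already carries a bullseye state, or giving it the same treatment in a follow-up.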
@@ -40477,6 +40502,7 @@ CVE-2025-7067 (A vulnerability classified as problematic was found in HDF5 1.14.
- hdf5 <unfixed> (bug #1108886)
[trixie] - hdf5 <no-dsa> (Minor issue)
[bookworm] - hdf5 <no-dsa> (Minor issue)
+ [bullseye] - hdf5 <postponed> (Minor issue)
NOTE: https://github.com/HDFGroup/hdf5/issues/5577
NOTE: https://github.com/HDFGroup/hdf5/pull/5815
NOTE: https://github.com/HDFGroup/hdf5/commit/ea4b483d981b1c73ba2b8185c544565e4b05ae0e
@@ -42331,6 +42357,7 @@ CVE-2025-6816 (A vulnerability classified as problematic was found in HDF5 1.14.
- hdf5 <unfixed> (bug #1108482)
[trixie] - hdf5 <no-dsa> (Minor issue)
[bookworm] - hdf5 <no-dsa> (Minor issue)
+ [bullseye] - hdf5 <postponed> (Minor issue)
NOTE: https://github.com/HDFGroup/hdf5/issues/5571
NOTE: https://github.com/HDFGroup/hdf5/pull/5829
NOTE: https://github.com/HDFGroup/hdf5/commit/29c847a43db0cdc85b01cafa5a7613ea73932675
@@ -42774,6 +42801,7 @@ CVE-2025-6750 (A vulnerability, which was classified as problematic, has been fo
- hdf5 <unfixed> (bug #1108409)
[trixie] - hdf5 <no-dsa> (Minor issue)
[bookworm] - hdf5 <no-dsa> (Minor issue)
+ [bullseye] - hdf5 <postponed> (Minor issue)
NOTE: https://github.com/HDFGroup/hdf5/issues/5549
NOTE: https://github.com/HDFGroup/hdf5/pull/5856
NOTE: https://github.com/HDFGroup/hdf5/commit/86149a098837a37b2513746e9baf84010f75fb54
@@ -72387,11 +72415,13 @@ CVE-2025-2926 (A vulnerability was found in HDF5 up to 1.14.6 and classified as
- hdf5 <unfixed> (bug #1103531)
[trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5384
CVE-2025-2925 (A vulnerability has been found in HDF5 up to 1.14.6 and classified as ...)
- hdf5 <unfixed> (bug #1103532)
[trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5383
NOTE: https://github.com/HDFGroup/hdf5/pull/5739
NOTE: https://github.com/HDFGroup/hdf5/commit/4310c19608455c17a213383d07715efb2918defc
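Review bot: the new bullseye lines copy the reason `(Minor issue, revisit when fixed upstream)` from the trixie and bookworm lines, but for CVE-2025-2925 the entry already lists an upstream pull request (5739) and fix commit (4310c19608455c17a213383d07715efb2918defc), so the "revisit when fixed upstream" part is stale for that id; the same applies to CVE-2025-2924, CVE-2025-2923 and CVE-2025-2153 further down, each of which carries an HDFGroup fix commit in its NOTE lines.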
@@ -72399,6 +72429,7 @@ CVE-2025-2924 (A vulnerability, which was classified as problematic, was found i
- hdf5 <unfixed> (bug #1103533)
[trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5382
NOTE: https://github.com/HDFGroup/hdf5/pull/5814
NOTE: https://github.com/HDFGroup/hdf5/commit/0a57195ca67d278f1cf7d01566c121048e337a59
@@ -72406,6 +72437,7 @@ CVE-2025-2923 (A vulnerability, which was classified as problematic, has been fo
- hdf5 <unfixed> (bug #1103534)
[trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5381
NOTE: https://github.com/HDFGroup/hdf5/pull/5829
NOTE: https://github.com/HDFGroup/hdf5/commit/29c847a43db0cdc85b01cafa5a7613ea73932675
@@ -72425,22 +72457,26 @@ CVE-2025-2915 (A vulnerability classified as problematic was found in HDF5 up to
- hdf5 <unfixed> (bug #1103536)
[trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5380
CVE-2025-2914 (A vulnerability classified as problematic has been found in HDF5 up to ...)
- hdf5 <unfixed> (bug #1103537)
[trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5379
NOTE: https://github.com/HDFGroup/hdf5/pull/5722
CVE-2025-2913 (A vulnerability was found in HDF5 up to 1.14.6. It has been rated as c ...)
- hdf5 <unfixed> (bug #1103538)
[trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5376
CVE-2025-2912 (A vulnerability was found in HDF5 up to 1.14.6. It has been declared a ...)
- hdf5 <unfixed> (bug #1103539)
[trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5370
CVE-2025-2911 (Unauthorised access to the call forwarding service system in MeetMe pr ...)
NOT-FOR-US: MeetMe
@@ -76750,16 +76786,19 @@ CVE-2025-2310 (A vulnerability was found in HDF5 1.14.6 and classified as critic
- hdf5 <unfixed> (bug #1103540)
[trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/madao123123/crash_report/blob/main/hdf5_poc/hdf5_poc4.md
CVE-2025-2309 (A vulnerability has been found in HDF5 1.14.6 and classified as critic ...)
- hdf5 <unfixed> (bug #1103541)
[trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/madao123123/crash_report/blob/main/hdf5_poc/hdf5_poc3.md
CVE-2025-2308 (A vulnerability, which was classified as critical, was found in HDF5 1 ...)
- hdf5 <unfixed> (bug #1103542)
[trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/madao123123/crash_report/blob/main/hdf5_poc/hdf5_poc2.md
CVE-2025-2295 (EDK2 contains a vulnerability in BIOS where a user may cause an Intege ...)
- edk2 2025.02-4 (bug #1100594)
@@ -78275,6 +78314,7 @@ CVE-2025-2153 (A vulnerability, which was classified as critical, was found in H
- hdf5 <unfixed> (bug #1100440)
[trixie] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/HDFGroup/hdf5/issues/5329
NOTE: https://github.com/HDFGroup/hdf5/pull/5795
NOTE: https://github.com/HDFGroup/hdf5/commit/38954615fc079538aa45d48097625a6d76aceef0
=====================================
data/dla-needed.txt
=====================================
@@ -102,6 +102,10 @@ freeimage
NOTE: 20240922: Many postponed CVE.
NOTE: 20241202: still WIP (santiago)
--
+git-lfs
+ NOTE: 20251102: Added by Front-Desk (apo)
+ NOTE: 20251102: Fix may be partial due to git < 2.42 in bullseye.
+--
golang-github-gorilla-csrf
NOTE: 20250422: Added by Front-Desk (rouca)
NOTE: 20250422: Need to binNMU reverse depends (in that order): golang-github-alecthomas-chroma, golang-github-niklasfasching-go-org, golang-github-yuin-goldmark-highlighting, hugo (rouca)
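Review bot: `Fix may be partial due to git < 2.42 in bullseye.` is a useful caveat, but it does not say which part of the fix depends on the newer git; naming the CVE(s) this git-lfs entry tracks, or the git feature the upstream fix relies on, would let the eventual uploader decide whether a partial fix is acceptable or whether no-dsa/postponed is the better outcome.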
@@ -188,6 +192,9 @@ libsoup2.4
NOTE: 20250520: seems sensible. Or maybe someone else will have more luck
NOTE: 20250520: than me with getting the backported tests to run. (spwhitton)
--
+libwebsockets
+ NOTE: 20251102: Added by Front-Desk (apo)
+--
libxmltok
NOTE: 20250421: Added by Front-Desk (ta)
NOTE: 20250421: Also review all other expat CVEs. (bunk)
@@ -301,6 +308,11 @@ rails
NOTE: 20250621: rails DSA uploaded the last 6.1 release before EOL (2024-11)
NOTE: 20250621: 6.0 branch is EOL (2023-06) so all open CVEs need individual backport (Beuc)
--
+samba
+ NOTE: 20251102: Added by Front-Desk (apo)
+ NOTE: 20251102: Minor issue, but fixes are proposed for bookworm onwards
+ NOTE: 20251102: hence it makes sense to sync with these distributions.
+--
sogo
NOTE: 20240922: Added by Front-Desk (apo)
NOTE: 20240922: See also postponed issues.
@@ -324,6 +336,9 @@ trafficserver
NOTE: 20250403: There are multiple new CVEs. But none of them is addresses in Sid and maintainers didn't reply to me last time (dleidert)
NOTE: 20250405: DSA 5896-1 is out (Beuc/front-desk)
--
+unbound
+ NOTE: 20251102: Added by Front-Desk (apo)
+--
watcher
NOTE: 20250908: Added by Front-Desk (apo)
NOTE: 20250908: See also nova. (apo)
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5f166b41ed76d509efc4dad771897b36baff01bd...6e6e857b45c02bf6b5ce36dab8814414dcfdc63b