[Git][security-tracker-team/security-tracker][master] 3 commits: Directly link the single commit from merges for CVE-2025-64336

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri Nov 7 10:06:13 GMT 2025 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a3ed2fb4 by Salvatore Bonaccorso at 2025-11-07T10:35:20+01:00
Directly link the single commit from merges for CVE-2025-64336

- - - - -
ab619860 by Salvatore Bonaccorso at 2025-11-07T10:35:23+01:00
Consolidate formatting slightly

- - - - -
c24e2258 by Salvatore Bonaccorso at 2025-11-07T10:42:28+01:00
Link CVE-2025-58767 relating to CVE-2024-41123

>From upstream view the issue affects only 3.3.3 to 3.4.1. But it looks
the introducing commit (part of the CVE-2024-41123 fix) in 3.3.3 was
backported to older versions.

Make a link between the two CVEs.

Mark ruby2.7 as removed from unstable along as followup from
06a0c1361bbe ("CVE-2025-58767/ruby2.7: bullseye not-affected ->
postponed").

Thanks: Sylvain Beucler for spotting and raising the problem.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -11,8 +11,8 @@ CVE-2025-64336 (ClipBucket v5 is an open source video sharing platform. In versi
 CVE-2025-64329 (containerd is an open-source container runtime. Versions 1.7.28 and be ...)
 	- containerd <unfixed>
 	NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2
-	NOTE: https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df (v2.2.0)
-	NOTE: https://github.com/containerd/containerd/commit/e5cb6ddb7a7730c24253a94d7fdb6bbe13dba6f7 (v1.7.29)
+	NOTE: https://github.com/containerd/containerd/commit/a0d0f0ef68935338d2c710db164fa7820f692530 (v2.2.0)
+	NOTE: https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750 (v1.7.29)
 CVE-2025-64328 (FreePBX Endpoint Manager is a module for managing telephony endpoints  ...)
 	NOT-FOR-US: FreePBX Endpoint Manager
 CVE-2025-64327 (ThinkDashboard is a self-hosted bookmark dashboard built with Go and v ...)
@@ -17703,14 +17703,14 @@ CVE-2025-59304 (A directory traversal issue in Swetrix Web Analytics API 3.1.1 b
 CVE-2025-58767 (REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 h ...)
 	- ruby3.3 <unfixed> (bug #1115655)
 	- ruby3.1 <not-affected> (Vulnerable code not present)
-	- ruby2.7 <unfixed>
+	- ruby2.7 <removed>
 	[bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
 	- ruby-rexml <removed>
 	NOTE: https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/
 	NOTE: https://github.com/ruby/rexml/security/advisories/GHSA-c2f4-jgmc-q2r5
-	NOTE: https://github.com/ruby/rexml/commit/5859bdeac792687eaf93d8e8f0b7e3c1e2ed5c23 (v3.4.2)
-	NOTE: Vulnerable code probably imported through CVE-2024-35176 and CVE-2024-41123 backports
-	NOTE: The core issue appears to be 'source.rb:IOSource.match' reading the whole stream
+	NOTE: Fixed by: https://github.com/ruby/rexml/commit/5859bdeac792687eaf93d8e8f0b7e3c1e2ed5c23 (v3.4.2)
+	NOTE: Introduced with: https://github.com/ruby/rexml/commit/e2546e6ecade16b04c9ee528e5be8509fe16c2d6 (v3.3.3)
+	NOTE: Vulnerable code introduced via the fix for CVE-2024-41123.
 CVE-2025-58766 (Dyad is a local AI app builder. A critical security vulnerability has  ...)
 	NOT-FOR-US: Dyad
 CVE-2025-58432 (ZimaOS is a fork of CasaOS, an operating system for Zima devices and x ...)
@@ -30635,8 +30635,8 @@ CVE-2025-55279 (This vulnerability exists in ZKTeco WL20 due to hard-coded priva
 CVE-2025-55163 (Netty is an asynchronous, event-driven network application framework.  ...)
 	- netty <unfixed> (bug #1111105)
 	NOTE: https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4
-	NOTE: Fixed by [1/2] https://github.com/netty/netty/commit/be53dc3c9acd9af2e20d0c3c07cd77115a594cf1 (netty-4.1.124.Final)
-	NOTE: Fixed by [2/2] https://github.com/netty/netty/commit/009bd17b38a39fb1eecf9d22ea8ae8108afaac59 (netty-4.1.124.Final)
+	NOTE: Fixed by [1/2]: https://github.com/netty/netty/commit/be53dc3c9acd9af2e20d0c3c07cd77115a594cf1 (netty-4.1.124.Final)
+	NOTE: Fixed by [2/2]: https://github.com/netty/netty/commit/009bd17b38a39fb1eecf9d22ea8ae8108afaac59 (netty-4.1.124.Final)
 CVE-2025-55160 (ImageMagick is free and open-source software used for editing and mani ...)
 	- imagemagick 8:7.1.2.1+dfsg1-1 (bug #1111104; unimportant)
 	NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hgw-6x87-578x
@@ -143021,8 +143021,9 @@ CVE-2024-41123 (REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has
 	NOTE: https://github.com/ruby/rexml/security/advisories/GHSA-r55c-59qm-vjw6
 	NOTE: https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/
 	NOTE: https://github.com/ruby/rexml/issues/232#issuecomment-2585211411
-	NOTE: Fixed by commit [1/2] https://github.com/ruby/rexml/commit/6cac15d45864c8d70904baa5cbfcc97181000960 (v3.3.3)
-	NOTE: Fixed by commit [2/2] https://github.com/ruby/rexml/commit/e2546e6ecade16b04c9ee528e5be8509fe16c2d6 (v3.3.3)
+	NOTE: Fixed by [1/2]: https://github.com/ruby/rexml/commit/6cac15d45864c8d70904baa5cbfcc97181000960 (v3.3.3)
+	NOTE: Fixed by [2/2]: https://github.com/ruby/rexml/commit/e2546e6ecade16b04c9ee528e5be8509fe16c2d6 (v3.3.3)
+	NOTE: The fix for CVE-2024-41123 introduces CVE-2025-58767.
 CVE-2024-39839 (Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9. ...)
 	- mattermost-server <itp> (bug #823556)
 CVE-2024-39837 (Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly re ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/700ed577c13b9ed9816df8c7516530f5a9cdee02...c24e225896a7fba2b7949547e7ff2f7365ac1afd

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/700ed577c13b9ed9816df8c7516530f5a9cdee02...c24e225896a7fba2b7949547e7ff2f7365ac1afd
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20251107/2ec502ec/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list