[Git][security-tracker-team/security-tracker][master] 4 commits: dla: drop sogo
Sylvain Beucler (@beuc)
gitlab at salsa.debian.org
Sat Nov 8 10:05:45 GMT 2025
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
24b9f521 by Sylvain Beucler at 2025-11-08T11:05:27+01:00
dla: drop sogo
Re-add when there's bookworm activity
- - - - -
da2a705a by Sylvain Beucler at 2025-11-08T11:05:30+01:00
dla: drop node-prismjs
1 no-dsa issue
- - - - -
66d1b782 by Sylvain Beucler at 2025-11-08T11:05:32+01:00
dla: drop node-axios
2 no-dsa issues
- - - - -
63e9ef03 by Sylvain Beucler at 2025-11-08T11:05:32+01:00
dla: drop knot-resolver
Only no-dsa and ignored CVEs; it was already the case at 591e4eaa3a81b4bf83881fb2bdbaf4b103259432 so not sure why it was added
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -21086,6 +21086,7 @@ CVE-2025-58754 (Axios is a promise based HTTP client for the browser and Node.js
- node-axios 1.12.1+dfsg-1 (bug #1114963)
[trixie] - node-axios <no-dsa> (Minor issue)
[bookworm] - node-axios <no-dsa> (Minor issue)
+ [bullseye] - node-axios <postponed> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj
NOTE: https://github.com/axios/axios/pull/7011
NOTE: https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593 (v1.12.0)
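Review bot: The new `[bullseye] - node-axios <postponed> (Minor issue)` line uses `<postponed>` where the trixie and bookworm lines above it use `<no-dsa>`; that is the right state if the intent is to fold the fix into the next bullseye update of node-axios, since the tracker distinguishes postponed issues (to be fixed with a future update of the package) from plain no-dsa ones. Consider saying so in the reason field, e.g. `(Minor issue; fix with next node-axios update)`, so the difference from the bookworm line is self-explanatory.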
@@ -80652,6 +80653,7 @@ CVE-2025-27518 (Cognita is a RAG (Retrieval Augmented Generation) Framework for
CVE-2025-27152 (axios is a promise based HTTP client for the browser and node.js. The ...)
- node-axios 1.8.4+dfsg-1 (bug #1102223)
[bookworm] - node-axios <no-dsa> (Minor issue)
+ [bullseye] - node-axios <postponed> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6
NOTE: Similar to: https://github.com/axios/axios/issues/6463 (CVE-2024-39338)
CVE-2025-26643 (The UI performs the wrong action in Microsoft Edge (Chromium-based) al ...)
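Review bot: The bullseye line for CVE-2025-27152 reuses the `(Minor issue)` reason of the bookworm line, while the adjacent NOTE says the issue is similar to CVE-2024-39338; if that earlier issue was handled differently for bullseye, it would be worth mirroring that decision here, or citing it in the reason, so two closely related CVEs do not end up in different states for the same suite.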
@@ -82678,6 +82680,7 @@ CVE-2024-53382 (Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with r
- node-prismjs 1.30.0+dfsg+~1.26.5-1 (bug #1099619)
[trixie] - node-prismjs <no-dsa> (Minor issue)
[bookworm] - node-prismjs <no-dsa> (Minor issue)
+ [bullseye] - node-prismjs <postponed> (Minor issue)
NOTE: https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660
NOTE: https://github.com/PrismJS/prism/issues/3864
NOTE: https://github.com/PrismJS/prism/pull/3863 (v1.30.0)
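Review bot: For CVE-2024-53382 the only references are the upstream issue, the PR in v1.30.0 and a gist; since prism is a client-side library that other packages may ship as bundled JavaScript, a NOTE stating whether any reverse dependencies embed their own copy would help the bullseye maintainer judge whether `<postponed>` on node-prismjs alone covers the suite. Consider adding that beside the existing upstream references.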
@@ -134566,6 +134569,7 @@ CVE-2024-27364 (An issue was discovered in Mobile Processor, Wearable Processor
NOT-FOR-US: Samsung
CVE-2024-24510 (Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows ...)
- sogo 5.10.0-1
+ [bullseye] - sogo <postponed> (Follow bookworm updates)
NOTE: Fixed by: https://github.com/Alinto/sogo/commit/21468700718ed71774eaf2979ee59330fc569424 (SOGo-5.10.0)
CVE-2023-50883 (ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an immediat ...)
NOT-FOR-US: ONLYOFFICE Docs
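Review bot: The reason `(Follow bookworm updates)` on the new bullseye line refers to bookworm, yet no `[bookworm]` annotation for CVE-2024-24510 is visible in this hunk, so bookworm's state for this XSS is presumably still open; that matches the commit message (`Re-add when there's bookworm activity`), but recording it explicitly, e.g. a NOTE line saying bullseye is to be fixed alongside the bookworm update, would spare a later reader of data/CVE/list from having to consult the dla-needed history.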
=====================================
data/dla-needed.txt
=====================================
@@ -156,11 +156,6 @@ jackson-core
NOTE: 20250707: Added by Front-Desk (apo)
NOTE: 20251016: A single patch is not possible to apply to fix the CVE. I'm working on backporting more than one.
--
-knot-resolver
- NOTE: 20240924: Added by Front-Desk (lamby)
- NOTE: 20250506: Writting to upstream to get a PoC to reproduce open CVEs.
- NOTE: 20250522: Processing some tips received by upstream to try to reproduce CVE. Still working on the patches.
---
lasso (abhijith)
NOTE: 20251108: Added by Front-Desk (Beuc)
NOTE: 20251108: CVE-2025-47151 is a critical RCE (Beuc/front-desk)
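Review bot: The removed knot-resolver block still carries two 2025 progress notes (`20250506: Writting to upstream to get a PoC to reproduce open CVEs.` and `20250522: ... Still working on the patches.`) that record in-flight work, while the commit message says the package only has no-dsa and ignored CVEs; before dropping the entry it would be worth confirming with whoever left those notes (no claimant name is recorded on the entry) that the backporting effort has stopped, or moving the notes to the relevant CVE entries in data/CVE/list so the context is not lost.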
@@ -239,12 +234,6 @@ nagvis
netty (rouca)
NOTE: 20250814: Added by Front-Desk (lamby)
--
-node-axios
- NOTE: 20250308: Added by Front-Desk (rouca)
---
-node-prismjs
- NOTE: 20250303: Added by Front-Desk (rouca)
---
nova
NOTE: 20250908: Added by Front-Desk (apo)
NOTE: 20250908: See also watcher. Consider fixing postponed issues and sync
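Review bot: Both removed entries (`node-axios`, `node-prismjs`) hold only their `Added by Front-Desk (rouca)` line from March 2025 and no claimant or progress notes, so nothing in flight is lost by dropping them, and the counterpart `<postponed>` annotations in data/CVE/list keep the issues tracked for bullseye. It would still help to add a short NOTE to those CVE entries giving the date they were dropped from dla-needed, since the dla-needed history is otherwise the only place showing they were ever listed.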
@@ -341,11 +330,6 @@ samba
NOTE: 20251102: hence it makes sense to sync with these distributions. (apo/front-desk)
NOTE: 20251107: Upcoming trixie SPU https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119136 (Beuc/front-desk)
--
-sogo
- NOTE: 20240922: Added by Front-Desk (apo)
- NOTE: 20240922: See also postponed issues.
- NOTE: 20250609: Please take care of vulnerable embed js (rouca)
---
squid (rouca)
NOTE: 20251027: Added by Front-Desk (pochu)
--
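Review bot: The removed sogo block contains an action item that is not reflected anywhere else in this diff: `NOTE: 20250609: Please take care of vulnerable embed js (rouca)`. Dropping the entry discards that reminder together with the pointer `See also postponed issues.`; consider carrying the embedded-JS note over to the sogo CVE entries in data/CVE/list, or into the NOTE written when the package is re-added, so the bundled-JavaScript concern is still visible once bookworm activity resumes.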
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/98293eec01e2864ba4d7d95a0e6479213ea76a1f...63e9ef034af0f194567bfa906ea57fabd72bc426