[Git][security-tracker-team/security-tracker][master] bookworm/trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Nov 11 15:22:07 GMT 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
23ef4cdb by Moritz Muehlenhoff at 2025-11-11T16:21:39+01:00
bookworm/trixie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -28478,10 +28478,7 @@ CVE-2025-52352 (Aikaan IoT management platform v3.25.0325-5-g2e9c59796 provides
CVE-2025-52351 (Aikaan IoT management platform v3.25.0325-5-g2e9c59796 sends a newly g ...)
NOT-FOR-US: Aikaan IoT management platform
CVE-2025-52194 (A buffer overflow vulnerability exists in libsndfile version 1.2.2 and ...)
- - libsndfile <unfixed> (bug #1111876)
- [trixie] - libsndfile <no-dsa> (Minor issue)
- [bookworm] - libsndfile <no-dsa> (Minor issue)
- [bullseye] - libsndfile <postponed> (Minor issue, possibly not-affected)
+ NOTE: Not reproducible report against libsndfile, was also filed as bug #1111876
NOTE: https://github.com/libsndfile/libsndfile/issues/1082
CVE-2025-51989 (HTML injection vulnerability in the registration interface in Evolutio ...)
NOT-FOR-US: HRmaster
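Review bot: for CVE-2025-52194 the hunk removes every libsndfile package line (unstable, trixie, bookworm, bullseye) and leaves only NOTE lines, so the entry no longer names the source package in package-line form and bug #1111876 survives only as free text inside the new NOTE. If the report is not reproducible, consider keeping a libsndfile line with a not-affected or unimportant marking and the bug reference, so the entry stays attached to the package. The bullseye line is dropped as well, which the "bookworm/trixie triage" subject does not mention.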
@@ -37963,7 +37960,7 @@ CVE-2025-30477 (Dell PowerScale OneFS, versions prior to 9.11.0.0, contains a us
CVE-2025-30192 (An attacker spoofing answers to ECS enabled requests sent out by the R ...)
[experimental] - pdns-recursor 5.2.4-1
- pdns-recursor 5.2.4-2 (bug #1109808)
- [bookworm] - pdns-recursor <no-dsa> (Minor issue; can be fixed via point release update)
+ [bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (No longer supported with security updates in Bullseye)
NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html
CVE-2025-2301 (Authorization Bypass Through User-Controlled Key vulnerability in Akbi ...)
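Review bot: on the new [bookworm] line for pdns-recursor, the reason "(see DSA 6045)" forces a lookup, whereas the adjacent bullseye line states its reason inline. Suggest saying in the parenthesis why the package is end-of-life in bookworm and keeping the DSA reference after that text.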
@@ -38166,8 +38163,8 @@ CVE-2025-53770 (Deserialization of untrusted data in on-premises Microsoft Share
NOT-FOR-US: Microsoft
CVE-2025-XXXX [exposes .zip passwords while (un)archiving]
- krusader <unfixed> (bug #1108942)
- [trixie] - krusader <no-dsa> (Minor issue, revisit when fixed upstream)
- [bookworm] - krusader <no-dsa> (Minor issue, revisit when fixed upstream)
+ [trixie] - krusader <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - krusader <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - krusader <postponed> (Minor issue)
CVE-2025-7853 (A vulnerability was found in Tenda FH451 1.0.0.9. It has been rated as ...)
NOT-FOR-US: Tenda
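Review bot: the trixie and bookworm lines now read <postponed> with "revisit when fixed upstream", but the entry is still a CVE-2025-XXXX placeholder and the visible lines reference only Debian bug #1108942. A NOTE pointing at the upstream report would give whoever revisits the entry something to check against. The bullseye line's shorter "(Minor issue)" reason could be aligned with the other two at the same time.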
@@ -315636,11 +315633,7 @@ CVE-2022-33065 (Multiple signed integers overflow in function au_read_header in
NOTE: https://github.com/libsndfile/libsndfile/issues/789
NOTE: https://github.com/libsndfile/libsndfile/commit/0754562e13d2e63a248a1c82f90b30bc0ffe307c
CVE-2022-33064 (An off-by-one error in function wav_read_header in src/wav.c in Libsnd ...)
- - libsndfile <unfixed> (bug #1051890)
- [trixie] - libsndfile <postponed> (Minor issue, revisit when fixed upstream)
- [bookworm] - libsndfile <postponed> (Minor issue, revisit when fixed upstream)
- [bullseye] - libsndfile <no-dsa> (Minor issue)
- [buster] - libsndfile <no-dsa> (Minor issue)
+ NOTE: Non issue in libsndfile, was also filed as bug #1051890
NOTE: https://github.com/libsndfile/libsndfile/issues/832
NOTE: Upstream disputes issue as possible false-positive:
NOTE: https://github.com/libsndfile/libsndfile/issues/832#issuecomment-1702253852 ff
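Review bot: the added NOTE for CVE-2022-33064 states "Non issue in libsndfile", while the NOTE kept two lines below still says upstream disputes it as a "possible false-positive". Suggest aligning the two, or citing in the new NOTE what settled the question, since all five package lines (including bullseye and buster, outside the bookworm/trixie scope of the subject) are removed on the strength of it.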
@@ -382568,7 +382561,7 @@ CVE-2021-3618 (ALPACA is an application layer protocol content confusion attack,
[bullseye] - nginx 1.18.0-6.1+deb11u2
[stretch] - nginx <no-dsa> (Minor issue)
- vsftpd 3.0.5-0.1 (bug #991329)
- [bookworm] - vsftpd <no-dsa> (Minor issue)
+ [bookworm] - vsftpd <ignored> (Minor issue)
[bullseye] - vsftpd <no-dsa> (Minor issue)
[buster] - vsftpd <no-dsa> (Minor issue)
[stretch] - vsftpd <no-dsa> (Minor issue)
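Review bot: the [bookworm] vsftpd line moves from <no-dsa> to <ignored> but keeps the reason "(Minor issue)", which does not say why a fix that exists in 3.0.5-0.1 will not be backported. Suggest a more specific reason on the ignored line. The bullseye, buster and stretch lines stay at <no-dsa>, so the releases now disagree for the same issue; worth confirming that is intended.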
@@ -426361,7 +426354,7 @@ CVE-2020-29583 (Firmware version 4.60 of Zyxel USG devices contains an undocumen
NOT-FOR-US: Zyxel
CVE-2020-29582 (In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for ...)
- kotlin 1.3.31+ds1-3 (bug #1001037)
- [bookworm] - kotlin <no-dsa> (Minor issue)
+ [bookworm] - kotlin <ignored> (Minor issue)
NOTE: https://youtrack.jetbrains.com/issue/KT-42181 (not public)
CVE-2020-29581 (The official spiped docker images before 1.5-alpine contain a blank pa ...)
NOT-FOR-US: spiped Docker images
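Review bot: on the [bookworm] kotlin line, <ignored> is paired with the unchanged "(Minor issue)" text, and the only reference in the entry is marked "not public", so a reader has nothing to judge the decision by. Suggest stating in the parenthesis the concrete reason the issue will not be fixed in bookworm.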
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23ef4cdb67f8a48e16e7f6ed06642ba61a6ee2fd