[Git][security-tracker-team/security-tracker][master] 7 commits: add containerd

Thorsten Alteholz (@alteholz) alteholz at debian.org
Thu Nov 13 22:55:15 GMT 2025 


Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a4dd6008 by Thorsten Alteholz at 2025-11-13T23:54:55+01:00
add containerd

- - - - -
0e047a85 by Thorsten Alteholz at 2025-11-13T23:54:55+01:00
add pdfminer

- - - - -
96e9a818 by Thorsten Alteholz at 2025-11-13T23:54:58+01:00
limited support for golang-github-dvsekhvalnov-jose2go

- - - - -
e55928aa by Thorsten Alteholz at 2025-11-13T23:54:58+01:00
add calibre

- - - - -
3ca182cc by Thorsten Alteholz at 2025-11-13T23:54:59+01:00
mark CVE-2025-61224 as postponed for Bullseye

- - - - -
834b63ff by Thorsten Alteholz at 2025-11-13T23:55:02+01:00
mark CVE-2025-64500 as postponed for Bullseye

- - - - -
2d1a6f8f by Thorsten Alteholz at 2025-11-13T23:55:02+01:00
add openexr

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -364,6 +364,7 @@ CVE-2025-64500 (Symfony is a PHP framework for web and console applications and
 	- symfony <unfixed>
 	[trixie] - symfony <no-dsa> (Minor issue)
 	[bookworm] - symfony <no-dsa> (Minor issue)
+	[bullseye] - symfony <postponed> (Minor issue)
 	NOTE: https://github.com/advisories/GHSA-3rg7-wf37-54rm
 	NOTE: https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac (v5.4.50, v6.4.29, v7.3.7)
 CVE-2025-40208 (In the Linux kernel, the following vulnerability has been resolved:  m ...)
@@ -571,6 +572,7 @@ CVE-2025-63927 (A heap-use-after-free vulnerability exists in airpig2011 IEC104
 	NOT-FOR-US: airpig2011 IEC104
 CVE-2025-63811 (An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allow ...)
 	- golang-github-dvsekhvalnov-jose2go <unfixed>
+	[bullseye] - golang-github-dvsekhvalnov-jose2go <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://github.com/dvsekhvalnov/jose2go/issues/33
 CVE-2025-63679 (free5gc v4.1.0 and before is vulnerable to Buffer Overflow. When AMF r ...)
 	NOT-FOR-US: Free5gc
@@ -12853,6 +12855,7 @@ CVE-2025-61224 (Cross Site Scripting vulnerability in DokuWiki 2025-05-14a 'Libr
 	- dokuwiki <unfixed> (bug #1117531)
 	[trixie] - dokuwiki <no-dsa> (Minor issue)
 	[bookworm] - dokuwiki <no-dsa> (Minor issue)
+	[bullseye] - dokuwiki <postponed> (Minor issue)
 	NOTE: https://github.com/dokuwiki/dokuwiki/issues/4512
 	NOTE: Fixed by: https://github.com/dokuwiki/dokuwiki/commit/84f2d3156dbe7e95e360366199807c520b866e4f (release-2025-05-14b)
 CVE-2025-61198 (A stored cross-site scripting (XSS) vulnerability in Optimod 5950 - Op ...)
@@ -207475,7 +207478,7 @@ CVE-2023-50658 (The jose2go component before 1.6.0 for Go allows attackers to ca
 	- golang-github-dvsekhvalnov-jose2go <unfixed> (bug #1059507)
 	[trixie] - golang-github-dvsekhvalnov-jose2go <no-dsa> (Minor issue)
 	[bookworm] - golang-github-dvsekhvalnov-jose2go <no-dsa> (Minor issue)
-	[bullseye] - golang-github-dvsekhvalnov-jose2go <no-dsa> (Minor issue)
+	[bullseye] - golang-github-dvsekhvalnov-jose2go <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	[buster] - golang-github-dvsekhvalnov-jose2go <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://github.com/dvsekhvalnov/jose2go/commit/a4584e9dd7128608fedbc67892eba9697f0d5317 (v1.6.0)
 CVE-2023-50339 (Stored cross-site scripting vulnerability exists in the User Managemen ...)


=====================================
data/dla-needed.txt
=====================================
@@ -56,10 +56,16 @@ ca-certificates
   NOTE: 20250811: upload ca-certificates-java (rouca)
   NOTE: 20250811: wait for direction from security team about bookworm update first (rouca)
 --
+calibre
+  NOTE: 20251113: Added by Front-Desk (ta)
+--
 ckeditor
   NOTE: 20241002: Added by Front-Desk (Beuc)
   NOTE: 20241002: Multiple CVEs have been piling up (Beuc/front-desk)
 --
+containerd
+  NOTE: 20251113: Added by Front-Desk (ta)
+--
 dnsdist
   NOTE: 20250521: Added by Front-Desk (Beuc)
   NOTE: 20250521: Also fix postponed issue (Beuc/front-desk)
@@ -252,6 +258,10 @@ opencryptoki
   NOTE: 20250505: https://github.com/opencryptoki/opencryptoki/issues/731#issuecomment-1851436555
   NOTE: 20250505: Cf. #1104729 to determine whether to fix or ignore this in all dists (Beuc/front-desk)
 --
+openexr
+  NOTE: 20251113: Added by Front-Desk (ta)
+  NOTE: 20251113: probably not affected, but please recheck
+--
 p7zip
   NOTE: 20251020: Added by Front-Desk (dleidert)
   NOTE: 20251020: I disagree with the low-severity ratings; but finding the patches might be a hard (dleidert/front-desk)
@@ -268,6 +278,9 @@ pagure (dleidert)
   NOTE: 20250216: The second issue is outside of my field of expertise. Returning to pool and send message to list (dleidert)
   NOTE: 20250217: Upcoming DSA, coordinate with security team (Beuc/front-desk)
 --
+pdfminer
+  NOTE: 20251113: Added by Front-Desk (ta)
+--
 php-laravel-framework
   NOTE: 20250307: Added by Front-Desk (rouca)
   NOTE: 20251027: History of upstream branch fixing v12: git log 9de75259..2d133034^2.



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e4627c522532dbd3b4c8baac9e63029ca0d8b8dc...2d1a6f8fc38b8b125cd2da7471f8b31d8721b1dc

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e4627c522532dbd3b4c8baac9e63029ca0d8b8dc...2d1a6f8fc38b8b125cd2da7471f8b31d8721b1dc
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20251113/d0f4a3b2/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list