[Git][security-tracker-team/security-tracker][master] Add CVE-2025-66019/pypdf and update notes for CVE-2025-62708

Salvatore Bonaccorso (@carnil) carnil at debian.org
Wed Nov 26 08:53:29 GMT 2025 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d760d2f1 by Salvatore Bonaccorso at 2025-11-26T09:50:32+01:00
Add CVE-2025-66019/pypdf and update notes for CVE-2025-62708

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -65,7 +65,11 @@ CVE-2025-66021 (OWASP Java HTML Sanitizer is a configureable HTML Sanitizer writ
 CVE-2025-66020 (Valibot helps validate data using a schema. In versions from 0.31.0 to ...)
 	NOT-FOR-US: Valibot
 CVE-2025-66019 (pypdf is a free and open-source pure-python PDF library. Prior to vers ...)
-	TODO: check
+	- pypdf <not-affected> (Vulnerable code introduced later)
+	NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-m449-cwjh-6pw7
+	NOTE: Fixed by: https://github.com/py-pdf/pypdf/commit/96186725e5e6f237129a58a97cd19204a9ce40b2 (6.4.0)
+	NOTE: This is a followup to GHSA-jfx9-29x2-rv3j (CVE-2025-62708) to align the
+	NOTE: default limit with the one for zlib.
 CVE-2025-65963 (Files is a module for managing files inside spaces and user profiles.  ...)
 	TODO: check
 CVE-2025-65957 (Core Bot Is an Open Source discord bot made for maple hospital servers ...)
@@ -9408,6 +9412,8 @@ CVE-2025-62708 (pypdf is a free and open-source pure-python PDF library. Prior t
 	NOTE: https://github.com/py-pdf/pypdf/pull/3502
 	NOTE: Introduced with: https://github.com/py-pdf/pypdf/commit/e825ac07ea89c78962646245e348b934d48f9629 (5.1.0)
 	NOTE: Fixed by: https://github.com/py-pdf/pypdf/commit/e51d07807ffcdaf18077b9486dadb3dc05b368da (6.1.3)
+	NOTE: When fixing this issue make sure to adjust the limits according to the followup
+	NOTE: GHSA-m449-cwjh-6pw7 / CVE-2025-66019 to not open up CVE-2025-66019
 CVE-2025-62707 (pypdf is a free and open-source pure-python PDF library. Prior to vers ...)
 	- pypdf <unfixed> (bug #1118755)
 	[trixie] - pypdf <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d760d2f195b1c7f7f3835a77251a4d37c26fc485

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d760d2f195b1c7f7f3835a77251a4d37c26fc485
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20251126/837925b8/attachment.htm>

More information about the debian-security-tracker-commits mailing list