[Git][security-tracker-team/security-tracker][master] bookworm/trixie triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Oct 6 09:18:07 BST 2025



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f6227a6b by Moritz Muehlenhoff at 2025-10-06T10:17:32+02:00
bookworm/trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -142,14 +142,20 @@ CVE-2025-11278 (A security vulnerability has been detected in AllStarLink Superm
 	NOT-FOR-US: AllStarLink Supermon
 CVE-2025-11277 (A weakness has been identified in Open Asset Import Library Assimp 6.0 ...)
 	- assimp <unfixed>
+	[trixie] - assimp <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bookworm] - assimp <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://github.com/assimp/assimp/issues/6358
 CVE-2025-11276 (A security flaw has been discovered in Rebuild up to 4.1.3. Affected b ...)
 	NOT-FOR-US: Rebuild
 CVE-2025-11275 (A vulnerability was identified in Open Asset Import Library Assimp 6.0 ...)
 	- assimp <unfixed>
+	[trixie] - assimp <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bookworm] - assimp <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://github.com/assimp/assimp/issues/6357
 CVE-2025-11274 (A vulnerability was determined in Open Asset Import Library Assimp 6.0 ...)
 	- assimp <unfixed>
+	[trixie] - assimp <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bookworm] - assimp <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://github.com/assimp/assimp/issues/6356
 CVE-2025-11273 (A vulnerability was found in LaChatterie Verger up to 1.2.10. This imp ...)
 	NOT-FOR-US: LaChatterie Verger
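Review bot: The three new assimp postponed markings sit on entries whose `- assimp <unfixed>` lines carry no `(bug #...)` reference, unlike the poppler and vips entries later in this file; if a Debian bug has been (or will be) filed for these upstream issues, adding it here keeps the postponed items easy to find when they are revisited after an upstream fix.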
@@ -1655,6 +1661,8 @@ CVE-2025-59148 (Suricata is a network IDS, IPS and NSM engine developed by the O
 	NOTE: https://redmine.openinfosecfoundation.org/issues/7838
 CVE-2025-59147 (Suricata is a network IDS, IPS and NSM engine developed by the OISF (O ...)
 	- suricata 1:8.0.1-1
+	[trixie] - suricata <no-dsa> (Minor issue)
+	[bookworm] - suricata <no-dsa> (Minor issue)
 	NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-v8hv-6v7x-4c2r
 	NOTE: https://github.com/OISF/suricata/commit/be6315dba0d9101b11d16e9dacfe2822b3792f1b (suricata-8.0.1)
 	NOTE: https://github.com/OISF/suricata/commit/e91b03c90385db15e21cf1a0e85b921bf92b039e (suricata-7.0.12)
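Review bot: The new trixie/bookworm no-dsa lines give only "Minor issue" as rationale, while the NOTE lines already distinguish a suricata-7.0.12 fix commit from a suricata-8.0.1 one; noting which commit applies to the version shipped in each suite (or that the suite version is unaffected) would spare the next triager re-deriving it when a point update is considered.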
@@ -1695,6 +1703,8 @@ CVE-2025-43826 (Stored cross-site scripting (XSS) vulnerabilities in Web Content
 	NOT-FOR-US: Liferay
 CVE-2025-43718 (Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption a ...)
 	- poppler 25.03.0-10 (bug #1117046)
+	[trixie] - poppler <no-dsa> (Minor issue)
+	[bookworm] - poppler <no-dsa> (Minor issue)
 	[bullseye] - poppler <postponed> (minor issue)
 	NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/f54b815672117c250420787c8c006de98e8c7408 (poppler-25.04.0)
 CVE-2025-41421 (Improper handling of symbolic links in the TeamViewer Full Client and  ...)
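Review bot: The new trixie and bookworm lines use `<no-dsa>` while the existing bullseye line keeps `<postponed>` with the same "minor issue" rationale; since no-dsa leaves the fix open for a point release whereas postponed defers it until another DSA, confirm the difference is intentional rather than a copy of the template, and consider matching the capitalisation ("Minor issue" vs "minor issue") so the three suite lines read alike.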
@@ -2818,6 +2828,8 @@ CVE-2025-59937 (go-mail is a comprehensive library for sending mails with Go. In
 	NOT-FOR-US: go-mail
 CVE-2025-59933 (libvips is a demand-driven, horizontally threaded image processing lib ...)
 	- vips <unfixed> (bug #1117049)
+	[trixie] - vips <no-dsa> (Minor issue)
+	[bookworm] - vips <no-dsa> (Minor issue)
 	[bullseye] - vips <postponed> (minor issue; low impact, workaround exists)
 	NOTE: https://github.com/libvips/libvips/security/advisories/GHSA-q8px-4w5q-c2r4
 	NOTE: https://github.com/libvips/libvips/commit/a58bfae9223a5466cc81ba9fe6dfb08233cf17d1 (v8.17.2)
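Review bot: The bullseye line already records a more useful rationale ("low impact, workaround exists") than the bare "Minor issue" on the new trixie/bookworm lines; carrying that reasoning onto the new entries, and again checking that `<no-dsa>` rather than `<postponed>` is the intended status for the newer suites, would make the triage consistent across all three suites.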
@@ -3126,6 +3138,7 @@ CVE-2025-11103 (A security vulnerability has been detected in Projectworlds Onli
 	NOT-FOR-US: Projectworlds Online Tours and Travels
 CVE-2025-11065 [May Leak Sensitive Information in Logs]
 	- golang-github-go-viper-mapstructure <unfixed> (bug #1116584)
+	[trixie] - golang-github-go-viper-mapstructure <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2391829
 	NOTE: https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm
 	NOTE: https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c (v2.4.0)
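Review bot: Only trixie gets a marking here and no `[bookworm]` line is added; if bookworm does not ship golang-github-go-viper-mapstructure (or ships an unaffected version) an explicit `<not-affected>` line would record that, otherwise the bookworm status is still open. The bracketed title `[May Leak Sensitive Information in Logs]` also indicates the CVE description has not been pulled in yet.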
@@ -3476,6 +3489,7 @@ CVE-2025-59843 (Flag Forge is a Capture The Flag (CTF) platform. From versions 2
 	NOT-FOR-US: Flag Forge
 CVE-2025-59842 (jupyterlab is an extensible environment for interactive and reproducib ...)
 	- jupyterlab <unfixed>
+	[trixie] - jupyterlab <no-dsa> (Minor issue)
 	NOTE: https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-vvfj-2jqx-52jm
 	NOTE: https://github.com/jupyterlab/jupyterlab/commit/88ef373039a8cc09f27d3814382a512d9033675c
 CVE-2025-59362 (Squid through 7.1 mishandles ASN.1 encoding of long SNMP OIDs. This oc ...)
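Review bot: As with the mapstructure entry, only `[trixie]` is marked no-dsa and bookworm is left untriaged; add a `[bookworm]` line (no-dsa, not-affected, or whatever applies). The fix commit NOTE also lacks the fixing release in parentheses that the other entries in this commit use (e.g. `(v8.17.2)`, `(suricata-8.0.1)`), which would help when checking whether a point update can pick it up.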


=====================================
data/dsa-needed.txt
=====================================
@@ -64,6 +64,8 @@ python-django
 python-internetarchive
   Antoine followed up on #1114635, prepared debdiffs for review
 --
+redis
+--
 rtpengine
   Victor Seva prepared a debdiff for trixie-security for review, bookworm-security debdiff missing
 --
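Review bot: The new `redis` entry is added with no status line, whereas neighbouring entries such as python-internetarchive and rtpengine record who is working on it and what is pending; adding a line with the CVE ids covered and the current state (unclaimed, debdiff in progress, etc.) keeps the dsa-needed list actionable for the team.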



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6227a6b74f88b7f8d855d86239c4e747819cf26




