[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Oct 6 16:41:59 BST 2025



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ea6785e1 by Moritz Muehlenhoff at 2025-10-06T17:41:48+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1113,17 +1113,24 @@ CVE-2025-27231 (The LDAP 'Bind password' value cannot be read after saving, but
 	NOTE: Fixed in: 6.0.41, 7.0.18, 7.2.12, 7.4.2
 CVE-2025-11234 (A flaw was found in QEMU. If the QIOChannelWebsock object is freed whi ...)
 	- qemu <unfixed> (bug #1117153)
+	[trixie] - qemu <no-dsa> (Minor issue)
+	[bookworm] - qemu <no-dsa> (Minor issue)
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2025-09/msg06566.html
 CVE-2025-11223 (Installer of   Panasonic   AutoDownloader      version 1.2.8 contains  ...)
 	NOT-FOR-US: Panasonic
 CVE-2025-10729 (The module will parse a <pattern> node which is not a child of a struc ...)
 	- qt6-svg <unfixed> (bug #1117445)
+	[trixie] - qt6-svg <no-dsa> (Minor issue)
+	[bookworm] - qt6-svg <no-dsa> (Minor issue)
 	- qtsvg-opensource-src <unfixed> (bug #1117446)
+	[trixie] - qtsvg-opensource-src <no-dsa> (Minor issue)
+	[bookworm] - qtsvg-opensource-src <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://codereview.qt-project.org/c/qt/qtsvg/+/676473
 	NOTE: Fixed by: https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=7e8898903265d931df0aa54b3913f2c49d4d7bf2 (dev)
 	NOTE: Fixed by: https://code.qt.io/cgit/qt/qtsvg.git/commit/?id=6a6273126770006232e805cf1631f93d4919b788 (v6.9.3)
 CVE-2025-10728 (When the module renders a Svg file that contains a <pattern> element,  ...)
 	- qt6-svg <unfixed> (bug #1117447)
+	[trixie] - qt6-svg <no-dsa> (Minor issue)
 	[bookworm] - qt6-svg <not-affected> (Vulnerable code introduced later)
 	- qtsvg-opensource-src <not-affected> (Vulnerable code introduced later)
 	NOTE: https://bugreports.qt.io/browse/QTBUG-137553
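Review bot: The two new qemu lines under CVE-2025-11234 give only "Minor issue" as the <no-dsa> reason, while the description on that entry speaks of the QIOChannelWebsock object being freed. A short rationale in the parentheses saying why the impact is limited would let a later reader see why trixie and bookworm need no DSA. The qt6-svg change for CVE-2025-10728 is consistent as written: only [trixie] is added because [bookworm] is already <not-affected>.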
@@ -2917,6 +2924,8 @@ CVE-2025-11163 (The SmartCrawl SEO checker, analyzer & optimizer plugin for Word
 	NOT-FOR-US: WordPress plugin
 CVE-2025-11149 (This affects all versions of the package node-static; all versions of  ...)
 	- node-static <unfixed>
+	[trixie] - node-static <no-dsa> (Minor issue)
+	[bookworm] - node-static <no-dsa> (Minor issue)
 	NOTE: https://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67 (v0.1.0)
 CVE-2025-11148 (All versions of the package check-branches are vulnerable to Command I ...)
 	TODO: check
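Review bot: The unstable line for CVE-2025-11149, "- node-static <unfixed>", carries no bug reference, unlike the other <unfixed> entries touched in this commit. With trixie and bookworm now both marked <no-dsa>, nothing on the package side tracks the fix; consider filing a bug and adding the "(bug #NNNNNN)" annotation (placeholder number) to that line.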
@@ -4139,6 +4148,7 @@ CVE-2025-57353 (The Runtime components of messageformat package for Node.js prio
 	NOT-FOR-US: messageformat package for Node.js
 CVE-2025-57352 (A vulnerability exists in the 'min-document' package prior to version  ...)
 	- node-min-document <unfixed> (bug #1116340)
+	[trixie] - node-min-document <no-dsa> (Minor issue)
 	NOTE: https://github.com/Raynos/min-document/issues/54
 CVE-2025-57351 (A prototype pollution vulnerability exists in the ts-fns package versi ...)
 	NOT-FOR-US: ts-fns package for Node.js
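Review bot: CVE-2025-57352 gets a [trixie] line for node-min-document but no [bookworm] line, whereas the other packages triaged in this commit get both unless bookworm already has a status. If bookworm ships node-min-document, add the matching "[bookworm] - node-min-document <no-dsa> (Minor issue)" line, or record on the entry why bookworm is left out.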
@@ -4461,6 +4471,8 @@ CVE-2025-56146 (Indian Bank IndSMART Android App 3.8.1 is vulnerable to Missing
 	NOT-FOR-US: Indian Bank IndSMART Android App
 CVE-2025-55780 (A null pointer dereference occurs in the function break_word_for_overf ...)
 	- mupdf <unfixed> (bug #1116254)
+	[trixie] - mupdf <no-dsa> (Minor issue)
+	[bookworm] - mupdf <no-dsa> (Minor issue)
 	[bullseye] - mupdf <postponed> (minor issue; DoS)
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=708720
 	NOTE: Fixed by: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=bdd5d241748807378a78a622388e0312332513c5


=====================================
data/dsa-needed.txt
=====================================
@@ -84,6 +84,8 @@ tomcat10/oldstable (apo)
 --
 tomcat11/stable (apo)
 --
+valkey/stable
+--
 webkit2gtk (berto)
 --
 wordpress
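Review bot: The new valkey/stable entry has no assignee and nothing saying which issue prompted it, and no valkey entry is touched in the data/CVE/list part of this commit. A short note under the entry naming the CVE(s) would help whoever picks it up; also worth confirming whether oldstable needs its own entry, as tomcat10/oldstable has above.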



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea6785e1430e961819c5600161a92791acd5eb6f
