[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sat Oct 25 17:30:20 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
1ae1c8ab by Moritz Muehlenhoff at 2025-10-25T18:29:54+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -90,6 +90,8 @@ CVE-2025-10488 (The Directorist: AI-Powered Business Directory Plugin with Class
NOT-FOR-US: WordPress plugin
CVE-2025-52099 (Integer Overflow vulnerability in SQLite SQLite3 v.3.50.0 allows a rem ...)
- sqlite3 <unfixed>
+ [trixie] - sqlite3 <no-dsa> (Minor issue)
+ [bookworm] - sqlite3 <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2406257
NOTE: https://github.com/SCREAMBBY/CVE-2025-52099
CVE-2025-8536 (A SQL injection vulnerability has been identified in DobryCMS. Imprope ...)
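Review bot: the sqlite3 entry records no fixing upstream commit, unlike the fontforge and pypdf entries elsewhere in this commit that carry a "Fixed by:" NOTE; with the package still <unfixed> in unstable, adding the upstream fix reference (or a NOTE that upstream has not yet fixed it) would let the <no-dsa> (Minor issue) rating for trixie and bookworm be revisited once a fix lands. The bugzilla.redhat.com and PoC-repository links alone do not say whether a fix exists.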
@@ -373,6 +375,7 @@ CVE-2025-62710 (Sakai is a Collaboration and Learning Environment. Prior to vers
NOT-FOR-US: Sakai
CVE-2025-62708 (pypdf is a free and open-source pure-python PDF library. Prior to vers ...)
- pypdf <unfixed> (bug #1118756)
+ [trixie] - pypdf <no-dsa> (Minor issue)
[bookworm] - pypdf <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-jfx9-29x2-rv3j
NOTE: https://github.com/py-pdf/pypdf/pull/3502
@@ -380,6 +383,7 @@ CVE-2025-62708 (pypdf is a free and open-source pure-python PDF library. Prior t
NOTE: Fixed by: https://github.com/py-pdf/pypdf/commit/e51d07807ffcdaf18077b9486dadb3dc05b368da (6.1.3)
CVE-2025-62707 (pypdf is a free and open-source pure-python PDF library. Prior to vers ...)
- pypdf <unfixed> (bug #1118755)
+ [trixie] - pypdf <no-dsa> (Minor issue)
[bookworm] - pypdf <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-vr63-x8vc-m265
NOTE: https://github.com/py-pdf/pypdf/pull/3501
@@ -475,13 +479,19 @@ CVE-2025-53701 (Vilar VS-IPC1002 IP cameras are vulnerable to Reflected XSS (Cro
NOT-FOR-US: Vilar VS-IPC1002 IP cameras
CVE-2025-50951 (FontForge v20230101 was discovered to contain a memory leak via the ut ...)
- fontforge <unfixed> (bug #1118749)
+ [trixie] - fontforge <no-dsa> (Minor issue)
+ [bookworm] - fontforge <no-dsa> (Minor issue)
NOTE: https://github.com/fontforge/fontforge/pull/5495
NOTE: Fixed by: https://github.com/fontforge/fontforge/commit/dcb6efb85030c4bee2f18c6e46c20561d1c77a2b (20251009)
CVE-2025-50950 (Audiofile v0.3.7 was discovered to contain a NULL pointer dereference ...)
- audiofile <unfixed>
+ [trixie] - audiofile <no-dsa> (Minor issue)
+ [bookworm] - audiofile <no-dsa> (Minor issue)
NOTE: https://github.com/mpruett/audiofile/issues/66
CVE-2025-50949 (FontForge v20230101 was discovered to contain a memory leak via the co ...)
- fontforge <unfixed> (bug #1118748)
+ [trixie] - fontforge <no-dsa> (Minor issue)
+ [bookworm] - fontforge <no-dsa> (Minor issue)
NOTE: https://github.com/fontforge/fontforge/pull/5491
NOTE: Fixed by: https://github.com/fontforge/fontforge/commit/da98987fa8c896fce9a7813923f4f1c75b0d8cd3 (20251009)
CVE-2025-48430 (Uncaught Exception (CWE-248) in the Command Centre Server allows an Au ...)
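Review bot: the line "- audiofile <unfixed>" carries no Debian bug reference, while the two fontforge entries in the same hunk do (bug #1118749, bug #1118748); since <no-dsa> for both releases means the fix is expected to arrive through a regular upload, recording a bug number keeps the issue visible to the maintainer. The only NOTE is an upstream issue (mpruett/audiofile#66) with no "Fixed by:" commit, so it is also unclear whether a fix exists to backport.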
@@ -516,6 +526,8 @@ CVE-2025-12110 (A flaw was found in Keycloak. An offline session continues to be
- keycloak <itp> (bug #1088287)
CVE-2025-12105 (A flaw was found in the asynchronous message queue handling of the lib ...)
- libsoup3 <unfixed> (bug #1118783)
+ [trixie] - libsoup3 <no-dsa> (Minor issue)
+ [bookworm] - libsoup3 <no-dsa> (Minor issue)
- libsoup2.4 <undetermined>
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/481
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/9ba1243a24e442fa5ec44684617a4480027da960
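Review bot: "- libsoup2.4 <undetermined>" is left unchanged while libsoup3 gets <no-dsa> for trixie and bookworm; the fixing merge request (!481) and commit are already referenced in the NOTEs, so it should be possible to check whether the affected asynchronous message-queue code is present in libsoup2.4 and replace <undetermined> with either <not-affected> or matching <no-dsa> entries in the same triage pass.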
@@ -1555,11 +1567,11 @@ CVE-2025-62587 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virt
- virtualbox <unfixed> (bug #1118542)
CVE-2025-62518 (astral-tokio-tar is a tar archive reading/writing library for async Ru ...)
- rust-astral-tokio-tar 0.5.6-1 (bug #1118562)
+ [trixie] - rust-astral-tokio-tar <no-dsa> (Minor issue)
NOTE: https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-j5gw-2vrg-8fgx
NOTE: https://github.com/astral-sh/tokio-tar/commit/22b3f884adb7a2adf1d3a8d03469533f5cbc8318 (v0.5.6)
NOTE: https://edera.dev/stories/tarmageddon
NOTE: https://github.com/edera-dev/cve-tarmageddon
- TODO: check completeness
CVE-2025-62481 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...)
NOT-FOR-US: Oracle
CVE-2025-62480 (Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracl ...)
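Review bot: removing "- TODO: check completeness" together with adding the trixie <no-dsa> (Minor issue) line settles the triage, but no NOTE records why a publicised, named issue (the edera.dev "tarmageddon" story and the cve-tarmageddon repository are both linked) is rated minor for Debian; a one-line reason would help later readers. Also, rust-astral-tokio-tar is a library crate, so the 0.5.6-1 fix in unstable only reaches binaries rebuilt against it; noting whether trixie has reverse dependencies that embed the vulnerable code would support the rating.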
@@ -2084,6 +2096,8 @@ CVE-2025-11940 (A security vulnerability has been detected in LibreWolf up to 14
NOT-FOR-US: LibreWolf
CVE-2025-62672 (rplay through 3.3.2 allows attackers to cause a denial of service (SIG ...)
- rplay <unfixed> (bug #1118224)
+ [trixie] - rplay <no-dsa> (Minor issue)
+ [bookworm] - rplay <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2025/10/17/3
NOTE: https://www.openwall.com/lists/oss-security/2025/10/18/4
CVE-2025-11939 (A vulnerability was determined in ChurchCRM up to 5.18.0. This issue a ...)
@@ -4810,6 +4824,8 @@ CVE-2025-61871 (NAS Navigator2 Windows version by BUFFALO INC. registers a Windo
NOT-FOR-US: NAS Navigator2 Windows (Buffalo)
CVE-2025-61783 (Python Social Auth is a social authentication/registration mechanism. ...)
- social-auth-app-django <unfixed> (bug #1117857)
+ [trixie] - social-auth-app-django <no-dsa> (Minor issue)
+ [bookworm] - social-auth-app-django <no-dsa> (Minor issue)
NOTE: https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg
NOTE: https://github.com/python-social-auth/social-app-django/issues/220
NOTE: https://github.com/python-social-auth/social-app-django/issues/231
@@ -10804,6 +10820,7 @@ CVE-2025-59251 (Microsoft Edge (Chromium-based) Remote Code Execution Vulnerabil
NOT-FOR-US: Microsoft
CVE-2025-58457 (Improper permission check in ZooKeeper AdminServer lets authorized cli ...)
- zookeeper 3.9.4-1 (bug #1116339)
+ [trixie] - zookeeper <no-dsa> (Minor issue)
[bookworm] - zookeeper <not-affected> (Vulnerable code not present)
[bullseye] - zookeeper <not-affected> (Vulnerable code not present)
NOTE: https://lists.apache.org/thread/r5yol0kkhx2fzw22pxk1ozwm3oc6yxrx
=====================================
data/dsa-needed.txt
=====================================
@@ -76,6 +76,8 @@ tomcat10/oldstable (apo)
--
tomcat11/stable (apo)
--
+unbound
+--
webkit2gtk (berto)
--
wordpress
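Review bot: "unbound" is added without a release suffix or assignee, whereas the tomcat entries specify "/stable" and "/oldstable" with "(apo)" and webkit2gtk carries "(berto)"; "wordpress" is also bare, so an unclaimed entry is consistent with the file, but if the DSA is needed for only one of stable/oldstable, a "/stable" or "/oldstable" suffix like the tomcat lines would make that clear.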
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ae1c8abed7c0f66e3ca551957f6c4fdcbaf1472