[Git][security-tracker-team/security-tracker][master] Update status for CVE-2025-52099 and CVE-2025-29088
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sun Oct 26 19:15:46 GMT 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
56897de2 by Salvatore Bonaccorso at 2025-10-26T20:14:32+01:00
Update status for CVE-2025-52099 and CVE-2025-29088
They are basically the same, and have the same fix commit as described (updated
by upstream) in https://sqlite.org/src/info/1ec4c308c76c69fb .
As confirmed by upstream, the OOB to the setup ABI is not much of a
problem. The API in question is only accessible from programs that
invoke SQLite and it cannot be reached from rogue SQL input or specially
crafted database files.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -108,11 +108,15 @@ CVE-2025-10579 (The BackWPup \u2013 WordPress Backup & Restore Plugin plugin for
CVE-2025-10488 (The Directorist: AI-Powered Business Directory Plugin with Classified ...)
NOT-FOR-US: WordPress plugin
CVE-2025-52099 (Integer Overflow vulnerability in SQLite SQLite3 v.3.50.0 allows a rem ...)
- - sqlite3 <unfixed>
- [trixie] - sqlite3 <no-dsa> (Minor issue)
- [bookworm] - sqlite3 <no-dsa> (Minor issue)
+ - sqlite3 3.46.1-4 (unimportant)
+ NOTE: https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2406257
NOTE: https://github.com/SCREAMBBY/CVE-2025-52099
+ NOTE: https://sqlite.org/forum/forumpost/48f365daec7e50af01350d72c19c317f02e5fc0d3b1e778256d1fbd8081eec5d
+ NOTE: Duplicate/overlapping with CVE-2025-29088.
+ NOTE: https://sqlite.org/src/info/1ec4c308c76c69fb
+ NOTE: OOB to setup API; API in question is only accessible from programms that invoke
+ NOTE: SQLite. Not reachable from rouge SQL inputs or specially crafted database files.
CVE-2025-8536 (A SQL injection vulnerability has been identified in DobryCMS. Imprope ...)
NOT-FOR-US: DobryCMS
CVE-2025-62714 (Karmada Dashboard is a general-purpose, web-based control panel for Ka ...)
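Review bot: the two NOTE lines added at the end of the CVE-2025-52099 entry contain spelling errors, "programms" for "programs" and "rouge" for "rogue"; the same two lines are copied verbatim into the CVE-2025-29088 entry in the second hunk, so both copies need the fix. The same lines say "OOB to setup API" while the commit message says "setup ABI"; the commit message's own wording ("The API in question is only accessible from programs that invoke SQLite") suggests "API" is the intended term, so the message should be aligned with the notes. The replacement of the `<unfixed>` line and the trixie/bookworm `<no-dsa>` lines by a single `sqlite3 3.46.1-4 (unimportant)` line is consistent with the new "Duplicate/overlapping with CVE-2025-29088" note, since the CVE-2025-29088 entry in the second hunk already carries 3.46.1-4 as its fixed version.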
@@ -64687,10 +64691,11 @@ CVE-2025-30148 (Silverstripe Framework is a PHP framework which powers the Silve
CVE-2025-29150 (BlueCMS 1.6 suffers from Arbitrary File Deletion via the id parameter ...)
NOT-FOR-US: BlueCMS
CVE-2025-29088 (In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_ ...)
- - sqlite3 3.46.1-4 (bug #1102670)
- [bookworm] - sqlite3 <no-dsa> (Minor issue)
- [bullseye] - sqlite3 <postponed> (Minor issue)
+ - sqlite3 3.46.1-4 (bug #1102670; unimportant)
NOTE: https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4
+ NOTE: https://sqlite.org/src/info/1ec4c308c76c69fb
+ NOTE: OOB to setup API; API in question is only accessible from programms that invoke
+ NOTE: SQLite. Not reachable from rouge SQL inputs or specially crafted database files.
CVE-2025-29017 (A Remote Code Execution (RCE) vulnerability exists in Code Astro Inter ...)
NOT-FOR-US: CodeAstro
CVE-2025-27813 (MSI Center before 2.0.52.0 has Missing PE Signature Validation.)
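Review bot: the cross-reference is one-directional: the first hunk adds "NOTE: Duplicate/overlapping with CVE-2025-29088." to the CVE-2025-52099 entry, but this entry gets no matching "NOTE: Duplicate/overlapping with CVE-2025-52099." line, so a reader starting from CVE-2025-29088 will not discover the duplicate. The two NOTE lines added here repeat the "programms" and "rouge" typos from the first hunk and should be corrected together with that copy. Dropping the "[bookworm] <no-dsa>" and "[bullseye] <postponed>" lines while marking the entry "unimportant" is coherent, but since bullseye was previously tracked as postponed rather than no-dsa, the commit message could state explicitly that the bullseye fix is no longer planned.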
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56897de23f67603931f0a5ef976c57ade07b4fa5