[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Oct 30 09:41:48 GMT 2025



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8807afd8 by security tracker role at 2025-10-30T08:12:39+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,53 @@
+CVE-2025-9954 (Missing Authorization vulnerability in Drupal Acquia DAM allows Forcef ...)
+	TODO: check
+CVE-2025-62257 (Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4 ...)
+	TODO: check
+CVE-2025-61959 (Prior to September 19, 2025, the Hospital Manager Backend Services ret ...)
+	TODO: check
+CVE-2025-54549 (Cryptographic validation of upgrade images could be circumventing by d ...)
+	TODO: check
+CVE-2025-54548 (On affected platforms, restricted users could view sensitive portions  ...)
+	TODO: check
+CVE-2025-54547 (On affected platforms, if SSH session multiplexing was configured on t ...)
+	TODO: check
+CVE-2025-54546 (On affected platforms, restricted users could use SSH port forwarding  ...)
+	TODO: check
+CVE-2025-54545 (On affected platforms, a restricted user could break out of the CLI sa ...)
+	TODO: check
+CVE-2025-54459 (Prior to September 19, 2025, the Hospital Manager Backend Services exp ...)
+	TODO: check
+CVE-2025-12475 (The Blocksy Companion plugin for WordPress is vulnerable to Stored Cro ...)
+	TODO: check
+CVE-2025-12466 (Authentication Bypass Using an Alternate Path or Channel vulnerability ...)
+	TODO: check
+CVE-2025-12083 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-12082 (Incorrect Authorization vulnerability in Drupal CivicTheme Design Syst ...)
+	TODO: check
+CVE-2025-11906 (A vulnerability exists in Progress Flowmon versions prior 12.5.6 where ...)
+	TODO: check
+CVE-2025-11881 (The AppPresser \u2013 Mobile App Framework plugin for WordPress is vul ...)
+	TODO: check
+CVE-2025-11627 (The Site Checkup Debug AI Troubleshooting with Wizard and Tips for Eac ...)
+	TODO: check
+CVE-2025-11428
+	REJECTED
+CVE-2025-10931 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-10930 (Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency all ...)
+	TODO: check
+CVE-2025-10929 (Improper Validation of Consistency within Input vulnerability in Drupa ...)
+	TODO: check
+CVE-2025-10928 (Improper Restriction of Excessive Authentication Attempts vulnerabilit ...)
+	TODO: check
+CVE-2025-10927 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-10926 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2025-10636 (The NS Maintenance Mode for WP WordPress plugin through 1.3.1 does not ...)
+	TODO: check
+CVE-2025-10008 (The Translate WordPress and go Multilingual \u2013 Weglot plugin for W ...)
+	TODO: check
 CVE-2025-62503
 	- airflow <itp> (bug #819700)
 CVE-2025-62402
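Review bot: the CVE-2025-11881 and CVE-2025-10008 description lines carry the literal six-character sequence `\u2013` where the upstream text has an en dash, and the X.Org entries later in this patch show the same with `\u2019`; the importer should decode JSON unicode escapes before writing data/CVE/list so the stored description matches the source text and is searchable. Separately, CVE-2025-61959 and CVE-2025-54459 both open with "Prior to September 19, 2025, the Hospital Manager Backend Services", so when the TODO: check items are worked, confirm they are two distinct issues rather than a duplicate assignment before giving each its own package or NOT-FOR-US line.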
@@ -727,7 +777,7 @@ CVE-2025-40026 (In the Linux kernel, the following vulnerability has been resolv
 CVE-2025-40025 (In the Linux kernel, the following vulnerability has been resolved:  f ...)
 	- linux <unfixed>
 	NOTE: https://git.kernel.org/linus/c18ecd99e0c707ef8f83cace861cbc3162f4fdf1 (6.18-rc1)
-CVE-2025-62231
+CVE-2025-62231 (A flaw was identified in the X.Org X server\u2019s X Keyboard (Xkb) ex ...)
 	{DSA-6044-1 DLA-4353-1}
 	- xorg-server 2:21.1.20-1
 	- xwayland <unfixed>
@@ -736,7 +786,7 @@ CVE-2025-62231
 	NOTE: https://lists.x.org/archives/xorg-announce/2025-October/003635.html
 	NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/475d9f49acd0e55bc0b089ed77f732ad18585470
 	NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3baad99f9c15028ed8c3e3d8408e5ec35db155aa (xorg-server-21.1.19)
-CVE-2025-62230
+CVE-2025-62230 (A flaw was discovered in the X.Org X server\u2019s X Keyboard (Xkb) ex ...)
 	{DSA-6044-1 DLA-4353-1}
 	- xorg-server 2:21.1.20-1
 	- xwayland <unfixed>
@@ -747,7 +797,7 @@ CVE-2025-62230
 	NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/10c94238bdad17c11707e0bdaaa3a9cd54c504be
 	NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/865089ca70840c0f13a61df135f7b44a9782a175 (xorg-server-21.1.19)
 	NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/87fe2553937a99fd914ad0cde999376a3adc3839 (xorg-server-21.1.19)
-CVE-2025-62229
+CVE-2025-62229 (A flaw was found in the X.Org X server and Xwayland when processing X1 ...)
 	{DSA-6044-1 DLA-4353-1}
 	- xorg-server 2:21.1.20-1
 	- xwayland <unfixed>
@@ -2085,10 +2135,12 @@ CVE-2025-10497 (GitLab has remediated an issue in GitLab CE/EE affecting all ver
 CVE-2025-11702 (GitLab has remediated an issue in EE affecting all versions from 17.1  ...)
 	- gitlab <not-affected> (Specific to EE)
 CVE-2025-59024
+	{DSA-6045-1}
 	- pdns-recursor 5.3.1-1 (bug #1118751)
 	[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
 	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html
 CVE-2025-59023
+	{DSA-6045-1}
 	- pdns-recursor 5.3.1-1 (bug #1118751)
 	[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
 	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html
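Review bot: the added {DSA-6045-1} lines agree with the existing `[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)` markers, so nothing to change here; since CVE-2025-59024 and CVE-2025-59023 share the same bug #1118751 and the same powerdns-advisory-2025-06 URL, just verify that DSA-6045-1 lists both CVE ids so the cross-reference resolves for each entry.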
@@ -6487,7 +6539,7 @@ CVE-2025-10124 (The Booking Manager  WordPress plugin before 2.1.15 registers a
 	NOT-FOR-US: WordPress plugin
 CVE-2016-15047 (AVTECH devices that include the CloudSetup.cgi management endpoint are ...)
 	NOT-FOR-US: AVTECH
-CVE-2025-61724 [net/textproto: excessive CPU consumption in Reader.ReadResponse]
+CVE-2025-61724 (The Reader.ReadResponse function constructs a response string through  ...)
 	- golang-1.25 1.25.2-1
 	- golang-1.24 1.24.8-1
 	[trixie] - golang-1.24 <no-dsa> (Minor issue)
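Review bot: replacing the bracketed working title `[net/textproto: excessive CPU consumption in Reader.ReadResponse]` with the truncated upstream description drops the Go package name from the entry, because the new first line only says "The Reader.ReadResponse function constructs a response string through ..." and the same loss happens for every golang entry that follows (archive/tar, crypto/x509, net/http, encoding/asn1, net/url, encoding/pem, crypto/tls, net/mail). The upstream issue NOTE lines remain, but consider keeping the package name in a NOTE line (for example `NOTE: net/textproto`) so triage of the affected standard library package does not require following the link.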
@@ -6499,7 +6551,7 @@ CVE-2025-61724 [net/textproto: excessive CPU consumption in Reader.ReadResponse]
 	NOTE: https://github.com/golang/go/issues/75716
 	NOTE: https://github.com/golang/go/commit/5d7a787aa2b486f77537eeaed9c38c940a7182b8 (go1.25.2)
 	NOTE: https://github.com/golang/go/commit/a402f4ad285514f5f3db90516d72047d591b307a (go1.24.8)
-CVE-2025-58183 [archive/tar: unbounded allocation when parsing GNU sparse map]
+CVE-2025-58183 (tar.Reader does not set a maximum size on the number of sparse region  ...)
 	- golang-1.25 1.25.2-1
 	- golang-1.24 1.24.8-1
 	[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6511,7 +6563,7 @@ CVE-2025-58183 [archive/tar: unbounded allocation when parsing GNU sparse map]
 	NOTE: https://github.com/golang/go/issues/75677
 	NOTE: https://github.com/golang/go/commit/2612dcfd3cb6dd73c76e14a24fe1a68e2708e4e3 (go1.25.2)
 	NOTE: https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556 (go1.24.8)
-CVE-2025-58188 [crypto/x509: panic when validating certificates with DSA public keys]
+CVE-2025-58188 (Validating certificate chains which contain DSA public keys can cause  ...)
 	- golang-1.25 1.25.2-1
 	- golang-1.24 1.24.8-1
 	[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6523,7 +6575,7 @@ CVE-2025-58188 [crypto/x509: panic when validating certificates with DSA public
 	NOTE: https://github.com/golang/go/issues/75675
 	NOTE: https://github.com/golang/go/commit/930ce220d052d632f0d84df5850c812a77b70175 (go1.25.2)
 	NOTE: https://github.com/golang/go/commit/f9f198ab05e3282cbf6b13251d47d9141981e401 (go1.24.8)
-CVE-2025-58186 [net/http: lack of limit when parsing cookies can cause memory exhaustion]
+CVE-2025-58186 (Despite HTTP headers having a default limit of 1MB, the number of cook ...)
 	- golang-1.25 1.25.2-1
 	- golang-1.24 1.24.8-1
 	[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6535,7 +6587,7 @@ CVE-2025-58186 [net/http: lack of limit when parsing cookies can cause memory ex
 	NOTE: https://github.com/golang/go/issues/75672
 	NOTE: https://github.com/golang/go/commit/100c5a66802b5a895b1d0e5ed3b7918f899c4833 (go1.25.2)
 	NOTE: https://github.com/golang/go/commit/c6b04dd33b0215f5deb83724661921842bf67607 (go1.24.8)
-CVE-2025-58185 [encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion]
+CVE-2025-58185 (Parsing a maliciously crafted DER payload could allocate large amounts ...)
 	- golang-1.25 1.25.2-1
 	- golang-1.24 1.24.8-1
 	[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6547,7 +6599,7 @@ CVE-2025-58185 [encoding/asn1: pre-allocating memory when parsing DER payload ca
 	NOTE: https://github.com/golang/go/issues/75671
 	NOTE: https://github.com/golang/go/commit/e0f655bf3f96410f90756f49532bc6a1851855ca (go1.25.2)
 	NOTE: https://github.com/golang/go/commit/5c3d61c886f7ecfce9a6d6d3c97e6d5a8afb17d1 (go1.24.8)
-CVE-2025-47912 [net/url: insufficient validation of bracketed IPv6 hostnames]
+CVE-2025-47912 (The Parse function permits values other than IPv6 addresses to be incl ...)
 	- golang-1.25 1.25.2-1
 	- golang-1.24 1.24.8-1
 	[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6559,7 +6611,7 @@ CVE-2025-47912 [net/url: insufficient validation of bracketed IPv6 hostnames]
 	NOTE: https://github.com/golang/go/issues/75678
 	NOTE: https://github.com/golang/go/commit/9fd3ac8a10272afd90312fef5d379de7d688a58e (go1.25.2)
 	NOTE: https://github.com/golang/go/commit/d6d2f7bf76718f1db05461cd912ae5e30d7b77ea (go1.24.8)
-CVE-2025-61723 [encoding/pem: quadratic complexity when parsing some invalid inputs]
+CVE-2025-61723 (The processing time for parsing some invalid inputs scales non-linearl ...)
 	- golang-1.25 1.25.2-1
 	- golang-1.24 1.24.8-1
 	[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6571,7 +6623,7 @@ CVE-2025-61723 [encoding/pem: quadratic complexity when parsing some invalid inp
 	NOTE: https://github.com/golang/go/issues/75676
 	NOTE: https://github.com/golang/go/commit/90f72bd5001d0278949fab0b7a40f7d8c712979b (go1.25.2)
 	NOTE: https://github.com/golang/go/commit/74d4d836b91318a8764b94bc2b4b66ff599eb5f2 (go1.24.8)
-CVE-2025-58189 [crypto/tls: ALPN negotiation errors can contain arbitrary text]
+CVE-2025-58189 (When Conn.Handshake fails during ALPN negotiation the error contains a ...)
 	- golang-1.25 1.25.2-1
 	- golang-1.24 1.24.8-1
 	[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6583,7 +6635,7 @@ CVE-2025-58189 [crypto/tls: ALPN negotiation errors can contain arbitrary text]
 	NOTE: https://github.com/golang/go/issues/75652
 	NOTE: https://github.com/golang/go/commit/205d0865958a6d2342939f62dfeaf47508101976 (go1.25.2)
 	NOTE: https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9 (go1.24.8)
-CVE-2025-58187 [crypto/x509: quadratic complexity when checking name constraints]
+CVE-2025-58187 (Due to the design of the name constraint checking algorithm, the proce ...)
 	- golang-1.25 1.25.2-1
 	- golang-1.24 1.24.8-1
 	[trixie] - golang-1.24 <no-dsa> (Minor issue)
@@ -6595,7 +6647,7 @@ CVE-2025-58187 [crypto/x509: quadratic complexity when checking name constraints
 	NOTE: https://github.com/golang/go/issues/75681
 	NOTE: https://github.com/golang/go/commit/f0c69db15aae2eb10bddd8b6745dff5c2932e8f5 (go1.25.2)
 	NOTE: https://github.com/golang/go/commit/f334417e71f8b078ad64035bddb6df7f8910da6c (go1.24.8)
-CVE-2025-61725 [net/mail: excessive CPU consumption in ParseAddress]
+CVE-2025-61725 (The ParseAddress function constructeds domain-literal address componen ...)
 	- golang-1.25 1.25.2-1
 	- golang-1.24 1.24.8-1
 	[trixie] - golang-1.24 <no-dsa> (Minor issue)
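Review bot: "constructeds" on the CVE-2025-61725 line is a typo in the upstream description that this automatic update mirrors verbatim; since the commit is generated by the security tracker role from upstream text, a hand correction in data/CVE/list would likely be overwritten on the next run, and the bracketed title it replaced (`[net/mail: excessive CPU consumption in ParseAddress]`) already stated the issue clearly, so leave the line as imported.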



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8807afd8ecd65901c769fe685e203a12db5d9688


