[Git][security-tracker-team/security-tracker][master] Reserve DLA-4354-1 for pypy3
Andrej Shadura (@andrewsh)
andrewsh at debian.org
Fri Oct 31 07:08:24 GMT 2025
Andrej Shadura pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5009e72c by Andrej Shadura at 2025-10-31T08:08:09+01:00
Reserve DLA-4354-1 for pypy3
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -45806,7 +45806,6 @@ CVE-2025-6069 (The html.parser.HTMLParser class had worse-case quadratic complex
- pypy3 <unfixed> (bug #1118430)
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
- [bullseye] - pypy3 <postponed> (Minor issue; DoS)
- jython <unfixed> (bug #1109376)
[trixie] - jython <no-dsa> (Minor issue)
[bookworm] - jython <no-dsa> (Minor issue)
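Review bot: In this CVE-2025-6069 hunk the removed `[bullseye] - pypy3 <postponed> (Minor issue; DoS)` line is not replaced by anything, while the package-level entry above it is still `- pypy3 <unfixed> (bug #1118430)`. Unlike the other CVEs touched in this file, there is no fixed unstable version here for bullseye to be compared against, so the bullseye status for this CVE rests entirely on the `7.3.5+dfsg-2+deb11u5` version recorded in data/DLA/list. Suggest confirming that a `[bullseye] - pypy3 7.3.5+dfsg-2+deb11u5` line ends up under this CVE.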
@@ -80365,7 +80364,6 @@ CVE-2025-1795 (During an address list folding when a separating comma ends up on
- python3.9 <removed>
- pypy3 7.3.18+dfsg-1
[bookworm] - pypy3 <no-dsa> (Minor issue)
- [bullseye] - pypy3 <postponed> (Minor issue)
NOTE: https://github.com/python/cpython/issues/100884
NOTE: Regression issue: https://github.com/python/cpython/issues/118643
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/MB62IZMEC3UM6SGHP5LET5JX2Y7H4ZUR/
@@ -90636,7 +90634,6 @@ CVE-2025-0938 (The Python standard library functions `urllib.parse.urlsplit` and
- python3.9 <removed>
- pypy3 7.3.18+dfsg-2
[bookworm] - pypy3 <no-dsa> (Minor issue)
- [bullseye] - pypy3 <postponed> (Minor issue)
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/K4EUG6EKV6JYFIC24BASYOZS4M5XOQIB/
NOTE: https://github.com/python/cpython/issues/105704
NOTE: https://github.com/python/cpython/pull/129418
@@ -114183,7 +114180,6 @@ CVE-2024-11168 (The urllib.parse.urlsplit() and urlparse() functions improperly
- python3.9 <removed>
- pypy3 7.3.18+dfsg-1
[bookworm] - pypy3 <no-dsa> (Minor issue)
- [bullseye] - pypy3 <postponed> (Minor issue)
NOTE: https://github.com/python/cpython/issues/103848
NOTE: https://github.com/python/cpython/pull/103849
NOTE: https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5 (v3.12.0b1)
@@ -133246,7 +133242,6 @@ CVE-2024-6232 (There is a MEDIUM severity vulnerability affecting CPython.
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
- pypy3 7.3.18+dfsg-1
[bookworm] - pypy3 <no-dsa> (Minor issue)
- [bullseye] - pypy3 <postponed> (Minor issue; ReDoS)
NOTE: https://github.com/python/cpython/issues/121285
NOTE: https://github.com/python/cpython/pull/121286
NOTE: https://github.com/python/cpython/commit/ed3a49ea734ada357ff4442996fd4ae71d253373 (v3.13.0rc2)
@@ -136373,7 +136368,6 @@ CVE-2024-7592 (There is a LOW severity vulnerability affecting CPython, specific
- python3.9 <removed>
- pypy3 7.3.18+dfsg-1
[bookworm] - pypy3 <no-dsa> (Minor issue)
- [bullseye] - pypy3 <postponed> (Minor issue; DoS)
NOTE: https://github.com/python/cpython/pull/123075
NOTE: https://github.com/python/cpython/issues/123067
NOTE: https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621 (v3.13.0rc2)
@@ -140690,7 +140684,6 @@ CVE-2024-6923 (There is a MEDIUM severity vulnerability affecting CPython. The
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
- pypy3 7.3.18+dfsg-1
[bookworm] - pypy3 <no-dsa> (Minor issue)
- [bullseye] - pypy3 <postponed> (Minor issue)
NOTE: https://github.com/python/cpython/issues/121650
NOTE: https://github.com/python/cpython/pull/122233
NOTE: https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0 (v3.13.0rc2)
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[31 Oct 2025] DLA-4354-1 pypy3 - security update
+ {CVE-2024-6232 CVE-2024-6923 CVE-2024-7592 CVE-2024-11168 CVE-2025-0938 CVE-2025-1795 CVE-2025-6069 CVE-2025-8291}
+ [bullseye] - pypy3 7.3.5+dfsg-2+deb11u5
[29 Oct 2025] DLA-4353-1 xorg-server - security update
{CVE-2025-62229 CVE-2025-62230 CVE-2025-62231}
[bullseye] - xorg-server 2:1.20.11-1+deb11u17
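Review bot: The CVE set on the added DLA-4354-1 line names eight CVEs, but data/CVE/list in this commit only drops `[bullseye] - pypy3 <postponed>` lines for seven of them; CVE-2025-8291 has no corresponding hunk. Suggest checking that CVE-2025-8291 carries no bullseye-specific pypy3 annotation that would conflict with the fixed version `7.3.5+dfsg-2+deb11u5`, and that its inclusion in this DLA is intended.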
=====================================
data/dla-needed.txt
=====================================
@@ -281,11 +281,6 @@ php-laravel-framework
NOTE: 20251027: tests is required to prevent regressions, but I could not get the upstream
NOTE: 20251027: test suite to work. It is not exercised as part of Debian packages build. (paride)
--
-pypy3 (andrewsh)
- NOTE: 20250718: Added by Front-Desk (Beuc)
- NOTE: 20250718: Sponsored through pypy[v2] which is obsoleted in bullseye.
- NOTE: 20250718: Many postponed vulnerabilities, sync python3 fixes. (Beuc/front-desk)
---
pytorch (dleidert)
NOTE: 20250422: Added by Front-Desk (rouca)
NOTE: 20250422: CVE-2025-32434 RCE need to be fixed. DoS may be postponed (rouca/FD)
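Review bot: The removed pypy3 entry carried the note "Many postponed vulnerabilities, sync python3 fixes", and the DLA reserved in this commit covers eight CVEs. Before dropping the package from dla-needed.txt, suggest confirming that no other `[bullseye] - pypy3 <postponed>` entries remain in data/CVE/list beyond the ones removed here, so that nothing from the original triage request is silently left behind.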
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5009e72c47c00acca48dfccef1bc4844b3d3ebdd