[Git][security-tracker-team/security-tracker][master] 2 commits: Merge changes for updates with CVEs via bookworm 12.12

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sat Sep 6 11:16:15 BST 2025



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3c10a51f by Salvatore Bonaccorso at 2025-09-06T11:56:36+02:00
Merge changes for updates with CVEs via bookworm 12.12

- - - - -
b8609ddd by Salvatore Bonaccorso at 2025-09-06T12:16:06+02:00
Merge branch 'bookworm-12.12' into 'master'

Merge changes accepted for bookworm 12.12 release

See merge request security-tracker-team/security-tracker!244
- - - - -


2 changed files:

- data/CVE/list
- data/next-oldstable-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2790,7 +2790,7 @@ CVE-2024-13987 (Improper neutralization of input during web page generation ('Cr
 CVE-2025-40927 (CGI::Simple versions before 1.282 for Perl has a HTTP response splitti ...)
 	- libcgi-simple-perl 1.282-1
 	[trixie] - libcgi-simple-perl 1.282-1~deb13u1
-	[bookworm] - libcgi-simple-perl <no-dsa> (Minor issue)
+	[bookworm] - libcgi-simple-perl 1.280-2+deb12u1
 	[bullseye] - libcgi-simple-perl <postponed> (Minor issue)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/32357435/
 	NOTE: https://github.com/manwar/CGI--Simple/commit/0c1a2e0b8f24804d33daac686666ac944363a630 (v1.282)
@@ -6282,7 +6282,7 @@ CVE-2025-55293 (Meshtastic is an open source mesh networking solution. Prior to
 CVE-2025-55291 (Shaarli is a minimalist bookmark manager and link sharing service. Pri ...)
 	- shaarli 0.15.0+dfsg-1 (bug #1111589)
 	[trixie] - shaarli 0.14.0+dfsg-2
-	[bookworm] - shaarli <no-dsa> (Minor issue, will be fixed in point release)
+	[bookworm] - shaarli 0.12.1+dfsg-8+deb12u1
 	NOTE: https://github.com/shaarli/Shaarli/security/advisories/GHSA-7w7w-pw4j-265h
 	NOTE: https://github.com/shaarli/Shaarli/commit/66faa61335a6e72184be64092ff1242ffa4fe5b6 (v0.15.0)
 CVE-2025-55288 (Genealogy is a family tree PHP application. Prior to 4.4.0, Authentica ...)
@@ -6844,7 +6844,7 @@ CVE-2025-54989 (Firebird is a relational database. Prior to versions 3.0.13, 4.0
 	{DSA-5992-1 DLA-4282-1}
 	- firebird3.0 3.0.13.ds7-1 (bug #1111321)
 	[trixie] - firebird3.0 3.0.12.ds7-13+deb13u1
-	[bookworm] - firebird3.0 <no-dsa> (Minor issue)
+	[bookworm] - firebird3.0 3.0.11.33637.ds4-2+deb12u1
 	- firebird4.0 4.0.6.3221.ds6-1 (bug #1111320)
 	NOTE: https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-7qp6-hqxj-pjjp
 	NOTE: https://github.com/FirebirdSQL/firebird/issues/8554
@@ -7547,7 +7547,7 @@ CVE-2025-8715 (Improper neutralization of newlines in pg_dump in PostgreSQL allo
 	- postgresql-17 17.6-1
 	[trixie] - postgresql-17 17.6-0+deb13u1
 	- postgresql-15 <removed>
-	[bookworm] - postgresql-15 <no-dsa> (Minor issue)
+	[bookworm] - postgresql-15 15.14-0+deb12u1
 	- postgresql-13 <removed>
 	NOTE: https://www.postgresql.org/about/news/postgresql-176-1610-1514-1419-1322-and-18-beta-3-released-3118/
 	NOTE: https://www.postgresql.org/support/security/CVE-2025-8715/
@@ -7556,7 +7556,7 @@ CVE-2025-8714 (Untrusted data inclusion in pg_dump in PostgreSQL allows a malici
 	- postgresql-17 17.6-1
 	[trixie] - postgresql-17 17.6-0+deb13u1
 	- postgresql-15 <removed>
-	[bookworm] - postgresql-15 <no-dsa> (Minor issue)
+	[bookworm] - postgresql-15 15.14-0+deb12u1
 	- postgresql-13 <removed>
 	NOTE: https://www.postgresql.org/about/news/postgresql-176-1610-1514-1419-1322-and-18-beta-3-released-3118/
 	NOTE: https://www.postgresql.org/support/security/CVE-2025-8714/
@@ -7565,7 +7565,7 @@ CVE-2025-8713 (PostgreSQL optimizer statistics allow a user to read sampled data
 	- postgresql-17 17.6-1
 	[trixie] - postgresql-17 17.6-0+deb13u1
 	- postgresql-15 <removed>
-	[bookworm] - postgresql-15 <no-dsa> (Minor issue)
+	[bookworm] - postgresql-15 15.14-0+deb12u1
 	- postgresql-13 <removed>
 	NOTE: https://www.postgresql.org/about/news/postgresql-176-1610-1514-1419-1322-and-18-beta-3-released-3118/
 	NOTE: https://www.postgresql.org/support/security/CVE-2025-8713/
@@ -7957,7 +7957,7 @@ CVE-2025-53859 (NGINX Open Source and NGINX Plus have a vulnerability in the ngx
 	[experimental] - nginx 1.28.0-2
 	- nginx 1.28.0-3 (bug #1111138)
 	[trixie] - nginx 1.26.3-3+deb13u1
-	[bookworm] - nginx <no-dsa> (Minor issue, will be fixed via point update)
+	[bookworm] - nginx 1.22.1-9+deb12u3
 	[bullseye] - nginx <postponed> (minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/08/13/5
 	NOTE: https://nginx.org/download/patch.2025.smtp.txt
@@ -9192,7 +9192,7 @@ CVE-2022-50233 (In the Linux kernel, the following vulnerability has been resolv
 CVE-2025-7039 (A flaw was found in glib. An integer overflow during temporary file cr ...)
 	- glib2.0 2.84.4-1 (bug #1110640)
 	[trixie] - glib2.0 2.84.4-3~deb13u1
-	[bookworm] - glib2.0 <no-dsa> (Minor issue)
+	[bookworm] - glib2.0 2.74.6-2+deb12u7
 	[bullseye] - glib2.0 <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/3716
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4674
@@ -9425,7 +9425,7 @@ CVE-2025-51533 (An Insecure Direct Object Reference (IDOR) in Sage DPW v2024_12_
 	NOT-FOR-US: Sage DPW
 CVE-2025-50952 (openjpeg v 2.5.0 was discovered to contain a NULL pointer dereference  ...)
 	- openjpeg2 2.5.3-1
-	[bookworm] - openjpeg2 <no-dsa> (Minor issue)
+	[bookworm] - openjpeg2 2.5.0-2+deb12u2
 	[bullseye] - openjpeg2 <postponed> (Minor issue)
 	NOTE: https://github.com/uclouvain/openjpeg/issues/1505
 	NOTE: Fixed by: https://github.com/uclouvain/openjpeg/commit/d903fbb4ab9ccf9b96c8bc7398fafc0007505a37 (v2.5.1)
@@ -9435,7 +9435,7 @@ CVE-2025-50675 (GPMAW 14, a bioinformatics software, has a critical vulnerabilit
 	NOT-FOR-US: GPMAW
 CVE-2025-47808 (In GStreamer through 1.26.1, the subparse plugin's tmplayer_parse_line ...)
 	- gst-plugins-base1.0 1.26.2-1
-	[bookworm] - gst-plugins-base1.0 <no-dsa> (Minor issue)
+	[bookworm] - gst-plugins-base1.0 1.22.0-3+deb12u5
 	[bullseye] - gst-plugins-base1.0 <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0003.md
 	NOTE: https://gstreamer.freedesktop.org/security/sa-2025-0003.html
@@ -9444,7 +9444,7 @@ CVE-2025-47808 (In GStreamer through 1.26.1, the subparse plugin's tmplayer_pars
 	NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/9b810e83d0f4135cf5a066da8b9430cf6e375d29 (1.26.2)
 CVE-2025-47807 (In GStreamer through 1.26.1, the subparse plugin's subrip_unescape_for ...)
 	- gst-plugins-base1.0 1.26.2-1
-	[bookworm] - gst-plugins-base1.0 <no-dsa> (Minor issue)
+	[bookworm] - gst-plugins-base1.0 1.22.0-3+deb12u5
 	[bullseye] - gst-plugins-base1.0 <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0003.md
 	NOTE: https://gstreamer.freedesktop.org/security/sa-2025-0002.html
@@ -9453,7 +9453,7 @@ CVE-2025-47807 (In GStreamer through 1.26.1, the subparse plugin's subrip_unesca
 	NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0711a31221a27c076dde3b9716cbcabf85088fa5 (1.26.2)
 CVE-2025-47806 (In GStreamer through 1.26.1, the subparse plugin's parse_subrip_time f ...)
 	- gst-plugins-base1.0 1.26.2-1
-	[bookworm] - gst-plugins-base1.0 <no-dsa> (Minor issue)
+	[bookworm] - gst-plugins-base1.0 1.22.0-3+deb12u5
 	[bullseye] - gst-plugins-base1.0 <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0003.md
 	NOTE: https://gstreamer.freedesktop.org/security/sa-2025-0006.html
@@ -9461,7 +9461,7 @@ CVE-2025-47806 (In GStreamer through 1.26.1, the subparse plugin's parse_subrip_
 	NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/da4380c4df0e00f8d0bad569927bfc7ea35ec37d (1.26.2)
 CVE-2025-47219 (In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak fu ...)
 	- gst-plugins-good1.0 1.26.2-1
-	[bookworm] - gst-plugins-good1.0 <no-dsa> (Minor issue)
+	[bookworm] - gst-plugins-good1.0 1.22.0-5+deb12u3
 	[bullseye] - gst-plugins-good1.0 <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0003.md
 	NOTE: https://gstreamer.freedesktop.org/security/sa-2025-0004.html
@@ -9586,7 +9586,7 @@ CVE-2025-54798 (tmp is a temporary file and directory creator for node.js. In ve
 	{DLA-4268-1}
 	- node-tmp 0.2.2+dfsg+~0.2.3-1.1 (bug #1110532)
 	[trixie] - node-tmp 0.2.2+dfsg+~0.2.3-1.1~deb13u1
-	[bookworm] - node-tmp <no-dsa> (Minor issue)
+	[bookworm] - node-tmp 0.2.2+dfsg+~0.2.3-1.1~deb12u1
 	NOTE: https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6
 	NOTE: https://github.com/raszi/node-tmp/issues/207
 	NOTE: https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b (v0.2.4)
@@ -10653,7 +10653,7 @@ CVE-2025-54350 (In iperf before 3.19.1, iperf_auth.c has a Base64Decode assertio
 	{DLA-4281-1}
 	- iperf3 3.19.1-1 (bug #1110376)
 	[trixie] - iperf3 3.18-2+deb13u1
-	[bookworm] - iperf3 <no-dsa> (Minor issue; requires enabled SSL authentication; will be fixed via point release)
+	[bookworm] - iperf3 3.12-1+deb12u2
 	NOTE: https://downloads.es.net/pub/iperf/esnet-secadv-2025-0002.txt.asc
 	NOTE: Introduced with https://github.com/esnet/iperf/commit/a51045de196f762fb74c86184b03da148c4e8f07 (3.2rc1)
 	NOTE: Fixed by: https://github.com/esnet/iperf/commit/4eab661da0bbaac04493fa40164e928c6df7934a (master)
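Review bot: The removed [bookworm] line for CVE-2025-54350 carried the exposure condition "requires enabled SSL authentication", and none of the remaining NOTE lines in this hunk records it. Consider keeping it as a NOTE line so the triage context survives now that the entry shows a fixed version; the same applies to the CVE-2025-54349 entry in the next hunk.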
@@ -10662,7 +10662,7 @@ CVE-2025-54349 (In iperf before 3.19.1, iperf_auth.c has an off-by-one error and
 	{DLA-4281-1}
 	- iperf3 3.19.1-1 (bug #1110376)
 	[trixie] - iperf3 3.18-2+deb13u1
-	[bookworm] - iperf3 <no-dsa> (Minor issue; requires enabled SSL authentication; will be fixed via point release)
+	[bookworm] - iperf3 3.12-1+deb12u2
 	NOTE: https://downloads.es.net/pub/iperf/esnet-secadv-2025-0003.txt.asc
 	NOTE: Introduced with https://github.com/esnet/iperf/commit/a51045de196f762fb74c86184b03da148c4e8f07 (3.2rc1)
 	NOTE: Fixed by: https://github.com/esnet/iperf/commit/4e5313bab0b9b3fe03513ab54f722c8a3e4b7bdf (master)
@@ -13375,7 +13375,7 @@ CVE-2025-8060 (A vulnerability has been found in Tenda AC23 16.03.07.52 and clas
 	NOT-FOR-US: Tenda
 CVE-2025-8058 (The regcomp function in the GNU C library version from 2.4 to 2.41 is  ...)
 	- glibc 2.41-11 (bug #1109803)
-	[bookworm] - glibc <no-dsa> (Minor issue)
+	[bookworm] - glibc 2.36-9+deb12u13
 	[bullseye] - glibc <postponed> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=33185
 	NOTE: https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2025-0005
@@ -14652,7 +14652,7 @@ CVE-2025-7784 (A flaw was found in the Keycloak identity and access management s
 CVE-2025-7783 (Use of Insufficiently Random Values vulnerability in form-data allows  ...)
 	{DLA-4261-1}
 	- node-form-data 4.0.1-2 (bug #1109551)
-	[bookworm] - node-form-data <no-dsa> (Minor issue)
+	[bookworm] - node-form-data 4.0.1-1+deb12u1
 	NOTE: https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4
 	NOTE: Fixed by: https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0 (v4.0.4)
 CVE-2025-7697 (The Integration for Google Sheets and Contact Form 7, WPForms, Element ...)
@@ -14683,7 +14683,7 @@ CVE-2025-7394 (In the OpenSSL compatibility layer implementation, the function R
 	[experimental] - wolfssl 5.7.2-0.3
 	- wolfssl 5.7.2-0.4 (bug #1109549)
 	[trixie] - wolfssl 5.7.2-0.1+deb13u1
-	[bookworm] - wolfssl <no-dsa> (Minor issue; can be fixed via point release)
+	[bookworm] - wolfssl 5.5.4-2+deb12u2
 	NOTE: https://github.com/wolfSSL/wolfssl/pull/8849
 	NOTE: Fixed by: https://github.com/wolfSSL/wolfssl/commit/0c12337194ee6dd082f082f0ccaed27fc4ee44f5 (v5.8.2-stable)
 	NOTE: https://github.com/wolfSSL/wolfssl/pull/8867
@@ -15581,7 +15581,7 @@ CVE-2025-6971 (Use After Free vulnerability exists in the CATPRODUCT file readin
 	NOT-FOR-US: Dassault Systemes
 CVE-2025-6965 (There exists a vulnerability in SQLite versions before 3.50.2 where th ...)
 	- sqlite3 3.46.1-7 (bug #1109379)
-	[bookworm] - sqlite3 <no-dsa> (Minor issue)
+	[bookworm] - sqlite3 3.40.1-2+deb12u2
 	[bullseye] - sqlite3 <postponed> (Minor issue)
 	NOTE: https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
 CVE-2025-6558 (Insufficient validation of untrusted input in ANGLE and GPU in Google  ...)
@@ -16799,7 +16799,7 @@ CVE-2025-53364 (Parse Server is an open source backend that can be deployed to a
 CVE-2025-53020 (Late Release of Memory after Effective Lifetime vulnerability in Apach ...)
 	{DLA-4270-1}
 	- apache2 2.4.64-1
-	[bookworm] - apache2 <no-dsa> (Will be updated via point release)
+	[bookworm] - apache2 2.4.65-1~deb12u1
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-53020
 	NOTE: Fixed by: https://github.com/apache/httpd/commit/ef98f4f494ff2f99d736a3716cd31219688b46f5
 CVE-2025-52837 (Trend Micro Password Manager (Consumer) version 5.8.0.1327 and below i ...)
@@ -16829,13 +16829,13 @@ CVE-2025-4972 (An issue has been discovered in GitLab EE affecting all versions
 CVE-2025-49812 (In some mod_ssl configurations on Apache HTTP Server versions through  ...)
 	{DLA-4270-1}
 	- apache2 2.4.64-1
-	[bookworm] - apache2 <no-dsa> (Will be updated via point release)
+	[bookworm] - apache2 2.4.65-1~deb12u1
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-49812
 	NOTE: Fixed by: https://github.com/apache/httpd/commit/87a7351c755c9ef8ab386e3090e44838c2a06d48
 CVE-2025-49630 (In certain proxy configurations, a denial of service attack againstApa ...)
 	{DLA-4270-1}
 	- apache2 2.4.64-1
-	[bookworm] - apache2 <no-dsa> (Will be updated via point release)
+	[bookworm] - apache2 2.4.65-1~deb12u1
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-49630
 	NOTE: Fixed by: https://github.com/apache/httpd/commit/88304321841a2fe8bd5eacc70e69418b0b545ca5
 CVE-2025-49464 (Classic buffer overflow in certain Zoom Clients for Windows may allow  ...)
@@ -16893,7 +16893,7 @@ CVE-2025-27889 (Wing FTP Server before 7.4.4 does not properly validate and sani
 CVE-2025-23048 (In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to ...)
 	{DLA-4270-1}
 	- apache2 2.4.64-1
-	[bookworm] - apache2 <no-dsa> (Will be updated via point release)
+	[bookworm] - apache2 2.4.65-1~deb12u1
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-23048
 	NOTE: Fixed by: https://github.com/apache/httpd/commit/c4cfa50c9068e8b8134c530ab21674e77d1278a2
 	NOTE: possible regression for misconfigured load balancer
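Review bot: On CVE-2025-23048 the trailing NOTE "possible regression for misconfigured load balancer" now sits under a bookworm entry marked fixed in 2.4.65-1~deb12u1, with nothing saying whether that upload carries the regression. A short follow-up NOTE stating whether it applies to the bookworm version would help admins applying the point release.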
@@ -16903,7 +16903,7 @@ CVE-2024-7650 (Improper Control of Generation of Code ('Code Injection') vulnera
 CVE-2024-47252 (Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP  ...)
 	{DLA-4270-1}
 	- apache2 2.4.64-1
-	[bookworm] - apache2 <no-dsa> (Will be updated via point release)
+	[bookworm] - apache2 2.4.65-1~deb12u1
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-47252
 	NOTE: Fixed by: https://github.com/apache/httpd/commit/c01e60707048be14a510f0a92128a5227923215c
 CVE-2024-43394 (Server-Side Request Forgery (SSRF)in Apache HTTP Server on Windows all ...)
@@ -16913,14 +16913,14 @@ CVE-2024-43394 (Server-Side Request Forgery (SSRF)in Apache HTTP Server on Windo
 CVE-2024-43204 (SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to ...)
 	{DLA-4270-1}
 	- apache2 2.4.64-1
-	[bookworm] - apache2 <no-dsa> (Will be updated via point release)
+	[bookworm] - apache2 2.4.65-1~deb12u1
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-43204
 	NOTE: Fixed by [1/2]: https://github.com/apache/httpd/commit/6764774d51f3dcb07e79779c64a463d3c112b53f (2.4.64)
 	NOTE: Fixed by [2/2]: https://github.com/apache/httpd/commit/b3d3ded288815bea063c3bf77dd80b26446f76ce (2.4.64)
 CVE-2024-42516 (HTTP response splitting in the core of Apache HTTP Server allows an at ...)
 	{DLA-4270-1}
 	- apache2 2.4.64-1
-	[bookworm] - apache2 <no-dsa> (Will be updated via point release)
+	[bookworm] - apache2 2.4.65-1~deb12u1
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-42516
 	NOTE: CVE exists, because original patch for CVE-2023-38709 did not address the issue.
 	NOTE: Fixed by: https://github.com/apache/httpd/commit/a7a9d814c7c23e990283277230ddd5a9efec27c7
@@ -18907,19 +18907,19 @@ CVE-2024-37656 (An open redirect vulnerability in gnuboard5 v.5.5.16 allows a re
 CVE-2024-25178 (LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an  ...)
 	{DLA-4283-1}
 	- luajit 2.1.0+openresty20240314-1
-	[bookworm] - luajit <no-dsa> (Minor issue)
+	[bookworm] - luajit 2.1.0~beta3+git20220320+dfsg-4.1+deb12u1
 	NOTE: https://github.com/LuaJIT/LuaJIT/issues/1152
 	NOTE: Fixed by: https://github.com/LuaJIT/LuaJIT/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8 (v2.1)
 CVE-2024-25177 (LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an  ...)
 	{DLA-4283-1}
 	- luajit 2.1.0+openresty20240314-1
-	[bookworm] - luajit <no-dsa> (Minor issue)
+	[bookworm] - luajit 2.1.0~beta3+git20220320+dfsg-4.1+deb12u1
 	NOTE: https://github.com/LuaJIT/LuaJIT/issues/1147
 	NOTE: Fixed by: https://github.com/LuaJIT/LuaJIT/commit/85b4fed0b0353dd78c8c875c2f562d522a2b310f (v2.1)
 CVE-2024-25176 (LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240626 have a s ...)
 	{DLA-4283-1}
 	- luajit 2.1.0+openresty20240314-1
-	[bookworm] - luajit <no-dsa> (Minor issue)
+	[bookworm] - luajit 2.1.0~beta3+git20220320+dfsg-4.1+deb12u1
 	NOTE: https://github.com/LuaJIT/LuaJIT/issues/1149
 	NOTE: Fixed by: https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc (v2.1)
 CVE-2023-51232 (Directory Traversal vulnerability in dagster-webserver Dagster thru 1. ...)
@@ -21751,7 +21751,7 @@ CVE-2025-29331 (An issue in MHSanaei 3x-ui before v.2.5.3 and before allows a re
 	NOT-FOR-US: MHSanaei 3x-ui
 CVE-2024-6174 (When a non-x86 platform is detected, cloud-init grants root access to  ...)
 	- cloud-init 25.1.4-1 (bug #1108403)
-	[bookworm] - cloud-init <no-dsa> (Minor issue)
+	[bookworm] - cloud-init 22.4.2-1+deb12u3
 	[bullseye] - cloud-init <postponed> (Minor issue)
 	NOTE: Fixed by: https://github.com/canonical/cloud-init/commit/f43937f0b462734eb9c76700491c18fe4133c8e1 (25.1.3)
 	NOTE: https://github.com/advisories/GHSA-w8g9-wp36-fchj
@@ -21761,7 +21761,7 @@ CVE-2024-52928 (Arc before 1.26.1 on Windows has a bypass issue in the site sett
 	NOT-FOR-US: Arc Browser
 CVE-2024-11584 (cloud-initthrough 25.1.2 includes the systemd socket unitcloud-init-ho ...)
 	- cloud-init 25.1.4-1 (bug #1108402)
-	[bookworm] - cloud-init <no-dsa> (Minor issue)
+	[bookworm] - cloud-init 22.4.2-1+deb12u3
 	[bullseye] - cloud-init <postponed> (Minor issue)
 	NOTE: Fixed by: https://github.com/canonical/cloud-init/commit/4839736429e9057a309ccd835cb3159fb51b1353 (25.1.3)
 	NOTE: https://github.com/canonical/cloud-init/pull/6265
@@ -23546,7 +23546,7 @@ CVE-2025-20271 (A vulnerability in the Cisco AnyConnect VPN server of Cisco Mera
 CVE-2025-20260 (A vulnerability in the PDF scanning processes of ClamAV could allow an ...)
 	{DLA-4292-1}
 	- clamav 1.4.3+dfsg-1 (bug #1108046)
-	[bookworm] - clamav <no-dsa> (clamav is being updated via -updates)
+	[bookworm] - clamav 1.0.9+dfsg-1~deb12u1
 	NOTE: https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html
 CVE-2025-20234 (A vulnerability in Universal Disk Format (UDF) processing of ClamAV co ...)
 	- clamav 1.4.3+dfsg-1 (bug #1108045)
@@ -25650,7 +25650,7 @@ CVE-2025-5309 (The chat feature within Remote Support (RS) and Privileged Remote
 	NOT-FOR-US: BeyondTrust
 CVE-2025-4748 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
 	- erlang 1:27.3.4.1+dfsg-1 (bug #1107939)
-	[bookworm] - erlang <no-dsa> (Minor issue, will be fixed via spu)
+	[bookworm] - erlang 1:25.2.3+dfsg-1+deb12u2
 	NOTE: https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc
 	NOTE: https://github.com/erlang/otp/pull/9941
 	NOTE: https://github.com/erlang/otp/commit/10608879c81332af2d3c00db61ee173c93c1ea4e (OTP-26.2.5.13, OTP-27.3.4.1)
@@ -27322,7 +27322,7 @@ CVE-2023-48786 (A server-side request forgery vulnerability [CWE-918] in Fortine
 	NOT-FOR-US: Fortinet
 CVE-2025-49133 (Libtpms is a library that targets the integration of TPM functionality ...)
 	- libtpms 0.9.2-3.2 (bug #1107617)
-	[bookworm] - libtpms <no-dsa> (Minor issue)
+	[bookworm] - libtpms 0.9.2-3.1+deb12u1
 	NOTE: Fixed by: https://github.com/stefanberger/libtpms/commit/9f9baccdba9cd3fc32f1355613abd094b21f7ba0 (v0.9.7)
 CVE-2025-5952 (A vulnerability, which was classified as critical, has been found in Z ...)
 	NOT-FOR-US: Zend.To
@@ -27471,25 +27471,25 @@ CVE-2025-5918 (A vulnerability has been identified in the libarchive library. Th
 	NOTE: Regression fixed by: https://github.com/libarchive/libarchive/commit/51b4c35bb38b7df4af24de7f103863dd79129b01
 CVE-2025-5917 (A vulnerability has been identified in the libarchive library. This fl ...)
 	- libarchive 3.7.4-4 (bug #1107626)
-	[bookworm] - libarchive <no-dsa> (Minor issue)
+	[bookworm] - libarchive 3.6.2-1+deb12u3
 	[bullseye] - libarchive <postponed> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/pull/2588
 	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85 (v3.8.0)
 CVE-2025-5916 (A vulnerability has been identified in the libarchive library. This fl ...)
 	- libarchive 3.7.4-4 (bug #1107623)
-	[bookworm] - libarchive <no-dsa> (Minor issue)
+	[bookworm] - libarchive 3.6.2-1+deb12u3
 	[bullseye] - libarchive <postponed> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/pull/2568
 	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/ef093729521fcf73fa4007d5ae77adfe4df42403 (v3.8.0)
 CVE-2025-5915 (A vulnerability has been identified in the libarchive library. This fl ...)
 	- libarchive 3.7.4-4 (bug #1107622)
-	[bookworm] - libarchive <no-dsa> (Minor issue)
+	[bookworm] - libarchive 3.6.2-1+deb12u3
 	[bullseye] - libarchive <postponed> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/pull/2599
 	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c (v3.8.0)
 CVE-2025-5914 (A vulnerability has been identified in the libarchive library, specifi ...)
 	- libarchive 3.7.4-4 (bug #1107621)
-	[bookworm] - libarchive <no-dsa> (Minor issue)
+	[bookworm] - libarchive 3.6.2-1+deb12u3
 	[bullseye] - libarchive <postponed> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/pull/2598
 	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/09685126fcec664e2b8ca595e1fc371bd494d209 (v3.8.0)
@@ -29585,7 +29585,7 @@ CVE-2025-48494 (Gokapi is a self-hosted file sharing server with automatic expir
 CVE-2025-48387 (tar-fs provides filesystem bindings for tar-stream. Versions prior to  ...)
 	{DLA-4214-1}
 	- node-tar-fs 3.0.9+~cs2.0.4-1
-	[bookworm] - node-tar-fs <no-dsa> (Minor issue)
+	[bookworm] - node-tar-fs 2.1.3-0+deb12u1
 	NOTE: https://github.com/mafintosh/tar-fs/security/advisories/GHSA-8cj5-5rvv-wf4v
 	NOTE: Fixed by: https://github.com/mafintosh/tar-fs/commit/647447b572bc135c41035e82ca7b894f02b17f0f (v3.0.9)
 CVE-2025-47585 (Missing Authorization vulnerability in Mage people team Booking and Re ...)
@@ -29836,7 +29836,7 @@ CVE-2025-1499 (IBM InfoSphere Information Server 11.7 stores credential informat
 	NOT-FOR-US: IBM
 CVE-2025-40908 (YAML-LibYAML prior to 0.903.0 for Perl uses 2-args open, allowing exis ...)
 	- libyaml-libyaml-perl 0.903.0+ds-1
-	[bookworm] - libyaml-libyaml-perl <no-dsa> (Minor issue)
+	[bookworm] - libyaml-libyaml-perl 0.86+ds-1+deb12u1
 	[bullseye] - libyaml-libyaml-perl <postponed> (Minor issue)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/30071726/
 	NOTE: https://github.com/ingydotnet/yaml-libyaml-pm/issues/120
@@ -30503,7 +30503,7 @@ CVE-2024-38341 (IBM Sterling Secure Proxy 6.0.0.0 through 6.0.3.1, 6.1.0.0 throu
 CVE-2025-48734 (Improper Access Control vulnerability in Apache Commons.    A special  ...)
 	{DLA-4229-1}
 	- commons-beanutils 1.10.1-1.1 (bug #1106746)
-	[bookworm] - commons-beanutils <no-dsa> (Minor issue; can be fixed via point release)
+	[bookworm] - commons-beanutils 1.9.4-1+deb12u1
 	NOTE: https://www.openwall.com/lists/oss-security/2025/05/28/6
 	NOTE: https://dlcdn.apache.org/commons/beanutils/RELEASE-NOTES.txt
 	NOTE: Fixed upstream in 1.11.0
@@ -31578,7 +31578,7 @@ CVE-2024-13945 (Stored Absolute Path Traversal vulnerabilities in ASPECT could e
 CVE-2023-53154 (parse_string in cJSON before 1.7.18 has a heap-based buffer over-read  ...)
 	{DLA-4216-1}
 	- cjson 1.7.18-1
-	[bookworm] - cjson <no-dsa> (Minor issue)
+	[bookworm] - cjson 1.7.15-1+deb12u3
 	NOTE: https://github.com/DaveGamble/cJSON/issues/800
 	NOTE: https://github.com/DaveGamble/cJSON/pull/852
 	NOTE: Fixed by: https://github.com/DaveGamble/cJSON/commit/3ef4e4e730e5efd381be612df41e1ff3f5bb3c32 (v1.7.18)
@@ -31593,7 +31593,7 @@ CVE-2018-25110 (Marked prior to version 0.3.17 is vulnerable to a Regular Expres
 CVE-2025-40909 (Perl threads have a working directory race condition where file operat ...)
 	[experimental] - perl 5.40.1-4
 	- perl 5.40.1-5 (bug #1098226)
-	[bookworm] - perl <no-dsa> (Minor issue; Perl maintainer will fix it via point release)
+	[bookworm] - perl 5.36.0-7+deb12u3
 	[bullseye] - perl <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/Perl/perl5/issues/23010
 	NOTE: Fixed by: https://github.com/Perl/perl5/commit/fc8063aa51f400394f2e44173fd4f87f080502c9 (v5.41.13)
@@ -31992,7 +31992,7 @@ CVE-2025-48063 (XWiki is a generic wiki platform. In XWiki 16.10.0, required rig
 CVE-2025-48060 (jq is a command-line JSON processor. In versions up to and including 1 ...)
 	- jq 1.8.0-1 (bug #1106288)
 	[trixie] - jq 1.7.1-6+deb13u1
-	[bookworm] - jq <no-dsa> (Minor issue)
+	[bookworm] - jq 1.6-2.1+deb12u1
 	[bullseye] - jq <postponed> (Minor issue; revisit when fixed upstream)
 	NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-p7rr-28xf-3m5w
 CVE-2025-48012 (Authentication Bypass by Capture-replay vulnerability in Drupal One Ti ...)
@@ -33464,7 +33464,7 @@ CVE-2025-47931 (LibreNMS is PHP/MySQL/SNMP based network monitoring software. Li
 CVE-2025-47273 (setuptools is a package that allows users to download, build, install, ...)
 	{DLA-4183-1}
 	- setuptools 78.1.1-0.1 (bug #1105970)
-	[bookworm] - setuptools <no-dsa> (Minor issue)
+	[bookworm] - setuptools 66.1.1-1+deb12u2
 	NOTE: https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf
 	NOTE: https://github.com/pypa/setuptools/issues/4946
 	NOTE: Fixed by: https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b (v78.1.1)
@@ -33537,7 +33537,7 @@ CVE-2025-4806 (A vulnerability, which was classified as critical, has been found
 CVE-2025-4802 (Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GN ...)
 	{DLA-4181-1}
 	- glibc 2.39-4
-	[bookworm] - glibc <no-dsa> (Minor issue)
+	[bookworm] - glibc 2.36-9+deb12u11
 	NOTE: Introduced with: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=10e93d968716ab82931d593bada121c17c0a4b93 (glibc-2.27)
 	NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5451fa962cd0a90a0e2ec1d8910a559ace02bba0 (glibc-2.39)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=32976
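Review bot: The fixed version recorded for CVE-2025-4802 is 2.36-9+deb12u11, while the CVE-2025-8058 glibc entry in this same commit records 2.36-9+deb12u13. If deb12u11 is the first bookworm upload carrying the fix this is correct as written; otherwise please check that the revision is not a typo.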
@@ -36573,7 +36573,7 @@ CVE-2025-46812 (Trix is a what-you-see-is-what-you-get rich text editor for ever
 	NOT-FOR-US: Trix
 CVE-2025-46712 (Erlang/OTP is a set of libraries for the Erlang programming language.  ...)
 	- erlang 1:27.3.4+dfsg-1 (bug #1104963)
-	[bookworm] - erlang <no-dsa> (Minor issue)
+	[bookworm] - erlang 1:25.2.3+dfsg-1+deb12u2
 	[bullseye] - erlang <postponed> (Minor issue, "no immediate security impact")
 	NOTE: https://github.com/erlang/otp/security/advisories/GHSA-934x-xq38-hhqf
 	NOTE: https://github.com/erlang/otp/commit/e4b56a9f4a511aa9990dd86c16c61439c828df83 (OTP-25.3.2.21)
@@ -37240,7 +37240,7 @@ CVE-2025-47423 (Personal Weather Station Dashboard 12_lts allows unauthenticated
 CVE-2025-47203 (dbclient in Dropbear SSH before 2025.88 allows command injection via a ...)
 	{DLA-4169-1}
 	- dropbear 2025.88-1
-	[bookworm] - dropbear <no-dsa> (Minor issue)
+	[bookworm] - dropbear 2022.83-1+deb12u3
 	NOTE: Fixed by: https://github.com/mkj/dropbear/commit/e5a0ef27c227f7ae69d9a9fec98a056494409b9b (DROPBEAR_2025.88)
 CVE-2025-46828 (WeGIA is a web manager for charitable institutions.  An unauthenticate ...)
 	NOT-FOR-US: WeGIA
@@ -37543,7 +37543,7 @@ CVE-2025-4374 (A flaw was found in Quay. When an organization acts as a proxy ca
 	NOT-FOR-US: Quay
 CVE-2025-4373 (A flaw was found in GLib, which is vulnerable to an integer overflow i ...)
 	- glib2.0 2.84.1-3 (bug #1104930)
-	[bookworm] - glib2.0 <no-dsa> (Minor issue)
+	[bookworm] - glib2.0 2.74.6-2+deb12u7
 	[bullseye] - glib2.0 <postponed> (Minor issue, fix along with next update)
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/3677
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4588
@@ -38928,7 +38928,7 @@ CVE-2025-46345 (Auth0 Account Link Extension is an extension aimed to help link
 CVE-2025-46337 (ADOdb is a PHP database class library that provides abstractions for p ...)
 	{DLA-4177-1}
 	- libphp-adodb 5.22.9-0.1 (bug #1104548)
-	[bookworm] - libphp-adodb <no-dsa> (Will be fixed via point release)
+	[bookworm] - libphp-adodb 5.21.4-1+deb12u1
 	NOTE: https://github.com/ADOdb/ADOdb/security/advisories/GHSA-8x27-jwjr-8545
 	NOTE: https://github.com/ADOdb/ADOdb/issues/1070
 	NOTE: https://github.com/ADOdb/ADOdb/commit/11107d6d6e5160b62e05dff8a3a2678cf0e3a426 (v5.22.9)
@@ -41465,7 +41465,7 @@ CVE-2025-46435 (Cross-Site Request Forgery (CSRF) vulnerability in Yash Binani T
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2025-46421 (A flaw was found in libsoup. When libsoup clients encounter an HTTP re ...)
 	- libsoup3 3.6.5-1
-	[bookworm] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 3.2.3-0+deb12u1
 	- libsoup2.4 <unfixed> (bug #1104054)
 	[trixie] - libsoup2.4 <no-dsa> (Minor issue)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
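Review bot: For CVE-2025-46421 only the libsoup3 line changes; the context still shows "[bookworm] - libsoup2.4 <no-dsa> (Minor issue)" under "- libsoup2.4 <unfixed>", so bookworm stays affected through libsoup2.4 after this merge. Worth confirming that libsoup2.4 was not part of the same point-release upload; the CVE-2025-46420 entry in the next hunk has the same split.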
@@ -41474,7 +41474,7 @@ CVE-2025-46421 (A flaw was found in libsoup. When libsoup clients encounter an H
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/3e5c26415811f19e7737238bb23305ffaf96f66b (3.6.5)
 CVE-2025-46420 (A flaw was found in libsoup. It is vulnerable to memory leaks in the s ...)
 	- libsoup3 3.6.4-1
-	[bookworm] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 3.2.3-0+deb12u1
 	- libsoup2.4 2.74.3-10.1 (bug #1104055)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/438
@@ -41619,6 +41619,7 @@ CVE-2025-46417 (The unsafe globals in Picklescan before 0.0.25 do not include ss
 CVE-2025-46400 (In xfig diagramming tool, a segmentation fault while running fig2dev a ...)
 	{DLA-4147-1}
 	- fig2dev 1:3.2.9a-3 (unimportant)
+	[bookworm] - fig2dev 1:3.2.8b-3+deb12u2
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2362054
 	NOTE: https://sourceforge.net/p/mcj/tickets/187/
 	NOTE: Error covered with: https://sourceforge.net/p/mcj/fig2dev/ci/1e5515a1ea2ec8651cf85ab5000d026bb962492a/
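Review bot: The new [bookworm] line for CVE-2025-46400 records 1:3.2.8b-3+deb12u2 as fixed, but the only commit NOTE in the context reads "Error covered with" rather than "Fixed by". Please confirm the deb12u2 upload includes that commit, and consider normalising the NOTE wording to match the "Fixed by:" form used by the fig2dev entries that follow.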
@@ -41627,18 +41628,21 @@ CVE-2025-46400 (In xfig diagramming tool, a segmentation fault while running fig
 CVE-2025-46399 (A flaw was found in fig2dev. This vulnerability allows availability vi ...)
 	{DLA-4147-1}
 	- fig2dev 1:3.2.9a-4 (unimportant)
+	[bookworm] - fig2dev 1:3.2.8b-3+deb12u2
 	NOTE: https://sourceforge.net/p/mcj/tickets/190/
 	NOTE: Fixed by: https://sourceforge.net/p/mcj/fig2dev/ci/2bd6c0b210916d0d3ca81f304535b5af0849aa93/
 	NOTE: Crash in CLI tool, no security impact
 CVE-2025-46398 (In xfig diagramming tool, a stack-overflow while running fig2dev allow ...)
 	{DLA-4147-1}
 	- fig2dev 1:3.2.9a-4 (unimportant)
+	[bookworm] - fig2dev 1:3.2.8b-3+deb12u2
 	NOTE: https://sourceforge.net/p/mcj/tickets/191/
 	NOTE: Fixed by: https://sourceforge.net/p/mcj/fig2dev/ci/5f22009dba73922e98d49c0096cece8b215cd45b/
 	NOTE: Crash in CLI tool, no security impact
 CVE-2025-46397 (In xfig diagramming tool, a stack-overflowwhile running fig2dev allows ...)
 	{DLA-4147-1}
 	- fig2dev 1:3.2.9a-4 (unimportant)
+	[bookworm] - fig2dev 1:3.2.8b-3+deb12u2
 	NOTE: https://sourceforge.net/p/mcj/tickets/192/
 	NOTE: Fixed by: https://sourceforge.net/p/mcj/fig2dev/ci/dfa8b661b506a463a669754ed635b0a8eb67580e/
 	NOTE: Crash in CLI tool, no security impact
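Review bot: The three "[bookworm] - fig2dev 1:3.2.8b-3+deb12u2" lines are pure additions under entries whose package line is tagged "(unimportant)" and whose NOTE reads "Crash in CLI tool, no security impact", unlike the rest of the patch, which replaces an existing no-dsa line. Recording the version is harmless, but the commit message only says "updates with CVEs", so a word there that unimportant entries also receive release-specific versions would make the intent clear to later readers.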
@@ -42242,22 +42246,22 @@ CVE-2025-43966 (libheif before 1.19.6 has a NULL pointer dereference in ImageIte
 CVE-2025-43964 (In LibRaw before 0.21.4, tag 0x412 processing in phase_one_correct in  ...)
 	{DLA-4142-1}
 	- libraw 0.21.4-1 (bug #1103783)
-	[bookworm] - libraw <no-dsa> (Minor issue)
+	[bookworm] - libraw 0.20.2-2.1+deb12u1
 	NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0 (0.21.4)
 CVE-2025-43963 (In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cp ...)
 	{DLA-4142-1}
 	- libraw 0.21.4-1 (bug #1103782)
-	[bookworm] - libraw <no-dsa> (Minor issue)
+	[bookworm] - libraw 0.20.2-2.1+deb12u1
 	NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/be26e7639ecf8beb55f124ce780e99842de2e964 (0.21.4)
 CVE-2025-43962 (In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cp ...)
 	{DLA-4142-1}
 	- libraw 0.21.4-1 (bug #1103781)
-	[bookworm] - libraw <no-dsa> (Minor issue)
+	[bookworm] - libraw 0.20.2-2.1+deb12u1
 	NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/66fe663e02a4dd610b4e832f5d9af326709336c2 (0.21.4)
 CVE-2025-43961 (In LibRaw before 0.21.4, metadata/tiff.cpp has an out-of-bounds read i ...)
 	{DLA-4142-1}
 	- libraw 0.21.4-1 (bug #1103781)
-	[bookworm] - libraw <no-dsa> (Minor issue)
+	[bookworm] - libraw 0.20.2-2.1+deb12u1
 	NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/66fe663e02a4dd610b4e832f5d9af326709336c2 (0.21.4)
 CVE-2025-0632 (Local File Inclusion (LFI) vulnerability in a Render function of Formu ...)
 	NOT-FOR-US: Formulatrix Rock Maker Web (RMW)
@@ -42318,7 +42322,7 @@ CVE-2025-3819 (A vulnerability has been found in PHPGurukul Men Salon Management
 CVE-2025-3818 (A vulnerability, which was classified as critical, was found in webpy  ...)
 	{DLA-4189-1}
 	- webpy 1:0.62-6 (bug #1103780)
-	[bookworm] - webpy <no-dsa> (Minor issue; can be fixed in point release)
+	[bookworm] - webpy 1:0.62-4+deb12u1
 	NOTE: https://noppgwz8if.feishu.cn/docx/TxjpddUpTokyBwxibSgcTRr7nUf
 	NOTE: https://github.com/webpy/webpy/issues/806
 	NOTE: Fixed by: https://github.com/webpy/webpy/commit/3ba1b40e5a828a26a1df1b49cdc87395f3274c81
@@ -44460,7 +44464,7 @@ CVE-2025-30722 (Vulnerability in the MySQL Client product of Oracle MySQL (compo
 	{DLA-4208-1}
 	- mysql-8.0 8.0.42-1 (bug #1103385)
 	- mariadb 1:11.8.2-1 (bug #1105976)
-	[bookworm] - mariadb <no-dsa> (Minor issue, will be fixed in next point release)
+	[bookworm] - mariadb 1:10.11.13-0+deb12u1
 	- mariadb-10.5 <removed>
 	NOTE: Fixed in MariaDB: 11.4.6, 10.6.22, 10.5.29, 10.11.12
 	NOTE: MariaDB bug: https://jira.mariadb.org/browse/MDEV-36268
@@ -44537,7 +44541,7 @@ CVE-2025-30693 (Vulnerability in the MySQL Server product of Oracle MySQL (compo
 	{DLA-4208-1}
 	- mysql-8.0 8.0.42-1 (bug #1103385)
 	- mariadb 1:11.8.2-1 (bug #1105976)
-	[bookworm] - mariadb <no-dsa> (Minor issue, will be fixed in next point release)
+	[bookworm] - mariadb 1:10.11.13-0+deb12u1
 	- mariadb-10.5 <removed>
 	NOTE: Fixed in MariaDB: 11.4.6, 10.6.22, 10.5.29, 10.11.12
 	NOTE: MariaDB bug: https://jira.mariadb.org/browse/MDEV-36613
@@ -44980,7 +44984,7 @@ CVE-2025-3588 (A vulnerability, which was classified as problematic, has been fo
 CVE-2025-3576 (A vulnerability in the MIT Kerberos implementation allows GSSAPI-prote ...)
 	{DLA-4195-1}
 	- krb5 1.21.2-1 (bug #1103525)
-	[bookworm] - krb5 <no-dsa> (Minor issue)
+	[bookworm] - krb5 1.20.1-2+deb12u4
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2359465
 	NOTE: CVE relates to issues covered in:
 	NOTE: https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf
@@ -45117,7 +45121,7 @@ CVE-2025-32913 (A flaw was found in libsoup, where the soup_message_headers_get_
 CVE-2025-32912 (A flaw was found in libsoup, where SoupAuthDigest is vulnerable to a N ...)
 	{DLA-4140-1}
 	- libsoup3 3.6.5-1
-	[bookworm] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 3.2.3-0+deb12u1
 	- libsoup2.4 2.74.3-10.1 (bug #1103516)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/434
@@ -45129,7 +45133,7 @@ CVE-2025-32912 (A flaw was found in libsoup, where SoupAuthDigest is vulnerable
 CVE-2025-32911 (A use-after-free type vulnerability was found in libsoup, in the soup_ ...)
 	{DLA-4140-1}
 	- libsoup3 3.6.4-1
-	[bookworm] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 3.2.3-0+deb12u1
 	- libsoup2.4 2.74.3-10.1 (bug #1103515)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/433
@@ -45138,7 +45142,7 @@ CVE-2025-32911 (A use-after-free type vulnerability was found in libsoup, in the
 CVE-2025-32910 (A flaw was found in libsoup, where soup_auth_digest_authenticate() is  ...)
 	{DLA-4140-1}
 	- libsoup3 3.6.4-1
-	[bookworm] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 3.2.3-0+deb12u1
 	- libsoup2.4 2.74.3-10.1 (bug #1103516)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/432
@@ -45147,7 +45151,7 @@ CVE-2025-32910 (A flaw was found in libsoup, where soup_auth_digest_authenticate
 CVE-2025-32909 (A flaw was found in libsoup. SoupContentSniffer may be vulnerable to a ...)
 	{DLA-4140-1}
 	- libsoup3 3.6.4-1
-	[bookworm] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 3.2.3-0+deb12u1
 	- libsoup2.4 2.74.3-10.1 (bug #1103517)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/431
@@ -45172,7 +45176,7 @@ CVE-2025-32907 (A flaw was found in libsoup. The implementation of HTTP range re
 CVE-2025-32906 (A flaw was found in libsoup, where the soup_headers_parse_request() fu ...)
 	{DLA-4140-1}
 	- libsoup3 3.6.5-1
-	[bookworm] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 3.2.3-0+deb12u1
 	- libsoup2.4 2.74.3-10.1 (bug #1103521)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/404
@@ -48201,14 +48205,14 @@ CVE-2025-32054 (In JetBrains IntelliJ IDEA before 2024.3, 2024.2.4 source code c
 CVE-2025-32052 (A flaw was found in libsoup. A vulnerability in the sniff_unknown() fu ...)
 	{DLA-4140-1}
 	- libsoup3 3.6.1-1
-	[bookworm] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 3.2.3-0+deb12u1
 	- libsoup2.4 2.74.3-10 (bug #1102214)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/425
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/f182429e5b1fc034050510da20c93256c4fa9652 (3.6.1)
 CVE-2025-32051 (A flaw was found in libsoup. The libsoup soup_uri_decode_data_uri() fu ...)
 	- libsoup3 3.6.1-1
-	[bookworm] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 3.2.3-0+deb12u1
 	- libsoup2.4 <not-affected> (Vulnerable code introduced later, cf #1102213)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/401
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/0713ba4a719da938dc8facc89fca99cd0aa3069f (3.6.1)
@@ -48217,7 +48221,7 @@ CVE-2025-32051 (A flaw was found in libsoup. The libsoup soup_uri_decode_data_ur
 CVE-2025-32050 (A flaw was found in libsoup. The libsoup append_param_quoted() functio ...)
 	{DLA-4140-1}
 	- libsoup3 3.6.1-1
-	[bookworm] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 3.2.3-0+deb12u1
 	- libsoup2.4 2.74.3-10 (bug #1102212)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/424
@@ -48508,7 +48512,7 @@ CVE-2025-2874 (The User Submitted Posts \u2013 Enable Users to Submit Posts from
 CVE-2025-2784 (A flaw was found in libsoup. The package is vulnerable to a heap buffe ...)
 	{DLA-4140-1}
 	- libsoup3 3.6.5-1
-	[bookworm] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 3.2.3-0+deb12u1
 	- libsoup2.4 2.74.3-10 (bug #1102208)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/422
@@ -48518,7 +48522,7 @@ CVE-2025-2784 (A flaw was found in libsoup. The package is vulnerable to a heap
 CVE-2025-32053 (A flaw was found in libsoup. A vulnerability in sniff_feed_or_html() a ...)
 	{DLA-4140-1}
 	- libsoup3 3.6.1-1
-	[bookworm] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 3.2.3-0+deb12u1
 	- libsoup2.4 2.74.3-10 (bug #1102215)
 	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/426
@@ -51800,7 +51804,7 @@ CVE-2024-55070 (A Broken Object Level Authorization vulnerability in the compone
 CVE-2024-12905 (An Improper Link Resolution Before File Access ("Link Following") and  ...)
 	{DLA-4214-1}
 	- node-tar-fs 3.0.8+~cs2.0.4-1 (bug #1101501)
-	[bookworm] - node-tar-fs <no-dsa> (Minor issue)
+	[bookworm] - node-tar-fs 2.1.3-0+deb12u1
 	NOTE: https://github.com/advisories/GHSA-pq67-2wwv-3xjx
 	NOTE: https://github.com/mafintosh/tar-fs/commit/fd1634e869e7c5f85948e95eabdaa8451a085de5 (v2.1.2)
 	NOTE: https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed (v3.0.7)
@@ -53445,7 +53449,7 @@ CVE-2025-29795 (Improper link resolution before file access ('link following') i
 CVE-2025-27553 (Relative Path Traversal vulnerability in Apache Commons VFS before 2.1 ...)
 	{DLA-4111-1}
 	- commons-vfs 2.1-5 (bug #1101204)
-	[bookworm] - commons-vfs <no-dsa> (Minor issue; will be fixed via point release)
+	[bookworm] - commons-vfs 2.1-4+deb12u1
 	NOTE: https://www.openwall.com/lists/oss-security/2025/03/23/1
 	NOTE: Fixed by: https://github.com/apache/commons-vfs/commit/83d815afad4057234d9f928f6f00701bb7b51e86 (commons-vfs-2.10.0-RC1)
 CVE-2025-2644 (A vulnerability was found in PHPGurukul Art Gallery Management System  ...)
@@ -53514,7 +53518,7 @@ CVE-2024-13666 (The Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz
 	NOT-FOR-US: WordPress plugin
 CVE-2025-30472 (Corosync through 3.1.9, if encryption is disabled or the attacker know ...)
 	- corosync 3.1.9-2 (bug #1102006)
-	[bookworm] - corosync <no-dsa> (Minor issue)
+	[bookworm] - corosync 3.1.7-1+deb12u1
 	[bullseye] - corosync <postponed> (Minor issue)
 	NOTE: https://github.com/corosync/corosync/issues/778
 	NOTE: https://github.com/corosync/corosync/pull/779
@@ -54157,7 +54161,7 @@ CVE-2024-6982 (A remote code execution vulnerability exists in the Calculate fun
 CVE-2024-6866 (corydolphin/flask-cors version 4.01 contains a vulnerability where the ...)
 	{DLA-4197-1}
 	- python-flask-cors 6.0.0-1 (bug #1100988)
-	[bookworm] - python-flask-cors <postponed> (Minor issue, revisit when fixed upstream)
+	[bookworm] - python-flask-cors 3.0.10-2+deb12u1
 	NOTE: https://huntr.com/bounties/808c11af-faee-43a8-824b-b5ab4f62b9e6
 	NOTE: https://github.com/advisories/GHSA-43qf-4rqw-9q2g
 	NOTE: Fixed by: https://github.com/corydolphin/flask-cors/commit/eb39516a3c96b90d0ae5f51293972395ec3ef358 (6.0.0)
@@ -54170,7 +54174,7 @@ CVE-2024-6851 (In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup
 CVE-2024-6844 (A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inc ...)
 	{DLA-4197-1}
 	- python-flask-cors 6.0.0-1 (bug #1100988)
-	[bookworm] - python-flask-cors <postponed> (Minor issue, revisit when fixed upstream)
+	[bookworm] - python-flask-cors 3.0.10-2+deb12u1
 	NOTE: https://huntr.com/bounties/731a6cd4-d05f-4fe6-8f5b-fe088d7b34e0
 	NOTE: https://github.com/corydolphin/flask-cors/issues/385
 	NOTE: https://github.com/advisories/GHSA-8vgw-p6qm-5gr7
@@ -54182,7 +54186,7 @@ CVE-2024-6841 (A Cross-Site Request Forgery (CSRF) vulnerability exists in the l
 CVE-2024-6839 (corydolphin/flask-cors version 4.0.1 contains an improper regex path m ...)
 	{DLA-4197-1}
 	- python-flask-cors 6.0.1-1 (bug #1100988)
-	[bookworm] - python-flask-cors <postponed> (Minor issue, revisit when fixed upstream)
+	[bookworm] - python-flask-cors 3.0.10-2+deb12u1
 	NOTE: https://huntr.com/bounties/403eb1fc-86f4-4820-8eba-0f3dfae9f2b4
 	NOTE: https://github.com/advisories/GHSA-7rxf-gvfg-47g4
 	NOTE: Fixed by: https://github.com/corydolphin/flask-cors/commit/e970988bea563e05e8b8f53fa7bcc134b5bf5c5f (6.0.0)
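Review bot: The context for CVE-2024-6839 lists the unstable fix as "python-flask-cors 6.0.1-1" while its "Fixed by" NOTE is tagged (6.0.0) and the sibling entries CVE-2024-6866 and CVE-2024-6844 use 6.0.0-1. The patch does not touch that line, but since the new bookworm line asserts that 3.0.10-2+deb12u1 covers this CVE as well, please check whether 6.0.1-1 is deliberate (a follow-up fix that the bookworm backport also needs) or a leftover typo.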
@@ -55611,7 +55615,7 @@ CVE-2025-31335 (The OpenSAML C++ library before 3.3.1 allows forging of signed S
 	NOTE: https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=22a610b322e2178abd03e97cdbc8fb50b45efaee (3.3.1)
 CVE-2024-8176 (A stack overflow vulnerability exists in the libexpat library due to t ...)
 	- expat 2.7.0-1
-	[bookworm] - expat <ignored> (Minor issue and too intrusive to backport)
+	[bookworm] - expat 2.5.0-1+deb12u2
 	[bullseye] - expat <ignored> (Minor issue and too intrusive to backport)
 	- libxmltok <removed>
 	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
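Review bot: For CVE-2024-8176 the bookworm line moves from "<ignored> (Minor issue and too intrusive to backport)" to a fixed version, while the bullseye line directly below keeps the identical rationale. Now that a backport to 2.5.0 exists, "too intrusive to backport" no longer reads as self-evident for bullseye; suggest re-triaging that line or adding a NOTE that says why the bookworm backport does not carry over.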
@@ -56406,7 +56410,7 @@ CVE-2025-27789 (Babel is a compiler for writing next generation JavaScript. When
 CVE-2025-27773 (The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related fun ...)
 	{DLA-4161-1}
 	- simplesamlphp 1.19.7-2 (bug #1100595)
-	[bookworm] - simplesamlphp <no-dsa> (Will be fixed via point release)
+	[bookworm] - simplesamlphp 1.19.7-1+deb12u2
 	NOTE: https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56
 	NOTE: https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0
 	NOTE: SimpleSAMLphp SAML2 library embedded in simplesamlphp
@@ -57199,7 +57203,7 @@ CVE-2025-1362 (The URL Shortener | Conversion Tracking  | AB Testing  | WooComme
 	NOT-FOR-US: WordPress plugin
 CVE-2023-52971 (MariaDB Server 10.10 through 10.11.* and 11.0 through 11.4.* crashes i ...)
 	- mariadb 1:11.8.2-1 (bug #1100437)
-	[bookworm] - mariadb <no-dsa> (Minor issue)
+	[bookworm] - mariadb 1:10.11.13-0+deb12u1
 	- mariadb-10.5 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://jira.mariadb.org/browse/MDEV-32084
 	NOTE: Fixed in MariaDB: 10.11.12, 11.4.6, 11.8.2
@@ -57207,7 +57211,7 @@ CVE-2023-52971 (MariaDB Server 10.10 through 10.11.* and 11.0 through 11.4.* cra
 CVE-2023-52970 (MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through  ...)
 	{DLA-4154-1}
 	- mariadb 1:11.8.2-1 (bug #1100437)
-	[bookworm] - mariadb <no-dsa> (Minor issue)
+	[bookworm] - mariadb 1:10.11.13-0+deb12u1
 	- mariadb-10.5 <removed>
 	NOTE: https://jira.mariadb.org/browse/MDEV-32086
 	NOTE: Fixed in MariaDB: 10.5.29, 10.6.22, 10.11.12, 11.4.6, 11.8.2
@@ -57216,7 +57220,7 @@ CVE-2023-52970 (MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 th
 CVE-2023-52969 (MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through  ...)
 	{DLA-4154-1}
 	- mariadb 1:11.8.2-1 (bug #1100437)
-	[bookworm] - mariadb <no-dsa> (Minor issue)
+	[bookworm] - mariadb 1:10.11.13-0+deb12u1
 	- mariadb-10.5 <removed>
 	NOTE: https://jira.mariadb.org/browse/MDEV-32083
 	NOTE: Fixed in MariaDB: 10.5.29, 10.6.22, 10.11.12, 11.4.6, 11.8.2
@@ -57934,7 +57938,7 @@ CVE-2025-27622 (Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not reda
 CVE-2025-27516 (Jinja is an extensible templating engine. Prior to 3.1.6, an oversight ...)
 	{DLA-4126-1}
 	- jinja2 3.1.6-1 (bug #1099690)
-	[bookworm] - jinja2 <no-dsa> (Minor issue)
+	[bookworm] - jinja2 3.1.2-1+deb12u3
 	NOTE: https://github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7
 	NOTE: Fixed by: https://github.com/pallets/jinja/commit/065334d1ee5b7210e1a0a93c37238c86858f2af7 (3.1.6)
 CVE-2025-27508 (Emissary is a P2P based data-driven workflow engine. The ChecksumCalcu ...)
@@ -58537,7 +58541,7 @@ CVE-2025-27221 (In the URI gem before 1.0.3 for Ruby, the URI handling methods (
 	[bookworm] - ruby3.1 <no-dsa> (Minor issue)
 	- ruby2.7 <removed>
 	- rubygems 3.6.6-1
-	[bookworm] - rubygems <no-dsa> (Minor issue)
+	[bookworm] - rubygems 3.3.15-2+deb12u1
 	NOTE: https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495 (v1.0.3)
 	NOTE: https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5 (v1.0.3)
 	NOTE: https://github.com/ruby/uri/pull/154
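Review bot: In the CVE-2025-27221 entry the rubygems line is marked fixed at 3.3.15-2+deb12u1, but the first context line still shows "[bookworm] - ruby3.1 <no-dsa> (Minor issue)". Both source packages are tracked for the same URI gem issue, so bookworm remains open for this CVE after the change; worth confirming that ruby3.1 was not part of 12.12 and that the no-dsa line should stay.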
@@ -69598,7 +69602,7 @@ CVE-2024-56921 (An issue was discovered in Open5gs v2.7.2. InitialUEMessage, Reg
 CVE-2024-56161 (Improper signature verification in AMD CPU ROM microcode patch loader  ...)
 	{DLA-4098-1}
 	- amd64-microcode 3.20250311.1 (bug #1095470)
-	[bookworm] - amd64-microcode <no-dsa> (Minor issue in Debian context; AMD-SEV not supported)
+	[bookworm] - amd64-microcode 3.20250311.1~deb12u1
 	NOTE: https://www.openwall.com/lists/oss-security/2025/01/22/1
 	NOTE: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html
 	NOTE: https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w
@@ -72488,7 +72492,7 @@ CVE-2025-20156 (A vulnerability in the REST API of Cisco Meeting Management coul
 CVE-2025-20128 (A vulnerability in the Object Linking and Embedding 2 (OLE2) decryptio ...)
 	{DLA-4292-1}
 	- clamav 1.4.2+dfsg-1 (bug #1093880)
-	[bookworm] - clamav <no-dsa> (clamav is being updated via -updates)
+	[bookworm] - clamav 1.0.9+dfsg-1~deb12u1
 	NOTE: https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html
 CVE-2025-0651 (Improper Privilege Management vulnerability in Cloudflare WARP on Wind ...)
 	NOT-FOR-US: Cloudflare
@@ -76883,7 +76887,7 @@ CVE-2025-23022 (FreeType 2.8.1 has a signed integer overflow in cf2_doFlex in cf
 	NOTE: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1312
 CVE-2025-23016 (FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (an ...)
 	- libfcgi 2.4.5-0.1 (bug #1092774)
-	[bookworm] - libfcgi <no-dsa> (Minor issue)
+	[bookworm] - libfcgi 2.4.2-2+deb12u1
 	[bullseye] - libfcgi <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/FastCGI-Archives/fcgi2/issues/67
 	NOTE: https://github.com/FastCGI-Archives/fcgi2/pull/74
@@ -76940,14 +76944,14 @@ CVE-2024-5872 (On affected platforms running Arista EOS, a specially crafted pac
 	NOT-FOR-US: Arista EOS
 CVE-2024-57823 (In Raptor RDF Syntax Library through 2.0.16, there is an integer under ...)
 	- raptor2 2.0.16-6 (bug #1067896)
-	[bookworm] - raptor2 <no-dsa> (Minor issue; will be fixed via point release)
+	[bookworm] - raptor2 2.0.15-4+deb12u1
 	[bullseye] - raptor2 <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/pedrib/PoC/blob/master/fuzzing/raptor-fuzz.md
 	NOTE: https://github.com/dajobe/raptor/issues/70
 	NOTE: https://github.com/dajobe/raptor/commit/da7a79976bd0314c23cce55d22495e7d29301c44
 CVE-2024-57822 (In Raptor RDF Syntax Library through 2.0.16, there is a heap-based buf ...)
 	- raptor2 2.0.16-6 (bug #1067896)
-	[bookworm] - raptor2 <no-dsa> (Minor issue; will be fixed via point release)
+	[bookworm] - raptor2 2.0.15-4+deb12u1
 	[bullseye] - raptor2 <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/pedrib/PoC/blob/master/fuzzing/raptor-fuzz.md
 	NOTE: https://github.com/dajobe/raptor/issues/70
@@ -83039,7 +83043,7 @@ CVE-2024-56173 (In Optimizely Configured Commerce before 5.2.2408, malicious pay
 CVE-2024-48943
 	{DLA-4066-1}
 	- fort-validator 1.6.4-1
-	[bookworm] - fort-validator <no-dsa> (Will be fixed via spu)
+	[bookworm] - fort-validator 1.5.4-1+deb12u1
 	NOTE: https://nicmx.github.io/FORT-validator/CVE.html
 	NOTE: https://github.com/NICMx/FORT-validator/commit/4ee88d1c3fa7df763dd52312134cd93c1ce50870 (1.6.4)
 CVE-2024-56170 (A validation integrity issue was discovered in Fort through 1.6.4 befo ...)
@@ -94137,7 +94141,7 @@ CVE-2024-52533 (gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-on
 CVE-2024-52532 (GNOME libsoup before 3.6.1 has an infinite loop, and memory consumptio ...)
 	{DLA-3992-1}
 	- libsoup3 3.6.0-4 (bug #1087416)
-	[bookworm] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 3.2.3-0+deb12u1
 	- libsoup2.4 2.74.3-8.1 (bug #1089238)
 	[bookworm] - libsoup2.4 2.74.3-1+deb12u1
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/391
@@ -94148,7 +94152,7 @@ CVE-2024-52532 (GNOME libsoup before 3.6.1 has an infinite loop, and memory cons
 CVE-2024-52531 (GNOME libsoup before 3.6.1 allows a buffer overflow in applications th ...)
 	{DLA-3992-1}
 	- libsoup3 3.6.0-4 (bug #1087417)
-	[bookworm] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 3.2.3-0+deb12u1
 	- libsoup2.4 2.74.3-8.1 (bug #1089240)
 	[bookworm] - libsoup2.4 2.74.3-1+deb12u1
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407
@@ -94157,7 +94161,7 @@ CVE-2024-52531 (GNOME libsoup before 3.6.1 allows a buffer overflow in applicati
 CVE-2024-52530 (GNOME libsoup before 3.6.0 allows HTTP request smuggling in some confi ...)
 	{DLA-3992-1}
 	- libsoup3 3.5.2-1
-	[bookworm] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 3.2.3-0+deb12u1
 	- libsoup2.4 2.74.3-8.1 (bug #1088812)
 	[bookworm] - libsoup2.4 2.74.3-1+deb12u1
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
@@ -97658,7 +97662,7 @@ CVE-2024-42041 (The com.videodownload.browser.videodownloader (aka AppTool-Brows
 CVE-2024-3935 (In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, if a Mosquitt ...)
 	{DLA-4059-1}
 	- mosquitto 2.0.20-1
-	[bookworm] - mosquitto <no-dsa> (Will be fixed via point release for additional exposure for CI and potential testers)
+	[bookworm] - mosquitto 2.0.11-1.2+deb12u2
 	NOTE: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/197
 	NOTE: https://mosquitto.org/blog/2024/10/version-2-0-19-released/
 	NOTE: https://github.com/eclipse-mosquitto/mosquitto/commit/ae7a804dadac8f2aaedb24336df8496a9680fda9 (v2.0.19)
@@ -97701,7 +97705,7 @@ CVE-2024-10546 (A vulnerability classified as critical was found in open-scratch
 CVE-2024-10525 (In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a maliciou ...)
 	{DLA-4059-1}
 	- mosquitto 2.0.20-1
-	[bookworm] - mosquitto <no-dsa> (Will be fixed via point release for additional exposure for CI and potential testers)
+	[bookworm] - mosquitto 2.0.11-1.2+deb12u2
 	NOTE: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/190
 	NOTE: https://mosquitto.org/blog/2024/10/version-2-0-19-released/
 	NOTE: https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c (v2.0.19)
@@ -98065,14 +98069,14 @@ CVE-2024-50052 (Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <=
 CVE-2024-49769 (Waitress is a Web Server Gateway Interface server for Python 2 and 3.  ...)
 	{DLA-3955-1}
 	- waitress 3.0.1-1 (bug #1086468)
-	[bookworm] - waitress <no-dsa> (Minor issue)
+	[bookworm] - waitress 2.1.2-2+deb12u1
 	NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-3f84-rpwh-47g6
 	NOTE: https://github.com/Pylons/waitress/issues/418
 	NOTE: https://github.com/Pylons/waitress/pull/435
 	NOTE: Fixed by: https://github.com/Pylons/waitress/commit/1ae4e894c9f76543bee06584001583fc6fa8c95c (v3.0.1)
 CVE-2024-49768 (Waitress is a Web Server Gateway Interface server for Python 2 and 3.  ...)
 	- waitress 3.0.1-1 (bug #1086467)
-	[bookworm] - waitress <no-dsa> (Minor issue)
+	[bookworm] - waitress 2.1.2-2+deb12u1
 	[bullseye] - waitress <not-affected> (The vulnerable code was introduced in version 2.0)
 	NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj
 	NOTE: Fixed by: https://github.com/Pylons/waitress/commit/6943dcf556610ece2ff3cddb39e59a05ef110661 (v3.0.1)
@@ -98824,7 +98828,7 @@ CVE-2024-50624 (ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-mid
 	{DLA-4196-1}
 	[experimental] - kmail-account-wizard 4:24.08.0-1
 	- kmail-account-wizard 4:24.12.0-2 (bug #1086198)
-	[bookworm] - kmail-account-wizard <no-dsa> (Minor issue)
+	[bookworm] - kmail-account-wizard 4:22.12.3-1+deb12u1
 	NOTE: https://bugs.kde.org/show_bug.cgi?id=487882
 	NOTE: https://invent.kde.org/pim/kmail-account-wizard/-/commit/9784f5ab41c3aff435d4a88afb25585180a62ee4 (v24.07.80)
 	NOTE: Vulnerable code in src/ispdb/ispdb.cpp
@@ -98855,7 +98859,7 @@ CVE-2024-50613 (libsndfile through 1.2.2 has a reachable assertion, that may lea
 CVE-2024-50612 (libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out ...)
 	{DLA-4287-1}
 	- libsndfile 1.2.2-2 (bug #1088692)
-	[bookworm] - libsndfile <no-dsa> (Minor issue)
+	[bookworm] - libsndfile 1.2.0-1+deb12u1
 	NOTE: https://github.com/libsndfile/libsndfile/issues/1035
 	NOTE: Fixed by: https://github.com/libsndfile/libsndfile/commit/4755f5bd7854611d92ad0f1295587b439f9950ba
 CVE-2024-50611 (CycloneDX cdxgen through 10.10.7, when run against an untrusted codeba ...)
@@ -98930,7 +98934,7 @@ CVE-2024-10413 (A vulnerability, which was classified as critical, has been foun
 CVE-2024-50602 (An issue was discovered in libexpat before 2.6.4. There is a crash wit ...)
 	{DLA-4145-1}
 	- expat 2.6.3-2 (bug #1086134)
-	[bookworm] - expat <no-dsa> (Minor issue)
+	[bookworm] - expat 2.5.0-1+deb12u2
 	- libxmltok <removed>
 	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/915
@@ -99596,11 +99600,12 @@ CVE-2024-5764 (Use of Hard-coded Credentials vulnerability in Sonatype Nexus Rep
 	NOT-FOR-US: Sonatype
 CVE-2024-50383 (Botan before 3.6.0, when certain GCC versions are used, has a compiler ...)
 	- botan 2.19.5+dfsg-3 (bug #1086039)
-	[bookworm] - botan <no-dsa> (Minor issue)
+	[bookworm] - botan 2.19.3+dfsg-1+deb12u1
 	[bullseye] - botan <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957 (3.6.0)
 CVE-2024-50382 (Botan before 3.6.0, when certain LLVM versions are used, has compiler- ...)
 	- botan 2.19.5+dfsg-3 (unimportant)
+	[bookworm] - botan 2.19.3+dfsg-1+deb12u1
 	NOTE: https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957 (3.6.0)
 	NOTE: Debian packages not compiled with LLVM
 CVE-2024-50050 (Llama Stack prior to revision 7a8aa775e5a267cf8660d83140011a0b7f91e005 ...)
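Review bot: Both botan entries in this hunk cite only the upstream commit tagged (3.6.0), while the fixed versions recorded for unstable (2.19.5+dfsg-3) and now for bookworm (2.19.3+dfsg-1+deb12u1) are in the 2.19 series. If the 2.19 packages carry a backport of that commit, a NOTE naming the backported patch would let readers verify the bookworm version against something they can actually diff.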
@@ -103799,7 +103804,7 @@ CVE-2024-8530 (CWE-306: Missing Authentication for Critical Function vulnerabili
 	NOT-FOR-US: Schneider
 CVE-2024-8376 (In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve me ...)
 	- mosquitto 2.0.20-1 (bug #1084982)
-	[bookworm] - mosquitto <no-dsa> (Will be fixed via point release for additional exposure for CI and potential testers)
+	[bookworm] - mosquitto 2.0.11-1.2+deb12u2
 	[bullseye] - mosquitto <ignored> (Minor issue, too intrusive to backport)
 	NOTE: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/218
 	NOTE: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/227
@@ -114021,37 +114026,37 @@ CVE-2024-45240 (The TikTok (aka com.zhiliaoapp.musically) application before 34.
 CVE-2024-45239 (An issue was discovered in Fort before 1.6.3. A malicious RPKI reposit ...)
 	{DLA-4066-1}
 	- fort-validator 1.6.3-1
-	[bookworm] - fort-validator <no-dsa> (Will be fixed via spu)
+	[bookworm] - fort-validator 1.5.4-1+deb12u1
 	NOTE: https://nicmx.github.io/FORT-validator/CVE.html
 	NOTE: https://github.com/NICMx/FORT-validator/commit/942f921ba7244cdcf4574cedc4c16392a7cc594b (1.6.3)
 CVE-2024-45238 (An issue was discovered in Fort before 1.6.3. A malicious RPKI reposit ...)
 	{DLA-4066-1}
 	- fort-validator 1.6.3-1
-	[bookworm] - fort-validator <no-dsa> (Will be fixed via spu)
+	[bookworm] - fort-validator 1.5.4-1+deb12u1
 	NOTE: https://nicmx.github.io/FORT-validator/CVE.html
 	NOTE: https://github.com/NICMx/FORT-validator/commit/5689dea5e878fed28c5f338a27d7cda4151a14f1 (1.6.3)
 CVE-2024-45237 (An issue was discovered in Fort before 1.6.3. A malicious RPKI reposit ...)
 	{DLA-4066-1}
 	- fort-validator 1.6.3-1
-	[bookworm] - fort-validator <no-dsa> (Will be fixed via spu)
+	[bookworm] - fort-validator 1.5.4-1+deb12u1
 	NOTE: https://nicmx.github.io/FORT-validator/CVE.html
 	NOTE: https://github.com/NICMx/FORT-validator/commit/939d988551d17996be73f52c376a70a3d6ba69f9 (1.6.3)
 CVE-2024-45236 (An issue was discovered in Fort before 1.6.3. A malicious RPKI reposit ...)
 	{DLA-4066-1}
 	- fort-validator 1.6.3-1
-	[bookworm] - fort-validator <no-dsa> (Will be fixed via spu)
+	[bookworm] - fort-validator 1.5.4-1+deb12u1
 	NOTE: https://nicmx.github.io/FORT-validator/CVE.html
 	NOTE: https://github.com/NICMx/FORT-validator/commit/4dafbd9de64a5a0616af97365bc1751465b29d2e (1.6.3)
 CVE-2024-45235 (An issue was discovered in Fort before 1.6.3. A malicious RPKI reposit ...)
 	{DLA-4066-1}
 	- fort-validator 1.6.3-1
-	[bookworm] - fort-validator <no-dsa> (Will be fixed via spu)
+	[bookworm] - fort-validator 1.5.4-1+deb12u1
 	NOTE: https://nicmx.github.io/FORT-validator/CVE.html
 	NOTE: https://github.com/NICMx/FORT-validator/commit/b1eb3c507ae920859bbe294776ebc2bb30bb7e56 (1.6.3)
 CVE-2024-45234 (An issue was discovered in Fort before 1.6.3. A malicious RPKI reposit ...)
 	{DLA-4066-1}
 	- fort-validator 1.6.3-1
-	[bookworm] - fort-validator <no-dsa> (Will be fixed via spu)
+	[bookworm] - fort-validator 1.5.4-1+deb12u1
 	NOTE: https://nicmx.github.io/FORT-validator/CVE.html
 	NOTE: https://github.com/NICMx/FORT-validator/commit/521b1a0db5041258096fbabdf8fc1e10ecc793cf (1.6.3)
 CVE-2024-42340 (CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security)
@@ -126745,7 +126750,7 @@ CVE-2024-5793 (The Houzez Theme - Functionality plugin for WordPress is vulnerab
 	NOT-FOR-US: WordPress plugin
 CVE-2024-5569 (A Denial of Service (DoS) vulnerability exists in the jaraco/zipp libr ...)
 	- python-zipp 3.19.2-1
-	[bookworm] - python-zipp <no-dsa> (Minor issue)
+	[bookworm] - python-zipp 1.0.0-6+deb12u1
 	[bullseye] - python-zipp <no-dsa> (Minor issue)
 	NOTE: https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd (v3.19.1)
 CVE-2024-5549 (A CORS misconfiguration in the stitionai/devika repository allows atta ...)
@@ -126899,7 +126904,7 @@ CVE-2024-39677 (NHibernate is an object-relational mapper for the .NET framework
 	NOT-FOR-US: NHibernate
 CVE-2024-39312 (Botan is a C++ cryptography library. X.509 certificates can identify e ...)
 	- botan 2.19.5+dfsg-1
-	[bookworm] - botan <no-dsa> (Minor issue)
+	[bookworm] - botan 2.19.3+dfsg-1+deb12u1
 	[bullseye] - botan <no-dsa> (Minor issue)
 	NOTE: https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86
 CVE-2024-39308 (RailsAdmin is a Rails engine that provides an interface for managing d ...)
@@ -126912,7 +126917,7 @@ CVE-2024-37999 (A vulnerability has been identified in Medicalis Workflow Orches
 	NOT-FOR-US: Medicalis Workflow Orchestrator
 CVE-2024-34702 (Botan is a C++ cryptography library. X.509 certificates can identify e ...)
 	- botan 2.19.5+dfsg-1
-	[bookworm] - botan <no-dsa> (Minor issue)
+	[bookworm] - botan 2.19.3+dfsg-1+deb12u1
 	[bullseye] - botan <no-dsa> (Minor issue)
 	NOTE: https://github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j
 	NOTE: https://github.com/randombit/botan/pull/4034
@@ -128211,7 +128216,7 @@ CVE-2024-38480 ("Piccoma" App for Android and iOS versions prior to 6.20.0 uses
 	NOT-FOR-US: "Piccoma" App for Android and iOS
 CVE-2024-34703 (Botan is a C++ cryptography library. X.509 certificates can identify e ...)
 	- botan 2.19.4+dfsg-1
-	[bookworm] - botan <no-dsa> (Minor issue)
+	[bookworm] - botan 2.19.3+dfsg-1+deb12u1
 	[bullseye] - botan <no-dsa> (Minor issue)
 	NOTE: https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7
 	NOTE: https://github.com/randombit/botan/commit/fbe9ec578a8548958677224d2e60d2c2c838bc9a (3.3.0)
@@ -128310,7 +128315,7 @@ CVE-2019-25211 (parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mis
 	{DLA-4285-1}
 	- golang-github-gin-contrib-cors 1.7.6-1 (bug #1075962)
 	[trixie] - golang-github-gin-contrib-cors 1.4.0-1+deb13u1
-	[bookworm] - golang-github-gin-contrib-cors <no-dsa> (Minor issue)
+	[bookworm] - golang-github-gin-contrib-cors 1.4.0-1+deb12u1
 	NOTE: https://github.com/gin-contrib/cors/pull/57
 	NOTE: https://github.com/gin-contrib/cors/pull/106
 	NOTE: https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d (v1.6.0)
@@ -150473,7 +150478,7 @@ CVE-2024-33903 (In CARLA through 0.9.15.2, the collision sensor mishandles some
 	NOT-FOR-US: CARLA (carla-simulator)
 CVE-2024-33899 (RARLAB WinRAR before 7.00, on Linux and UNIX platforms, allows attacke ...)
 	- rar 2:7.00-1
-	[bookworm] - rar <ignored> (Non-free not supported)
+	[bookworm] - rar 2:7.01-1~deb12u1
 	[bullseye] - rar <no-dsa> (Non-free not supported)
 	- unrar-nonfree 1:7.0.3-1
 	[bookworm] - unrar-nonfree <ignored> (Non-free not supported)
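Review bot: The bookworm line for rar moves from `<ignored> (Non-free not supported)` to a fixed version, but the bookworm line for unrar-nonfree under the same CVE-2024-33899 keeps `<ignored> (Non-free not supported)`. Both packages carried the identical justification before this change, so the entry now reads inconsistently: either unrar-nonfree also received an update that should be recorded here, or its note should say why it stays ignored when rar did not. As it stands the CVE is still reported as unfixed in bookworm through unrar-nonfree.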
@@ -152275,7 +152280,7 @@ CVE-2024-21846 (An unauthenticated attacker can reset the board and stop transmi
 CVE-2024-1681 (corydolphin/flask-cors is vulnerable to log injection when the log lev ...)
 	{DLA-4197-1}
 	- python-flask-cors 4.0.1-1 (bug #1069764)
-	[bookworm] - python-flask-cors <no-dsa> (Minor issue)
+	[bookworm] - python-flask-cors 3.0.10-2+deb12u1
 	[buster] - python-flask-cors <postponed> (Minor issue)
 	NOTE: https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644
 	NOTE: https://github.com/corydolphin/flask-cors/issues/349
@@ -174464,7 +174469,7 @@ CVE-2023-52426 (libexpat through 2.5.0 allows recursive XML Entity Expansion if
 CVE-2023-52425 (libexpat through 2.5.0 allows a denial of service (resource consumptio ...)
 	{DLA-3893-1 DLA-3783-1}
 	- expat 2.6.0-1 (bug #1063238)
-	[bookworm] - expat <no-dsa> (Minor issue; can be fixed via point release)
+	[bookworm] - expat 2.5.0-1+deb12u2
 	- libxmltok <removed>
 	[bookworm] - libxmltok <ignored> (Minor issue, no runtime dependencies left)
 	NOTE: https://github.com/libexpat/libexpat/pull/789
@@ -216441,7 +216446,7 @@ CVE-2023-31484 (CPAN.pm before 2.35 does not verify TLS certificates when downlo
 	{DLA-3926-1}
 	[experimental] - perl 5.38.0~rc2-1
 	- perl 5.38.2-2 (bug #1035109)
-	[bookworm] - perl <no-dsa> (Minor issue)
+	[bookworm] - perl 5.36.0-7+deb12u3
 	[buster] - perl <no-dsa> (Minor issue)
 	NOTE: https://github.com/andk/cpanpm/pull/175
 	NOTE: https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0 (2.35-TRIAL)
@@ -224469,7 +224474,7 @@ CVE-2023-28756 (A ReDoS issue was discovered in the Time component through 0.2.1
 CVE-2023-28755 (A ReDoS issue was discovered in the URI component through 0.12.0 in Ru ...)
 	{DLA-4163-1 DLA-3858-1 DLA-3447-1 DLA-3408-1}
 	- rubygems 3.4.20-1
-	[bookworm] - rubygems <no-dsa> (Minor issue)
+	[bookworm] - rubygems 3.3.15-2+deb12u1
 	- ruby3.1 <removed> (bug #1038408)
 	[bookworm] - ruby3.1 <no-dsa> (Minor issue)
 	- ruby2.7 <removed>
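Review bot: Only the rubygems line is updated for bookworm in this hunk; the context line `[bookworm] - ruby3.1 <no-dsa> (Minor issue)` is untouched, so CVE-2023-28755 remains open for bookworm through ruby3.1 after the merge. If the 12.12 update did not include ruby3.1, that is correct as written, but it is worth confirming that the affected URI component shipped in ruby3.1 was not covered by the same point release and missed here.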
@@ -230567,7 +230572,7 @@ CVE-2023-26820 (siteproxy v1.0 was discovered to contain a path traversal vulner
 CVE-2023-26819 (cJSON 1.7.15 might allow a denial of service via a crafted JSON docume ...)
 	{DLA-4216-1}
 	- cjson 1.7.18-3.1 (bug #1103687)
-	[bookworm] - cjson <no-dsa> (Minor issue)
+	[bookworm] - cjson 1.7.15-1+deb12u3
 	NOTE: https://github.com/boofish/json_bugs/tree/main/cjson
 	NOTE: Fixed by: https://github.com/DaveGamble/cJSON/commit/a328d65ad490b64da8c87523cbbfe16050ba5bf6
 CVE-2023-26818 (Telegram 9.3.1 and 9.4.0 allows attackers to access restricted files,  ...)
@@ -279261,7 +279266,7 @@ CVE-2022-37661 (SmartRG SR506n 2.5.15 and SR510n 2.6.13 routers are vulnerable t
 CVE-2022-37660 (In hostapd 2.10 and earlier, the PKEX code remains active even after a ...)
 	{DLA-4123-1}
 	- wpa 2:2.10-24
-	[bookworm] - wpa <no-dsa> (Minor issue)
+	[bookworm] - wpa 2:2.10-12+deb12u3
 	NOTE: https://link.springer.com/article/10.1007/s10207-025-00988-3
 	NOTE: Fixed by: https://w1.fi/cgit/hostap/commit/?id=15af83cf1846870873a011ed4d714732f01cd2e4 (hostap_2_11)
 CVE-2022-37659
@@ -291770,7 +291775,7 @@ CVE-2022-33066
 CVE-2022-33065 (Multiple signed integers overflow in function au_read_header in src/au ...)
 	{DLA-4287-1}
 	- libsndfile 1.2.2-2 (bug #1051891)
-	[bookworm] - libsndfile <no-dsa> (Minor issue)
+	[bookworm] - libsndfile 1.2.0-1+deb12u1
 	[buster] - libsndfile <no-dsa> (Minor issue)
 	NOTE: https://github.com/libsndfile/libsndfile/issues/833
 	NOTE: https://github.com/libsndfile/libsndfile/issues/789
@@ -321965,7 +321970,7 @@ CVE-2021-46313 (The binary MP4Box in GPAC v1.0.1 was discovered to contain a seg
 CVE-2021-46312 (An issue was discovered IW44EncodeCodec.cpp in djvulibre 3.5.28 in all ...)
 	{DLA-4247-1}
 	- djvulibre 3.5.28-2.2 (bug #1052669)
-	[bookworm] - djvulibre <ignored> (Minor issue)
+	[bookworm] - djvulibre 3.5.28-2.2~deb12u1
 	[buster] - djvulibre <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/djvu/bugs/344/
 	NOTE: Fixed by: (only IW44EncodeCodec.cpp changes): https://sourceforge.net/p/djvu/djvulibre-git/ci/05d00e831a5c55af2d407a513a9157a03449dc2c/
@@ -321979,7 +321984,7 @@ CVE-2021-46311 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 v
 CVE-2021-46310 (An issue was discovered IW44Image.cpp in djvulibre 3.5.28 in allows at ...)
 	{DLA-4247-1}
 	- djvulibre 3.5.28-2.2 (bug #1052668)
-	[bookworm] - djvulibre <ignored> (Minor issue)
+	[bookworm] - djvulibre 3.5.28-2.2~deb12u1
 	[buster] - djvulibre <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/djvu/bugs/345/
 	NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6/
@@ -384001,7 +384006,7 @@ CVE-2021-25744
 	RESERVED
 CVE-2021-25743 (kubectl does not neutralize escape, meta or control sequences containe ...)
 	- kubernetes 1.31.4+ds-1 (bug #1016441)
-	[bookworm] - kubernetes <no-dsa> (will be fixed in point release)
+	[bookworm] - kubernetes 1.20.5+really1.20.2-1.1
 	[bullseye] - kubernetes <no-dsa> (Minor issue)
 	NOTE: https://github.com/kubernetes/kubernetes/issues/101695
 CVE-2021-25742 (A security issue was discovered in ingress-nginx where a user that can ...)
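Review bot: The new bookworm version on the kubernetes line, `1.20.5+really1.20.2-1.1`, has no `+deb12uN` or `~deb12uN` suffix, unlike the other bookworm lines changed in the hunks shown here. The same value appears in the entry removed from data/next-oldstable-point-update.txt, so the merge matches the queue, but the queued value itself should be checked against the accepted upload. If that string is the version bookworm already carried before the point release, this line marks CVE-2021-25743 as fixed in a package that was not changed.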


=====================================
data/next-oldstable-point-update.txt
=====================================
@@ -1,261 +1,3 @@
-CVE-2025-46712
-	[bookworm] - erlang 1:25.2.3+dfsg-1+deb12u2
-CVE-2025-4748
-	[bookworm] - erlang 1:25.2.3+dfsg-1+deb12u2
-CVE-2025-46397
-	[bookworm] - fig2dev 1:3.2.8b-3+deb12u2
-CVE-2025-46398
-	[bookworm] - fig2dev 1:3.2.8b-3+deb12u2
-CVE-2025-46399
-	[bookworm] - fig2dev 1:3.2.8b-3+deb12u2
-CVE-2025-46400
-	[bookworm] - fig2dev 1:3.2.8b-3+deb12u2
-CVE-2024-45234
-	[bookworm] - fort-validator 1.5.4-1+deb12u1
-CVE-2024-45235
-	[bookworm] - fort-validator 1.5.4-1+deb12u1
-CVE-2024-45236
-	[bookworm] - fort-validator 1.5.4-1+deb12u1
-CVE-2024-45237
-	[bookworm] - fort-validator 1.5.4-1+deb12u1
-CVE-2024-45238
-	[bookworm] - fort-validator 1.5.4-1+deb12u1
-CVE-2024-45239
-	[bookworm] - fort-validator 1.5.4-1+deb12u1
-CVE-2024-48943
-	[bookworm] - fort-validator 1.5.4-1+deb12u1
-CVE-2022-37660
-	[bookworm] - wpa 2:2.10-12+deb12u3
-CVE-2023-52425
-	[bookworm] - expat 2.5.0-1+deb12u2
-CVE-2024-50602
-	[bookworm] - expat 2.5.0-1+deb12u2
-CVE-2024-8176
-	[bookworm] - expat 2.5.0-1+deb12u2
-CVE-2024-8376
-	[bookworm] - mosquitto 2.0.11-1.2+deb12u2
-CVE-2024-3935
-	[bookworm] - mosquitto 2.0.11-1.2+deb12u2
-CVE-2024-10525
-	[bookworm] - mosquitto 2.0.11-1.2+deb12u2
-CVE-2025-27221
-	[bookworm] - rubygems 3.3.15-2+deb12u1
-CVE-2023-28755
-	[bookworm] - rubygems 3.3.15-2+deb12u1
-CVE-2025-46337
-	[bookworm] - libphp-adodb 5.21.4-1+deb12u1
-CVE-2023-52969
-	[bookworm] - mariadb 1:10.11.13-0+deb12u1
-CVE-2023-52970
-	[bookworm] - mariadb 1:10.11.13-0+deb12u1
-CVE-2023-52971
-	[bookworm] - mariadb 1:10.11.13-0+deb12u1
-CVE-2025-30693
-	[bookworm] - mariadb 1:10.11.13-0+deb12u1
-CVE-2025-30722
-	[bookworm] - mariadb 1:10.11.13-0+deb12u1
-CVE-2025-3576
-	[bookworm] - krb5 1.20.1-2+deb12u4
-CVE-2025-27773
-	[bookworm] - simplesamlphp 1.19.7-1+deb12u2
-CVE-2025-47203
-	[bookworm] - dropbear 2022.83-1+deb12u3
-CVE-2024-57823
-	[bookworm] - raptor2 2.0.15-4+deb12u1
-CVE-2024-57822
-	[bookworm] - raptor2 2.0.15-4+deb12u1
-CVE-2024-5569
-	[bookworm] - python-zipp 1.0.0-6+deb12u1
-CVE-2025-27516
-	[bookworm] - jinja2 3.1.2-1+deb12u3
-CVE-2025-43961
-	[bookworm] - libraw 0.20.2-2.1+deb12u1
-CVE-2025-43962
-	[bookworm] - libraw 0.20.2-2.1+deb12u1
-CVE-2025-43963
-	[bookworm] - libraw 0.20.2-2.1+deb12u1
-CVE-2025-43964
-	[bookworm] - libraw 0.20.2-2.1+deb12u1
-CVE-2025-47273
-	[bookworm] - setuptools 66.1.1-1+deb12u2
-CVE-2025-4802
-	[bookworm] - glibc 2.36-9+deb12u11
-CVE-2025-3818
-	[bookworm] - webpy 1:0.62-4+deb12u1
-CVE-2025-40908
-	[bookworm] - libyaml-libyaml-perl 0.86+ds-1+deb12u1
-CVE-2024-50624
-	[bookworm] - kmail-account-wizard 4:22.12.3-1+deb12u1
-CVE-2025-30472
-	[bookworm] - corosync 3.1.7-1+deb12u1
-CVE-2024-12905
-	[bookworm] - node-tar-fs 2.1.3-0+deb12u1
-CVE-2025-48387
-	[bookworm] - node-tar-fs 2.1.3-0+deb12u1
-CVE-2023-26819
-	[bookworm] - cjson 1.7.15-1+deb12u3
-CVE-2023-53154
-	[bookworm] - cjson 1.7.15-1+deb12u3
-CVE-2024-56161
-	[bookworm] - amd64-microcode 3.20250311.1~deb12u1
-CVE-2024-1681
-	[bookworm] - python-flask-cors 3.0.10-2+deb12u1
-CVE-2024-6866
-	[bookworm] - python-flask-cors 3.0.10-2+deb12u1
-CVE-2024-6839
-	[bookworm] - python-flask-cors 3.0.10-2+deb12u1
-CVE-2024-6844
-	[bookworm] - python-flask-cors 3.0.10-2+deb12u1
-CVE-2025-20128
-	[bookworm] - clamav 1.0.9+dfsg-1~deb12u1
-CVE-2025-20260
-	[bookworm] - clamav 1.0.9+dfsg-1~deb12u1
-CVE-2024-33899
-	[bookworm] - rar 2:7.01-1~deb12u1
-CVE-2021-25743
-	[bookworm] - kubernetes 1.20.5+really1.20.2-1.1
-CVE-2025-48060
-	[bookworm] - jq 1.6-2.1+deb12u1
-CVE-2024-6174
-	[bookworm] - cloud-init 22.4.2-1+deb12u3
-CVE-2024-11584
-	[bookworm] - cloud-init 22.4.2-1+deb12u3
-CVE-2024-52530
-	[bookworm] - libsoup3 3.2.3-0+deb12u1
-CVE-2024-52531
-	[bookworm] - libsoup3 3.2.3-0+deb12u1
-CVE-2024-52532
-	[bookworm] - libsoup3 3.2.3-0+deb12u1
-CVE-2025-32050
-	[bookworm] - libsoup3 3.2.3-0+deb12u1
-CVE-2025-32051
-	[bookworm] - libsoup3 3.2.3-0+deb12u1
-CVE-2025-32052
-	[bookworm] - libsoup3 3.2.3-0+deb12u1
-CVE-2025-32053
-	[bookworm] - libsoup3 3.2.3-0+deb12u1
-CVE-2025-2784
-	[bookworm] - libsoup3 3.2.3-0+deb12u1
-CVE-2025-32909
-	[bookworm] - libsoup3 3.2.3-0+deb12u1
-CVE-2025-32910
-	[bookworm] - libsoup3 3.2.3-0+deb12u1
-CVE-2025-32911
-	[bookworm] - libsoup3 3.2.3-0+deb12u1
-CVE-2025-46420
-	[bookworm] - libsoup3 3.2.3-0+deb12u1
-CVE-2025-32912
-	[bookworm] - libsoup3 3.2.3-0+deb12u1
-CVE-2025-32906
-	[bookworm] - libsoup3 3.2.3-0+deb12u1
-CVE-2025-46421
-	[bookworm] - libsoup3 3.2.3-0+deb12u1
-CVE-2025-27553
-	[bookworm] - commons-vfs 2.1-4+deb12u1
-CVE-2021-46310
-	[bookworm] - djvulibre 3.5.28-2.2~deb12u1
-CVE-2021-46312
-	[bookworm] - djvulibre 3.5.28-2.2~deb12u1
-CVE-2025-8058
-	[bookworm] - glibc 2.36-9+deb12u13
-CVE-2024-42516
-	[bookworm] - apache2 2.4.65-1~deb12u1
-CVE-2024-43204
-	[bookworm] - apache2 2.4.65-1~deb12u1
-CVE-2024-47252
-	[bookworm] - apache2 2.4.65-1~deb12u1
-CVE-2025-23048
-	[bookworm] - apache2 2.4.65-1~deb12u1
-CVE-2025-49630
-	[bookworm] - apache2 2.4.65-1~deb12u1
-CVE-2025-49812
-	[bookworm] - apache2 2.4.65-1~deb12u1
-CVE-2025-53020
-	[bookworm] - apache2 2.4.65-1~deb12u1
-CVE-2025-7783
-	[bookworm] - node-form-data 4.0.1-1+deb12u1
-CVE-2025-50952
-	[bookworm] - openjpeg2 2.5.0-2+deb12u2
-CVE-2025-7394
-	[bookworm] - wolfssl 5.5.4-2+deb12u2
-CVE-2025-48734
-	[bookworm] - commons-beanutils 1.9.4-1+deb12u1
-CVE-2025-8713
-	[bookworm] - postgresql-15 15.14-0+deb12u1
-CVE-2025-8714
-	[bookworm] - postgresql-15 15.14-0+deb12u1
-CVE-2025-8715
-	[bookworm] - postgresql-15 15.14-0+deb12u1
-CVE-2025-54798
-	[bookworm] - node-tmp 0.2.2+dfsg+~0.2.3-1.1~deb12u1
-CVE-2025-4373
-	[bookworm] - glib2.0 2.74.6-2+deb12u7
-CVE-2025-7039
-	[bookworm] - glib2.0 2.74.6-2+deb12u7
-CVE-2024-49768
-	[bookworm] - waitress 2.1.2-2+deb12u1
-CVE-2024-49769
-	[bookworm] - waitress 2.1.2-2+deb12u1
-CVE-2025-23016
-	[bookworm] - libfcgi 2.4.2-2+deb12u1
-CVE-2025-47806
-	[bookworm] - gst-plugins-base1.0 1.22.0-3+deb12u5
-CVE-2025-47807
-	[bookworm] - gst-plugins-base1.0 1.22.0-3+deb12u5
-CVE-2025-47808
-	[bookworm] - gst-plugins-base1.0 1.22.0-3+deb12u5
-CVE-2024-34702
-	[bookworm] - botan 2.19.3+dfsg-1+deb12u1
-CVE-2024-34703
-	[bookworm] - botan 2.19.3+dfsg-1+deb12u1
-CVE-2024-39312
-	[bookworm] - botan 2.19.3+dfsg-1+deb12u1
-CVE-2024-50382
-	[bookworm] - botan 2.19.3+dfsg-1+deb12u1
-CVE-2024-50383
-	[bookworm] - botan 2.19.3+dfsg-1+deb12u1
-CVE-2022-33065
-	[bookworm] - libsndfile 1.2.0-1+deb12u1
-CVE-2024-50612
-	[bookworm] - libsndfile 1.2.0-1+deb12u1
-CVE-2019-25211
-	[bookworm] - golang-github-gin-contrib-cors 1.4.0-1+deb12u1
-CVE-2025-54989
-	[bookworm] - firebird3.0 3.0.11.33637.ds4-2+deb12u1
-CVE-2025-47219
-	[bookworm] - gst-plugins-good1.0 1.22.0-5+deb12u3
-CVE-2024-25176
-	[bookworm] - luajit 2.1.0~beta3+git20220320+dfsg-4.1+deb12u1
-CVE-2024-25177
-	[bookworm] - luajit 2.1.0~beta3+git20220320+dfsg-4.1+deb12u1
-CVE-2024-25178
-	[bookworm] - luajit 2.1.0~beta3+git20220320+dfsg-4.1+deb12u1
-CVE-2025-49133
-	[bookworm] - libtpms 0.9.2-3.1+deb12u1
-CVE-2025-6965
-	[bookworm] - sqlite3 3.40.1-2+deb12u2
-CVE-2025-54350
-	[bookworm] - iperf3 3.12-1+deb12u2
-CVE-2025-54349
-	[bookworm] - iperf3 3.12-1+deb12u2
-CVE-2025-5914
-	[bookworm] - libarchive 3.6.2-1+deb12u3
-CVE-2025-5915
-	[bookworm] - libarchive 3.6.2-1+deb12u3
-CVE-2025-5916
-	[bookworm] - libarchive 3.6.2-1+deb12u3
-CVE-2025-5917
-	[bookworm] - libarchive 3.6.2-1+deb12u3
-CVE-2025-40927
-	[bookworm] - libcgi-simple-perl 1.280-2+deb12u1
-CVE-2023-31484
-	[bookworm] - perl 5.36.0-7+deb12u3
-CVE-2025-40909
-	[bookworm] - perl 5.36.0-7+deb12u3
-CVE-2025-53859
-	[bookworm] - nginx 1.22.1-9+deb12u3
-CVE-2025-55291
-	[bookworm] - shaarli 0.12.1+dfsg-8+deb12u1
 CVE-2024-39329
 	[bookworm] - python-django 3:3.2.19-1+deb12u2
 CVE-2024-39330
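Review bot: The trailing context keeps CVE-2024-39329 with `[bookworm] - python-django 3:3.2.19-1+deb12u2` in the queue while the 258 entries above it are removed as released. Confirm python-django was deliberately left pending and was not part of 12.12; if it was accepted, it needs the same move into data/CVE/list. Because this hunk is a bulk deletion, a scripted comparison that every removed CVE, package and version triple now appears as a `[bookworm]` line in data/CVE/list would catch any entry dropped here without a counterpart there.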



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/20fd0dedb2d8404c34a5b0a9e5c042115cd647a9...b8609ddd69c2a2a0c0ccf48963adf643015e5610
