[Git][security-tracker-team/security-tracker][master] 7 commits: Add libxml2 to dla-needed.txt

Markus Koschany (@apo) apo at debian.org
Sun Sep 7 22:58:12 BST 2025



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8dccf3fd by Markus Koschany at 2025-09-07T23:55:37+02:00
Add libxml2 to dla-needed.txt

- - - - -
f89a9f03 by Markus Koschany at 2025-09-07T23:57:07+02:00
CVE-2025-7709,sqlite3: bullseye is not affected

The vulnerable code was introduced in version 3.45 starting with commit

https://github.com/sqlite/sqlite/commit/d1fbaa071bac376206cc009ecdce95b13e131b62

A double check for bookworm and other versions is appreciated as usual.

- - - - -
ec791629 by Markus Koschany at 2025-09-07T23:57:42+02:00
Add shibboleth-sp to dla-needed.txt

- - - - -
0176e579 by Markus Koschany at 2025-09-07T23:57:44+02:00
CVE-2024-8244,golang-1.15: bullseye is postponed

Minor issue

- - - - -
8dde8212 by Markus Koschany at 2025-09-07T23:57:45+02:00
CVE-2025-8556,golang-github-cloudflare-circl: bullseye is postponed

Minor issue

- - - - -
c243eeef by Markus Koschany at 2025-09-07T23:57:47+02:00
CVE-2025-8959,golang-github-hashicorp-go-getter: bullseye is postponed

Minor issue

- - - - -
08ef392f by Markus Koschany at 2025-09-07T23:57:48+02:00
CVE-2025-58058,golang-github-ulikunitz-xz: bullseye is postponed

Minor issue

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -216,6 +216,7 @@ CVE-2025-57807 (ImageMagick is free and open-source software used for editing an
 	NOTE: https://github.com/ImageMagick/ImageMagick6/commit/ab1bb3d8ed06d0ed6aa5038b6a74aebf53af9ccf (6.9.13-29)
 CVE-2025-7709 [Integer Overflow in FTS5 Extension]
 	- sqlite3 <unfixed> (bug #1114609)
+	[bullseye] - sqlite3 <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g
 	NOTE: Fixed by: https://sqlite.org/src/info/63595b74956a9391
 	NOTE: Fixed by: https://github.com/sqlite/sqlite/commit/192d0ff8ccf0bf55776a5930cdc64e25f87299d6
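Review bot: the `<not-affected>` reason on the added `[bullseye]` line ("The vulnerable code was introduced later") is not traceable from the entry itself; the introducing commit is only named in the commit message. Since the entry already carries two "Fixed by:" NOTEs, add the matching "Introduced by:" reference so the claim can be re-verified without the git log, e.g. `NOTE: Introduced by: https://github.com/sqlite/sqlite/commit/d1fbaa071bac376206cc009ecdce95b13e131b62 (3.45)`. The commit message also asks for a bookworm double check, and the entry records no bookworm status yet, so that remains open.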
@@ -2870,6 +2871,7 @@ CVE-2025-58058 (xz is a pure golang package for reading and writing xz-compresse
 	- golang-github-ulikunitz-xz 0.5.15-1 (bug #1112508)
 	[trixie] - golang-github-ulikunitz-xz <no-dsa> (Minor issue)
 	[bookworm] - golang-github-ulikunitz-xz <no-dsa> (Minor issue)
+	[bullseye] - golang-github-ulikunitz-xz <postponed> (Minor issue)
 	NOTE: https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9
 	NOTE: https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2 (v0.5.14-rc.1)
 CVE-2025-54777 (Uncaught exception issue exists in Multiple products in bizhub series. ...)
@@ -6806,6 +6808,7 @@ CVE-2025-38502 (In the Linux kernel, the following vulnerability has been resolv
 CVE-2025-8959 (HashiCorp's go-getter library subdirectory download feature is vulnera ...)
 	- golang-github-hashicorp-go-getter <unfixed> (bug #1111318)
 	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+	[bullseye] - golang-github-hashicorp-go-getter <postponed> (Minor issue)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242
 CVE-2025-8898 (The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress  ...)
 	NOT-FOR-US: WordPress plugin
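Review bot: the package is still `<unfixed>` in unstable while bullseye is marked `<postponed>`, so there is no fixed Debian version to backport from yet; the only reference is the HCSEC advisory, not a fix commit. Unlike the xz entry in this same change, which notes the upstream fix commit and version, this entry gives nothing to point a later backport at. Suggest adding a `NOTE: Fixed by:` line with the upstream go-getter fix once identified, and revisiting the bullseye status when the unstable line gets a version.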
@@ -9893,6 +9896,7 @@ CVE-2024-8244 (The filepath.Walk and filepath.WalkDir functions are documented a
 	- golang-1.19 <removed>
 	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <postponed> (Minor issue)
 	NOTE: https://github.com/golang/go/issues/70007
 CVE-2024-52885 (The Mobile Access Portal's File Share application is vulnerable to a d ...)
 	NOT-FOR-US: Mobile Access Portal
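Review bot: golang-1.15 is `<removed>` in unstable, so the `<postponed>` marker for bullseye can only ever be acted on by a direct backport; the single NOTE references the upstream issue (golang/go#70007) and not a fix, so whoever revisits this cannot tell from the entry whether there is a code change to backport at all. Suggest a NOTE recording either the upstream fix commit or that upstream treats the behaviour as documented, as the CVE text itself hints ("are documented a ..."), so the postponed status has a clear exit condition.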
@@ -10258,6 +10262,7 @@ CVE-2012-10023 (A stack-based buffer overflow vulnerability exists in FreeFloat
 CVE-2025-8556 (A flaw was found in CIRCL's implementation of the FourQ elliptic curve ...)
 	- golang-github-cloudflare-circl 1.6.1-1
 	[bookworm] - golang-github-cloudflare-circl <no-dsa> (Minor issue)
+	[bullseye] - golang-github-cloudflare-circl <postponed> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2371624
 	NOTE: https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm
 CVE-2025-8586 (A vulnerability, which was classified as problematic, was found in lib ...)


=====================================
data/dla-needed.txt
=====================================
@@ -234,6 +234,11 @@ libsoup2.4
   NOTE: 20250520: seems sensible.  Or maybe someone else will have more luck
   NOTE: 20250520: than me with getting the backported tests to run.  (spwhitton)
 --
+libxml2
+  NOTE: 20250907: Added by Front-Desk (apo)
+  NOTE: 20250907: Currently insufficient information for CVE-2025-26434 but is
+  NOTE: 20250907: affected by CVE-2025-9714.
+--
 libxmltok
   NOTE: 20250421: Added by Front-Desk (ta)
   NOTE: 20250421: Also review all other expat CVEs. (bunk)
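Review bot: the libxml2 entry names two CVEs but gives no pointer for the one it says does affect the package (CVE-2025-9714), and records "insufficient information" for CVE-2025-26434 without saying what is missing (no upstream fix, no reproducer, no CVE description?). The adjacent entries show the convention of spelling out what the next person needs (e.g. "Also review all other expat CVEs"); suggest a NOTE with the upstream reference or fix commit for CVE-2025-9714 and a one-line statement of what would resolve the CVE-2025-26434 question, so the entry is actionable when claimed.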
@@ -376,6 +381,9 @@ rails
   NOTE: 20250621: rails DSA uploaded the last 6.1 release before EOL (2024-11)
   NOTE: 20250621: 6.0 branch is EOL (2023-06) so all open CVEs need individual backport (Beuc)
 --
+shibboleth-sp
+  NOTE: 20250907: Added by Front-Desk (apo)
+--
 sogo
   NOTE: 20240922: Added by Front-Desk (apo)
   NOTE: 20240922: See also postponed issues.
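Review bot: the shibboleth-sp entry records only "Added by Front-Desk (apo)" and does not name the CVE(s) that prompted the addition, unlike the libxml2 entry in this same change which lists them. Without that, the reader has to cross-reference data/CVE/list to find out what is in scope; suggest a second NOTE line naming the CVE ids and, if known, the upstream advisory, following the format used for libxml2 above.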



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bea20aa2483b73dc8be7e7de259e9c5c882085d2...08ef392fd4b50a23e662591d5ccaf627eb6d90ca
