[Git][security-tracker-team/security-tracker][master] bookworm/trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Sep 12 12:45:07 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c8e9f0e1 by Moritz Muehlenhoff at 2025-09-12T13:44:32+02:00
bookworm/trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -16,6 +16,8 @@ CVE-2025-58781 (WTW-EAGLE App does not properly validate server certificates, wh
NOT-FOR-US: WTW-EAGLE App
CVE-2025-58754 (Axios is a promise based HTTP client for the browser and Node.js. When ...)
- node-axios <unfixed> (bug #1114963)
+ [trixie] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj
NOTE: https://github.com/axios/axios/pull/7011
NOTE: https://github.com/axios/axios/commit/945435fc51467303768202250debb8d4ae892593 (v1.12.0)
@@ -94,24 +96,32 @@ CVE-2025-56556 (An issue was discovered in Subrion CMS 4.2.1, allowing authentic
NOT-FOR-US: Subrion CMS
CVE-2025-48041 (Allocation of Resources Without Limits or Throttling vulnerability in ...)
- erlang <unfixed>
+ [trixie] - erlang <no-dsa> (Minor issue)
+ [bookworm] - erlang <no-dsa> (Minor issue)
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-79c4-cvv7-4qm3
NOTE: https://github.com/erlang/otp/pull/10157
NOTE: https://github.com/erlang/otp/commit/5f9af63eec4657a37663828d206517828cb9f288 (OTP-27.3.4.3, OTP-28.0.3)
NOTE: https://github.com/erlang/otp/commit/d49efa2d4fa9e6f7ee658719cd76ffe7a33c2401 (OTP-26.2.5.15)
CVE-2025-48040 (Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh ...)
- erlang <unfixed>
+ [trixie] - erlang <no-dsa> (Minor issue)
+ [bookworm] - erlang <no-dsa> (Minor issue)
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-h7rg-6rjg-4cph
NOTE: https://github.com/erlang/otp/pull/10162
NOTE: https://github.com/erlang/otp/commit/7cd7abb7e19e16b027eaee6a54e1f6fbbe21181a (OTP-27.3.4.3, OTP-28.0.3)
NOTE: https://github.com/erlang/otp/commit/548f1295d86d0803da884db8685cc16d461d0d5a (OTP-26.2.5.15)
CVE-2025-48039 (Allocation of Resources Without Limits or Throttling vulnerability in ...)
- erlang <unfixed>
+ [trixie] - erlang <no-dsa> (Minor issue)
+ [bookworm] - erlang <no-dsa> (Minor issue)
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-rr5p-6856-j7h8
NOTE: https://github.com/erlang/otp/pull/10155
NOTE: https://github.com/erlang/otp/commit/c242e6458967e9514bea351814151695807a54ac (OTP-27.3.4.3, OTP-28.0.3)
NOTE: https://github.com/erlang/otp/commit/043ee3c943e2977c1acdd740ad13992fd60b6bf0 (OTP-26.2.5.15)
CVE-2025-48038 (Allocation of Resources Without Limits or Throttling vulnerability in ...)
- erlang <unfixed>
+ [trixie] - erlang <no-dsa> (Minor issue)
+ [bookworm] - erlang <no-dsa> (Minor issue)
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-pvj7-9652-7h9r
NOTE: https://github.com/erlang/otp/pull/10156
NOTE: https://github.com/erlang/otp/commit/4e3bf86777ab3db7220c11d8ddabf15970ddd10a (OTP-27.3.4.3, OTP-28.0.3)
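Review bot: CVE-2025-48038, the last entry in this hunk, records only the OTP-27.3.4.3/OTP-28.0.3 commit, whereas the three sibling entries (CVE-2025-48041, CVE-2025-48040, CVE-2025-48039) each also cite an OTP-26.2.5.15 backport commit. If upstream backported this fix to OTP-26 as well, add the matching NOTE line now, so that the bookworm/trixie no-dsa markings can later be converted into a point-update reference without re-reading GHSA-pvj7-9652-7h9r.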
@@ -825,6 +835,7 @@ CVE-2025-9994 (The Amp\u2019ed RF BT-AP 111 Bluetooth access point's HTTP admin
CVE-2025-9951 (A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows ...)
- ffmpeg <unfixed>
[trixie] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 7.1 branch)
+ [bookworm] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 5.1 branch)
[bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 4.3 branch)
NOTE: https://github.com/google/security-research/security/advisories/GHSA-39q3-f8jq-v6mg
CVE-2025-9872 (Insufficient filename validation in Ivanti Endpoint Manager before 202 ...)
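Review bot: the new bookworm line mirrors the existing trixie (7.1 branch) and bullseye (4.3 branch) postponed entries with the 5.1 branch, which is consistent, but the entry still has no fix reference beyond the GHSA-39q3-f8jq-v6mg advisory. Since all three suites are now waiting on an upstream branch fix for the same jpeg2000dec heap-buffer-overflow write, a NOTE with the upstream master commit, once it is known, would let the three postponed tags be resolved in one pass.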
@@ -12843,7 +12854,7 @@ CVE-2025-53399 (In Sipwise rtpengine before 13.4.1.1, an origin-validation error
- rtpengine 12.5.1.35-1 (bug #1110316)
NOTE: https://www.openwall.com/lists/oss-security/2025/07/31/1
NOTE: https://github.com/EnableSecurity/advisories/tree/master/ES2025-01-rtpengine-improper-behavior-bleed-inject
- NOTE: Fixed by: https://github.com/sipwise/rtpengine/commits/a68f3dd1e65ba1d81bb8996d7bfab82641f20b50 (mr12.5.1.35)
+ NOTE: Fixed by: https://github.com/sipwise/rtpengine/commit/a68f3dd1e65ba1d81bb8996d7bfab82641f20b50 (mr12.5.1.35)
NOTE: https://github.com/sipwise/rtpengine/commits/rfuchs/security/ (MT#62735)
CVE-2025-8426 (Marvell QConvergeConsole compressConfigFiles Directory Traversal Infor ...)
NOT-FOR-US: Marvell
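Review bot: the corrected "Fixed by" URL now uses /commit/<sha> (a single commit) instead of /commits/<sha> (a history listing), which is the right form for a fix reference. The following NOTE line keeps /commits/rfuchs/security/ on purpose, since it points at a branch history rather than one commit, so no change is needed there.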
=====================================
data/dsa-needed.txt
=====================================
@@ -60,6 +60,8 @@ python-django
python-internetarchive
Antoine followed up on #1114635, needs handling both in trixie and bookworm
--
+rtpengine
+--
ruby-rack/oldstable
--
ruby-saml/oldstable
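Review bot: the new rtpengine entry carries no status line, unlike the neighbouring python-internetarchive entry, which records the bug number and the suites needing handling. The data/CVE/list hunk in this same commit shows CVE-2025-53399 fixed in unstable as rtpengine 12.5.1.35-1 (bug #1110316); consider adding a line under rtpengine naming that CVE and bug, and stating whether an rtpengine/oldstable entry is also needed, following the ruby-rack/oldstable and ruby-saml/oldstable convention visible below.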
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8e9f0e10e1bc94f8d9c258641763d97cea25176