[Git][security-tracker-team/security-tracker][master] 6 commits: Add Debian bug reference for CVE-2025-8869/python-pip
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Sep 25 20:38:10 BST 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
051e2fc2 by Salvatore Bonaccorso at 2025-09-25T21:34:33+02:00
Add Debian bug reference for CVE-2025-8869/python-pip
- - - - -
f0a1f629 by Salvatore Bonaccorso at 2025-09-25T21:35:01+02:00
Add Debian bug reference for CVE-2025-59343/node-tar-fs
- - - - -
d58c6c66 by Salvatore Bonaccorso at 2025-09-25T21:35:23+02:00
Add Debian bug reference for CVE-2025-58457/zookeeper
- - - - -
fea66d81 by Salvatore Bonaccorso at 2025-09-25T21:36:07+02:00
Add Debian bug reference for CVE-2025-57352/node-min-document
- - - - -
f760c3ec by Salvatore Bonaccorso at 2025-09-25T21:36:33+02:00
Add Debian bug reference for CVE-2025-59825/rust-astral-tokio-tar
- - - - -
41c81b72 by Salvatore Bonaccorso at 2025-09-25T21:37:25+02:00
Add Debian bug reference for CVE-2025-47910/golang-1.25
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -25,7 +25,7 @@ CVE-2025-9054 (The MultiLoca - WooCommerce Multi Locations Inventory Management
CVE-2025-9031 (Observable Timing Discrepancy vulnerability in DivvyDrive Information ...)
NOT-FOR-US: DivvyDrive Web
CVE-2025-8869 (When extracting a tar archive pip may not check symbolic links point i ...)
- - python-pip <unfixed>
+ - python-pip <unfixed> (bug #1116336)
NOTE: https://github.com/pypa/pip/pull/13550
NOTE: Merge commit: https://github.com/pypa/pip/commit/f2b92314da012b9fffa36b3f3e67748a37ef464a
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN/
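Review bot: the added `(bug #1116336)` reference matches the commit message, but the python-pip line stays `<unfixed>` even though the NOTE lines below it already cite the merged upstream pull request (pypa/pip#13550) and its merge commit; once a Debian upload carries that commit the entry should record the fixed version instead of `<unfixed>`.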
@@ -38,7 +38,7 @@ CVE-2025-59525 (Horilla is a free and open source Human Resource Management Syst
CVE-2025-59524 (Horilla is a free and open source Human Resource Management System (HR ...)
NOT-FOR-US: Horilla
CVE-2025-59343 (tar-fs provides filesystem bindings for tar-stream. Versions prior to ...)
- - node-tar-fs <unfixed>
+ - node-tar-fs <unfixed> (bug #1116338)
NOTE: https://github.com/mafintosh/tar-fs/security/advisories/GHSA-vj76-c3g6-qr5v
NOTE: https://github.com/mafintosh/tar-fs/commit/0bd54cdf06da2b7b5b95cd4b062c9f4e0a8c4e09 (v3.1.1)
CVE-2025-59305 (Improper authorization in the background migration endpoints of Langfu ...)
@@ -46,7 +46,7 @@ CVE-2025-59305 (Improper authorization in the background migration endpoints of
CVE-2025-59251 (Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability)
NOT-FOR-US: Microsoft
CVE-2025-58457 (Improper permission check in ZooKeeper AdminServer lets authorized cli ...)
- - zookeeper <unfixed>
+ - zookeeper <unfixed> (bug #1116339)
[bookworm] - zookeeper <not-affected> (Vulnerable code not present)
[bullseye] - zookeeper <not-affected> (Vulnerable code not present)
NOTE: https://lists.apache.org/thread/r5yol0kkhx2fzw22pxk1ozwm3oc6yxrx
@@ -59,7 +59,7 @@ CVE-2025-57354 (A vulnerability exists in the 'counterpart' library for Node.js
CVE-2025-57353 (The Runtime components of messageformat package for Node.js prior to v ...)
NOT-FOR-US: messageformat package for Node.js
CVE-2025-57352 (A vulnerability exists in the 'min-document' package prior to version ...)
- - node-min-document <unfixed>
+ - node-min-document <unfixed> (bug #1116340)
NOTE: https://github.com/Raynos/min-document/issues/54
CVE-2025-57351 (A prototype pollution vulnerability exists in the ts-fns package versi ...)
NOT-FOR-US: ts-fns package for Node.js
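Review bot: CVE-2025-57352 carries only an upstream issue link (min-document issues/54) and no fix commit or fixed version, unlike the tar-fs and astral-tokio-tar entries in this same change; the `(bug #1116340)` reference is fine, but a NOTE pointing at the upstream fix should be added once one exists so the `<unfixed>` entry can be resolved.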
@@ -452,7 +452,7 @@ CVE-2023-47538
CVE-2017-20200 (A vulnerability has been found in Coinomi up to 1.7.6. This issue affe ...)
NOT-FOR-US: Coinomi
CVE-2025-59825 (astral-tokio-tar is a tar archive reading/writing library for async Ru ...)
- - rust-astral-tokio-tar <unfixed>
+ - rust-astral-tokio-tar <unfixed> (bug #1116337)
NOTE: https://github.com/advisories/GHSA-3wgq-wrwc-vqmv
NOTE: https://github.com/astral-sh/tokio-tar/commit/036fdecc85c52458ace92dc9e02e9cef90684e75 (v0.5.4)
CVE-2025-10894 (Malicious code was inserted into the Nx (build system) package and sev ...)
@@ -529,7 +529,7 @@ CVE-2025-57205 (iNiLabs School Express (SMS Express) 6.2 is affected by a Stored
CVE-2025-57204 (Stocky POS with Inventory Management & HRM (ui-lib) version 5.0 is aff ...)
NOT-FOR-US: Stocky POS with Inventory Management
CVE-2025-47910 (When using http.CrossOriginProtection, the AddInsecureBypassPattern me ...)
- - golang-1.25 <unfixed>
+ - golang-1.25 <unfixed> (bug #1116341)
- golang-1.24 <not-affected> (Vulnerable code introduced later)
- golang-1.23 <not-affected> (Vulnerable code introduced later)
- golang-1.19 <not-affected> (Vulnerable code introduced later)
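Review bot: the `(bug #1116341)` reference for golang-1.25 is consistent with the commit message, but no upstream NOTE line (fix commit or announcement) for CVE-2025-47910 is visible in this hunk, while the other entries in this batch carry one; adding the upstream reference would let the `<unfixed>` line be tracked to a fixed version. The `<not-affected>` markers for golang-1.24, 1.23 and 1.19 agree with the stated reason that the vulnerable code was introduced later.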
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/442d70774511bb20a99edff2baf2fdfa6f12f16c...41c81b72f10b6bb18692dafb7bdc4fa315ceb1ac