[Git][security-tracker-team/security-tracker][master] Update pdfminer tracking after separate CVE assignment for incomplete fix
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Feb 3 21:28:14 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0a74b1dc by Salvatore Bonaccorso at 2026-02-03T22:26:25+01:00
Update pdfminer tracking after separate CVE assignment for incomplete fix
- - - - -
2 changed files:
- data/CVE/list
- data/DLA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -215,7 +215,12 @@ CVE-2025-70758 (chetans9 core-php-admin-panel through commit a94a780d6 contains
CVE-2025-70560 (Boltz 2.0.0 contains an insecure deserialization vulnerability in its ...)
- boltz <itp> (bug #1109350)
CVE-2025-70559 (pdfminer.six before 20251230 contains an insecure deserialization vuln ...)
- TODO: check
+ - pdfminer 20260107+dfsg-1
+ NOTE: https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-f83h-ghpp-7wcc
+ NOTE: https://github.com/pdfminer/pdfminer.six/pull/1172
+ NOTE: Proper fix by replacing pickle for SON for CMap storage.
+ NOTE: Fixed by: https://github.com/pdfminer/pdfminer.six/commit/41a247c2d66ea962823459403b828375ccc7bd33 (20251230)
+ NOTE: CVE exists because of an incomplete fix for CVE-2025-64512
CVE-2025-70311 (JEEWMS 1.0 is vulnerable to SQL Injection. Attackers can inject malici ...)
NOT-FOR-US: JEEWMS
CVE-2025-6397 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
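Review bot: the new CVE-2025-70559 entry carries no `{DLA-4374-2}` advisory line, even though the data/DLA/list hunk in this same commit re-points DLA-4374-2 at CVE-2025-70559 and the second data/CVE/list hunk removes DLA-4374-2 from CVE-2025-64512; without it the CVE/list side never records that the bullseye regression update (pdfminer 20200726-1+deb11u2) fixed this CVE. Suggest adding `{DLA-4374-2}` directly above `- pdfminer 20260107+dfsg-1`. Separately, the copied line `NOTE: Proper fix by replacing pickle for SON for CMap storage.` looks mistyped (presumably JSON); since it is being moved verbatim from the CVE-2025-64512 entry, this is the moment to correct it.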
@@ -33287,13 +33292,11 @@ CVE-2025-64518 (The CycloneDX core module provides a model representation of the
CVE-2025-64513 (Milvus is an open-source vector database built for generative AI appli ...)
NOT-FOR-US: Milvus
CVE-2025-64512 (Pdfminer.six is a community maintained fork of the original PDFMiner, ...)
- {DSA-6062-1 DLA-4374-2 DLA-4374-1}
- - pdfminer 20260107+dfsg-1 (bug #1120642)
+ {DSA-6062-1 DLA-4374-1}
+ - pdfminer 20221105+dfsg-1.1 (bug #1120642)
NOTE: https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp
NOTE: Fixed by: https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086 (20251107)
- NOTE: Initial fix incomplete: https://github.com/pdfminer/pdfminer.six/pull/1172
- NOTE: Proper fix by replacing pickle for SON for CMap storage.
- NOTE: Fixed by: https://github.com/pdfminer/pdfminer.six/commit/41a247c2d66ea962823459403b828375ccc7bd33 (20251230)
+ NOTE: Initial fix incomplete resulting in CVE-2025-70559
CVE-2025-64509 (Bugsink is a self-hosted error tracking tool. In versions prior to 2.0 ...)
NOT-FOR-US: Bugsink
CVE-2025-64508 (Bugsink is a self-hosted error tracking tool. In versions prior to 2.0 ...)
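Review bot: the replacement line `NOTE: Initial fix incomplete resulting in CVE-2025-70559` drops the pointer to https://github.com/pdfminer/pdfminer.six/pull/1172 that the removed note had, so a reader of this entry now has to hop to CVE-2025-70559 to find the upstream discussion; keeping the URL inline (for example `NOTE: Initial fix incomplete (https://github.com/pdfminer/pdfminer.six/pull/1172), resulting in CVE-2025-70559`) avoids that. Rolling the fixed version back from 20260107+dfsg-1 to 20221105+dfsg-1.1 is consistent with the retained `Fixed by: ... (20251107)` note, since the 20251230 commit is now tracked under CVE-2025-70559.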
=====================================
data/DLA/list
=====================================
@@ -90,7 +90,7 @@
{CVE-2024-47666 CVE-2025-37899 CVE-2025-38057 CVE-2025-38556 CVE-2025-38593 CVE-2025-38678 CVE-2025-39805 CVE-2025-40083 CVE-2025-40211 CVE-2025-40214 CVE-2025-40248 CVE-2025-40252 CVE-2025-40253 CVE-2025-40254 CVE-2025-40257 CVE-2025-40258 CVE-2025-40259 CVE-2025-40261 CVE-2025-40262 CVE-2025-40263 CVE-2025-40264 CVE-2025-40269 CVE-2025-40271 CVE-2025-40272 CVE-2025-40273 CVE-2025-40275 CVE-2025-40277 CVE-2025-40278 CVE-2025-40279 CVE-2025-40280 CVE-2025-40281 CVE-2025-40282 CVE-2025-40283 CVE-2025-40284 CVE-2025-40285 CVE-2025-40286 CVE-2025-40288 CVE-2025-40292 CVE-2025-40293 CVE-2025-40294 CVE-2025-40297 CVE-2025-40301 CVE-2025-40304 CVE-2025-40306 CVE-2025-40308 CVE-2025-40309 CVE-2025-40312 CVE-2025-40313 CVE-2025-40314 CVE-2025-40315 CVE-2025-40317 CVE-2025-40318 CVE-2025-40319 CVE-2025-40321 CVE-2025-40322 CVE-2025-40323 CVE-2025-40324 CVE-2025-40331 CVE-2025-40341 CVE-2025-40342 CVE-2025-40343 CVE-2025-40345 CVE-2025-40360 CVE-2025-40363 CVE-2025-68168 CVE-2025-68171 CVE-2025-68173 CVE-2025-68176 CVE-2025-68177 CVE-2025-68185 CVE-2025-68191 CVE-2025-68192 CVE-2025-68194 CVE-2025-68200 CVE-2025-68204 CVE-2025-68214 CVE-2025-68217 CVE-2025-68218 CVE-2025-68220 CVE-2025-68227 CVE-2025-68229 CVE-2025-68231 CVE-2025-68233 CVE-2025-68237 CVE-2025-68238 CVE-2025-68241 CVE-2025-68244 CVE-2025-68245 CVE-2025-68246 CVE-2025-68282 CVE-2025-68283 CVE-2025-68284 CVE-2025-68285 CVE-2025-68286 CVE-2025-68287 CVE-2025-68288 CVE-2025-68289 CVE-2025-68290 CVE-2025-68295 CVE-2025-68301 CVE-2025-68302 CVE-2025-68303 CVE-2025-68307 CVE-2025-68308 CVE-2025-68310 CVE-2025-68312 CVE-2025-68321 CVE-2025-68327 CVE-2025-68328 CVE-2025-68330 CVE-2025-68331 CVE-2025-68339 CVE-2025-68343 CVE-2025-68734}
[bullseye] - linux-6.1 6.1.159-1~deb11u1
[08 Jan 2026] DLA-4374-2 pdfminer - regression update
- {CVE-2025-64512}
+ {CVE-2025-70559}
[bullseye] - pdfminer 20200726-1+deb11u2
[07 Jan 2026] DLA-4435-1 libsodium - security update
{CVE-2025-69277}
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a74b1dc370e6a1560056f451eaea1bce1aee9ca