[Git][security-tracker-team/security-tracker][master] Track proposed update for mbedtls via trixie-pu

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri Jan 2 22:32:49 GMT 2026 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
551484d9 by Salvatore Bonaccorso at 2026-01-02T23:32:14+01:00
Track proposed update for mbedtls via trixie-pu

- - - - -


2 changed files:

- data/CVE/list
- data/next-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -28210,6 +28210,7 @@ CVE-2025-5496 (ZohoCorp ManageEngine Endpoint Central versions earlier than 11.4
 	NOT-FOR-US: Zoho
 CVE-2025-59438 (Mbed TLS through 3.6.4 has an Observable Timing Discrepancy.)
 	- mbedtls 3.6.5-0.1 (bug #1118752)
+	[trixie] - mbedtls <no-dsa> (Will be fixed via point release update)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-invalid-padding-error/
 	NOTE: https://github.com/Mbed-TLS/mbedtls/commit/155de2ab775e77ab6fa81bf2b1e6e63768123bc1 (mbedtls-3.6.5)
 	NOTE: https://github.com/Mbed-TLS/mbedtls/commit/d179dc80a5b13189c79fe4531eacb28698a7a0e9 (mbedtls-3.6.5)
@@ -28421,6 +28422,7 @@ CVE-2025-60781 (PHP Education Manager v1.0 is vulnerable to Cross Site Scripting
 	NOT-FOR-US: PHP Education Manager
 CVE-2025-54764 (Mbed TLS before 3.6.5 allows a local timing attack against certain RSA ...)
 	- mbedtls 3.6.5-0.1 (bug #1118750)
+	[trixie] - mbedtls <no-dsa> (Will be fixed via point release update)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-ssbleed-mstep/
 CVE-2025-26392 (SolarWinds Observability Self-Hosted is susceptible to SQL injection v ...)
 	NOT-FOR-US: SolarWinds


=====================================
data/next-point-update.txt
=====================================
@@ -118,3 +118,7 @@ CVE-2025-67746
 	[trixie] - composer 2.8.8-1+deb13u1
 CVE-2025-67897
 	[trixie] - rust-sequoia-openpgp 2.0.0-2+deb13u1
+CVE-2025-54764
+	[trixie] - mbedtls 3.6.5-0.1~deb13u1
+CVE-2025-59438
+	[trixie] - mbedtls 3.6.5-0.1~deb13u1



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/551484d90928f6a6664839501f85347d84677c16

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/551484d90928f6a6664839501f85347d84677c16
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260102/8eac0c26/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list