[Git][security-tracker-team/security-tracker][master] Update NOTEs and mark CVE-2025-9086/curl as not affecting bookworm
Carlos Henrique Lima Melara (@charles)
gitlab at salsa.debian.org
Wed Jan 14 00:58:51 GMT 2026
Carlos Henrique Lima Melara pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8a523acb by Carlos Henrique Lima Melara at 2026-01-13T21:56:19-03:00
Update NOTEs and mark CVE-2025-9086/curl as not affecting bookworm
Upstream initially had the wrong commit marked as introducing the
vulnerability; it turns out samueloph discovered it was introduced much
later and it doesn't affect bookworm and older.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -47962,9 +47962,9 @@ CVE-2025-9086 (1. A cookie is set using the `secure` keyword for `https://target
{DLA-4432-1}
- curl 8.16.0~rc2-1
[trixie] - curl 8.14.1-2+deb13u1
- [bookworm] - curl <no-dsa> (Minor issue)
+ [bookworm] - curl <not-affected> (Vulnerable code introduced later)
NOTE: https://curl.se/docs/CVE-2025-9086.html
- NOTE: Introduced with: https://github.com/curl/curl/commit/f24dc09d209a2f91ca38d854f0c15ad93f3d7e2d (curl-7_31_0)
+ NOTE: Introduced with: https://github.com/curl/curl/commit/1aea05a6c2699e80c75936d58569851555acd603 (curl-8_13_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300 (rc-8_16_0-1)
CVE-2025-10148 (curl's websocket code did not update the 32 bit mask pattern for each ...)
- curl 8.16.0-1
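Review bot: the `{DLA-4432-1}` cross-reference at the top of the CVE-2025-9086 entry is left untouched, while the commit message says the issue does not affect "bookworm and older" and the new "Introduced with" NOTE points at curl-8_13_0. If that advisory listed this CVE for a curl version older than 8.13.0, the entry now reads as contradictory: an advisory reference sits next to a `<not-affected>` rationale of "Vulnerable code introduced later". Consider adding a NOTE line that records why the reference remains (for example, that the advisory included the fix before upstream corrected the introducing commit), so the next triager does not have to reconstruct it from the commit history. It would also help to add a NOTE saying that the earlier "Introduced with" commit f24dc09d209a2f91ca38d854f0c15ad93f3d7e2d (curl-7_31_0) was upstream's original, incorrect attribution, since anyone comparing against an older copy of the upstream advisory will otherwise see a mismatch with no explanation in the tracker data.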
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a523acb00860e336ed26a4b517816337c6ba26b