[Git][security-tracker-team/security-tracker][master] Drop CVE-2025-9086/curl from DLA-4432-1 and mark bullseye not-affected

Carlos Henrique Lima Melara (@charles) gitlab at salsa.debian.org
Wed Jan 14 22:20:45 GMT 2026



Carlos Henrique Lima Melara pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9ab52126 by Carlos Henrique Lima Melara at 2026-01-14T19:18:58-03:00
Drop CVE-2025-9086/curl from DLA-4432-1 and mark bullseye not-affected

The vulnerability was initially assessed as introduced in a very old
version of curl, but it actually was introduced in 8.13.0 which is
newer than bookworm so it doesn't affect bullseye. The patch applied as
part of DLA-4432-1 does not cause any regressions and is at most a small
bugfix.

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -48737,10 +48737,10 @@ CVE-2025-10200 (Use after free in Serviceworker in Google Chrome on Desktop prio
 	- chromium 140.0.7339.127-1
 	[bullseye] - chromium <end-of-life> (see #1061268)
 CVE-2025-9086 (1. A cookie is set using the `secure` keyword for `https://target`   2 ...)
-	{DLA-4432-1}
 	- curl 8.16.0~rc2-1
 	[trixie] - curl 8.14.1-2+deb13u1
 	[bookworm] - curl <not-affected> (Vulnerable code introduced later)
+	[bullseye] - curl <not-affected> (Vulnerable code introduced later)
 	NOTE: https://curl.se/docs/CVE-2025-9086.html
 	NOTE: Introduced with: https://github.com/curl/curl/commit/1aea05a6c2699e80c75936d58569851555acd603 (curl-8_13_0)
 	NOTE: Fixed by: https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300 (rc-8_16_0-1, curl-8_16_0)
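Review bot: The added `[bullseye] - curl <not-affected> (Vulnerable code introduced later)` line, together with the removal of `{DLA-4432-1}`, leaves no trace in this entry that the bullseye upload listed for DLA-4432-1 (7.74.0-1.3+deb11u16) still carries the patch. That context exists only in the commit message. Consider adding a NOTE line to this CVE entry recording that the patch was shipped in that upload and is at most a small bugfix, so the reason for dropping the DLA reference is visible in the data file itself.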


=====================================
data/DLA/list
=====================================
@@ -20,7 +20,6 @@
 	{CVE-2023-5349}
 	[bullseye] - ruby-rmagick 2.16.0-7+deb11u1
 [04 Jan 2026] DLA-4432-1 curl - security update
-	{CVE-2025-9086}
 	[bullseye] - curl 7.74.0-1.3+deb11u16
 [02 Jan 2026] DLA-4431-1 gimp - security update
 	{CVE-2022-30067 CVE-2025-14422 CVE-2025-14425}
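Review bot: With `{CVE-2025-9086}` removed, the DLA-4432-1 entry in this hunk goes straight from its header to `[bullseye] - curl 7.74.0-1.3+deb11u16` and has no CVE cross-reference left, while it is still titled "security update". Please confirm that an advisory entry without any CVE id is intended here, and if the upload addressed other CVEs, list them in the same change.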



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ab52126db12b14182d36dda188900b0a98cab49
