[Git][security-tracker-team/security-tracker][master] Demote CVE-2025-14369/libsdl2-mixer to unimportant

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sun Jan 25 16:08:52 GMT 2026 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d7472cbf by Salvatore Bonaccorso at 2026-01-25T17:07:02+01:00
Demote CVE-2025-14369/libsdl2-mixer to unimportant

We could alternatively just drop the tracking as while the source for
libsdl2-mixer embbeds the vulnerable dr_libs, Debian's src:libsdl2-mixer
is compiled with that coded disabled (--enable-music-flac-libflac
--disable-music-flac-drflac).

Thanks: Simon McVittie for the analysis.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2526,13 +2526,13 @@ CVE-2025-14377 (A security issue was discovered within the legacy Ansible playbo
 CVE-2025-14376 (A security issue was discovered within the legacy ADI server component ...)
 	NOT-FOR-US: Rockwell Automation
 CVE-2025-14369 (dr_flac, an audio decoder within the dr_libs toolset, contains an inte ...)
-	- libsdl2-mixer <unfixed>
-	[trixie] - libsdl2-mixer <no-dsa> (Minor issue)
-	[bookworm] - libsdl2-mixer <no-dsa> (Minor issue)
+	- libsdl2-mixer <unfixed> (unimportant)
 	- libchdr <unfixed>
 	NOTE: qtads, dosbox-x and love bundle a copy, but these are standalone end user apps, so no security impact
 	NOTE: https://github.com/mackron/dr_libs/commit/b2197b2eb7bb609df76315bebf44db4ec2a1aed0
 	NOTE: https://www.kb.cert.org/vuls/id/924114
+	NOTE: libsdl2-mixer embedds vulnerable code in dr_flac, but is compiled with coded
+	NOTE: disabled via --enable-music-flac-libflac --disable-music-flac-drflac
 CVE-2025-14115 (IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 ...)
 	NOT-FOR-US: IBM
 CVE-2025-14027 (Multiple denial-of-service vulnerabilities exist in the affected produ ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7472cbf4471e4943484e87205d2d15959264216

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7472cbf4471e4943484e87205d2d15959264216
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260125/f13967b4/attachment.htm>

More information about the debian-security-tracker-commits mailing list