[Git][security-tracker-team/security-tracker][master] Remove tracking for libsdl2-mixer for CVE-2025-14369 and add note in embedded-code-copies

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Jan 27 14:01:10 GMT 2026 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fc40e63b by Salvatore Bonaccorso at 2026-01-27T15:00:35+01:00
Remove tracking for libsdl2-mixer for CVE-2025-14369 and add note in embedded-code-copies

- - - - -


2 changed files:

- data/CVE/list
- data/embedded-code-copies


Changes:

=====================================
data/CVE/list
=====================================
@@ -2916,13 +2916,10 @@ CVE-2025-14377 (A security issue was discovered within the legacy Ansible playbo
 CVE-2025-14376 (A security issue was discovered within the legacy ADI server component ...)
 	NOT-FOR-US: Rockwell Automation
 CVE-2025-14369 (dr_flac, an audio decoder within the dr_libs toolset, contains an inte ...)
-	- libsdl2-mixer <unfixed> (unimportant)
 	- libchdr <unfixed>
 	NOTE: qtads, dosbox-x and love bundle a copy, but these are standalone end user apps, so no security impact
 	NOTE: https://github.com/mackron/dr_libs/commit/b2197b2eb7bb609df76315bebf44db4ec2a1aed0
 	NOTE: https://www.kb.cert.org/vuls/id/924114
-	NOTE: libsdl2-mixer embedds vulnerable code in dr_flac, but is compiled with coded
-	NOTE: disabled via --enable-music-flac-libflac --disable-music-flac-drflac
 CVE-2025-14115 (IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 ...)
 	NOT-FOR-US: IBM
 CVE-2025-14027 (Multiple denial-of-service vulnerabilities exist in the affected produ ...)


=====================================
data/embedded-code-copies
=====================================
@@ -3902,3 +3902,8 @@ fpdi (not packaged in Debian)
 
 libucl (not packaged in Debian)
 	- rspamd <unfixed> (embed)
+
+dr_flac (not packaged in Debian)
+	- libsdl2-mixer <not-affected> (embed)
+	NOTE: libsdl2-mixer embedds vulnerable code in dr_flac, but is compiled with coded
+	NOTE: disabled via --enable-music-flac-libflac --disable-music-flac-drflac



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc40e63bb9af2d187a94f49b39e7ab0404050791

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc40e63bb9af2d187a94f49b39e7ab0404050791
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260127/fbcdb777/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list