[Git][security-tracker-team/security-tracker][master] bookworm EOL
Sylvain Beucler (@beuc)
gitlab at salsa.debian.org
Sat Jun 13 12:16:47 BST 2026
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
929c7d23 by Sylvain Beucler at 2026-06-13T13:16:01+02:00
bookworm EOL
Cf. https://lists.debian.org/debian-lts/2026/05/msg00037.html
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -41644,6 +41644,7 @@ CVE-2026-34178 (In Canonical LXD before 6.8, the backup import path validates pr
- incus 6.0.6-3
- lxd <removed>
[trixie] - lxd 5.0.2+git20231211.1364ae4-9+deb13u5
+ [bookworm] - lxd <end-of-life> (EOL in bookworm LTS)
NOTE: https://github.com/canonical/lxd/security/advisories/GHSA-q96j-3fmm-7fv4
NOTE: https://github.com/canonical/lxd/pull/17921
NOTE: https://github.com/lxc/incus/pull/3088
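Review bot: the new `[bookworm] - lxd <end-of-life> (EOL in bookworm LTS)` line records the reason only as a parenthetical, while the announcement that justifies it (https://lists.debian.org/debian-lts/2026/05/msg00037.html) is cited in the commit message and nowhere in the entry; adding it as a NOTE here (the same applies to every `<end-of-life>` line in this commit) would let a reader of data/CVE/list see why lxd on bookworm stays unfixed without consulting the git log. The surrounding lines also make the practical situation clear: unstable has lxd `<removed>`, so trixie's 5.0.2+git20231211.1364ae4-9+deb13u5 is the only fixed Debian package for this issue.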
@@ -114457,6 +114458,7 @@ CVE-2025-59438 (Mbed TLS through 3.6.4 has an Observable Timing Discrepancy.)
{DLA-4551-1}
- mbedtls 3.6.5-0.1 (bug #1118752)
[trixie] - mbedtls 3.6.5-0.1~deb13u1
+ [bookworm] - mbedtls <end-of-life> (EOL in bookworm LTS)
NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-invalid-padding-error/
NOTE: https://github.com/Mbed-TLS/mbedtls/commit/155de2ab775e77ab6fa81bf2b1e6e63768123bc1 (mbedtls-3.6.5)
NOTE: https://github.com/Mbed-TLS/mbedtls/commit/d179dc80a5b13189c79fe4531eacb28698a7a0e9 (mbedtls-3.6.5)
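Review bot: the `{DLA-4551-1}` reference directly above the new `[bookworm] - mbedtls <end-of-life>` line reads as a contradiction at first glance, since a DLA is an LTS advisory and the new line says bookworm LTS will not fix this issue; if DLA-4551-1 was issued for the previous LTS suite, a short NOTE saying so would remove the ambiguity. The same juxtaposition recurs later in the diff for CVE-2025-54572 (DLA-4288-1), CVE-2025-47917 and CVE-2025-48965 (DLA-4274-1), CVE-2025-52497 and CVE-2025-52496 (DLA-4274-1) and the three ruby-saml entries (DLA-4115-1).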
@@ -114669,6 +114671,7 @@ CVE-2025-60781 (PHP Education Manager v1.0 is vulnerable to Cross Site Scripting
CVE-2025-54764 (Mbed TLS before 3.6.5 allows a local timing attack against certain RSA ...)
- mbedtls 3.6.5-0.1 (bug #1118750)
[trixie] - mbedtls 3.6.5-0.1~deb13u1
+ [bookworm] - mbedtls <end-of-life> (EOL in bookworm LTS)
NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-ssbleed-mstep/
CVE-2025-26392 (SolarWinds Observability Self-Hosted is susceptible to SQL injection v ...)
NOT-FOR-US: SolarWinds
@@ -143374,6 +143377,7 @@ CVE-2025-54573 (CVAT is an open source interactive video and image annotation to
CVE-2025-54572 (The Ruby SAML library is for implementing the client side of a SAML au ...)
{DLA-4288-1}
- ruby-saml <removed>
+ [bookworm] - ruby-saml <end-of-life> (EOL in bookworm LTS)
NOTE: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-rrqh-93c8-j966
NOTE: https://github.com/SAML-Toolkits/ruby-saml/pull/770
NOTE: Fixed by: https://github.com/SAML-Toolkits/ruby-saml/commit/fd2f532862b6453069d69d07a541e668609c2bbc
@@ -151347,10 +151351,12 @@ CVE-2023-50786 (Dradis through 4.16.0 allows referencing external images (resour
CVE-2025-47917 (Mbed TLS before 3.6.4 allows a use-after-free in certain situations of ...)
{DLA-4274-2 DLA-4274-1}
- mbedtls 3.6.4-1 (bug #1108791)
+ [bookworm] - mbedtls <end-of-life> (EOL in bookworm LTS)
NOTE: https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-7.md
CVE-2025-48965 (Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtls_a ...)
{DLA-4274-1}
- mbedtls 3.6.4-1 (bug #1108790)
+ [bookworm] - mbedtls <end-of-life> (EOL in bookworm LTS)
NOTE: https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-6.md
CVE-2025-49087 (In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in ...)
- mbedtls 3.6.4-1 (bug #1108789)
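Review bot: CVE-2025-49087, the third entry in this hunk, gets no `[bookworm]` line while its neighbours CVE-2025-47917 and CVE-2025-48965 do; that is consistent with its description limiting the issue to Mbed TLS 3.6.1 through 3.6.3, but the hunk context ends at `- mbedtls 3.6.4-1 (bug #1108789)`, so check that the existing bookworm entry below it already records `<not-affected>` (or similar) rather than leaving bookworm's status implicit next to two explicit EOL markers.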
@@ -151439,10 +151445,12 @@ CVE-2025-52718 (Improper Control of Generation of Code ('Code Injection') vulner
CVE-2025-52497 (Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer und ...)
{DLA-4274-1}
- mbedtls 3.6.4-1 (bug #1108786)
+ [bookworm] - mbedtls <end-of-life> (EOL in bookworm LTS)
NOTE: https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-2.md
CVE-2025-52496 (Mbed TLS before 3.6.4 has a race condition in AESNI detection if certa ...)
{DLA-4274-1}
- mbedtls 3.6.4-1 (bug #1108785)
+ [bookworm] - mbedtls <end-of-life> (EOL in bookworm LTS)
NOTE: https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-1.md
CVE-2025-50039 (Missing Authorization vulnerability in vgwort VG WORT METIS vgw-metis ...)
NOT-FOR-US: WordPress plugin
@@ -174521,6 +174529,7 @@ CVE-2024-12543 (User Enumeration and Data Integrity in Barcode functionality in
NOT-FOR-US: OpenText
CVE-2024-40446 (An issue in forkosh Mime Tex before v.1.77 allows an attacker to execu ...)
- mimetex 1.76-6 (bug #1103801)
+ [bookworm] - mimetex <end-of-life> (EOL in bookworm LTS)
NOTE: https://github.com/TaiYou-TW/CVE-2024-40445_CVE-2024-40446
CVE-2024-40445 (A directory traversal vulnerability in forkosh Mime TeX before version ...)
- mimetex <not-affected> (Only affects MimeTeX on Windows, cf bug #1105117)
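Review bot: the only NOTE under CVE-2024-40446 is a third-party proof-of-concept repository (TaiYou-TW/CVE-2024-40445_CVE-2024-40446); now that the new `[bookworm] - mimetex <end-of-life>` line says the package will stay vulnerable in bookworm, anyone who has to patch it locally would benefit from a reference to the upstream change the description points at (Mime TeX 1.77) or to what went into 1.76-6 (bug #1103801). Leaving CVE-2024-40445 without a bookworm line is correct, as it stays `<not-affected>` for the Windows-only reason given in the entry.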
@@ -188219,6 +188228,7 @@ CVE-2025-2104 (The Page Builder: Pagelayer \u2013 Drag and Drop website builder
CVE-2025-25293 (ruby-saml provides security assertion markup language (SAML) single si ...)
{DLA-4115-1}
- ruby-saml <removed> (bug #1100441)
+ [bookworm] - ruby-saml <end-of-life> (EOL in bookworm LTS)
NOTE: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-92rq-c8cf-prrq
NOTE: Vulnerability might be the result of an incomplete fix for a zipbomb attack.
NOTE: https://github.com/SAML-Toolkits/ruby-saml/pull/383 (v1.12.0)
@@ -188232,6 +188242,7 @@ CVE-2025-25293 (ruby-saml provides security assertion markup language (SAML) sin
CVE-2025-25292 (ruby-saml provides security assertion markup language (SAML) single si ...)
{DLA-4115-1}
- ruby-saml <removed> (bug #1100441)
+ [bookworm] - ruby-saml <end-of-life> (EOL in bookworm LTS)
NOTE: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-754f-8gm6-c4r2
NOTE: https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97 (v1.18.0)
NOTE: https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9 (v1.12.4)
@@ -188239,6 +188250,7 @@ CVE-2025-25292 (ruby-saml provides security assertion markup language (SAML) sin
CVE-2025-25291 (ruby-saml provides security assertion markup language (SAML) single si ...)
{DLA-4115-1}
- ruby-saml <removed> (bug #1100441)
+ [bookworm] - ruby-saml <end-of-life> (EOL in bookworm LTS)
NOTE: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-4vc4-m8qh-g8jm
NOTE: https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97 (v1.18.0)
NOTE: https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9 (v1.12.4)
@@ -302163,6 +302175,7 @@ CVE-2024-25767 (nanomq 0.21.2 contains a Use-After-Free vulnerability in /nanomq
NOT-FOR-US: NanoMQ
CVE-2024-25763 (openNDS 10.2.0 is vulnerable to Use-After-Free via /openNDS/src/auth.c ...)
- opennds 10.3.0+dfsg-0.1 (bug #1081792)
+ [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
NOTE: https://github.com/LuMingYinDetect/openNDS_defects/blob/main/openNDS_detect_1.md
NOTE: https://github.com/openNDS/openNDS/issues/600
NOTE: https://github.com/openNDS/openNDS/issues/571
@@ -321676,10 +321689,12 @@ CVE-2023-42428 (Directory traversal vulnerability in CubeCart prior to 6.5.3 all
NOT-FOR-US: CubeCart
CVE-2023-41102 (An issue was discovered in the captive portal in OpenNDS before versio ...)
- opennds 10.2.0+dfsg-1 (bug #1059452)
+ [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
NOTE: https://github.com/openNDS/openNDS/commit/69dde77927b252e2a4347170504a785ac5d50c33 (v10.1.3)
CVE-2023-41101 (An issue was discovered in the captive portal in OpenNDS before versio ...)
- opennds 10.2.0+dfsg-1 (bug #1059452)
+ [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
NOTE: https://github.com/openNDS/openNDS/commit/69dde77927b252e2a4347170504a785ac5d50c33 (v10.1.3)
CVE-2023-40314 (Cross-site scripting in bootstrap.jsp in multiple versions of OpenNMS ...)
@@ -321696,51 +321711,63 @@ CVE-2023-39544 (CLUSTERPRO X Ver5.1 and earlier and EXPRESSCLUSTER X 5.1 and ear
NOT-FOR-US: CLUSTERPRO
CVE-2023-38324 (An issue was discovered in OpenNDS before 10.1.2. It allows users to s ...)
- opennds 10.2.0+dfsg-1 (bug #1059451)
+ [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
NOTE: https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9 (v10.1.2)
CVE-2023-38323 (An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize ...)
- opennds 10.2.0+dfsg-1
+ [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
NOTE: From v10 onwards, statuspath configuration value is urlencoded, marking first 10.x upload as fixed for sid
CVE-2023-38322 (An issue was discovered in OpenNDS Captive Portal before version 10.1. ...)
- opennds 10.2.0+dfsg-1 (bug #1059451)
+ [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
NOTE: https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9 (v10.1.2)
CVE-2023-38321 (OpenNDS, as used in Sierra Wireless ALEOS before 4.17.0.12 and other p ...)
- opennds 10.2.0+dfsg-1 (bug #1059451)
+ [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
NOTE: https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9 (v10.1.2)
NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
NOTE: While not specifically listed in the commit message, this appears to be the same fix as for CVE-2023-38320/CVE-2023-38322
CVE-2023-38320 (An issue was discovered in OpenNDS Captive Portal before version 10.1. ...)
- opennds 10.2.0+dfsg-1 (bug #1059451)
+ [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
NOTE: https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9 (v10.1.2)
CVE-2023-38319 (An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize ...)
- opennds 10.2.0+dfsg-1
+ [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
NOTE: From v10 onwards, faskey configuration value is urlencoded, marking first 10.x upload as fixed for sid
CVE-2023-38318 (An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize ...)
- opennds 10.2.0+dfsg-1
+ [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
NOTE: From v10 onwards, gatewayfqdn configuration value is urlencoded, marking first 10.x upload as fixed for sid
CVE-2023-38317 (An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize ...)
- opennds 10.2.0+dfsg-1
+ [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
NOTE: From v10 onwards, gateway interface configuration value is urlencoded, marking first 10.x upload as fixed for sid
CVE-2023-38316 (An issue was discovered in OpenNDS Captive Portal before version 10.1. ...)
- opennds 10.2.0+dfsg-1 (bug #1059451)
+ [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
NOTE: https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9 (v10.1.2)
CVE-2023-38315 (An issue was discovered in OpenNDS Captive Portal before version 10.1. ...)
- opennds 10.2.0+dfsg-1 (bug #1059451)
+ [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
NOTE: https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9 (v10.1.2)
CVE-2023-38314 (An issue was discovered in OpenNDS Captive Portal before version 10.1. ...)
- opennds 10.2.0+dfsg-1 (bug #1059451)
+ [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
NOTE: https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9 (v10.1.2)
CVE-2023-38313 (An issue was discovered in OpenNDS Captive Portal before 10.1.2. it ha ...)
- opennds 10.2.0+dfsg-1 (bug #1059451)
+ [bookworm] - opennds <end-of-life> (EOL in bookworm LTS)
NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
NOTE: https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9 (v10.1.2)
CVE-2023-38130 (Cross-site request forgery (CSRF) vulnerability in CubeCart prior to 6 ...)
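Review bot: four entries in this hunk (CVE-2023-38323, CVE-2023-38319, CVE-2023-38318 and CVE-2023-38317) are marked fixed in sid only by the NOTE that the first 10.x upload urlencodes the affected configuration value, with no upstream commit and no bug number, and CVE-2023-38321 documents its fix as "appears to be the same fix as for CVE-2023-38320/CVE-2023-38322"; with the new `[bookworm] - opennds <end-of-life>` lines these notes become the only leads for anyone maintaining opennds on bookworm themselves, so an upstream commit reference for the urlencoding change and confirmation of the CVE-2023-38321 fix would be worth adding. The twelve added lines match the `@@ -321696,51 +321711,63 @@` header, so the hunk itself is complete.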
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/929c7d23809e1e892513c78539bec8832ea8e20a