[Git][security-tracker-team/security-tracker][master] Reserve DLA-4652-1 for gdcm

Emmanuel Arias (@eamanu) eamanu at debian.org
Fri Jun 26 21:19:03 BST 2026



Emmanuel Arias pushed to branch master at Debian Security Tracker / security-tracker


Commits:
62988f97 by Emmanuel Arias at 2026-06-26T17:18:46-03:00
Reserve DLA-4652-1 for gdcm

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -103939,14 +103939,12 @@ CVE-2025-53619 (An out-of-bounds read vulnerability exists in the JPEGBITSCodec:
 	- gdcm 3.0.24-11 (bug #1123587)
 	[trixie] - gdcm <no-dsa> (Minor issue)
 	[bookworm] - gdcm <no-dsa> (Minor issue)
-	[bullseye] - gdcm <postponed> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2210
 	NOTE: https://github.com/malaterre/GDCM/commit/f0e359c87947326c7fb2f7b91ecbe351e9d8c683 (v3.2.3)
 CVE-2025-53618 (An out-of-bounds read vulnerability exists in the JPEGBITSCodec::Inter ...)
 	- gdcm 3.0.24-11 (bug #1123587)
 	[trixie] - gdcm <no-dsa> (Minor issue)
 	[bookworm] - gdcm <no-dsa> (Minor issue)
-	[bullseye] - gdcm <postponed> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2210
 	NOTE: https://github.com/malaterre/GDCM/commit/f0e359c87947326c7fb2f7b91ecbe351e9d8c683 (v3.2.3)
 CVE-2025-53524 (Fuji Electric Monitouch V-SFT-6 is vulnerable to an out-of-bounds writ ...)
@@ -103955,14 +103953,12 @@ CVE-2025-52582 (An out-of-bounds read vulnerability exists in the Overlay::GrabO
 	- gdcm 3.0.24-11 (bug #1123576)
 	[trixie] - gdcm <no-dsa> (Minor issue)
 	[bookworm] - gdcm <no-dsa> (Minor issue)
-	[bullseye] - gdcm <postponed> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2211
 	NOTE: https://github.com/malaterre/GDCM/commit/14825ceb1cb6855f32e726ee5cd2968e3051da2a (v3.2.3)
 CVE-2025-48429 (An out-of-bounds read vulnerability exists in the RLECodec::DecodeBySt ...)
 	- gdcm 3.0.24-11 (bug #1123589)
 	[trixie] - gdcm <no-dsa> (Minor issue)
 	[bookworm] - gdcm <no-dsa> (Minor issue)
-	[bullseye] - gdcm <postponed> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2214
 	NOTE: https://github.com/malaterre/GDCM/commit/0393310f8bb27c3bec8b67c6bfb18f71f6a15bb8 (v3.2.3)
 CVE-2025-34288 (Nagios XI versions prior to 2026R1.1 arevulnerable to local privilege  ...)
@@ -106199,7 +106195,6 @@ CVE-2025-11266 (An out-of-bounds write vulnerability exists in the Grassroots DI
 	- gdcm 3.0.24-11 (bug #1122862)
 	[trixie] - gdcm <no-dsa> (Minor issue)
 	[bookworm] - gdcm <no-dsa> (Minor issue)
-	[bullseye] - gdcm <postponed> (Minor issue)
 	NOTE: Fixed by: https://github.com/malaterre/GDCM/commit/5829c95c8ac3afa9a3a3413675e948959c28a789 (v3.2.2)
 CVE-2025-11164 (The Mavix Education theme for WordPress is vulnerable to unauthorized  ...)
 	NOT-FOR-US: WordPress plugin
@@ -293625,7 +293620,6 @@ CVE-2024-25624 (Iris is a web collaborative platform aiming to help incident res
 CVE-2024-25569 (An out-of-bounds read vulnerability exists in the RAWCodec::DecodeByte ...)
 	- gdcm 3.0.24-1 (bug #1070387)
 	[bookworm] - gdcm <no-dsa> (Minor issue)
-	[bullseye] - gdcm <no-dsa> (Minor issue)
 	[buster] - gdcm <postponed> (Minor issue, follow bullseye)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1944
 	NOTE: https://github.com/malaterre/GDCM/commit/dda17aa8d5939e4e255ebba67aacf34b09d88692 (v3.0.24)
@@ -293634,14 +293628,12 @@ CVE-2024-25026 (IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Appl
 CVE-2024-22391 (A heap-based buffer overflow vulnerability exists in the LookupTable:: ...)
 	- gdcm 3.0.24-1 (bug #1070387)
 	[bookworm] - gdcm <no-dsa> (Minor issue)
-	[bullseye] - gdcm <no-dsa> (Minor issue)
 	[buster] - gdcm <postponed> (Minor issue, follow bullseye)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1924
 	NOTE: https://github.com/malaterre/GDCM/commit/21a793095ab3aecb794c56439873e5b181ea9d91 (v3.0.24)
 CVE-2024-22373 (An out-of-bounds write vulnerability exists in the JPEG2000Codec::Deco ...)
 	- gdcm 3.0.24-1 (bug #1070387)
 	[bookworm] - gdcm <no-dsa> (Minor issue)
-	[bullseye] - gdcm <no-dsa> (Minor issue)
 	[buster] - gdcm <postponed> (Minor issue, follow bullseye)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1935
 	NOTE: https://github.com/malaterre/GDCM/commit/371c2d937e37b08a46eeb0628c553ce4608a45df (v3.0.24)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[26 Jun 2026] DLA-4652-1 gdcm - security update
+	{CVE-2024-22373 CVE-2024-22391 CVE-2024-25569 CVE-2025-11266 CVE-2025-48429 CVE-2025-52582 CVE-2025-53618 CVE-2025-53619 CVE-2026-3650}
+	[bullseye] - gdcm 3.0.8-2+deb11u1
 [26 Jun 2026] DLA-4651-1 python-urllib3 - security update
 	{CVE-2026-44431}
 	[bullseye] - python-urllib3 1.26.5-1~exp1+deb11u4


=====================================
data/dla-needed.txt
=====================================
@@ -192,18 +192,6 @@ gdal/bullseye
   NOTE: 20260419: Investigate why embded zblib and maybe deemded beginning from sid (rouca/FD)
   NOTE: 20260419: check other zlib CVE (rouca/FD)
 --
-gdcm/bullseye (eamanu)
-  NOTE: 20251214: Added by Front-Desk (dleidert)
-  NOTE: 20251214: Take care of OSPU as well (dleidert/front-desk)
-  NOTE: 20251220: CVE-2024-* were fixed by Étienne Mollie. I fixed CVE-2025-11266 in salsa (eamanu).
-  NOTE: 20260102: Contact upstream to know if they plan fix last CVEs. I'm starting to work on a patch for them.
-  NOTE: 20260108: Upstream is working on the fix.
-  NOTE: 20260218: Fix for CVE-2024-* and CVE-2025-11266 are ready in salsa. Upstream was contacted asking for a plan for the rest of CVEs.
-  NOTE: 20260325: CVE-2025-68158 fixed in repository.
-  NOTE: 20260513: New ping to upstream to know about open CVEs.
-  NOTE: 20260528: Ping upstream again.
-  NOTE: 20260618: Upstream confirmed the fixes, I'm working on the patches.
---
 gh/bookworm
   NOTE: 20241230: Added by Security Team (carnil)
   NOTE: 20260611: bookworm LTS handover.



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62988f97b9090b399d794c3f5e9fb7e03d5b4ac9

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62988f97b9090b399d794c3f5e9fb7e03d5b4ac9
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260626/8d285fa2/attachment-0001.htm>


More information about the debian-security-tracker-commits mailing list