[Git][security-tracker-team/security-tracker][master] Add new python issues

Salvatore Bonaccorso (@carnil) Tue, 03 Jun 2025 13:45:56 -0700


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker



Commits:
33b26563 by Salvatore Bonaccorso at 2025-06-03T22:45:21+02:00
Add new python issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -59,19 +59,67 @@ CVE-2025-5103 (The Ultimate Gift Cards for WooCommerce 
plugin for WordPress is v
 CVE-2025-4671 (The Profile Builder plugin for WordPress is vulnerable to 
Stored Cross ...)
        NOT-FOR-US: WordPress plugin
 CVE-2025-4517 (Allows arbitrary filesystem writes outside the extraction 
directory du ...)
-       TODO: check
+       - python3.13 3.13.4-1
+       - python3.12 <unfixed>
+       - python3.11 <removed>
+       - python3.9 <removed>
+       - python2.7 <removed>
+       - jython <unfixed>
+       NOTE: https://github.com/python/cpython/issues/135034
+       NOTE: https://github.com/python/cpython/pull/135037
+       NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a
 (main)
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a
 (3.14)
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01
 (3.13.4)
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da
 (3.12.11)
 CVE-2025-4435 (When using a TarFile.errorlevel = 0and extracting with a filter 
the do ...)
-       TODO: check
+       - python3.13 3.13.4-1
+       - python3.12 <unfixed>
+       - python3.11 <removed>
+       - python3.9 <removed>
+       - python2.7 <removed>
+       - jython <unfixed>
+       NOTE: https://github.com/python/cpython/issues/135034
+       NOTE: https://github.com/python/cpython/pull/135037
+       NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a
 (main)
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a
 (3.14)
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01
 (3.13.4)
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da
 (3.12.11)
 CVE-2025-4420 (The Vayu Blocks \u2013 Gutenberg Blocks for WordPress & 
WooCommerce pl ...)
        NOT-FOR-US: WordPress plugin
 CVE-2025-4392 (The Shared Files \u2013 Frontend File Upload Form & Secure File 
Sharin ...)
        NOT-FOR-US: WordPress plugin
 CVE-2025-4330 (Allows the extraction filter to be ignored, allowing symlink 
targets t ...)
-       TODO: check
+       - python3.13 3.13.4-1
+       - python3.12 <unfixed>
+       - python3.11 <removed>
+       - python3.9 <removed>
+       - python2.7 <removed>
+       - jython <unfixed>
+       NOTE: https://github.com/python/cpython/issues/135034
+       NOTE: https://github.com/python/cpython/pull/135037
+       NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a
 (main)
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a
 (3.14)
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01
 (3.13.4)
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da
 (3.12.11)
 CVE-2025-4205 (The Popup Maker plugin for WordPress is vulnerable to Stored 
Cross-Sit ...)
        NOT-FOR-US: WordPress plugin
 CVE-2025-4138 (Allows the extraction filter to be ignored, allowing symlink 
targets t ...)
-       TODO: check
+       - python3.13 3.13.4-1
+       - python3.12 <unfixed>
+       - python3.11 <removed>
+       - python3.9 <removed>
+       - python2.7 <removed>
+       - jython <unfixed>
+       NOTE: https://github.com/python/cpython/issues/135034
+       NOTE: https://github.com/python/cpython/pull/135037
+       NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a
 (main)
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a
 (3.14)
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01
 (3.13.4)
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da
 (3.12.11)
 CVE-2025-48998 (DataEase is an open source business intelligence and data 
visualizatio ...)
        NOT-FOR-US: DataEase
 CVE-2025-48997 (Multer is a node.js middleware for handling 
`multipart/form-data`. A v ...)
@@ -147,7 +195,19 @@ CVE-2024-45655 (IBM Application Gateway 19.12 through 
24.09 could allow a local
 CVE-2024-36486 (A privilege escalation vulnerability exists in the virtual 
machine arc ...)
        TODO: check
 CVE-2024-12718 (Allows modifying some file metadata (e.g. last modified) with 
filter=" ...)
-       TODO: check
+       - python3.13 3.13.4-1
+       - python3.12 <unfixed>
+       - python3.11 <removed>
+       - python3.9 <removed>
+       - python2.7 <removed>
+       - jython <unfixed>
+       NOTE: https://github.com/python/cpython/issues/135034
+       NOTE: https://github.com/python/cpython/pull/135037
+       NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/3612d8f51741b11f36f8fb0494d79086bac9390a
 (main)
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/9e0ac76d96cf80b49055f6d6b9a6763fb9215c2a
 (3.14)
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/aa9eb5f757ceff461e6e996f12c89e5d9b583b01
 (3.13.4)
+       NOTE: Fixed by: 
https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da
 (3.12.11)
 CVE-2024-47081
        - requests <unfixed>
        [bookworm] - requests <postponed> (Minor issue; revisit when fixed 
upstream)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33b2656334faa49cde20efa961b546ff0dd4b818

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33b2656334faa49cde20efa961b546ff0dd4b818
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Add new python issues

Reply via email to