Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: 8dccf3fd by Markus Koschany at 2025-09-07T23:55:37+02:00 Add libxml2 to dla-needed.txt - - - - - f89a9f03 by Markus Koschany at 2025-09-07T23:57:07+02:00 CVE-2025-7709,sqlite3: bullseye is not affected The vulnerable code was introduced in version 3.45 starting with commit https://github.com/sqlite/sqlite/commit/d1fbaa071bac376206cc009ecdce95b13e131b62 A double check for bookworm and other versions is appreciated as usual. - - - - - ec791629 by Markus Koschany at 2025-09-07T23:57:42+02:00 Add shibboleth-sp to dla-needed.txt - - - - - 0176e579 by Markus Koschany at 2025-09-07T23:57:44+02:00 CVE-2024-8244,golang-1.15: bullseye is postponed Minor issue - - - - - 8dde8212 by Markus Koschany at 2025-09-07T23:57:45+02:00 CVE-2025-8556,golang-github-cloudflare-circl: bullseye is postponed Minor issue - - - - - c243eeef by Markus Koschany at 2025-09-07T23:57:47+02:00 CVE-2025-8959,golang-github-hashicorp-go-getter: bullseye is postponed Minor issue - - - - - 08ef392f by Markus Koschany at 2025-09-07T23:57:48+02:00 CVE-2025-58058,golang-github-ulikunitz-xz: bullseye is postponed Minor issue - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -216,6 +216,7 @@ CVE-2025-57807 (ImageMagick is free and open-source software used for editing an NOTE: https://github.com/ImageMagick/ImageMagick6/commit/ab1bb3d8ed06d0ed6aa5038b6a74aebf53af9ccf (6.9.13-29) CVE-2025-7709 [Integer Overflow in FTS5 Extension] - sqlite3 <unfixed> (bug #1114609) + [bullseye] - sqlite3 <not-affected> (The vulnerable code was introduced later) NOTE: https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g NOTE: Fixed by: https://sqlite.org/src/info/63595b74956a9391 NOTE: Fixed by: https://github.com/sqlite/sqlite/commit/192d0ff8ccf0bf55776a5930cdc64e25f87299d6 
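Review bot: the new `[bullseye] - sqlite3 <not-affected> (The vulnerable code was introduced later)` line records the conclusion but not the evidence for it; the introducing commit (https://github.com/sqlite/sqlite/commit/d1fbaa071bac376206cc009ecdce95b13e131b62, first shipped in 3.45 according to the commit message) appears only in the commit message, not in data/CVE/list. Add it beside the two "Fixed by" NOTEs, e.g. `NOTE: Introduced by: https://github.com/sqlite/sqlite/commit/d1fbaa071bac376206cc009ecdce95b13e131b62 (3.45)`, so the bookworm double check the commit message asks for can be done from the tracker data alone. The hunk also leaves bookworm without a suite-specific line: if bookworm's sqlite3 likewise predates 3.45, it needs the same `<not-affected>` marking rather than inheriting the `<unfixed>` state from the unstable line.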
@@ -2870,6 +2871,7 @@ CVE-2025-58058 (xz is a pure golang package for reading and writing xz-compresse - golang-github-ulikunitz-xz 0.5.15-1 (bug #1112508) [trixie] - golang-github-ulikunitz-xz <no-dsa> (Minor issue) [bookworm] - golang-github-ulikunitz-xz <no-dsa> (Minor issue) + [bullseye] - golang-github-ulikunitz-xz <postponed> (Minor issue) NOTE: https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9 NOTE: https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2 (v0.5.14-rc.1) CVE-2025-54777 (Uncaught exception issue exists in Multiple products in bizhub series. ...) @@ -6806,6 +6808,7 @@ CVE-2025-38502 (In the Linux kernel, the following vulnerability has been resolv CVE-2025-8959 (HashiCorp's go-getter library subdirectory download feature is vulnera ...) - golang-github-hashicorp-go-getter <unfixed> (bug #1111318) [bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue) + [bullseye] - golang-github-hashicorp-go-getter <postponed> (Minor issue) NOTE: https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242 CVE-2025-8898 (The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress ...) NOT-FOR-US: WordPress plugin @@ -9893,6 +9896,7 @@ CVE-2024-8244 (The filepath.Walk and filepath.WalkDir functions are documented a - golang-1.19 <removed> [bookworm] - golang-1.19 <no-dsa> (Minor issue) - golang-1.15 <removed> + [bullseye] - golang-1.15 <postponed> (Minor issue) NOTE: https://github.com/golang/go/issues/70007 CVE-2024-52885 (The Mobile Access Portal's File Share application is vulnerable to a d ...) NOT-FOR-US: Mobile Access Portal 
@@ -10258,6 +10262,7 @@ CVE-2012-10023 (A stack-based buffer overflow vulnerability exists in FreeFloat CVE-2025-8556 (A flaw was found in CIRCL's implementation of the FourQ elliptic curve ...) - golang-github-cloudflare-circl 1.6.1-1 [bookworm] - golang-github-cloudflare-circl <no-dsa> (Minor issue) + [bullseye] - golang-github-cloudflare-circl <postponed> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2371624 NOTE: https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm CVE-2025-8586 (A vulnerability, which was classified as problematic, was found in lib ...) ===================================== data/dla-needed.txt ===================================== @@ -234,6 +234,11 @@ libsoup2.4 NOTE: 20250520: seems sensible. Or maybe someone else will have more luck NOTE: 20250520: than me with getting the backported tests to run. (spwhitton) -- +libxml2 + NOTE: 20250907: Added by Front-Desk (apo) + NOTE: 20250907: Currently insufficient information for CVE-2025-26434 but is + NOTE: 20250907: affected by CVE-2025-9714. +-- libxmltok NOTE: 20250421: Added by Front-Desk (ta) NOTE: 20250421: Also review all other expat CVEs. (bunk) @@ -376,6 +381,9 @@ rails NOTE: 20250621: rails DSA uploaded the last 6.1 release before EOL (2024-11) NOTE: 20250621: 6.0 branch is EOL (2023-06) so all open CVEs need individual backport (Beuc) -- +shibboleth-sp + NOTE: 20250907: Added by Front-Desk (apo) +-- sogo NOTE: 20240922: Added by Front-Desk (apo) NOTE: 20240922: See also postponed issues. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bea20aa2483b73dc8be7e7de259e9c5c882085d2...08ef392fd4b50a23e662591d5ccaf627eb6d90ca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bea20aa2483b73dc8be7e7de259e9c5c882085d2...08ef392fd4b50a23e662591d5ccaf627eb6d90ca You're receiving this email because of your account on salsa.debian.org.
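Review bot: the new shibboleth-sp entry in data/dla-needed.txt carries only `NOTE: 20250907: Added by Front-Desk (apo)` and names no issue, whereas the libxml2 entry added in the same push says which CVEs triggered it (CVE-2025-9714, with CVE-2025-26434 pending more information). Add a NOTE line naming the open CVE(s) behind the shibboleth-sp addition, in the same `NOTE: 20250907:` format, so whoever claims the package does not have to reconstruct the trigger from data/CVE/list.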
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
