On Thu, Oct 09, 2025 at 08:05:41AM +, Holger Levsen wrote:
> control: tags -1 + moreinfo
> thanks
>
> On Wed, Oct 08, 2025 at 09:12:32PM +0000, Moritz Mühlenhoff wrote:
> > The whole premise of assigning CVE IDs to data parsing bugs in HDF seems
> > flawed
>
On Mon, Oct 06, 2025 at 09:20:55PM +0200, Salvatore Bonaccorso wrote:
> Hi Henrique,
>
> On Sun, Oct 05, 2025 at 04:31:56PM -0300, Henrique de Moraes Holschuh wrote:
> > Hello Salvatore,
> >
> > On Fri, Oct 3, 2025, at 17:35, Salvatore Bonaccorso wrote:
> > > On Wed, Aug 13, 2025 at 10:45:22AM +0
On Mon, Sep 15, 2025 at 03:14:30PM -0400, Antoine Beaupré wrote:
> On 2025-09-11 22:04:03, Salvatore Bonaccorso wrote:
> > Hi Antoine,
> >
> > [Adding CC to t...@security.debian.org]
> >
> > Apologies for the delay, we had other issues which needed more
> > attention first.
>
> np.
Thanks, I'll r
On Wed, Sep 10, 2025 at 03:05:56PM +0200, Ferenc Wágner wrote:
> Dear Security Team,
>
> The reporter assigned CVE-2025-9943 to this vulnerability. I guess you
> want to enroll this info into the security tracker. I'll retroactively
> add this to the bookworm, trixie and unstable changelogs to a
Hi Laszlo,
Am Sun, Jul 27, 2025 at 03:56:36PM +0300 schrieb Shani Yosef:
> Here is the patch 😅
>
> On Sun, 27 Jul 2025 at 15:01, Shani Yosef wrote:
>
> > Source: sqlite3
> > Version: 3.40.1-2
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> >
> >
> >
> >
retitle Bug#966: bookworm-pu: package botan/2.19.3+dfsg-1+deb12u1
thanks
On Sun, Aug 24, 2025 at 05:09:28PM +0200, László Böszörményi (GCS) wrote:
> Hi Moritz,
>
> On Sun, Aug 24, 2025 at 4:09 PM Moritz Muehlenhoff wrote:
> > X-Debbugs-Cc: bot...@packages.debian.org, g...@debian.org
> > Cont
On Thu, Aug 21, 2025 at 11:55:47PM +0200, Yadd wrote:
> MISSING:
> sha.js@2.4.12
>└── to-buffer (1.2.1)
>└── typed-array-buffer (1.0.3)
>└── call-bound (1.0.4)
>└── call-bind-apply-helpers (1.0.2)
>└── es-errors (1.3.0)
>└─
On Thu, Jul 31, 2025 at 03:40:33PM +0300, Adrian Bunk wrote:
> > I think so. OpenJDK 25 is a LTS release, and will be released in September.
> > It can be updated in a point release, and then be security supported for
> > trixie's lifetime.
>
> Is there a commitment from someone to provide DSAs fo
On Tue, Jul 15, 2025 at 02:49:55PM +0100, Simon McVittie wrote:
> On Tue, 15 Jul 2025 at 14:29:13 +0200, Moritz Mühlenhoff wrote:
> > The following vulnerability was published for policykit-1.
> >
> > CVE-2025-7519[0]:
> > | When processing an XML policy with 32 or
Package: sqlite3
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for sqlite3.
CVE-2025-6965[0]:
| There exists a vulnerability in SQLite versions before 3.50.2 where
| the number of aggregate terms could exceed the number of
Package: pycares
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for pycares.
CVE-2025-48945[0]:
| pycares is a Python module which provides an interface to c-ares.
| c-ares is a C library that performs DNS requests and name
Package: libowasp-esapi-java
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for libowasp-esapi-java.
CVE-2025-5878[0]:
| A vulnerability was found in ESAPI esapi-java-legacy and classified
| as problematic. This issue affec
Package: jython
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for jython.
CVE-2025-6069[0]:
| The html.parser.HTMLParser class had worst-case quadratic complexity
| when processing certain crafted malformed inputs potentia
Package: vim
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for vim.
CVE-2025-53905[0]:
| Vim is an open source, command line text editor. Prior to version
| 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can a
Package: virtualbox
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for virtualbox.
CVE-2025-53024[0]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). The supported version
Package: mysql-8.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for mysql-8.0.
CVE-2025-50077[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
Package: rlottie
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for rlottie.
CVE-2025-0634[0]:
| Use After Free vulnerability in Samsung Open Source rLottie allows
| Remote Code Inclusion. This issue affects rLottie: V0.2.
h
Package: cpp-httplib
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for cpp-httplib.
CVE-2025-52887[0]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. In version 0.21.0, when many http
Package: imagemagick
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for imagemagick.
CVE-2025-53014[0]:
| ImageMagick is free and open-source software used for editing and
| manipulating digital images. Versions prior to 7.1
Package: mruby
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for mruby.
CVE-2025-7207[0]:
| A vulnerability, which was classified as problematic, was found in
| mruby up to 3.4.0-rc2. Affected is the function scope_new of
Package: ruby3.3
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for ruby3.3.
CVE-2025-24294[0]:
| The attack vector is a potential Denial of Service (DoS). The
| vulnerability is caused by an insufficient check on the lengt
Package: python-aiohttp
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for python-aiohttp.
CVE-2025-53643[0]:
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio
| and Python. Prior to version 3.12.14, the
Package: jackrabbit
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for jackrabbit.
CVE-2025-53689[0]:
| Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-
| core in Apache Jackrabbit < 2.23.2 due to usage of an
Package: policykit-1
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security
Hi,
The following vulnerability was published for policykit-1.
CVE-2025-7519[0]:
| A flaw was found in polkit. When processing an XML policy with 32 or
| more nested elements in depth, an out-of-bounds wr
On Mon, Jun 30, 2025 at 10:01:02AM +, Debian Bug Tracking System wrote:
> > CVE-2025-5455[0]:
> > | An issue was found in the private API function qDecodeDataUrl() in
> > | QtCore, which is used in QTextDocument and QNetworkReply, and,
> > | potentially, in user code. If the function was calle
Package: qt6-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for qt6-base.
CVE-2025-5455[0]:
| An issue was found in the private API function qDecodeDataUrl() in
| QtCore, which is used in QTextDocument and QNetworkRepl
Package: qtbase-opensource-src-gles
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for qtbase-opensource-src-gles.
CVE-2025-5455[0]:
| An issue was found in the private API function qDecodeDataUrl() in
| QtCore, which is us
Package: coremirror-js
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for coremirror-js.
CVE-2025-6493[0]:
| A vulnerability was found in CodeMirror up to 5.17.0 and classified
| as problematic. Affected by this issue is so
Package: qtbase-opensource-src
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for qtbase-opensource-src.
CVE-2025-5455[0]:
| An issue was found in the private API function qDecodeDataUrl() in
| QtCore, which is used in QTex
Package: podman
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for podman.
CVE-2025-6032[0]:
| A flaw was found in Podman. The podman machine init command fails to
| verify the TLS certificate when downloading the VM images fro
Am Mon, Jun 16, 2025 at 02:02:57AM +0300 schrieb Adrian Bunk:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm moreinfo
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: i...@packages.debian.org, secur...@debian.org
> Control: affects -1 + src:icu
>
>
On Fri, Jun 20, 2025 at 10:40:38AM +0100, Simon McVittie wrote:
> On Wed, 18 Jun 2025 at 20:54:55 +0200, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for gdk-pixbuf.
> >
> > (Choosing RC level, since jmm is planning a DSA, so we should have
> > that fixed as well in tr
Am Tue, Jun 10, 2025 at 02:22:18PM +0200 schrieb Thomas Lange:
> >> From my PoV this could also be handled by
> > - tag #1106121 trixie-ignore
> Perfect. Who can/should set this tag? The package maintainer or only
> the release team?
It's up to the release team.
> > - update the packa
Am Tue, Jun 03, 2025 at 09:44:42AM +0200 schrieb Sebastian Ramacher:
> Hi
>
> On 2025-06-02 00:25:41 +0200, Lorenzo wrote:
> > On Thu, 22 May 2025 20:46:34 +0200 Sebastian Ramacher
> > wrote:
> > > Control: severity -1 serious
> >
> > Hi Sebastian,
> >
> > I'm a bit surprised about the timing o
Source: glibc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for glibc.
CVE-2025-5745[0]:
| The strncmp implementation optimized for the Power10 processor in
| the GNU C Library version 2.40 and later writes to vector regis
Source: glibc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for glibc.
CVE-2025-5702[0]:
| The strcmp implementation optimized for the Power10 processor in the
| GNU C Library version 2.39 and later writes to vector regist
Source: radare2
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security
Hi,
The following vulnerabilities were published for radare2.
CVE-2025-5646[0]:
| A vulnerability has been found in Radare2 5.9.9 and classified as
| problematic. This vulnerability affects the function
| r_co
Source: qtimageformats-opensource-src
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for qtimageformats-opensource-src.
CVE-2025-5683[0]:
| When loading a specifically crafted ICNS format image file in QImage
| then it will
Source: qt6-imageformats
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for qt6-imageformats.
CVE-2025-5683[0]:
| When loading a specifically crafted ICNS format image file in QImage
| then it will trigger a crash. This iss
On Tue, Jun 03, 2025 at 01:33:44PM +0200, Daniel Leidert wrote:
> On Tue, 2025-06-03 at 08:42 +0200, Salvatore Bonaccorso wrote:
> > On Fri, May 30, 2025 at 05:38:30AM +0200, Daniel Leidert wrote:
>
> [Bookworm PU for CVE-2025-47287.patch]
> > Technically we had the package already in mind for a D
Am Wed, May 14, 2025 at 01:28:51PM +0200 schrieb Mario Rimann:
> On 2025-03-29 13:56, Aurelien Jarno wrote:
>
>> Any news on that? This warning is annoying when running puppet, so it
>> would be nice to get it fixed for Trixie.
>
> We tracked this down to a missing 'augparse' binary. Wo
Source: assimp
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security
Hi,
The following vulnerability was published for assimp.
CVE-2025-5203[0]:
| A vulnerability was found in Open Asset Import Library Assimp 5.4.3.
| It has been rated as problematic. Affected by this issue is t
Source: assimp
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security
Hi,
The following vulnerability was published for assimp.
CVE-2025-5200[0]:
| A vulnerability was found in Open Asset Import Library Assimp 5.4.3
| and classified as problematic. This issue affects the function
Source: nvidia-cuda-toolkit
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for nvidia-cuda-toolkit.
CVE-2025-23247[0]:
| NVIDIA CUDA Toolkit for all platforms contains a vulnerability in
| the cuobjdump binary, where a fail
Source: coreutils
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security
Hi,
The following vulnerability was published for coreutils.
CVE-2025-5278[0]:
| A flaw was found in GNU Coreutils. The sort utility's begfield()
| function is vulnerable to a heap buffer under-read. The pro
Source: assimp
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security
Hi,
The following vulnerability was published for assimp.
CVE-2025-5202[0]:
| A vulnerability was found in Open Asset Import Library Assimp 5.4.3.
| It has been declared as problematic. Affected by this vulnera
Source: assimp
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security
Hi,
The following vulnerability was published for assimp.
CVE-2025-5201[0]:
| A vulnerability was found in Open Asset Import Library Assimp 5.4.3.
| It has been classified as problematic. Affected is the functi
Source: jq
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for jq.
CVE-2024-23337[0]:
| jq is a command-line JSON processor. In versions up to and including
| 1.7.1, an integer overflow arises when assigning value using an
|
Source: jq
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for jq.
CVE-2025-48060[0]:
| jq is a command-line JSON processor. In versions up to and including
| 1.7.1, a heap-buffer-overflow is present in function
| `jv_string
Source: jgit
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for jgit.
CVE-2025-4949[0]:
| In Eclipse JGit versions 7.2.0.202503040940-r and older, the
| ManifestParser class used by the repo command and the AmazonS3 class
|
Source: gst-plugins-bad1.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for gst-plugins-bad1.0.
CVE-2025-3887[0]:
| GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code
| Execution Vulnerability. This vulnerab
Source: modsecurity-apache
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for modsecurity-apache.
CVE-2025-47947[0]:
| ModSecurity is an open source, cross platform web application
| firewall (WAF) engine for Apache, IIS and Ng
Am Tue, May 13, 2025 at 11:45:58PM +0200 schrieb Moritz Mühlenhoff:
> Source: golang-github-openpubkey-openpubkey
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for
> golang-g
Source: golang-github-openpubkey-openpubkey
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for
golang-github-openpubkey-openpubkey.
The details are rather scarce, basically just the CVE description, might
be worth reaching
Hi Moritz,
> > Let's also fix that one via a DSA. Moritz, could you please prepare an
> > update
> > for bookworm-security?
>
> Please see the attached debdiff and give me a go ahead to upload.
>
> I tested this patch on our fleet of webservers running bookworm and verified
> it
> still works
On Wed, May 07, 2025 at 07:36:34AM +0200, Salvatore Bonaccorso wrote:
> Hi Moritz,
>
> On Fri, May 02, 2025 at 02:31:06PM +0200, Salvatore Bonaccorso wrote:
> > Hi Moritz,
> >
> > On Fri, May 02, 2025 at 02:13:01PM +0200, Moritz Schlarb wrote:
> > > Hi carnil,
> > >
> > > On Thu, 2025-05-01 at 0
On Mon, May 05, 2025 at 04:00:31PM +0200, Salvatore Bonaccorso wrote:
> Thanks for these additional datapoints. Assuming you won't be able to
> test the other stable series where the commit d05af90d6218
> ("md/raid10: fix missing discard IO accounting") went in, might you at
> least be able to test t
Am Wed, Apr 30, 2025 at 05:55:20PM +0200 schrieb Salvatore Bonaccorso:
> Hi
>
> We got a regression report in Debian after the update from 6.1.133 to
> 6.1.135. Melvin is reporting that discard/trim through a RAID10 array
> stalls indefinitely. The full report is inlined below and originates
> fr
Am Thu, May 01, 2025 at 10:13:24PM +0200 schrieb Salvatore Bonaccorso:
> Hi Andres,
>
> [very personal opinion]
>
> On Thu, May 01, 2025 at 01:22:00PM -0400, Andres Salomon wrote:
> > Package: dput
> > Version: 1.1.3
> > X-Debbugs-Cc: Debian Security Team
> >
> > In chromium, I have the followi
Source: dnsdist
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for dnsdist.
CVE-2025-30194[0]:
| When DNSdist is configured to provide DoH via the nghttp2 provider,
| an attacker can cause a denial of service by crafting a DoH
On Sat, Apr 26, 2025 at 06:17:28PM +, Mathias Gibbens wrote:
> control: severity -1 minor
> control: tags -1 + wontfix
>
> Due to code changes/refactoring between LXD 5.0.4 and the snapshot of
> 5.0.2 in Debian, an unreasonable amount of work would be required to
> fix this minor issue. Lowe
On Thu, Apr 24, 2025 at 01:35:16PM +0300, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm moreinfo
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: secur...@debian.org, Dylan Aïssi
>
> * CVE-2025-32776: out-of-bounds read
>
> Ta
On Wed, Apr 23, 2025 at 05:04:22PM -0500, Serge E. Hallyn wrote:
> On Tue, Apr 22, 2025 at 09:46:14PM +0200, Chris Hofstaedtler wrote:
> > * Serge E. Hallyn [250422 15:48]:
> > > On Mon, Apr 21, 2025 at 08:08:50PM +0200, Salvatore Bonaccorso wrote:
> > > > Thought this will not really be fixable i
On Tue, Apr 22, 2025 at 10:46:57PM +0200, Robin Gustafsson wrote:
> Hi Moritz,
>
> Thanks for the report.
>
> On 4/22/25 14:09, Moritz Mühlenhoff wrote:
> > [...]
> > The following vulnerability was published for php-laravel-framework.
> >
> > CVE-2025-2
Am Wed, May 29, 2024 at 10:26:24AM +0400 schrieb Yadd:
> On 5/29/24 00:40, Moritz Mühlenhoff wrote:
> > Source: node-ip
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following vu
Am Thu, Oct 17, 2024 at 11:12:18AM +0200 schrieb Andreas Beckmann:
> Source: nvidia-graphics-drivers-tesla-470
> Version: 470.256.02-3
> Severity: normal
> Tags: sid trixie
>
> The upstream support for the Tesla 470 driver series has ended
> in 07/2024: https://docs.nvidia.com/datacenter/tesla/dri
Source: php-laravel-framework
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for php-laravel-framework.
CVE-2025-27515[0]:
| Laravel is a web application framework. When using wildcard
| validation to validate a given file or i
Am Tue, Apr 15, 2025 at 07:52:49PM +0200 schrieb Alexander Kjäll:
> pprof was at some point needed for the gix stack, if they have moved
> away from using it then I agree that it's not needed in trixie.
>
> Will this bug be enough to block it, or do we need to do anything more?
If it's entirely
Source: lxd
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for lxd.
CVE-2024-6156[0]:
| Mark Laing discovered that LXD's PKI mode, until version 5.21.2,
| could be bypassed if the client's certificate was present in the
| t
Source: mitmproxy
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for mitmproxy.
CVE-2025-23217[0]:
| mitmproxy is an interactive TLS-capable intercepting HTTP proxy for
| penetration testers and software developers and mitmweb i
Source: krb5
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for krb5.
CVE-2025-3576[0]:
| A vulnerability in the MIT Kerberos implementation allows GSSAPI-
| protected messages using RC4-HMAC-MD5 to be spoofed due to
| weak
Source: nsis
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for nsis.
Does also affect nsis as packaged in Debian, probably yes since it's
meant to provide installers which will then run on Windows?
CVE-2025-43715[0]:
| Nu
Source: mysql-8.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for mysql-8.0.
CVE-2025-30722[0]:
| Vulnerability in the MySQL Client product of Oracle MySQL
| (component: Client: mysqldump). Supported versions that are
|
Source: node-tar-fs
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for node-tar-fs.
CVE-2024-12905[0]:
| An Improper Link Resolution Before File Access ("Link Following")
| and Improper Limitation of a Pathname to a Restric
Source: assimp
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for assimp.
CVE-2025-2751[0]:
| A vulnerability has been found in Open Asset Import Library Assimp
| 5.4.3 and classified as problematic. This vulnerability affe
On Sat, Apr 05, 2025 at 04:55:37PM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sat, Apr 05, 2025 at 04:47:13PM +0200, Moritz Mühlenhoff wrote:
> > Am Mon, Mar 31, 2025 at 10:26:11PM -0300 schrieb Carlos Henrique Lima
> > Melara:
> > > Hi,
> > >
Am Mon, Mar 31, 2025 at 10:26:11PM -0300 schrieb Carlos Henrique Lima Melara:
> Hi,
>
> On Sat, Mar 22, 2025 at 11:08:18AM -0300, Carlos Henrique Lima Melara wrote:
> > I'm planning to fix [CVE-2025-27795] and [CVE-2025-27796] for Debian LTS
> > (disclaimer: it's a pro-bono upload as part of onboa
Am Tue, Apr 01, 2025 at 12:13:53AM +0300 schrieb Adrian Bunk:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm moreinfo
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: secur...@debian.org, Varnish Package Maintainers
>
>
> * CVE-2025-30346: HTTP/1
Source: 389-ds-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for 389-ds-base.
CVE-2025-2487[0]:
| A flaw was found in the 389-ds-base LDAP Server. This issue occurs
| when issuing a Modify DN LDAP operation through th
Hi Thorsten,
> >Am Fri, May 10, 2024 at 06:39:20PM + schrieb Thorsten Glaser:
> >> This is a bit like the limited security support for binutils,
> >> I suppose. Could/should we document that in the same places?
> >
> >Sure thing, this sounds similar to what was done for Lilypond,
>
> Ah, okay
Source: gunicorn
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for gunicorn.
CVE-2024-6827[0]:
| Gunicorn version 21.2.0 does not properly validate the value of the
| 'Transfer-Encoding' header as specified in the RFC stan
Source: python-flask-cors
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for python-flask-cors.
CVE-2024-6866[0]:
| corydolphin/flask-cors version 4.01 contains a vulnerability where
| the request path matching is case-i
Source: condor
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for condor.
CVE-2025-30093[0]:
| HTCondor 23.0.x before 23.0.22, 23.10.x before 23.10.22, 24.0.x
| before 24.0.6, and 24.6.x before 24.6.1 allows authenticated
| att
Source: assimp
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for assimp.
CVE-2025-2752[0]:
| A vulnerability was found in Open Asset Import Library Assimp 5.4.3
| and classified as problematic. This issue affects the funct
Source: libstring-compare-constanttime-perl
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for
libstring-compare-constanttime-perl.
CVE-2024-13939[0]:
| String::Compare::ConstantTime for Perl through 0.321 is vulnerable
|
Source: upx-ucl
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for upx-ucl.
CVE-2025-2849[0]:
| A vulnerability, which was classified as problematic, was found in
| UPX up to 5.0.0. Affected is the function PackLinuxElf64::un_D
Source: libdata-entropy-perl
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for libdata-entropy-perl.
CVE-2025-1860[0]:
| Data::Entropy for Perl 0.007 and earlier use the rand() function as
| the default source of entropy,
Source: mbedtls
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for mbedtls.
CVE-2025-27809[0]:
| Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side,
| accepts servers that have trusted certificates for arbi
Source: assimp
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for assimp.
CVE-2025-2750[0]:
| A vulnerability, which was classified as critical, was found in Open
| Asset Import Library Assimp 5.4.3. This affects the functi
On Sat, Mar 22, 2025 at 03:15:02PM +0100, Andreas Metzler wrote:
> On 2025-03-21 Moritz Mühlenhoff wrote:
> [...]
> > The following vulnerability was published for gnupg2.
>
> > CVE-2025-30258[0]:
> > | In GnuPG before 2.5.5, if a user chooses to import a certificate
Source: xmedcon
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for xmedcon.
CVE-2025-2581[0]:
| A vulnerability has been found in xmedcon 0.25.0 and classified as
| problematic. Affected by this vulnerability is the functio
Source: quickjs
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for quickjs.
CVE-2024-13903[0]:
| A vulnerability was found in quickjs-ng QuickJS up to 0.8.0. It has
| been declared as problematic. Affected by this vulnerabi
Source: libeddsa-java
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for libeddsa-java.
CVE-2020-36843[0]:
| The implementation of EdDSA in EdDSA-Java (aka ed25519-java) through
| 0.3.0 exhibits signature malleability and does
Source: libmatio
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for libmatio.
CVE-2025-2337[0]:
| A vulnerability, which was classified as critical, has been found in
| tbeu matio 1.5.28. This issue affects the function
Source: docker-buildx
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for docker-buildx.
CVE-2025-0495[0]:
| Buildx is a Docker CLI plugin that extends build capabilities using
| BuildKit. Cache backends support credentials
Source: gnupg2
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for gnupg2.
CVE-2025-30258[0]:
| In GnuPG before 2.5.5, if a user chooses to import a certificate
| with certain crafted subkey data that lacks a valid backsig o
On Thu, Mar 20, 2025 at 05:28:08PM +, Holger Levsen wrote:
> hi Santiago,
>
> On Thu, Mar 20, 2025 at 12:15:51PM -0300, Santiago Ruano Rincón wrote:
> > I would like to propose EOL'ing odoo in bullseye, because 14.0 has been
> > EOL'ed by upstream and the complexity of backporting patches seem
On Fri, Mar 14, 2025 at 10:12:36PM +0100, Ferenc Wágner wrote:
> Dear Security Team,
>
> Please review the following source debdiff:
Thanks, the debdiff looks good. Please build with -sa (since this is the
first upload on security-master for opensaml in bookworm-security)
and upload to security-m
retitle 1092183 RM: kanboard -- RoQA; unmaintained, RC-buggy, open security issues
reassign 1092183 ftp.debian.org
severity 1092183 normal
thanks
Am Fri, Jan 03, 2025 at 07:29:44PM +0100 schrieb Helmut Grohne:
> Source: kanboard
> Version: 1.2.31+ds2-1
> Severity: important
>
> Hi,
>
> kanboard
On Sat, Mar 01, 2025 at 02:23:29PM +0100, Mike Gabriel wrote:
> Control: clone -1 -2
> Control: retitle -1 ofono CVE-2024-7538 CVE-2024-7539 CVE-2024-7540
> CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544 CVE-2024-7545
> CVE-2024-7546 CVE-2024-7547
> Control: retitle -2 ofono: CVE-2024-75