Skip to content

Deps: Bump the python-packages group with 3 updates#291

Merged
greenbonebot merged 1 commit intomainfrom
dependabot/pip/python-packages-3d6fa0b16f
Aug 11, 2025
Merged

Deps: Bump the python-packages group with 3 updates#291
greenbonebot merged 1 commit intomainfrom
dependabot/pip/python-packages-3d6fa0b16f

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Aug 11, 2025

Bumps the python-packages group with 3 updates: coverage, anyio and ruff.

Updates coverage from 7.10.2 to 7.10.3

Changelog

Sourced from coverage's changelog.

Version 7.10.3 — 2025-08-10

  • Fixes for patch = subprocess:

    • If subprocesses spawned yet more subprocesses simultaneously, some coverage could be missed. This is now fixed, closing issue 2024_.

    • If subprocesses were created in other directories, their data files were stranded there and not combined into the totals, as described in issue 2025_. This is now fixed.

    • On Windows (or maybe only some Windows?) the patch would fail with a ModuleNotFound error trying to import coverage. This is now fixed, closing issue 2022_.

    • Originally only options set in the coverage configuration file would apply to subprocesses. Options set on the coverage run command line (such as --branch) wouldn't be communicated to the subprocesses. This could lead to combining failures, as described in issue 2021_. Now the entire configuration is used in subprocesses, regardless of its origin.

    • Added debug=patch to help diagnose problems.

  • Fix: really close all SQLite databases, even in-memory ones. Closes issue 2017_.

.. _issue 2017: nedbat/coveragepy#2017 .. _issue 2021: nedbat/coveragepy#2021 .. _issue 2022: nedbat/coveragepy#2022 .. _issue 2024: nedbat/coveragepy#2024 .. _issue 2025: nedbat/coveragepy#2025

.. _changes_7-10-2:

Commits

Updates anyio from 4.9.0 to 4.10.0

Release notes

Sourced from anyio's releases.

4.10.0

  • Added the feed_data() method to the BufferedByteReceiveStream class, allowing users to inject data directly into the buffer
  • Added various class methods to wrap existing sockets as listeners or socket streams:
    • SocketListener.from_socket()
    • SocketStream.from_socket()
    • UNIXSocketStream.from_socket()
    • UDPSocket.from_socket()
    • ConnectedUDPSocket.from_socket()
    • UNIXDatagramSocket.from_socket()
    • ConnectedUNIXDatagramSocket.from_socket()
  • Added a hierarchy of connectable stream classes for transparently connecting to various remote or local endpoints for exchanging bytes or objects
  • Added context manager mix-in classes (anyio.ContextManagerMixin and anyio.AsyncContextManagerMixin) to help write classes that embed other context managers, particularly cancel scopes or task groups (#905; PR by @​agronholm and @​tapetersen)
  • Added the ability to specify the thread name in start_blocking_portal() (#818; PR by @​davidbrochart)
  • Added anyio.notify_closing to allow waking anyio.wait_readable and anyio.wait_writable before closing a socket. Among other things, this prevents an OSError on the ProactorEventLoop. (#896; PR by @​graingert)
  • Incorporated several documentation improvements from the EuroPython 2025 sprint (special thanks to the sprinters: Emmanuel Okedele, Jan Murre, Euxenia Miruna Goia and Christoffer Fjord)
  • Added a documentation page explaining why one might want to use AnyIO's APIs instead of asyncio's
  • Updated the to_interpreters module to use the public concurrent.interpreters API on Python 3.14 or later
  • Fixed anyio.Path.copy() and anyio.Path.copy_into() failing on Python 3.14.0a7
  • Fixed return annotation of __aexit__ on async context managers. CMs which can suppress exceptions should return bool, or None otherwise. (#913; PR by @​Enegg)
  • Fixed rollover boundary check in SpooledTemporaryFile so that rollover only occurs when the buffer size exceeds max_size (#915; PR by @​11kkw)
  • Migrated testing and documentation dependencies from extras to dependency groups
  • Fixed compatibility of anyio.to_interpreter with Python 3.14.0b2 (#926; PR by @​hroncok)
  • Fixed SyntaxWarning on Python 3.14 about return in finally (#816)
  • Fixed RunVar name conflicts. RunVar instances with the same name should not share storage (#880; PR by @​vimfu)
  • Renamed the BrokenWorkerIntepreter exception to BrokenWorkerInterpreter. The old name is available as a deprecated alias. (#938; PR by @​ayussh-verma)
  • Fixed an edge case in CapacityLimiter on asyncio where a task, waiting to acquire a limiter gets cancelled and is subsequently granted a token from the limiter, but before the cancellation is delivered, and then fails to notify the next waiting task (#947)
Changelog

Sourced from anyio's changelog.

Version history

This library adheres to Semantic Versioning 2.0 <http://semver.org/>_.

4.10.0

  • Added the feed_data() method to the BufferedByteReceiveStream class, allowing users to inject data directly into the buffer

  • Added various class methods to wrap existing sockets as listeners or socket streams:

    • SocketListener.from_socket()
    • SocketStream.from_socket()
    • UNIXSocketStream.from_socket()
    • UDPSocket.from_socket()
    • ConnectedUDPSocket.from_socket()
    • UNIXDatagramSocket.from_socket()
    • ConnectedUNIXDatagramSocket.from_socket()

  • Added a hierarchy of connectable stream classes for transparently connecting to various remote or local endpoints for exchanging bytes or objects

  • Added context manager mix-in classes (anyio.ContextManagerMixin and anyio.AsyncContextManagerMixin) to help write classes that embed other context managers, particularly cancel scopes or task groups ([#905](https://github.com/agronholm/anyio/issues/905) <https://github.com/agronholm/anyio/pull/905>_; PR by @​agronholm and @​tapetersen)

  • Added the ability to specify the thread name in start_blocking_portal() ([#818](https://github.com/agronholm/anyio/issues/818) <https://github.com/agronholm/anyio/issues/818>_; PR by @​davidbrochart)

  • Added anyio.notify_closing to allow waking anyio.wait_readable and anyio.wait_writable before closing a socket. Among other things, this prevents an OSError on the ProactorEventLoop. ([#896](https://github.com/agronholm/anyio/issues/896) <https://github.com/agronholm/anyio/pull/896>_; PR by @​graingert)

  • Incorporated several documentation improvements from the EuroPython 2025 sprint (special thanks to the sprinters: Emmanuel Okedele, Jan Murre, Euxenia Miruna Goia and Christoffer Fjord)

  • Added a documentation page explaining why one might want to use AnyIO's APIs instead of asyncio's

  • Updated the to_interpreters module to use the public concurrent.interpreters API on Python 3.14 or later

  • Fixed anyio.Path.copy() and anyio.Path.copy_into() failing on Python 3.14.0a7

  • Fixed return annotation of __aexit__ on async context managers. CMs which can suppress exceptions should return bool, or None otherwise. ([#913](https://github.com/agronholm/anyio/issues/913) <https://github.com/agronholm/anyio/pull/913>_; PR by @​Enegg)

  • Fixed rollover boundary check in SpooledTemporaryFile so that rollover only occurs when the buffer size exceeds max_size ([#915](https://github.com/agronholm/anyio/issues/915) <https://github.com/agronholm/anyio/pull/915>_; PR by @​11kkw)

  • Migrated testing and documentation dependencies from extras to dependency groups

  • Fixed compatibility of anyio.to_interpreter with Python 3.14.0b2 ([#926](https://github.com/agronholm/anyio/issues/926) <https://github.com/agronholm/anyio/issues/926>_; PR by @​hroncok)

  • Fixed SyntaxWarning on Python 3.14 about return in finally ([#816](https://github.com/agronholm/anyio/issues/816) <https://github.com/agronholm/anyio/issues/816>_)

... (truncated)

Commits
  • 0cf55b8 Bumped up the version
  • b029df5 Updated the to_interpreter module to use the public API on Python 3.14 (#956)
  • 01f02cf Incorporated EP2025 sprint feedback and added a new section (#955)
  • d896480 [pre-commit.ci] pre-commit autoupdate (#954)
  • 0282b81 Added the BufferedByteReceiveStream.feed_data() method (#945)
  • 19e5477 Fixed a cancellation edge case for asyncio CapacityLimiter (#952)
  • 4666df3 [pre-commit.ci] pre-commit autoupdate (#946)
  • 38c2567 [pre-commit.ci] pre-commit autoupdate (#942)
  • 3db73ac Add missing imports for Readcting to cancellation in worker threads example (...
  • 2eda004 Added an example on how to use move_on_after() with shielding
  • Additional commits viewable in compare view

Updates ruff from 0.12.7 to 0.12.8

Release notes

Sourced from ruff's releases.

0.12.8

Release Notes

Preview features

  • [flake8-use-pathlib] Expand PTH201 to check all PurePath subclasses (#19440)

Bug fixes

  • [flake8-blind-except] Change BLE001 to correctly parse exception tuples (#19747)
  • [flake8-errmsg] Exclude typing.cast from EM101 (#19656)
  • [flake8-simplify] Fix raw string handling in SIM905 for embedded quotes (#19591)
  • [flake8-import-conventions] Avoid false positives for NFKC-normalized __debug__ import aliases in ICN001 (#19411)
  • [isort] Fix syntax error after docstring ending with backslash (I002) (#19505)
  • [pylint] Mark PLC0207 fixes as unsafe when *args unpacking is present (#19679)
  • [pyupgrade] Prevent infinite loop with I002 (UP010, UP035) (#19413)
  • [ruff] Parenthesize generator expressions in f-strings (RUF010) (#19434)

Rule changes

  • [eradicate] Don't flag pyrefly pragmas as unused code (ERA001) (#19731)

Documentation

  • Replace "associative" with "commutative" in docs for RUF036 (#19706)
  • Fix copy and line separator colors in dark mode (#19630)
  • Fix link to typing documentation (#19648)
  • [refurb] Make more examples error out-of-the-box (#19695,#19673,#19672)

Other changes

  • Include column numbers in GitLab output format (#19708)
  • Always expand tabs to four spaces in diagnostics (#19618)
  • Update pre-commit's ruff id (#19654)

Contributors

... (truncated)

Changelog

Sourced from ruff's changelog.

0.12.8

Preview features

  • [flake8-use-pathlib] Expand PTH201 to check all PurePath subclasses (#19440)

Bug fixes

  • [flake8-blind-except] Change BLE001 to correctly parse exception tuples (#19747)
  • [flake8-errmsg] Exclude typing.cast from EM101 (#19656)
  • [flake8-simplify] Fix raw string handling in SIM905 for embedded quotes (#19591)
  • [flake8-import-conventions] Avoid false positives for NFKC-normalized __debug__ import aliases in ICN001 (#19411)
  • [isort] Fix syntax error after docstring ending with backslash (I002) (#19505)
  • [pylint] Mark PLC0207 fixes as unsafe when *args unpacking is present (#19679)
  • [pyupgrade] Prevent infinite loop with I002 (UP010, UP035) (#19413)
  • [ruff] Parenthesize generator expressions in f-strings (RUF010) (#19434)

Rule changes

  • [eradicate] Don't flag pyrefly pragmas as unused code (ERA001) (#19731)

Documentation

  • Replace "associative" with "commutative" in docs for RUF036 (#19706)
  • Fix copy and line separator colors in dark mode (#19630)
  • Fix link to typing documentation (#19648)
  • [refurb] Make more examples error out-of-the-box (#19695,#19673,#19672)

Other changes

  • Include column numbers in GitLab output format (#19708)
  • Always expand tabs to four spaces in diagnostics (#19618)
  • Update pre-commit's ruff id (#19654)
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Deps: Bump the python-packages group with 3 updates
3cdbd04 
Bumps the python-packages group with 3 updates: [coverage](https://github.com/nedbat/coveragepy), [anyio](https://github.com/agronholm/anyio) and [ruff](https://github.com/astral-sh/ruff).


Updates `coverage` from 7.10.2 to 7.10.3
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](coveragepy/coveragepy@7.10.2...7.10.3)

Updates `anyio` from 4.9.0 to 4.10.0
- [Release notes](https://github.com/agronholm/anyio/releases)
- [Changelog](https://github.com/agronholm/anyio/blob/master/docs/versionhistory.rst)
- [Commits](agronholm/anyio@4.9.0...4.10)

Updates `ruff` from 0.12.7 to 0.12.8
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.12.7...0.12.8)

---
updated-dependencies:
- dependency-name: coverage
  dependency-version: 7.10.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-packages
- dependency-name: anyio
  dependency-version: 4.10.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: python-packages
- dependency-name: ruff
  dependency-version: 0.12.8
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: python-packages
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Aug 11, 2025
@dependabot dependabot Bot requested a review from a team as a code owner August 11, 2025 05:58
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Aug 11, 2025
@dependabot dependabot Bot requested a review from a team as a code owner August 11, 2025 05:58
@dependabot dependabot Bot added the python Pull requests that update Python code label Aug 11, 2025
@greenbonebot greenbonebot enabled auto-merge (rebase) August 11, 2025 05:58
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Aug 11, 2025

Conventional Commits Report

Type Number
Dependencies 1

🚀 Conventional commits found.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Aug 11, 2025

🔍 Vulnerabilities of harbor-os.greenbone.net/community/greenbone-feed-sync:291-merge-amd64

📦 Image Reference harbor-os.greenbone.net/community/greenbone-feed-sync:291-merge-amd64
digestsha256:1ac8768f06a66b01150ca3404574efbcb237f20fb7c51e9026c238df88430f9b
vulnerabilitiescritical: 1 high: 9 medium: 18 low: 35
size78 MB
packages204
📦 Base Image debian:stable-20250721-slim
also known as
  • stable-slim
digestsha256:3249eafa46d713ba80c92f750b222ba4bfb8a7a71f52ad9925cedbc2f11aa208
vulnerabilitiescritical: 0 high: 1 medium: 1 low: 24
critical: 1 high: 0 medium: 0 low: 0 zlib 1:1.2.13.dfsg-1 (deb)

pkg:deb/debian/zlib@1:1.2.13.dfsg-1?os_distro=trixie&os_name=debian&os_version=13

critical : CVE--2023--45853

Affected range<1:1.3.dfsg-2
Fixed version1:1.3.dfsg-2
EPSS Score0.51%
EPSS Percentile65th percentile
Description

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.

critical: 0 high: 2 medium: 7 low: 1 gnutls28 3.7.9-2+deb12u5 (deb)

pkg:deb/debian/gnutls28@3.7.9-2%2Bdeb12u5?os_distro=trixie&os_name=debian&os_version=13

high : CVE--2024--0567

Affected range<3.8.3-1
Fixed version3.8.3-1
EPSS Score1.01%
EPSS Percentile76th percentile
Description

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.

high : CVE--2024--0553

Affected range<3.8.3-1
Fixed version3.8.3-1
EPSS Score1.03%
EPSS Percentile76th percentile
Description

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

medium : CVE--2025--6395

Affected range<3.8.9-3
Fixed version3.8.9-3
EPSS Score0.05%
EPSS Percentile16th percentile
Description

A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().

medium : CVE--2025--32990

Affected range<3.8.9-3
Fixed version3.8.9-3
EPSS Score0.06%
EPSS Percentile18th percentile
Description

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

medium : CVE--2025--32988

Affected range<3.8.9-3
Fixed version3.8.9-3
EPSS Score0.05%
EPSS Percentile16th percentile
Description

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

medium : CVE--2023--5981

Affected range<3.8.2-1
Fixed version3.8.2-1
EPSS Score0.56%
EPSS Percentile67th percentile
Description

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.

medium : CVE--2024--28834

Affected range<3.8.4-2
Fixed version3.8.4-2
EPSS Score1.14%
EPSS Percentile78th percentile
Description

A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.

[experimental] - gnutls28 3.8.4-1

medium : CVE--2024--12243

Affected range<3.8.9-2
Fixed version3.8.9-2
EPSS Score0.75%
EPSS Percentile72nd percentile
Description

A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.

[experimental] - gnutls28 3.8.9-1

medium : CVE--2024--28835

Affected range<3.8.4-2
Fixed version3.8.4-2
EPSS Score0.01%
EPSS Percentile1st percentile
Description

A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.

[experimental] - gnutls28 3.8.4-1

low : CVE--2025--32989

Affected range<3.8.9-3
Fixed version3.8.9-3
EPSS Score0.02%
EPSS Percentile4th percentile
Description

A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.

critical: 0 high: 2 medium: 2 low: 0 systemd 252.38-1~deb12u1 (deb)

pkg:deb/debian/systemd@252.38-1~deb12u1?os_distro=trixie&os_name=debian&os_version=13

high : CVE--2023--50868

Affected range<255.4-1
Fixed version255.4-1
EPSS Score47.86%
EPSS Percentile98th percentile
Description

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

high : CVE--2023--50387

Affected range<255.4-1
Fixed version255.4-1
EPSS Score37.71%
EPSS Percentile97th percentile
Description

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

medium : CVE--2023--7008

Affected range<255.1-3
Fixed version255.1-3
EPSS Score0.30%
EPSS Percentile52nd percentile
Description

A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

medium : CVE--2025--4598

Affected range<257.6-1
Fixed version257.6-1
EPSS Score0.01%
EPSS Percentile1st percentile
Description

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

critical: 0 high: 2 medium: 1 low: 2 perl 5.36.0-7+deb12u2 (deb)

pkg:deb/debian/perl@5.36.0-7%2Bdeb12u2?os_distro=trixie&os_name=debian&os_version=13

high : CVE--2023--31484

Affected range<5.38.2-2
Fixed version5.38.2-2
EPSS Score0.91%
EPSS Percentile75th percentile
Description

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

[experimental] - perl 5.38.0~rc2-1

high : CVE--2023--47038

Affected range<5.36.0-10
Fixed version5.36.0-10
EPSS Score0.14%
EPSS Percentile35th percentile
Description

A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.

medium : CVE--2025--40909

Affected range<5.40.1-5
Fixed version5.40.1-5
EPSS Score0.01%
EPSS Percentile0th percentile
Description

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

[experimental] - perl 5.40.1-4

low : CVE--2024--56406

Affected range<5.40.1-3
Fixed version5.40.1-3
EPSS Score0.05%
EPSS Percentile15th percentile
Description

A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the tr operator, S_do_trans_invmap can overflow the destination pointer d.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

low : CVE--2023--31486

Affected range<5.38.2-2
Fixed version5.38.2-2
EPSS Score0.45%
EPSS Percentile63rd percentile
Description

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

critical: 0 high: 1 medium: 2 low: 1 pam 1.5.2-6+deb12u1 (deb)

pkg:deb/debian/pam@1.5.2-6%2Bdeb12u1?os_distro=trixie&os_name=debian&os_version=13

high : CVE--2025--6020

Affected range<1.7.0-5
Fixed version1.7.0-5
EPSS Score0.02%
EPSS Percentile3rd percentile
Description

A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

[experimental] - pam 1.7.0-4

medium : CVE--2024--22365

Affected range<1.5.3-4
Fixed version1.5.3-4
EPSS Score0.08%
EPSS Percentile24th percentile
Description

linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.

[experimental] - pam 1.5.3-2

medium : CVE--2024--10041

Affected range<1.7.0-2
Fixed version1.7.0-2
EPSS Score0.03%
EPSS Percentile7th percentile
Description

A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.

[experimental] - pam 1.7.0-1

low : CVE--2024--10963

Affected range<1.7.0-5
Fixed version1.7.0-5
EPSS Score0.22%
EPSS Percentile44th percentile
Description

A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.

critical: 0 high: 1 medium: 1 low: 0 python3.13 3.13.5-2 (deb)

pkg:deb/debian/python3.13@3.13.5-2?os_distro=trixie&os_name=debian&os_version=13

high : CVE--2025--8194

Affected range>=3.13.5-2
Fixed versionNot Fixed
EPSS Score0.09%
EPSS Percentile26th percentile
Description

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

medium : CVE--2025--6069

Affected range>=3.13.5-2
Fixed versionNot Fixed
EPSS Score0.08%
EPSS Percentile24th percentile
Description

The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.

critical: 0 high: 1 medium: 0 low: 0 dpkg 1.21.22 (deb)

pkg:deb/debian/dpkg@1.21.22?os_distro=trixie&os_name=debian&os_version=13

high : CVE--2025--6297

Affected range<1.22.21
Fixed version1.22.21
EPSS Score0.08%
EPSS Percentile25th percentile
Description

It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.

critical: 0 high: 0 medium: 1 low: 1 tar 1.34+dfsg-1.2+deb12u1 (deb)

pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?os_distro=trixie&os_name=debian&os_version=13

medium : CVE--2023--39804

Affected range<1.34+dfsg-1.3
Fixed version1.34+dfsg-1.3
EPSS Score0.04%
EPSS Percentile9th percentile
Description

In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.

low : CVE--2022--48303

Affected range<1.34+dfsg-1.4
Fixed version1.34+dfsg-1.4
EPSS Score0.03%
EPSS Percentile7th percentile
Description

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.

critical: 0 high: 0 medium: 1 low: 1 shadow 1:4.13+dfsg1-1+deb12u1 (deb)

pkg:deb/debian/shadow@1:4.13%2Bdfsg1-1%2Bdeb12u1?os_distro=trixie&os_name=debian&os_version=13

medium : CVE--2023--4641

Affected range<1:4.13+dfsg1-2
Fixed version1:4.13+dfsg1-2
EPSS Score0.02%
EPSS Percentile2nd percentile
Description

A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.

low : CVE--2023--29383

Affected range<1:4.13+dfsg1-2
Fixed version1:4.13+dfsg1-2
EPSS Score0.03%
EPSS Percentile8th percentile
Description

In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.

critical: 0 high: 0 medium: 1 low: 0 libtasn1-6 4.19.0-2+deb12u1 (deb)

pkg:deb/debian/libtasn1-6@4.19.0-2%2Bdeb12u1?os_distro=trixie&os_name=debian&os_version=13

medium : CVE--2024--12133

Affected range<4.20.0-1
Fixed version4.20.0-1
EPSS Score0.32%
EPSS Percentile55th percentile
Description

A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack.

critical: 0 high: 0 medium: 1 low: 0 ncurses 6.5+20250216-2 (deb)

pkg:deb/debian/ncurses@6.5%2B20250216-2?os_distro=trixie&os_name=debian&os_version=13

medium : CVE--2025--6141

Affected range>=6.5+20250216-2
Fixed versionNot Fixed
EPSS Score0.02%
EPSS Percentile2nd percentile
Description

A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component.

critical: 0 high: 0 medium: 1 low: 0 libcap2 1:2.66-4+deb12u1 (deb)

pkg:deb/debian/libcap2@1:2.66-4%2Bdeb12u1?os_distro=trixie&os_name=debian&os_version=13

medium : CVE--2025--1390

Affected range<1:2.73-4
Fixed version1:2.73-4
EPSS Score0.03%
EPSS Percentile6th percentile
Description

The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames.

critical: 0 high: 0 medium: 0 low: 9 openssh 1:10.0p1-7 (deb)

pkg:deb/debian/openssh@1:10.0p1-7?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2023--51767

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score0.01%
EPSS Percentile1st percentile
Description

OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

low : CVE--2020--15778

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score67.53%
EPSS Percentile98th percentile
Description

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

low : CVE--2020--14145

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score2.01%
EPSS Percentile83rd percentile
Description

The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.

low : CVE--2019--6110

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score52.53%
EPSS Percentile98th percentile
Description

In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

low : CVE--2018--15919

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score0.72%
EPSS Percentile72nd percentile
Description

Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

low : CVE--2016--20012

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score25.27%
EPSS Percentile96th percentile
Description

OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product

low : CVE--2008--3234

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score2.79%
EPSS Percentile86th percentile
Description

sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.

  • openssh (unimportant)
    this is by design

low : CVE--2007--2768

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score0.66%
EPSS Percentile70th percentile
Description

OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.

low : CVE--2007--2243

Affected range>=1:10.0p1-7
Fixed versionNot Fixed
EPSS Score0.50%
EPSS Percentile65th percentile
Description

OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.

critical: 0 high: 0 medium: 0 low: 7 glibc 2.41-12 (deb)

pkg:deb/debian/glibc@2.41-12?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2019--9192

Affected range>=2.41-12
Fixed versionNot Fixed
EPSS Score0.16%
EPSS Percentile38th percentile
Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern

low : CVE--2019--1010025

Affected range>=2.41-12
Fixed versionNot Fixed
EPSS Score0.23%
EPSS Percentile46th percentile
Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability.

low : CVE--2019--1010024

Affected range>=2.41-12
Fixed versionNot Fixed
EPSS Score0.38%
EPSS Percentile58th percentile
Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

low : CVE--2019--1010023

Affected range>=2.41-12
Fixed versionNot Fixed
EPSS Score0.70%
EPSS Percentile71st percentile
Description

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

low : CVE--2019--1010022

Affected range>=2.41-12
Fixed versionNot Fixed
EPSS Score0.14%
EPSS Percentile36th percentile
Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

low : CVE--2018--20796

Affected range>=2.41-12
Fixed versionNot Fixed
EPSS Score2.00%
EPSS Percentile83rd percentile
Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

low : CVE--2010--4756

Affected range>=2.41-12
Fixed versionNot Fixed
EPSS Score0.37%
EPSS Percentile58th percentile
Description

The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.

  • glibc (unimportant)
  • eglibc (unimportant)
    That's standard POSIX behaviour implemented by (e)glibc. Applications using
    glob need to impose limits for themselves
critical: 0 high: 0 medium: 0 low: 3 krb5 1.21.3-5 (deb)

pkg:deb/debian/krb5@1.21.3-5?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2024--26461

Affected range>=1.21.3-5
Fixed versionNot Fixed
EPSS Score0.08%
EPSS Percentile25th percentile
Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

low : CVE--2024--26458

Affected range>=1.21.3-5
Fixed versionNot Fixed
EPSS Score0.21%
EPSS Percentile43rd percentile
Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

low : CVE--2018--5709

Affected range>=1.21.3-5
Fixed versionNot Fixed
EPSS Score0.46%
EPSS Percentile63rd percentile
Description

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

critical: 0 high: 0 medium: 0 low: 2 xz-utils 5.4.1-1 (deb)

pkg:deb/debian/xz-utils@5.4.1-1?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2025--31115

Affected range<5.8.1-1
Fixed version5.8.1-1
EPSS Score0.12%
EPSS Percentile32nd percentile
Description

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.

low : CVE--2024--3094

Affected range<5.6.1+really5.4.5-1
Fixed version5.6.1+really5.4.5-1
EPSS Score84.17%
EPSS Percentile99th percentile
Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

critical: 0 high: 0 medium: 0 low: 2 coreutils 9.1-1 (deb)

pkg:deb/debian/coreutils@9.1-1?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2024--0684

Affected range<9.5-1
Fixed version9.5-1
EPSS Score0.07%
EPSS Percentile22nd percentile
Description

A flaw was found in the GNU coreutils "split" program. A heap overflow with user-controlled data of multiple hundred bytes in length could occur in the line_bytes_split() function, potentially leading to an application crash and denial of service.

low : CVE--2016--2781

Affected range<9.4-1
Fixed version9.4-1
EPSS Score0.07%
EPSS Percentile22nd percentile
Description

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

  • coreutils 9.4-1 (low; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816320)
    [bookworm] - coreutils (Minor issue)
    [bullseye] - coreutils (Minor issue)
    [buster] - coreutils (Minor issue)
    [stretch] - coreutils (Minor issue)
    [jessie] - coreutils (Minor issue)
    [wheezy] - coreutils (Minor issue)
    Restricting ioctl on the kernel side seems the better approach, but rejected by Linux upstream
    Fixing this issue via setsid() would introduce regressions:
    https://www.kernel.org/pub/linux/utils/util-linux/v2.28/v2.28-ReleaseNotes
    Since Linux 6.4.4-1 (uploaded on 23 Jul 2023), TIOCSTI is disabled on the
    kernel side, marking the first coreutils upload after that date (9.4-1) as the
    fixed version
critical: 0 high: 0 medium: 0 low: 1 util-linux 2.38.1-5+deb12u3 (deb)

pkg:deb/debian/util-linux@2.38.1-5%2Bdeb12u3?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2024--28085

Affected range<2.39.3-11
Fixed version2.39.3-11
EPSS Score11.73%
EPSS Percentile93rd percentile
Description

wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.

critical: 0 high: 0 medium: 0 low: 1 openssl 3.5.1-1 (deb)

pkg:deb/debian/openssl@3.5.1-1?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2010--0928

Affected range>=3.2.1-3
Fixed versionNot Fixed
EPSS Score0.11%
EPSS Percentile30th percentile
Description

OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."

http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf
openssl/openssl#24540
Fault injection based attacks are not within OpenSSLs threat model according
to the security policy: https://www.openssl.org/policies/general/security-policy.html

critical: 0 high: 0 medium: 0 low: 1 python-pip 25.1.1+dfsg-1 (deb)

pkg:deb/debian/python-pip@25.1.1%2Bdfsg-1?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2018--20225

Affected range>=25.1.1+dfsg-1
Fixed versionNot Fixed
EPSS Score2.54%
EPSS Percentile85th percentile
Description

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely

critical: 0 high: 0 medium: 0 low: 1 gnupg2 2.2.40-1.1 (deb)

pkg:deb/debian/gnupg2@2.2.40-1.1?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2025--30258

Affected range<2.2.46-5
Fixed version2.2.46-5
EPSS Score0.02%
EPSS Percentile3rd percentile
Description

In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."

critical: 0 high: 0 medium: 0 low: 1 sqlite3 3.46.1-7 (deb)

pkg:deb/debian/sqlite3@3.46.1-7?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2021--45346

Affected range>=3.46.1-7
Fixed versionNot Fixed
EPSS Score0.20%
EPSS Percentile43rd percentile
Description

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.

critical: 0 high: 0 medium: 0 low: 1 gcc-12 12.2.0-14+deb12u1 (deb)

pkg:deb/debian/gcc-12@12.2.0-14%2Bdeb12u1?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2023--4039

Affected range<12.3.0-9
Fixed version12.3.0-9
EPSS Score0.15%
EPSS Percentile36th percentile
Description

DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

@greenbonebot greenbonebot merged commit a32a521 into main Aug 11, 2025
22 checks passed
@greenbonebot greenbonebot deleted the dependabot/pip/python-packages-3d6fa0b16f branch August 11, 2025 07:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@y0urself y0urself y0urself approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@y0urself @greenbonebot