Deps: Bump the python-packages group with 5 updates

[dependabot]

Bumps the python-packages group with 5 updates:

Package	From	To
pontos	25.8.0	25.8.1
coverage	7.10.4	7.10.5
h2	4.2.0	4.3.0
lxml	6.0.0	6.0.1
ruff	0.12.9	0.12.10

Updates pontos from 25.8.0 to 25.8.1

Release notes

Sourced from pontos's releases.

pontos 25.8.1

25.8.1 - 2025-08-20

Changed

• Rust support for workspace.package.version 83e17f1a

Dependencies

• Bump actions/checkout from 4.2.2 to 4.3.0 in the actions group c2656f8e
• Bump coverage from 7.10.3 to 7.10.4 in the python-packages group 18e2dee7

Commits

• 7189a16 Automatic release to 25.8.1
• 83e17f1 Change: Rust support for workspace.package.version
• c2656f8 Deps: Bump actions/checkout from 4.2.2 to 4.3.0 in the actions group
• 18e2dee Deps: Bump coverage from 7.10.3 to 7.10.4 in the python-packages group
• 69db3f9 Automatic adjustments after release [skip ci]
• See full diff in compare view

Updates coverage from 7.10.4 to 7.10.5

Changelog

Sourced from coverage's changelog.

Version 7.10.5 — 2025-08-23

• Big speed improvements for coverage combine: it's now about twice as fast! Huge thanks to Alex Gaynor for pull requests 2032 <pull 2032_>, 2033 <pull 2033_>, and 2034 <pull 2034_>_.

.. _pull 2032: nedbat/coveragepy#2032 .. _pull 2033: nedbat/coveragepy#2033 .. _pull 2034: nedbat/coveragepy#2034

.. _changes_7-10-4:

Commits

• 810abeb chore: make upgrade
• 3c8f1b5 build: use --universal to keep platform conditions in .pip files
• 107ae05 docs: sample HTML for 7.10.5
• b5bc6d4 docs: prep for 7.10.5
• a5c18cc style: auto-generated changes shouldn't trigger ruff re-formatting
• 1f9f840 build: tooling for ruff formatting
• 9ee5b3e chore: make upgrade
• bfeb2ae style: fix things so pylint is happy with ruff
• 82467f7 chore: ruff format .
• 0a7b733 refactor: remove unused things from lab/
• Additional commits viewable in compare view

Updates h2 from 4.2.0 to 4.3.0

Changelog

Sourced from h2's changelog.

4.3.0 (2025-08-23)

API Changes (Backward Incompatible)

• Reject header names and values containing illegal characters, based on RFC 9113, section 8.2.1. The main Python API is compatible, but some previously valid requests/response headers might now be blocked. Use the validate_inbound_headers config option if needed. Thanks to Sebastiano Sartor (sebsrt) for the report.

API Changes (Backward Compatible)

• h2 events now have tighter type bounds, e.g. stream_id is guaranteed to not be None for most events now. This simplifies downstream type checking.
• Various typing-related improvements.

Bugfixes

• Fix error value when opening a new stream on too many open streams.

Commits

• 1aae569 v4.3.0
• 9e4bbed merge surrounding whitespace and uppercase validators into illegal character ...
• 035e989 be stricter about which characters to accept for headers
• 883ed37 reject header names and values containing unpermitted characters \r, \n, ...
• 0583911 lint: fix TC006
• bbd3d90 fix(packaging): bump twine to pass meta check wildcard bugs
• ea3140f cleanup
• 9ce83ff exclude RDT from sdist
• 492d3db Update .readthedocs.yaml
• 243461d Create RTD config
• Additional commits viewable in compare view

Updates lxml from 6.0.0 to 6.0.1

Changelog

Sourced from lxml's changelog.

6.0.1 (2025-08-22)

Bugs fixed

• LP#2116333: lxml.sax._getNsTag() could fail with an exception on malformed input.

• GH#467: Some test adaptations were made for libxml2 2.15. Patch by Nick Wellnhofer.

• LP2119510, GH#473: A Python compatibility test was fixed for Python 3.14+. Patch by Lumír Balhar.

• GH#471: Wheels for "riscv64" on recent Python versions were added. Patch by ffgan.

• GH#469: The wheel build no longer requires the wheel package unconditionally. Patch by Miro Hrončok.

• Binary wheels use the library version libxml2 2.14.5.

• Windows binary wheels continue to use a security patched library version libxml2 2.11.9.

Commits

• 5aca07d Prepare release of lxml 6.0.1.
• f0e555a Build: Add Py3.14 also to tox.ini.
• afc745a Update changelog.
• 25242c6 Build: Add "riscv64" wheels for Py3.12+.
• 457c564 Build: Mark Py3.14 as officially supported.
• 66a3cc3 Remove Py2 test code.
• 6e88838 CI: Fix version usage in cache keys.
• fe5df46 Build: bump the github-actions group across 1 directory with 3 updates (#476)
• 9177121 CI: Configure library versions centrally in pyproject.toml to prevent build t...
• 525c6b9 Build: Separate libs cache by CPU architecture.
• Additional commits viewable in compare view

Updates ruff from 0.12.9 to 0.12.10

Release notes

Sourced from ruff's releases.

0.12.10

Release Notes

Preview features

• [flake8-simplify] Implement fix for maxsplit without separator (SIM905) (#19851)
• [flake8-use-pathlib] Add fixes for PTH102 and PTH103 (#19514)

Bug fixes

• [isort] Handle multiple continuation lines after module docstring (I002) (#19818)
• [pyupgrade] Avoid reporting __future__ features as unnecessary when they are used (UP010) (#19769)
• [pyupgrade] Handle nested Optionals (UP045) (#19770)

Rule changes

• [pycodestyle] Make E731 fix unsafe instead of display-only for class assignments (#19700)
• [pyflakes] Add secondary annotation showing previous definition (F811) (#19900)

Documentation

• Fix description of global config file discovery strategy (#19188)
• Update outdated links to https://typing.python.org/en/latest/source/stubs.html (#19992)
• [flake8-annotations] Remove unused import in example (ANN401) (#20000)

Contributors

• @​AlexWaygood
• @​Avasam
• @​BurntSushi
• @​Cjkjvfnby
• @​Gankra
• @​IDrokin117
• @​MatthewMckee4
• @​MichaReiser
• @​PrettyWood
• @​RazerM
• @​carljm
• @​chirizxc
• @​danparizher
• @​dcreager
• @​dhruvmanila
• @​ericmarkmartin
• @​github-actions
• @​gkowzan
• @​leandrobbraga
• @​mtshiba
• @​ntBre
• @​renovate
• @​sharkdp
• @​theammir

... (truncated)

Changelog

Sourced from ruff's changelog.

0.12.10

Preview features

• [flake8-simplify] Implement fix for maxsplit without separator (SIM905) (#19851)
• [flake8-use-pathlib] Add fixes for PTH102 and PTH103 (#19514)

Bug fixes

• [isort] Handle multiple continuation lines after module docstring (I002) (#19818)
• [pyupgrade] Avoid reporting __future__ features as unnecessary when they are used (UP010) (#19769)
• [pyupgrade] Handle nested Optionals (UP045) (#19770)

Rule changes

• [pycodestyle] Make E731 fix unsafe instead of display-only for class assignments (#19700)
• [pyflakes] Add secondary annotation showing previous definition (F811) (#19900)

Documentation

• Fix description of global config file discovery strategy (#19188)
• Update outdated links to https://typing.python.org/en/latest/source/stubs.html (#19992)
• [flake8-annotations] Remove unused import in example (ANN401) (#20000)

Commits

• c68ff8d Bump 0.12.10 (#20025)
• 5931a52 [ty] Stop running every mdtest twice
• 692be72 Move diff rendering to ruff_db (#20006)
• 14fe122 [ty] Perform assignability etc checks using new Constraints trait (#19838)
• 045cba3 [ty] Use dedent in cursor tests (#20019)
• a5cbca1 Fix rust feature activation (#20012)
• d43a3d3 [ty] Avoid unnecessary argument type expansion (#19999)
• 9911196 [ty] Add link for namespaces being partial (#20015)
• 859475f [ty] add docstrings to completions based on type (#20008)
• 7b75aee [pyupgrade] Avoid reporting __future__ features as unnecessary when they ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Conventional Commits Report

Type	Number
Dependencies	1

🚀 Conventional commits found.

[github-actions]

🔍 Vulnerabilities of harbor-os.greenbone.net/community/greenbone-feed-sync:294-merge-amd64

📦 Image Reference harbor-os.greenbone.net/community/greenbone-feed-sync:294-merge-amd64

digest	sha256:12d5071e22af07eb4c17b118c324b8d16c18b975048a1febc05d697780056047
vulnerabilities
size	67 MB
packages	190

📦 Base Image debian:stable-20250811-slim

also known as	stable-slim
digest	sha256:a1c1968fb091b256477e675a99ab3fa6f4c2d047ae7f506f92255cf5f0c2cf5e
vulnerabilities

python3.13 3.13.5-2 (deb) pkg:deb/debian/python3.13@3.13.5-2?os_distro=trixie&os_name=debian&os_version=13 Affected range >=3.13.5-2 Fixed version Not Fixed EPSS Score 0.09% EPSS Percentile 26th percentile Description There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 python3.13 3.13.6-1 python3.12 python3.11 [bookworm] - python3.11 (Minor issue) python3.9 [bullseye] - python3.9 (Minor issue) python2.7 [bullseye] - python2.7 (EOL in bullseye LTS) tarfile.StreamError: seeking backwards is not allowed due to unskipped block with bad checksum python/cpython#130577 gh-130577: tarfile now validates archives to ensure member offsets are non-negative python/cpython#137027 https://mail.python.org/archives/list/security-announce@python.org/thread/ZULLF3IZ726XP5EY7XJ7YIN3K5MDYR2D/ Fixed by: python/cpython@7040aa5 (main) Fixed by: python/cpython@cdae923 (3.13-branch) Affected range >=3.13.5-2 Fixed version Not Fixed EPSS Score 0.08% EPSS Percentile 24th percentile Description The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service. python3.13 3.13.6-1 python3.12 python3.11 [bookworm] - python3.11 (Minor issue) python3.9 [bullseye] - python3.9 (Minor issue; can be fixed in next update) python2.7 [bullseye] - python2.7 (EOL in bullseye LTS) pypy3 [trixie] - pypy3 (Minor issue) [bookworm] - pypy3 (Minor issue) [bullseye] - pypy3 (Minor issue; DoS) jython (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109376) [trixie] - jython (Minor issue) [bookworm] - jython (Minor issue) [bullseye] - jython (EOL in bullseye LTS) https://mail.python.org/archives/list/security-announce@python.org/thread/K5PIYLR6EP3WR7ZOKKYQUWEDNQVUXOYM/ Worst case quadratic complexity in HTMLParser python/cpython#135462 gh-135462: Fix quadratic complexity in processing special input in HTMLParser python/cpython#135464 python/cpython@6eb6c5d (main) python/cpython@d851f8e (v3.14.0b3) python/cpython@4455cba (3.13-branch)

tar 1.35+dfsg-3.1 (deb) pkg:deb/debian/tar@1.35%2Bdfsg-3.1?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1.35+dfsg-3.1 Fixed version Not Fixed EPSS Score 0.04% EPSS Percentile 11th percentile Description GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). Disputed tar issue, works as documented per upstream: https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md Affected range >=1.35+dfsg-3.1 Fixed version Not Fixed EPSS Score 3.25% EPSS Percentile 87th percentile Description Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. This is intended behaviour, after all tar is an archiving tool and you need to give -p as a command line flag tar (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328228; unimportant)

openssh 1:10.0p1-7 (deb) pkg:deb/debian/openssh@1:10.0p1-7?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 0.01% EPSS Percentile 1st percentile Description OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges. openssh (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059393; unimportant) https://arxiv.org/abs/2309.02545 Upstream does not consider CVE-2023-51767 a bug underlying in OpenSSH and does not intent to address it in OpenSSH. To todays knowledge (2024-03-13) it has not been demonstrated that the issue is exploitable in any real software configuration. Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 67.53% EPSS Percentile 99th percentile Description scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows." openssh (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=1860487 https://github.com/cpandya2909/CVE-2020-15778 Negligible security impact, changing the scp protocol can have a good chance of breaking existing workflows. Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 2.06% EPSS Percentile 83rd percentile Description The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected. openssh (unimportant) https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/ https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf The OpenSSH project is not planning to change the behaviour of OpenSSH regarding the issue, details in "3.1 OpenSSH" in the publication. Partial mitigation: https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d (V_8_4_P1) Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 53.11% EPSS Percentile 98th percentile Description In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred. openssh (unimportant) https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt Not considered a vulnerability by upstream, cf. https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 0.72% EPSS Percentile 72nd percentile Description Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.' openssh (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503) https://www.openwall.com/lists/oss-security/2018/08/27/2 Not treated as a security issue by upstream Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 25.27% EPSS Percentile 96th percentile Description OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product openssh (unimportant) CVE-2016-20012 - Publickey Information leak - Only allow SSH_MSG_USERAUTH_REQUEST with signature openssh/openssh-portable#270 Negligible impact, not treated as a security issue by upstream Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 2.79% EPSS Percentile 86th percentile Description sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username. openssh (unimportant) this is by design Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 0.66% EPSS Percentile 70th percentile Description OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243. openssh (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=436571; unimportant) [etch] - openssh (Minor issue) [sarge] - openssh (Minor issue) http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=112279 Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 0.48% EPSS Percentile 64th percentile Description OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483. openssh (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=436571; unimportant) [etch] - openssh (Minor issue) [sarge] - openssh (Minor issue)

glibc 2.41-12 (deb) pkg:deb/debian/glibc@2.41-12?os_distro=trixie&os_name=debian&os_version=13 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.16% EPSS Percentile 38th percentile Description In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern glibc (unimportant) eglibc (unimportant) https://sourceware.org/bugzilla/show_bug.cgi?id=24269 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.23% EPSS Percentile 46th percentile Description GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22853 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.38% EPSS Percentile 58th percentile Description GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22852 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.70% EPSS Percentile 71st percentile Description GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.14% EPSS Percentile 35th percentile Description GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 2.05% EPSS Percentile 83rd percentile Description In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep. glibc (unimportant) eglibc (unimportant) https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141 https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html No treated as vulnerability: https://sourceware.org/glibc/wiki/Security%20Exceptions Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.37% EPSS Percentile 58th percentile Description The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. glibc (unimportant) eglibc (unimportant) That's standard POSIX behaviour implemented by (e)glibc. Applications using glob need to impose limits for themselves

systemd 257.7-1 (deb) pkg:deb/debian/systemd@257.7-1?os_distro=trixie&os_name=debian&os_version=13 Affected range >=257.7-1 Fixed version Not Fixed EPSS Score 0.09% EPSS Percentile 27th percentile Description An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." systemd (unimportant) Disputed by upstream https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf Affected range >=257.7-1 Fixed version Not Fixed EPSS Score 0.10% EPSS Percentile 28th percentile Description An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." systemd (unimportant) Disputed by upstream https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf Affected range >=257.7-1 Fixed version Not Fixed EPSS Score 0.13% EPSS Percentile 33rd percentile Description An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." systemd (unimportant) Disputed by upstream https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf Affected range >=257.7-1 Fixed version Not Fixed EPSS Score 0.07% EPSS Percentile 21st percentile Description systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files. systemd (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357) [wheezy] - systemd (/etc/tmpfiles.d not supported in Wheezy) https://bugzilla.redhat.com/show_bug.cgi?id=859060 only relevant to systems running systemd along with selinux

krb5 1.21.3-5 (deb) pkg:deb/debian/krb5@1.21.3-5?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1.21.3-5 Fixed version Not Fixed EPSS Score 0.08% EPSS Percentile 25th percentile Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md Fixed by: krb5/krb5@c5f9c81 Codepath cannot be triggered via API calls, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.21.3-5 Fixed version Not Fixed EPSS Score 0.21% EPSS Percentile 43rd percentile Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md Fixed by: krb5/krb5@c5f9c81 Unused codepath, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.21.3-5 Fixed version Not Fixed EPSS Score 0.46% EPSS Percentile 63rd percentile Description An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. krb5 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889684) https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow non-issue, codepath is only run on trusted input, potential integer overflow is non-issue

coreutils 9.7-3 (deb) pkg:deb/debian/coreutils@9.7-3?os_distro=trixie&os_name=debian&os_version=13 Affected range >=9.7-3 Fixed version Not Fixed EPSS Score 0.02% EPSS Percentile 3rd percentile Description A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. coreutils (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106733; unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2368764 https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00036.html https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00040.html https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633 https://www.openwall.com/lists/oss-security/2025/05/27/2 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507 Crash in CLI tool, no security impact Affected range >=9.7-3 Fixed version Not Fixed EPSS Score 0.06% EPSS Percentile 17th percentile Description In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. coreutils (unimportant) http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html https://www.openwall.com/lists/oss-security/2018/01/04/3 Documentation patches proposed: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html Neutralised by kernel hardening

sqlite3 3.46.1-7 (deb) pkg:deb/debian/sqlite3@3.46.1-7?os_distro=trixie&os_name=debian&os_version=13 Affected range >=3.46.1-7 Fixed version Not Fixed EPSS Score 0.21% EPSS Percentile 44th percentile Description A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect. sqlite3 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005974) sqlite (unimportant) https://github.com/guyinatuxedo/sqlite3_record_leaking https://bugzilla.redhat.com/show_bug.cgi?id=2054793 https://sqlite.org/forum/forumpost/056d557c2f8c452ed5bb9c215414c802b215ce437be82be047726e521342161e Negligible security impact

apt 3.0.3 (deb) pkg:deb/debian/apt@3.0.3?os_distro=trixie&os_name=debian&os_version=13 Affected range >=3.0.3 Fixed version Not Fixed EPSS Score 1.51% EPSS Percentile 80th percentile Description It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. apt (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480) Not exploitable in Debian, since no keyring URI is defined

shadow 1:4.17.4-2 (deb) pkg:deb/debian/shadow@1:4.17.4-2?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1:4.17.4-2 Fixed version Not Fixed EPSS Score 0.33% EPSS Percentile 55th percentile Description initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. shadow (unimportant) See #290803, on Debian LOG_UNKFAIL_ENAB in login.defs is set to no so unknown usernames are not recorded on login failures

openssl 3.5.1-1 (deb) pkg:deb/debian/openssl@3.5.1-1?os_distro=trixie&os_name=debian&os_version=13 Affected range >=3.2.1-3 Fixed version Not Fixed EPSS Score 0.11% EPSS Percentile 30th percentile Description OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf openssl/openssl#24540 Fault injection based attacks are not within OpenSSLs threat model according to the security policy: https://www.openssl.org/policies/general/security-policy.html

util-linux 2.41-5 (deb) pkg:deb/debian/util-linux@2.41-5?os_distro=trixie&os_name=debian&os_version=13 Affected range >=2.41-5 Fixed version Not Fixed EPSS Score 0.03% EPSS Percentile 5th percentile Description A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. util-linux (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2053151 https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u util-linux/util-linux@faa5a3a util-linux in Debian does build with readline support but chfn and chsh are provided by src:shadow and util-linux is configured with --disable-chfn-chsh

python-pip 25.1.1+dfsg-1 (deb) pkg:deb/debian/python-pip@25.1.1%2Bdfsg-1?os_distro=trixie&os_name=debian&os_version=13 Affected range >=25.1.1+dfsg-1 Fixed version Not Fixed EPSS Score 2.54% EPSS Percentile 85th percentile Description An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely python-pip (unimportant) https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html pip is inherently affected by malicious packages, use packages from Debian instead :-)

perl 5.40.1-6 (deb) pkg:deb/debian/perl@5.40.1-6?os_distro=trixie&os_name=debian&os_version=13 Affected range >=5.40.1-6 Fixed version Not Fixed EPSS Score 0.16% EPSS Percentile 38th percentile Description _is_safe in the File::Temp module for Perl does not properly handle symlinks. perl (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776268) http://thread.gmane.org/gmane.comp.security.oss.general/6174/focus=6177 File:Temp::_is_safe() allows unsafe traversal of symlinks [rt.cpan.org #69106] Perl-Toolchain-Gang/File-Temp#14