Open security issues affecting trixie which are not RC (2025-04-29)
Hi,
giving this a try for the trixie release:
If anyone wants to help getting trixie in good shape: Here's
a list of open security issues below the RC threshold which
would still be useful to fix before the release. Many of
these haven't seen recent updates, so if anyone has time, check
their status and apply/backport patches as needed and submit
them in the BTS or as MRs or NMU if appropriate:
If any of these are bogus, don't apply to how we ship
them in Debian or cannot be addressed in some manner,
you can also leave a note in the bug or bounce a note to
team@security.debian.org so that we update the Security
Tracker data accordingly.
augeas:
https://security-tracker.debian.org/tracker/CVE-2025-2588
containerd:
https://security-tracker.debian.org/tracker/CVE-2024-40635
corosync:
https://security-tracker.debian.org/tracker/CVE-2025-30472
cvc5:
https://security-tracker.debian.org/tracker/CVE-2024-37794
https://security-tracker.debian.org/tracker/CVE-2024-37795
djvulibre:
https://security-tracker.debian.org/tracker/CVE-2021-46310
freeipa:
https://security-tracker.debian.org/tracker/CVE-2024-11029
giflib:
https://security-tracker.debian.org/tracker/CVE-2025-31344
golang-github-antonmedv-expr:
https://security-tracker.debian.org/tracker/CVE-2025-29786
golang-github-cli-go-gh-v2:
https://security-tracker.debian.org/tracker/CVE-2024-53859
golang-github-dvsekhvalnov-jose2go:
https://security-tracker.debian.org/tracker/CVE-2023-50658
golang-github-gin-contrib-cors:
https://security-tracker.debian.org/tracker/CVE-2019-25211
golang-github-gomarkdown-markdown:
https://security-tracker.debian.org/tracker/CVE-2024-44337
golang-github-hashicorp-go-retryablehttp:
https://security-tracker.debian.org/tracker/CVE-2024-6104
golang-github-notaryproject-notation-go:
https://security-tracker.debian.org/tracker/CVE-2024-56138
golang-go.crypto:
https://security-tracker.debian.org/tracker/CVE-2024-45337
https://security-tracker.debian.org/tracker/CVE-2025-22869
golang-golang-x-net:
https://security-tracker.debian.org/tracker/CVE-2024-45338
https://security-tracker.debian.org/tracker/CVE-2025-22872
grpc:
https://security-tracker.debian.org/tracker/CVE-2023-32732
https://security-tracker.debian.org/tracker/CVE-2023-33953
https://security-tracker.debian.org/tracker/CVE-2023-44487
https://security-tracker.debian.org/tracker/CVE-2023-4785
https://security-tracker.debian.org/tracker/CVE-2024-11407
https://security-tracker.debian.org/tracker/CVE-2024-7246
hugo:
https://security-tracker.debian.org/tracker/CVE-2024-55601
invesalius:
https://security-tracker.debian.org/tracker/CVE-2024-42845
jboss-xnio:
https://security-tracker.debian.org/tracker/CVE-2023-5685
jenkins-json:
https://security-tracker.debian.org/tracker/CVE-2023-5072
jline3:
https://security-tracker.debian.org/tracker/CVE-2023-50572
libcoap3:
https://security-tracker.debian.org/tracker/CVE-2023-51847
https://security-tracker.debian.org/tracker/CVE-2024-0962
https://security-tracker.debian.org/tracker/CVE-2024-31031
https://security-tracker.debian.org/tracker/CVE-2024-46304
libcrypto++:
https://security-tracker.debian.org/tracker/CVE-2023-50980
libowasp-antisamy-java:
https://security-tracker.debian.org/tracker/CVE-2024-23635
libwoodstox-java:
https://security-tracker.debian.org/tracker/CVE-2022-40152
libxml-security-java:
https://security-tracker.debian.org/tracker/CVE-2023-44483
logback:
https://security-tracker.debian.org/tracker/CVE-2024-12798
https://security-tracker.debian.org/tracker/CVE-2024-12801
mina2:
https://security-tracker.debian.org/tracker/CVE-2024-52046
node-dompurify:
https://security-tracker.debian.org/tracker/CVE-2025-26791
node-katex:
https://security-tracker.debian.org/tracker/CVE-2025-23207
node-prismjs:
https://security-tracker.debian.org/tracker/CVE-2024-53382
openimageio:
https://security-tracker.debian.org/tracker/CVE-2024-55192
https://security-tracker.debian.org/tracker/CVE-2024-55193
https://security-tracker.debian.org/tracker/CVE-2024-55194
php-laravel-framework:
https://security-tracker.debian.org/tracker/CVE-2024-13918
https://security-tracker.debian.org/tracker/CVE-2024-13919
https://security-tracker.debian.org/tracker/CVE-2025-27515
protobuf:
https://security-tracker.debian.org/tracker/CVE-2024-7254
qtbase-opensource-src-gles:
https://security-tracker.debian.org/tracker/CVE-2024-39936
quickjs:
https://security-tracker.debian.org/tracker/CVE-2024-13903
rclone:
https://security-tracker.debian.org/tracker/CVE-2024-52522
ros-dynamic-reconfigure:
https://security-tracker.debian.org/tracker/CVE-2024-39780
ruby-fugit:
https://security-tracker.debian.org/tracker/CVE-2024-43380
rust-gix-features:
https://security-tracker.debian.org/tracker/CVE-2025-31130
sqlite3:
https://security-tracker.debian.org/tracker/CVE-2025-29088
squirrel3:
https://security-tracker.debian.org/tracker/CVE-2021-41556
wabt:
https://security-tracker.debian.org/tracker/CVE-2023-46332
xorg-server:
https://security-tracker.debian.org/tracker/CVE-2022-49737
And if anyone uses GDM on Trixie, it would be useful to test
if https://security-tracker.debian.org/tracker/CVE-2016-1000002
is still applicable and update #849432 as needed.
Cheers,
Moritz