Deps: Bump the python-packages group with 4 updates

[dependabot]

Bumps the python-packages group with 4 updates: coverage, platformdirs, ruff and typing-extensions.

Updates coverage from 7.10.5 to 7.10.6

Changelog

Sourced from coverage's changelog.

Version 7.10.6 — 2025-08-29

• Fix: source directories were not properly communicated to subprocesses that ran in different directories, as reported in issue 1499_. This is now fixed.

• Performance: Alex Gaynor continues fine-tuning <pull 2038_>_ the speed of combination, especially with many contexts.

.. _issue 1499: nedbat/coveragepy#1499 .. _pull 2038: nedbat/coveragepy#2038

.. _changes_7-10-5:

Commits

• 88c55ff docs: sample HTML for 7.10.6
• 01d8995 docs: prep for 7.10.6
• 9b0c24f docs: thanks Alex #2038
• 66d6910 fix: make source paths absolute where they exist. #1499
• bb3382f build: no need for the combine/html times now
• 9ea349a lab: warn_executed.py
• 808c9b4 build: changing metacov.ini should trigger metacov
• 384f5f2 build: oops, some 'if's are really line pragmas
• a7224af perf: pre-compute the mapping between other_db.context and main.context (#2038)
• 5c00c5b chore: bump the action-dependencies group with 3 updates (#2039)
• Additional commits viewable in compare view

Updates platformdirs from 4.3.8 to 4.4.0

Release notes

Sourced from platformdirs's releases.

4.4.0

What's Changed

• feat: improve homebrew path detection by @​daeho-ro in tox-dev/platformdirs#370

New Contributors

• @​daeho-ro made their first contribution in tox-dev/platformdirs#370

Full Changelog: tox-dev/platformdirs@4.3.8...4.4.0

Commits

• c945a28 feat: improve homebrew path detection (#370)
• 9f616e9 [pre-commit.ci] pre-commit autoupdate (#372)
• 5720f26 [pre-commit.ci] pre-commit autoupdate (#367)
• 848924d [pre-commit.ci] pre-commit autoupdate (#365)
• df2e678 Bump actions/checkout from 4 to 5 in the all group (#366)
• 009a3f8 Bump actions/download-artifact from 4 to 5 in the all group (#364)
• 3d194ee [pre-commit.ci] pre-commit autoupdate (#363)
• 6046533 [pre-commit.ci] pre-commit autoupdate (#362)
• 88389ce [pre-commit.ci] pre-commit autoupdate (#361)
• 82763ff [pre-commit.ci] pre-commit autoupdate (#360)
• Additional commits viewable in compare view

Updates ruff from 0.12.10 to 0.12.11

Release notes

Sourced from ruff's releases.

0.12.11

Release Notes

Preview features

• [airflow] Extend AIR311 and AIR312 rules (#20082)
• [airflow] Replace wrong path airflow.io.storage with airflow.io.store (AIR311) (#20081)
• [flake8-async] Implement blocking-http-call-httpx-in-async-function (ASYNC212) (#20091)
• [flake8-logging-format] Add auto-fix for f-string logging calls (G004) (#19303)
• [flake8-use-pathlib] Add autofix for PTH211 (#20009)
• [flake8-use-pathlib] Make PTH100 fix unsafe because it can change behavior (#20100)

Bug fixes

• [pyflakes, pylint] Fix false positives caused by __class__ cell handling (F841, PLE0117) (#20048)
• [pyflakes] Fix allowed-unused-imports matching for top-level modules (F401) (#20115)
• [ruff] Fix false positive for t-strings in default-factory-kwarg (RUF026) (#20032)
• [ruff] Preserve relative whitespace in multi-line expressions (RUF033) (#19647)

Rule changes

• [ruff] Handle empty t-strings in unnecessary-empty-iterable-within-deque-call (RUF037) (#20045)

Documentation

• Fix incorrect D413 links in docstrings convention FAQ (#20089)
• [flake8-use-pathlib] Update links to the table showing the correspondence between os and pathlib (#20103)

Contributors

• @​AlexWaygood
• @​Avasam
• @​BurntSushi
• @​Gankra
• @​Glyphack
• @​JelleZijlstra
• @​Lee-W
• @​MatthewMckee4
• @​MichaReiser
• @​PrettyWood
• @​Renkai
• @​TaKO8Ki
• @​amyreese
• @​carljm
• @​chirizxc
• @​danparizher
• @​dhruvmanila
• @​dylwil3
• @​github-actions
• @​hamirmahal

... (truncated)

Changelog

Sourced from ruff's changelog.

0.12.11

Preview features

• [airflow] Extend AIR311 and AIR312 rules (#20082)
• [airflow] Replace wrong path airflow.io.storage with airflow.io.store (AIR311) (#20081)
• [flake8-async] Implement blocking-http-call-httpx-in-async-function (ASYNC212) (#20091)
• [flake8-logging-format] Add auto-fix for f-string logging calls (G004) (#19303)
• [flake8-use-pathlib] Add autofix for PTH211 (#20009)
• [flake8-use-pathlib] Make PTH100 fix unsafe because it can change behavior (#20100)

Bug fixes

• [pyflakes, pylint] Fix false positives caused by __class__ cell handling (F841, PLE0117) (#20048)
• [pyflakes] Fix allowed-unused-imports matching for top-level modules (F401) (#20115)
• [ruff] Fix false positive for t-strings in default-factory-kwarg (RUF026) (#20032)
• [ruff] Preserve relative whitespace in multi-line expressions (RUF033) (#19647)

Rule changes

• [ruff] Handle empty t-strings in unnecessary-empty-iterable-within-deque-call (RUF037) (#20045)

Documentation

• Fix incorrect D413 links in docstrings convention FAQ (#20089)
• [flake8-use-pathlib] Update links to the table showing the correspondence between os and pathlib (#20103)

Commits

• c2bc15b Bump 0.12.11 (#20136)
• e586f6d [ty] Benchmarks for problematic implicit instance attributes cases (#20133)
• 76a6b7e [pyflakes] Fix allowed-unused-imports matching for top-level modules (`F4...
• 1ce6571 Move GitLab output rendering to ruff_db (#20117)
• d9aaacd [ty] Evaluate reachability of non-definitely-bound to Ambiguous (#19579)
• 18eaa65 [ty] Introduce a representation for the top/bottom materialization of an inva...
• af259fa [flake8-async] Implement blocking-http-call-httpx (ASYNC212) (#20091)
• d75ef38 [ty] print diagnostics with fully qualified name to disambiguate some cases (...
• 89ca493 [ruff] Preserve relative whitespace in multi-line expressions (RUF033) (#...
• 4b80f5f [ty] Optimize TDD atom ordering (#20098)
• Additional commits viewable in compare view

Updates typing-extensions from 4.14.1 to 4.15.0

Release notes

Sourced from typing-extensions's releases.

4.15.0

No user-facing changes since 4.15.0rc1.

New features since 4.14.1:

• Add the @typing_extensions.disjoint_base decorator, as specified in PEP 800. Patch by Jelle Zijlstra.
• Add typing_extensions.type_repr, a backport of annotationlib.type_repr, introduced in Python 3.14 (CPython PR #124551, originally by Jelle Zijlstra). Patch by Semyon Moroz.
• Fix behavior of type params in typing_extensions.evaluate_forward_ref. Backport of CPython PR #137227 by Jelle Zijlstra.

4.15.0rc1

• Add the @typing_extensions.disjoint_base decorator, as specified in PEP 800. Patch by Jelle Zijlstra.
• Add typing_extensions.type_repr, a backport of annotationlib.type_repr, introduced in Python 3.14 (CPython PR #124551, originally by Jelle Zijlstra). Patch by Semyon Moroz.
• Fix behavior of type params in typing_extensions.evaluate_forward_ref. Backport of CPython PR #137227 by Jelle Zijlstra.

Changelog

Sourced from typing-extensions's changelog.

Release 4.15.0 (August 25, 2025)

No user-facing changes since 4.15.0rc1.

Release 4.15.0rc1 (August 18, 2025)

• Add the @typing_extensions.disjoint_base decorator, as specified in PEP 800. Patch by Jelle Zijlstra.
• Add typing_extensions.type_repr, a backport of annotationlib.type_repr, introduced in Python 3.14 (CPython PR #124551, originally by Jelle Zijlstra). Patch by Semyon Moroz.
• Fix behavior of type params in typing_extensions.evaluate_forward_ref. Backport of CPython PR #137227 by Jelle Zijlstra.

Commits

• 9d1637e Prepare release 4.15.0 (#658)
• 4bd67c5 Coverage: exclude some noise (#656)
• e589a26 Coverage: add detailed report to job summary (#655)
• 67d37fe Coverage: Implement fail_under (#654)
• e9ae26f Don't delete previous coverage comment (#653)
• ac80bb7 Add Coverage workflow (#623)
• abaaafd Prepare release 4.15.0rc1 (#650)
• 9810405 Add @disjoint_base (PEP 800) (#634)
• 7ee9e05 Backport type_params fix from CPython (#646)
• 1e8eb9c Do not refer to PEP 705 as being experimental (#648)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Conventional Commits Report

Type	Number
Dependencies	1

🚀 Conventional commits found.

[github-actions]

🔍 Vulnerabilities of harbor-os.greenbone.net/community/greenbone-feed-sync:295-merge-amd64

📦 Image Reference harbor-os.greenbone.net/community/greenbone-feed-sync:295-merge-amd64

digest	sha256:33832a75a9e1306fdd60fd9c1893e1bb6ccbd23d5a8fc155e2428153624a811b
vulnerabilities
size	67 MB
packages	190

📦 Base Image debian:stable-20250811-slim

also known as	stable-slim
digest	sha256:a1c1968fb091b256477e675a99ab3fa6f4c2d047ae7f506f92255cf5f0c2cf5e
vulnerabilities

tar 1.35+dfsg-3.1 (deb) pkg:deb/debian/tar@1.35%2Bdfsg-3.1?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1.35+dfsg-3.1 Fixed version Not Fixed EPSS Score 0.04% EPSS Percentile 11th percentile Description GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). Disputed tar issue, works as documented per upstream: https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md Affected range >=1.35+dfsg-3.1 Fixed version Not Fixed EPSS Score 3.25% EPSS Percentile 87th percentile Description Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. This is intended behaviour, after all tar is an archiving tool and you need to give -p as a command line flag tar (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328228; unimportant)

openssh 1:10.0p1-7 (deb) pkg:deb/debian/openssh@1:10.0p1-7?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 0.01% EPSS Percentile 1st percentile Description OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges. openssh (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059393; unimportant) https://arxiv.org/abs/2309.02545 Upstream does not consider CVE-2023-51767 a bug underlying in OpenSSH and does not intent to address it in OpenSSH. To todays knowledge (2024-03-13) it has not been demonstrated that the issue is exploitable in any real software configuration. Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 67.53% EPSS Percentile 99th percentile Description scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows." openssh (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=1860487 https://github.com/cpandya2909/CVE-2020-15778 Negligible security impact, changing the scp protocol can have a good chance of breaking existing workflows. Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 2.06% EPSS Percentile 83rd percentile Description The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected. openssh (unimportant) https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/ https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf The OpenSSH project is not planning to change the behaviour of OpenSSH regarding the issue, details in "3.1 OpenSSH" in the publication. Partial mitigation: https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d (V_8_4_P1) Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 46.62% EPSS Percentile 98th percentile Description In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred. openssh (unimportant) https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt Not considered a vulnerability by upstream, cf. https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-January/037475.html Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 0.72% EPSS Percentile 72nd percentile Description Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.' openssh (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503) https://www.openwall.com/lists/oss-security/2018/08/27/2 Not treated as a security issue by upstream Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 25.27% EPSS Percentile 96th percentile Description OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product openssh (unimportant) CVE-2016-20012 - Publickey Information leak - Only allow SSH_MSG_USERAUTH_REQUEST with signature openssh/openssh-portable#270 Negligible impact, not treated as a security issue by upstream Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 2.79% EPSS Percentile 86th percentile Description sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username. openssh (unimportant) this is by design Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 0.66% EPSS Percentile 70th percentile Description OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243. openssh (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=436571; unimportant) [etch] - openssh (Minor issue) [sarge] - openssh (Minor issue) http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=112279 Affected range >=1:10.0p1-7 Fixed version Not Fixed EPSS Score 0.48% EPSS Percentile 64th percentile Description OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483. openssh (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=436571; unimportant) [etch] - openssh (Minor issue) [sarge] - openssh (Minor issue)

glibc 2.41-12 (deb) pkg:deb/debian/glibc@2.41-12?os_distro=trixie&os_name=debian&os_version=13 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.16% EPSS Percentile 38th percentile Description In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern glibc (unimportant) eglibc (unimportant) https://sourceware.org/bugzilla/show_bug.cgi?id=24269 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.23% EPSS Percentile 46th percentile Description GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22853 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.38% EPSS Percentile 58th percentile Description GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22852 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.70% EPSS Percentile 71st percentile Description GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.14% EPSS Percentile 35th percentile Description GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 2.05% EPSS Percentile 83rd percentile Description In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep. glibc (unimportant) eglibc (unimportant) https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141 https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html No treated as vulnerability: https://sourceware.org/glibc/wiki/Security%20Exceptions Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.37% EPSS Percentile 58th percentile Description The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. glibc (unimportant) eglibc (unimportant) That's standard POSIX behaviour implemented by (e)glibc. Applications using glob need to impose limits for themselves

systemd 257.7-1 (deb) pkg:deb/debian/systemd@257.7-1?os_distro=trixie&os_name=debian&os_version=13 Affected range >=257.7-1 Fixed version Not Fixed EPSS Score 0.09% EPSS Percentile 27th percentile Description An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." systemd (unimportant) Disputed by upstream https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf Affected range >=257.7-1 Fixed version Not Fixed EPSS Score 0.10% EPSS Percentile 28th percentile Description An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." systemd (unimportant) Disputed by upstream https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf Affected range >=257.7-1 Fixed version Not Fixed EPSS Score 0.13% EPSS Percentile 33rd percentile Description An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." systemd (unimportant) Disputed by upstream https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf Affected range >=257.7-1 Fixed version Not Fixed EPSS Score 0.07% EPSS Percentile 21st percentile Description systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files. systemd (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357) [wheezy] - systemd (/etc/tmpfiles.d not supported in Wheezy) https://bugzilla.redhat.com/show_bug.cgi?id=859060 only relevant to systems running systemd along with selinux

krb5 1.21.3-5 (deb) pkg:deb/debian/krb5@1.21.3-5?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1.21.3-5 Fixed version Not Fixed EPSS Score 0.08% EPSS Percentile 25th percentile Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md Fixed by: krb5/krb5@c5f9c81 Codepath cannot be triggered via API calls, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.21.3-5 Fixed version Not Fixed EPSS Score 0.21% EPSS Percentile 43rd percentile Description Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant) https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md Fixed by: krb5/krb5@c5f9c81 Unused codepath, negligible security impact https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html Affected range >=1.21.3-5 Fixed version Not Fixed EPSS Score 0.46% EPSS Percentile 63rd percentile Description An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. krb5 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889684) https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow non-issue, codepath is only run on trusted input, potential integer overflow is non-issue

coreutils 9.7-3 (deb) pkg:deb/debian/coreutils@9.7-3?os_distro=trixie&os_name=debian&os_version=13 Affected range >=9.7-3 Fixed version Not Fixed EPSS Score 0.02% EPSS Percentile 3rd percentile Description A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. coreutils (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106733; unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2368764 https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00036.html https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00040.html https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633 https://www.openwall.com/lists/oss-security/2025/05/27/2 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507 Crash in CLI tool, no security impact Affected range >=9.7-3 Fixed version Not Fixed EPSS Score 0.06% EPSS Percentile 17th percentile Description In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. coreutils (unimportant) http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html https://www.openwall.com/lists/oss-security/2018/01/04/3 Documentation patches proposed: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html Neutralised by kernel hardening

perl 5.40.1-6 (deb) pkg:deb/debian/perl@5.40.1-6?os_distro=trixie&os_name=debian&os_version=13 Affected range >=5.40.1-6 Fixed version Not Fixed EPSS Score 0.16% EPSS Percentile 37th percentile Description _is_safe in the File::Temp module for Perl does not properly handle symlinks. perl (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776268) http://thread.gmane.org/gmane.comp.security.oss.general/6174/focus=6177 File:Temp::_is_safe() allows unsafe traversal of symlinks [rt.cpan.org #69106] Perl-Toolchain-Gang/File-Temp#14

sqlite3 3.46.1-7 (deb) pkg:deb/debian/sqlite3@3.46.1-7?os_distro=trixie&os_name=debian&os_version=13 Affected range >=3.46.1-7 Fixed version Not Fixed EPSS Score 0.20% EPSS Percentile 43rd percentile Description A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect. sqlite3 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005974) sqlite (unimportant) https://github.com/guyinatuxedo/sqlite3_record_leaking https://bugzilla.redhat.com/show_bug.cgi?id=2054793 https://sqlite.org/forum/forumpost/056d557c2f8c452ed5bb9c215414c802b215ce437be82be047726e521342161e Negligible security impact

openssl 3.5.1-1 (deb) pkg:deb/debian/openssl@3.5.1-1?os_distro=trixie&os_name=debian&os_version=13 Affected range >=3.2.1-3 Fixed version Not Fixed EPSS Score 0.11% EPSS Percentile 30th percentile Description OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf openssl/openssl#24540 Fault injection based attacks are not within OpenSSLs threat model according to the security policy: https://www.openssl.org/policies/general/security-policy.html

shadow 1:4.17.4-2 (deb) pkg:deb/debian/shadow@1:4.17.4-2?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1:4.17.4-2 Fixed version Not Fixed EPSS Score 0.33% EPSS Percentile 55th percentile Description initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. shadow (unimportant) See #290803, on Debian LOG_UNKFAIL_ENAB in login.defs is set to no so unknown usernames are not recorded on login failures

util-linux 2.41-5 (deb) pkg:deb/debian/util-linux@2.41-5?os_distro=trixie&os_name=debian&os_version=13 Affected range >=2.41-5 Fixed version Not Fixed EPSS Score 0.03% EPSS Percentile 5th percentile Description A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. util-linux (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2053151 https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u util-linux/util-linux@faa5a3a util-linux in Debian does build with readline support but chfn and chsh are provided by src:shadow and util-linux is configured with --disable-chfn-chsh

apt 3.0.3 (deb) pkg:deb/debian/apt@3.0.3?os_distro=trixie&os_name=debian&os_version=13 Affected range >=3.0.3 Fixed version Not Fixed EPSS Score 1.51% EPSS Percentile 80th percentile Description It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. apt (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480) Not exploitable in Debian, since no keyring URI is defined

python-pip 25.1.1+dfsg-1 (deb) pkg:deb/debian/python-pip@25.1.1%2Bdfsg-1?os_distro=trixie&os_name=debian&os_version=13 Affected range >=25.1.1+dfsg-1 Fixed version Not Fixed EPSS Score 2.54% EPSS Percentile 85th percentile Description An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely python-pip (unimportant) https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html pip is inherently affected by malicious packages, use packages from Debian instead :-)