Hi László,

On Sun, Jun 14, 2026 at 11:08:33AM +0200, László Böszörményi (GCS) wrote:
> Control: found -1 3.40.1-2+deb12u2
>
> Hi Salvatore,
>
> On Sun, Jun 14, 2026 at 7:57 AM Salvatore Bonaccorso <[email protected]>
> wrote:
> > Can you help assess them please, info on two CVEs below which carry the
> > same fixes references in the database:
> I've checked and Bookworm is definitely affected. The fixes are easy
> to backport. Information I've found suggests that these might have a
> PoC available.
> As far as I know, there's no application in Debian that allows network
> connection and uses input directly with FTS5. But as the package is
> compiled with FTS5 support, local exploits might be possible.
> Does this help? Can I help with more details?

Yes thank you that helps. Moritz did mark those already as no-dsa in the tracker, would you be open to fix those then via upcoming point release for trixie? Maybe, if LTS team does not consider a DLA, then the fixes might be included as well in the last bookworm point release (and if feasible along with the two more no-dsa tagged ones).

Thanks for your work!

Regards,
Salvatore

