Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
56d98c90 by Moritz Muehlenhoff at 2026-01-21T13:03:56+01:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -392,15 +392,23 @@ CVE-2025-33233 (NVIDIA Merlin Transformers4Rec for all 
platforms contains a vuln
        NOT-FOR-US: NVIDIA
 CVE-2025-33231 (NVIDIA Nsight Systems for Windows contains a vulnerability in 
the appl ...)
        - nvidia-cuda-toolkit <unfixed>
+       [trixie] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
+       [bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
        NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5755
 CVE-2025-33230 (NVIDIA Nsight Systems for Linux contains a vulnerability in 
the .run i ...)
        - nvidia-cuda-toolkit <unfixed>
+       [trixie] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
+       [bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
        NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5755
 CVE-2025-33229 (NVIDIA Nsight Visual Studio for Windows contains a 
vulnerability in Ns ...)
        - nvidia-cuda-toolkit <unfixed>
+       [trixie] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
+       [bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
        NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5755
 CVE-2025-33228 (NVIDIA Nsight Systems contains a vulnerability in the 
gfx_hotspot reci ...)
        - nvidia-cuda-toolkit <unfixed>
+       [trixie] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
+       [bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
        NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5755
 CVE-2025-33015 (IBM Concert 1.0.0 through 2.1.0 is vulnerable to malicious 
file upload ...)
        NOT-FOR-US: IBM
@@ -436,6 +444,8 @@ CVE-2025-11743 (A denial-of-service security issue in the 
affected product. The
        NOT-FOR-US: Rockwell Automation
 CVE-2025-15281 (Calling wordexp with WRDE_REUSE in conjunction with 
WRDE_APPEND in the ...)
        - glibc <unfixed>
+       [trixie] - glibc <no-dsa> (Minor issue)
+       [bookworm] - glibc <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2026/01/20/3
        NOTE: Inroduced with: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=8f2ece695d8822e9ecc63ecd157e90bf17a6fe65
        NOTE: Fixed by: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=80cc58ea2de214f85b0a1d902a3b668ad2ecb302
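Review bot: the unchanged context line `NOTE: Inroduced with:` under CVE-2025-15281 has a typo ("Inroduced"); since this hunk already edits that entry, consider correcting it to `NOTE: Introduced with:` so it matches the `Introduced by:` wording used elsewhere in the file (for example the libpng CVE-2026-22695 entry further down in this diff).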
@@ -498,6 +508,7 @@ CVE-2026-23874 (ImageMagick is free and open-source 
software used for editing an
        - imagemagick <unfixed>
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/2a09644b10a5b146e0a7c63b778bd74a112ebec3
 (7.1.2-13)
+       NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/fe2970bbbe02c6fe875cc2b269390a3165d57706
 (6.9.13-38)
 CVE-2026-23849 (File Browser provides a file managing interface within a 
specified dir ...)
        NOT-FOR-US: filebrowser
 CVE-2026-23848 (MyTube is a self-hosted downloader and player for several 
video websit ...)
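Review bot: the added `Fixed by:` reference to the ImageMagick6 commit `(6.9.13-38)` records that the 6.x branch needed its own fix, but CVE-2026-23874 is still left at a bare `- imagemagick <unfixed>` with no `[trixie]` or `[bookworm]` annotation, whereas CVE-2026-22770 in the next hunk of this same commit was triaged per release. If the no-dsa versus DSA decision for this one is still open, a `TODO:` line would make that explicit rather than leaving the entry looking untriaged.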
@@ -508,6 +519,8 @@ CVE-2026-23837 (MyTube is a self-hosted downloader and 
player for several video
        NOT-FOR-US: MyTube
 CVE-2026-22770 (ImageMagick is free and open-source software used for editing 
and mani ...)
        - imagemagick <unfixed>
+       [bookworm] - imagemagick <not-affected> (Vulnerable code not present, 
specific to IM7)
+       [bullseye] - imagemagick <not-affected> (Vulnerable code not present, 
specific to IM7)
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-39h3-g67r-7g3c
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/3e0330721020e0c5bb52e4b77c347527dd71658e
 (7.1.2-13)
 CVE-2026-22219 (Chainlit versions prior to 2.9.4 contain a server-side request 
forgery ...)
@@ -670,6 +683,8 @@ CVE-2026-1146 (A vulnerability has been found in 
SourceCodester/Patrick Mvuma Pa
        NOT-FOR-US: SourceCodester
 CVE-2026-1145 (A flaw has been found in quickjs-ng quickjs up to 0.11.0. 
Affected by  ...)
        - quickjs <unfixed>
+       [trixie] - quickjs <no-dsa> (Minor issue)
+       [bookworm] - quickjs <no-dsa> (Minor issue)
        NOTE: https://github.com/quickjs-ng/quickjs/issues/1305
        NOTE: https://github.com/quickjs-ng/quickjs/pull/1306
        NOTE: 
https://github.com/paralin/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4
@@ -755,11 +770,12 @@ CVE-2026-23525 (1Panel is an open-source, web-based 
control panel for Linux serv
        NOT-FOR-US: 1Panel
 CVE-2026-1144 (A vulnerability was detected in quickjs-ng quickjs up to 
0.11.0. Affec ...)
        - quickjs <unfixed>
+       [trixie] - quickjs <no-dsa> (Minor issue)
+       [bookworm] - quickjs <no-dsa> (Minor issue)
        NOTE: https://github.com/quickjs-ng/quickjs/issues/1301
        NOTE: https://github.com/quickjs-ng/quickjs/issues/1302
        NOTE: https://github.com/quickjs-ng/quickjs/pull/1303
        NOTE: 
https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141
-       TODO: check, if inpacts quickjs actually or only the itp'ed quickjs-ng, 
#1120722
 CVE-2026-1143 (A weakness has been identified in TOTOLINK A3700R 
9.1.2u.5822_B2020051 ...)
        NOT-FOR-US: TOTOLINK
 CVE-2026-1142 (A security flaw has been discovered in PHPGurukul News Portal 
1.0. The ...)
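Review bot: the removed line `TODO: check, if inpacts quickjs actually or only the itp'ed quickjs-ng, #1120722` is dropped without any NOTE recording what the check found. Tagging trixie and bookworm `<no-dsa> (Minor issue)` implies the conclusion was that the `quickjs` source package is affected and not only quickjs-ng, so consider replacing the TODO with a NOTE stating that conclusion (keeping the `#1120722` reference) so the reasoning survives in the file; the sibling CVE-2026-1145 entry, which received the same tags in this commit, would benefit from the same note.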
@@ -824,6 +840,8 @@ CVE-2026-0863 (Using string formatting and exception 
handling, an attacker may b
        NOT-FOR-US: n8n
 CVE-2025-15537 (A security vulnerability has been detected in Mapnik up to 
4.2.0. This ...)
        - mapnik <unfixed>
+       [trixie] - mapnik <postponed> (Minor issue, revisit when fixed upstream)
+       [bookworm] - mapnik <postponed> (Minor issue, revisit when fixed 
upstream)
        NOTE: https://github.com/mapnik/mapnik/issues/4543
 CVE-2025-15536 (A weakness has been identified in BYVoid OpenCC up to 1.1.9. 
This vuln ...)
        - opencc <unfixed> (unimportant)
@@ -1612,10 +1630,14 @@ CVE-2026-0992 (A flaw was found in the libxml2 library. 
This uncontrolled resour
        NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/f75abfcaa419a740a3191e56c60400f3ff18988d
 CVE-2026-0990 (A flaw was found in libxml2, an XML parsing library. This 
uncontrolled ...)
        - libxml2 <unfixed> (bug #1125695)
+       [trixie] - libxml2 <no-dsa> (Minor issue)
+       [bookworm] - libxml2 <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
        NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1961208e958ca22f80a0b4e4c9d71cfa050aa982
 CVE-2026-0989 (A flaw was identified in the RelaxNG parser of libxml2 related 
to how  ...)
        - libxml2 <unfixed> (bug #1125691)
+       [trixie] - libxml2 <no-dsa> (Minor issue)
+       [bookworm] - libxml2 <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/998
        NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374
 CVE-2026-0976 (A flaw was found in Keycloak. This improper input validation 
vulnerabi ...)
@@ -3594,6 +3616,8 @@ CVE-2026-22801 (LIBPNG is a reference library for use in 
applications that read,
        NOTE: Fixed by: 
https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072
 CVE-2026-22695 (LIBPNG is a reference library for use in applications that 
read, creat ...)
        - libpng1.6 <unfixed> (bug #1125443)
+       [trixie] - libpng1.6 <no-dsa> (Minor issue)
+       [bookworm] - libpng1.6 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp
        NOTE: Introduced by: 
https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea
 (v1.6.51)
        NOTE: Fixed by: 
https://github.com/pnggroup/libpng/commit/e4f7ad4ea2a471776c81dda4846b7691925d9786
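Review bot: the context line `NOTE: Introduced by: ... (v1.6.51)` says this bug was introduced in libpng v1.6.51, so before settling on `<no-dsa> (Minor issue)` for trixie and bookworm it is worth confirming that the libpng1.6 versions shipped in those releases actually contain that commit. A release whose libpng predates v1.6.51 should be tagged `<not-affected> (Vulnerable code not present)` rather than `<no-dsa>`, as was done for the imagemagick CVE-2026-22770 entry earlier in this diff.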


=====================================
data/dsa-needed.txt
=====================================
@@ -53,6 +53,8 @@ openjdk-17 (jmm)
 --
 openjdk-21/stable (jmm)
 --
+openjdk-25/stable (jmm)
+--
 opennds/oldstable
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56d98c90c234e64330935d4eb4d1524cf604ed70
