Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
82c81a47 by Moritz Muehlenhoff at 2026-02-05T13:07:53+01:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -803,6 +803,8 @@ CVE-2019-25260 (OXID eShop versions 6.x prior to 6.3.4
contains a SQL injection
NOT-FOR-US: OXID eShop
CVE-2026-25541 (Bytes is a utility library for working with bytes. From
version 1.2.1 ...)
- rust-bytes 1.11.1-1
+ [trixie] - rust-bytes <no-dsa> (Minor issue)
+ [bookworm] - rust-bytes <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0007.html
NOTE: https://github.com/advisories/GHSA-434x-w66g-qw3r
NOTE: Fixed by:
https://github.com/tokio-rs/bytes/commit/d0293b0e35838123c51ca5dfdf468ecafee4398f
(v1.11.1)
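Review bot: Before settling on `<no-dsa>` for bookworm, check the bookworm rust-bytes version against the affected range: the description says the issue exists "From version 1.2.1", so a bookworm package older than that would be `<not-affected>` rather than `<no-dsa>`; if it is inside the range, the two new lines are fine as written.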
@@ -3079,9 +3081,10 @@ CVE-2026-24810 (Buffer Copy without Checking Size of
Input ('Classic Buffer Over
CVE-2026-24809 (An issue from the component luaG_runerror in
dependencies/lua/src/ldeb ...)
NOT-FOR-US: praydog/REFramework
CVE-2026-24808 (Integer Overflow or Wraparound vulnerability in RawTherapee
(rtengine ...)
- - rawtherapee 5.12-1
+ - rawtherapee 5.12-1 (unimportant)
NOTE: https://github.com/RawTherapee/RawTherapee/pull/7359
NOTE: Fixed by:
https://github.com/RawTherapee/RawTherapee/commit/e86bc3f638f8db3ac7b2d1d12df6ee38155788e7
(5.12-rc1)
+ NOTE: Crash in CLI tool, no security impact
CVE-2026-24807 (Improper Verification of Cryptographic Signature vulnerability
in liuy ...)
NOT-FOR-US: liuyueyi quick-media
CVE-2026-24806 (Improper Control of Generation of Code ('Code Injection')
vulnerabilit ...)
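Review bot: The added NOTE justifies the new `(unimportant)` tag, but it says "Crash in CLI tool" while the CVE description names rtengine, which is shared code; a word on why the overflow is not reachable from the GUI would let the rationale stand on its own. Minor style point: placing the NOTE directly under the package line, before the "Fixed by" NOTE, keeps the severity rationale next to the tag it explains.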
@@ -3475,6 +3478,7 @@ CVE-2026-22796 (Issue summary: A type confusion
vulnerability exists in the sign
NOTE: Fixed by:
https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49
(openssl-3.0.19)
CVE-2026-XXXX [RUSTSEC-2026-0005: Potential use-after-free in oneshot when
used asynchronously]
- rust-oneshot <unfixed>
+ [trixie] - rust-oneshot <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0005.html
NOTE: https://github.com/faern/oneshot/issues/73
CVE-2026-24686 (go-tuf is a Go implementation of The Update Framework (TUF).
go-tuf's ...)
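Review bot: Only a `[trixie]` line is added for rust-oneshot, whereas the rust-bytes hunk above adds both `[trixie]` and `[bookworm]`; if rust-oneshot is also shipped in bookworm it needs a matching tag, otherwise the unstable `<unfixed>` line alone leaves bookworm showing as vulnerable in the tracker. If the package is absent from bookworm, nothing is missing.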
@@ -4549,6 +4553,7 @@ CVE-2026-24138 (FOG is a free open-source
cloning/imaging/rescue suite/inventory
NOT-FOR-US: FOG
CVE-2026-24137 (sigstore framework is a common go library shared across
sigstore servi ...)
- golang-github-sigstore-sigstore 1.10.4-1 (bug #1126553)
+ [trixie] - golang-github-sigstore-sigstore <no-dsa> (Minor issue)
NOTE:
https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf
NOTE: Fixed by:
https://github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e
(v1.10.4)
CVE-2026-24132 (Orval generates type-safe JS clients (TypeScript) from any
valid OpenA ...)
@@ -4735,10 +4740,12 @@ CVE-2024-11976 (The The BuddyPress plugin for WordPress
is vulnerable to arbitra
NOT-FOR-US: WordPress plugin
CVE-2026-24117 (Rekor is a software supply chain transparency log. In versions
1.4.3 a ...)
- rekor 1.5.0-1 (bug #1126276)
+ [trixie] - rekor <no-dsa> (Minor issue)
NOTE:
https://github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9j
NOTE: Fixed by:
https://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f
(v1.5.0)
CVE-2026-23831 (Rekor is a software supply chain transparency log. In versions
1.4.3 a ...)
- rekor 1.5.0-1 (bug #1126275)
+ [trixie] - rekor <no-dsa> (Minor issue)
NOTE:
https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833
NOTE: Fixed by:
https://github.com/sigstore/rekor/commit/39bae3d192bce48ef4ef2cbd1788fb5770fee8cd
(v1.5.0)
CVE-2026-24390 (Improper Control of Filename for Include/Require Statement in
PHP Prog ...)
@@ -4844,10 +4851,12 @@ CVE-2026-23996 (FastAPI Api Key provides a
backend-agnostic library that provide
NOT-FOR-US: FastAPI Api Key
CVE-2026-23992 (go-tuf is a Go implementation of The Update Framework (TUF).
Starting ...)
- golang-github-theupdateframework-go-tuf <unfixed> (bug #1126271)
+ [trixie] - golang-github-theupdateframework-go-tuf <no-dsa> (Minor
issue)
NOTE:
https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525
NOTE: Fixed by:
https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0
(v2.3.1)
CVE-2026-23991 (go-tuf is a Go implementation of The Update Framework (TUF).
Starting ...)
- golang-github-theupdateframework-go-tuf <unfixed> (bug #1126269)
+ [trixie] - golang-github-theupdateframework-go-tuf <no-dsa> (Minor
issue)
NOTE:
https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324
NOTE: Fixed by:
https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6
(v2.3.1)
CVE-2026-23990 (The Flux Operator is a Kubernetes CRD controller that manages
the life ...)
@@ -6480,6 +6489,7 @@ CVE-2026-23949 (jaraco.context, an open-source software
package that provides so
[trixie] - jaraco.context <no-dsa> (Minor issue)
[bookworm] - jaraco.context <not-affected> (Vulnerable code not present)
- setuptools <unfixed> (bug #1126729)
+ [trixie] - setuptools <no-dsa> (Minor issue)
[bookworm] - setuptools <not-affected> (Vulnerable code not present,
bundled jaraco.context too old)
[bullseye] - setuptools <not-affected> (Vulnerable code not present,
bundled jaraco.context too old)
NOTE:
https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2
@@ -37696,6 +37706,8 @@ CVE-2023-7320 (The WooCommerce plugin for WordPress is
vulnerable to Sensitive I
NOT-FOR-US: WordPress plugin
CVE-2025-62727 (Starlette is a lightweight ASGI framework/toolkit. Starting in
version ...)
- starlette 0.50.0-1 (bug #1119662)
+ [trixie] - starlette <no-dsa> (Minor issue)
+ [bookworm] - starlette <no-dsa> (Minor issue)
[bullseye] - starlette <postponed> (minor issue; DoS)
NOTE:
https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8
NOTE: Fixed by:
https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5
(0.49.1)
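Review bot: Style: the new `[trixie]` and `[bookworm]` lines say `(Minor issue)` while the existing `[bullseye]` line records the impact as `(minor issue; DoS)`; carrying the DoS classification into the new lines keeps the rationale consistent across suites.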
@@ -77657,6 +77669,8 @@ CVE-2024-9453 (A vulnerability was found in Red Hat
OpenShift Jenkins. The beare
NOT-FOR-US: Red Hat OpenShift Jenkins
CVE-2026-23553 (In the context switch logic Xen attempts to skip an IBPB in
the case o ...)
- xen <unfixed>
+ [trixie] - xen <postponed> (Minor issue, fix along with next Xen update)
+ [bookworm] - xen <postponed> (Minor issue, fix along with next Xen
update)
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
NOTE: https://xenbits.xen.org/xsa/advisory-479.html
CVE-2025-58151 [varstored: TOCTOU issues with mapped guest memory]
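Review bot: The `<postponed>` rationale records only "Minor issue, fix along with next Xen update"; since the description concerns skipping an IBPB in the context switch path, a short note on why the impact is limited (which configurations or guest types the XSA scopes it to) would make the postponement reviewable without opening advisory-479 again. The same wording is reused for CVE-2025-58150 below, so one shared note would serve both.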
@@ -77664,6 +77678,8 @@ CVE-2025-58151 [varstored: TOCTOU issues with mapped
guest memory]
NOTE: https://xenbits.xen.org/xsa/advisory-478.html
CVE-2025-58150 (Shadow mode tracing code uses a set of per-CPU variables to
avoid cumb ...)
- xen <unfixed>
+ [trixie] - xen <postponed> (Minor issue, fix along with next Xen update)
+ [bookworm] - xen <postponed> (Minor issue, fix along with next Xen
update)
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
NOTE: https://xenbits.xen.org/xsa/advisory-477.html
CVE-2025-58149 (When passing through PCI devices, the detach logic in libxl
won't remo ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -77,7 +77,7 @@ ruby-saml/oldstable
--
runc
--
-shaarli
+shaarli (jmm)
Maintainer proposed update for trixie-security, open questions about bookworm
--
smb4k/oldstable
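Review bot: The claim line `shaarli (jmm)` is fine, but the existing comment "open questions about bookworm" does not record what those questions are; one line stating whether bookworm is believed affected and what is still being checked would let the next reader of dsa-needed.txt act on it.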
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82c81a47f929fad7265339e416ba76101e0a9e14
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits