Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c1d56a5f by Moritz Muehlenhoff at 2026-02-20T14:00:16+01:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -221,7 +221,11 @@ CVE-2025-13671 (Cross-Site Request Forgery (CSRF) 
vulnerability in OpenText\u212
        NOT-FOR-US: OpenText
 CVE-2026-2708 [libsoup: HTTP/1 request smuggling primitives accepted (CL.CL 
and TE+CL) in soup_headers_parse()]
        - libsoup3 <unfixed>
+       [trixie] - libsoup3 <no-dsa> (Minor issue)
+       [bookworm] - libsoup3 <no-dsa> (Minor issue)
        - libsoup2.4 <removed>
+       [trixie] - libsoup2.4 <no-dsa> (Minor issue)
+       [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/500
        NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libsoup/-/commit/e032d3e9b0a27d10597398023532dd8f9b6654cf
 CVE-2026-2817 (Use of insecure directory in Spring Data Geode snapshot import 
extract ...)
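Review bot: the four new `<no-dsa> (Minor issue)` lines for libsoup3 and libsoup2.4 give no reasoning for treating a request-smuggling primitive in soup_headers_parse() (CL.CL and TE+CL per the title) as minor, and an upstream fix commit is already linked in the entry; add a NOTE line recording why it does not warrant a DSA and whether the fix is meant to go out via a point release, so the decision is reviewable when the `libsoup2.4 <removed>` line is revisited for bookworm.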
@@ -737,6 +741,8 @@ CVE-2019-25402 (Comodo Dome Firewall 2.7.0 contains a 
reflected cross-site scrip
        TODO: check
 CVE-2026-XXXX [RUSTSEC-2026-0013]
        - rust-pyo3 <unfixed>
+       [trixie] - rust-pyo3 <no-dsa> (Minor issue)
+       [bookworm] - rust-pyo3 <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0013.html
 CVE-2026-27206 [Potential PHP Object Injection via Unrestricted @type in 
unserialize()]
        - php-zumba-json-serializer <unfixed> (bug #1128481)
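Review bot: the new trixie/bookworm lines hang off the `CVE-2026-XXXX [RUSTSEC-2026-0013]` placeholder, so they will have to move with the entry once a CVE id is assigned; since the only reference is the RUSTSEC advisory link, a NOTE stating why it is rated minor would also help the person who later renames the entry.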
@@ -1216,6 +1222,8 @@ CVE-2025-65519 (mayswind ezbookkeeping versions 1.2.0 and 
earlier contain a crit
        NOT-FOR-US: mayswind ezbookkeeping
 CVE-2025-61982 (An arbitrary code execution vulnerability exists in the Code 
Stream di ...)
        - openfoam <unfixed> (bug #1128475)
+       [trixie] - openfoam <no-dsa> (Minor issue)
+       [bookworm] - openfoam <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2025-2292
        TODO: check upstream status
 CVE-2025-60038 (A vulnerabilityhas been identified in Rexroth IndraWorks. This 
flaw al ...)
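Review bot: the openfoam entry is marked `<no-dsa> (Minor issue)` for trixie and bookworm while it still carries `TODO: check upstream status` and its description reads "arbitrary code execution"; either resolve the TODO before tagging the suites or add a NOTE explaining why the issue is minor despite that description, otherwise the TODO and the no-dsa lines contradict each other.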
@@ -1262,6 +1270,8 @@ CVE-2025-14340 (Cross-site scripting in REST Management 
Interface in Payara Serv
        NOT-FOR-US: Payara
 CVE-2025-14009 (A critical vulnerability exists in the NLTK downloader 
component of nl ...)
        - nltk <unfixed> (bug #1128474)
+       [trixie] - nltk <no-dsa> (Minor issue)
+       [bookworm] - nltk <no-dsa> (Minor issue)
        NOTE: https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4
        NOTE: https://github.com/nltk/nltk/issues/3489
        NOTE: https://github.com/nltk/nltk/pull/3468
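Review bot: CVE-2025-14009 is described as "a critical vulnerability exists in the NLTK downloader" yet the new lines mark it `(Minor issue)` with no rationale; a one-line NOTE next to the existing issue #3489 and PR #3468 links saying why it is not DSA-worthy would make the triage traceable later.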
@@ -1390,12 +1400,14 @@ CVE-2026-2625
        - rust-rpm-sequoia <unfixed> (bug #1128418)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2440357
 CVE-2026-2644 (A weakness has been identified in niklasso minisat up to 2.2.0. 
This i ...)
-       - minisat2 <unfixed>
+       - minisat2 <unfixed> (unimportant)
+       NOTE: Crash in CLI tool, no security impact
        NOTE: https://github.com/niklasso/minisat/issues/55
 CVE-2026-2642 (A security vulnerability has been detected in ggreer 
the_silver_search ...)
        NOT-FOR-US: the_silver_searcher
 CVE-2026-2641 (A weakness has been identified in universal-ctags ctags up to 
6.2.1. T ...)
-       - universal-ctags <unfixed>
+       - universal-ctags <unfixed> (unimportant)
+       NOTE: Crash in CLI tool, no security impact
        NOTE: https://github.com/universal-ctags/ctags/issues/4369
 CVE-2026-2633 (The Gutenberg Blocks with AI by Kadence WP plugin for WordPress 
is vul ...)
        NOT-FOR-US: WordPress plugin
@@ -5024,6 +5036,7 @@ CVE-2026-23948 (FreeRDP is a free implementation of the 
Remote Desktop Protocol.
        - freerdp3 3.22.0+dfsg-1
        [trixie] - freerdp3 <no-dsa> (Minor issue)
        - freerdp2 <removed>
+       [bookworm] - freerdp2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6f3c-qvqq-2px5
        NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/4d44e3c097656a8b9ec696353647b0888ca45860
 (3.22.0)
 CVE-2026-24027 (Crafted zones can lead to increased incoming network traffic.)
@@ -12595,7 +12608,9 @@ CVE-2025-11468 (When folding a long comment in an email 
header containing exclus
        {DLA-4455-1}
        - python3.14 3.14.3-1 (bug #1126786)
        - python3.13 3.13.12-1 (bug #1126787)
+       [trixie] - python3.13 <no-dsa> (Minor issue)
        - python3.11 <removed>
+       [bookworm] - python3.11 <no-dsa> (Minor issue)
        - python3.9 <removed>
        - python2.7 <not-affected> (E-mail folding API introduced in Python 3.3)
        - pypy3 <unfixed> (bug #1126788)
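Review bot: bookworm python3.11 is marked `<no-dsa> (Minor issue)` although the entry already records `{DLA-4455-1}` for bullseye; document the asymmetry, either by noting that a bookworm point-release update is intended (fixed versions 3.13.12-1 and 3.14.3-1 exist for the newer branches) or by stating why bookworm is treated differently from the LTS decision.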
@@ -13906,7 +13921,9 @@ CVE-2011-10041 (Uploadify WordPress plugin versions up 
to and including 1.0conta
 CVE-2025-61730 (During the TLS 1.3 handshake if multiple messages are sent in 
records  ...)
        - golang-1.25 1.25.6-1 (bug #1125916)
        - golang-1.24 1.24.12-1 (bug #1125917)
+       [trixie] - golang-1.24 <no-dsa> (Minor issue)
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
        [bullseye] - golang-1.15 <postponed> (Limited support, minor issue, 
follow bookworm DSAs/point-releases)
        NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
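Review bot: the unchanged bullseye line still says `follow bookworm DSAs/point-releases`, but this hunk marks bookworm golang-1.19 `<no-dsa>`, so the bullseye guidance now points at a DSA that will not be issued; either adjust the bullseye rationale to point-releases only or make the bookworm line explicit about whether a point-release update is planned.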
@@ -13967,7 +13984,9 @@ CVE-2025-61726 (The net/url package does not set a 
limit on the number of query
 CVE-2025-61728 (archive/zip uses a super-linear file name indexing algorithm 
that is i ...)
        - golang-1.25 1.25.6-1 (bug #1125916)
        - golang-1.24 1.24.12-1 (bug #1125917)
+       [trixie] - golang-1.24 <no-dsa> (Minor issue)
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <not-affected> (Vulnerable code introduced later)
        NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
        NOTE: https://github.com/golang/go/issues/77102


=====================================
data/dsa-needed.txt
=====================================
@@ -23,8 +23,7 @@ chromium (dilinger)
 cpp-httplib
   Maintainer preparing updates, waiting for feedback on bookworm status
 --
-frr/oldstable
-  coordination with the maintainer ongoing, Daniel Baumann proposing an update
+frr
 --
 gh/oldstable
   Santiago Vila might work on preparing an update
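Review bot: changing `frr/oldstable` to `frr` widens the entry to stable as well but drops its only status line (coordination with the maintainer, Daniel Baumann proposing an update); every neighbouring entry carries a status or claimant line, so keep a one-line state, e.g. whether that proposed update still stands and now covers both suites, to avoid someone restarting the coordination.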
@@ -63,6 +62,8 @@ pillow/stable (jmm)
 --
 python-aiohttp
 --
+python-django
+--
 python-tornado (jmm)
   Daniel Leidert is proposing to work on an update, asked to send debdiffs to 
team for review
 --
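Review bot: `python-django` is added without a claimant or status line; that matches `python-aiohttp` directly above, but since the surrounding entries record who is preparing the update (jmm, Daniel Leidert), adding the claimant or a short status when it is known would keep the file consistent.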



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1d56a5f20b6433586438da6852dee45dcb0f354

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits