Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8c94d019 by Moritz Muehlenhoff at 2026-03-18T16:04:00+01:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -116,6 +116,8 @@ CVE-2026-28673 (xiaoheiFS is a self-hosted financial and
operational system for
NOT-FOR-US: xiaoheiFS
CVE-2026-28500 (Open Neural Network Exchange (ONNX) is an open standard for
machine le ...)
- onnx <unfixed>
+ [trixie] - onnx <no-dsa> (Minor issue)
+ [bookworm] - onnx <no-dsa> (Minor issue)
NOTE:
https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m
CVE-2026-28499 (LeafKit is a templating language with Swift-inspired syntax.
Prior to ...)
NOT-FOR-US: LeafKit
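Review bot: the CVE-2026-28500 entry keeps `- onnx <unfixed>` with no bug reference, so once trixie and bookworm are marked `<no-dsa> (Minor issue)` nothing visible here tracks the fix for unstable. Consider filing a BTS bug and recording it on the `<unfixed>` line, as the libweb-api-perl entry in this same commit does with `(bug #1102148)`.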
@@ -1817,6 +1819,8 @@ CVE-2026-32142 (Shopware is an open commerce platform.
/api/_info/config route e
NOT-FOR-US: Shopware
CVE-2026-32141 (flatted is a circular JSON parser. Prior to 3.4.0, flatted's
parse() f ...)
- node-flatted 3.4.1~ds-1
+ [trixie] - node-flatted <no-dsa> (Minor issue)
+ [bookworm] - node-flatted <no-dsa> (Minor issue)
NOTE:
https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f
NOTE: https://github.com/WebReflection/flatted/pull/88
NOTE: Fixedby:
https://github.com/WebReflection/flatted/commit/7774aae45d3775c842abe9d071fd009171a5fc0c
(v3.4.0)
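Review bot: in the CVE-2026-32141 block the unchanged note is spelled `NOTE: Fixedby:`, while the ImageMagick and ormar entries in this file use `NOTE: Fixed by:`. Since the entry is being edited anyway, normalising it to `Fixed by:` would keep searches over the notes consistent.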
@@ -2755,6 +2759,8 @@ CVE-2026-31815 (Unicorn adds modern reactive component
functionality to your Dja
NOT-FOR-US: Django Unicorn
CVE-2026-31812 (Quinn is a pure-Rust, async-compatible implementation of the
IETF QUIC ...)
- rust-quinn-proto 0.11.14-1
+ [trixie] - rust-quinn-proto <no-dsa> (Minor issue)
+ [bookworm] - rust-quinn-proto <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0037.html
NOTE:
https://github.com/quinn-rs/quinn/security/advisories/GHSA-6xvm-j4wr-6v98
NOTE: https://github.com/quinn-rs/quinn/pull/2558
@@ -9437,6 +9443,7 @@ CVE-2026-26283 (ImageMagick is free and open-source
software used for editing an
NOTE: Fixed by:
https://github.com/ImageMagick/ImageMagick6/commit/8b47529f22404853d22205583087add01ea9fae8
(6.9.13-39)
CVE-2026-26198 (Ormar is a async mini ORM for Python. In versions 0.9.9
through 0.22.0 ...)
- ormar 0.23.0-1 (bug #1129259)
+ [bookworm] - ormar <no-dsa> (Minor issue)
NOTE:
https://github.com/collerek/ormar/security/advisories/GHSA-xxh2-68g9-8jqr
NOTE: Fixed by:
https://github.com/collerek/ormar/commit/a03bae14fe01358d3eaf7e319fcd5db2e4956b16
(0.23.0)
CVE-2026-26066 (ImageMagick is free and open-source software used for editing
and mani ...)
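Review bot: the ormar entry for CVE-2026-26198 gains only a `[bookworm]` line, whereas the onnx, node-flatted and rust-quinn-proto entries in this commit each get both `[trixie]` and `[bookworm]`. The commit message says "trixie/bookworm triage" and the hunk gives no indication why trixie is left out, so it is worth confirming that trixie is unaffected or does not ship ormar rather than having been missed.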
@@ -123710,8 +123717,8 @@ CVE-2024-58036 (Net::Dropbox::API 1.9 and earlier for
Perl uses the rand() funct
NOTE: https://lists.security.metacpan.org/cve-announce/msg/28504518/
CVE-2024-57868 (Web::API 2.8 and earlier for Perl uses the rand() function as
the defa ...)
- libweb-api-perl <unfixed> (bug #1102148)
- [trixie] - libweb-api-perl <no-dsa> (Minor issue)
- [bookworm] - libweb-api-perl <no-dsa> (Minor issue)
+ [trixie] - libweb-api-perl <postponed> (Minor issue, revisit when fixed
upstream)
+ [bookworm] - libweb-api-perl <postponed> (Minor issue, revisit when
fixed upstream)
[bullseye] - libweb-api-perl <postponed> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/28503730/
CVE-2025-30473 (Improper Neutralization of Special Elements used in an SQL
Command ('S ...)
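Review bot: the `[trixie]` and `[bookworm]` lines for libweb-api-perl now read `<postponed> (Minor issue, revisit when fixed upstream)`, but the `[bullseye]` context line directly below keeps the bare `<postponed> (Minor issue)`. Suggest giving all three suites the same wording so the revisit condition is stated uniformly for CVE-2024-57868.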
=====================================
data/dsa-needed.txt
=====================================
@@ -30,6 +30,10 @@ gh/oldstable
--
git-lfs
--
+gst-plugins-bad1.0
+--
+gst-plugins-ugly1.0
+--
incus/stable
--
imagemagick
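Review bot: `gst-plugins-bad1.0` and `gst-plugins-ugly1.0` are added to dsa-needed.txt with neither a suite suffix nor a note line, unlike neighbouring entries such as `incus/stable` and the annotated `node-tar` entry. If only one suite needs an update, add the suffix; a one-line note naming the issue or who is preparing the update would also help whoever picks these up.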
@@ -54,6 +58,8 @@ lxd
--
mbedtls/oldstable
--
+nodejs/oldstable
+--
node-tar
Daniel Leidert proposed to work on {bookworm,trixie}-security updates, but
maintainers should be involved
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c94d019f961e8214cea569c0161abfc1c38a847