Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1ddd3fe2 by Moritz Muehlenhoff at 2026-03-30T10:28:03+02:00
trixie/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -4617,6 +4617,8 @@ CVE-2026-4540 (A vulnerability was detected in 
projectworlds Online Notes Sharin
        NOT-FOR-US: Project Worlds
 CVE-2026-4539 (A security flaw has been discovered in pygments up to 2.19.2. 
The impa ...)
        - pygments <unfixed> (bug #1132233)
+       [trixie] - pygments <no-dsa> (Minor issue)
+       [bookworm] - pygments <no-dsa> (Minor issue)
        NOTE: https://github.com/pygments/pygments/issues/3058
        NOTE: https://github.com/pygments/pygments/pull/3064
        NOTE: Fixed by: 
https://github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2ccc
 (2.20.0)
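Review bot: the two added `[trixie]`/`[bookworm]` no-dsa lines give only "Minor issue" as the rationale, with nothing on why the pygments flaw is minor, while the AWStats entry later in this commit spells out its reasoning in a NOTE line. Since the truncated description ("The impa ...") does not make the impact visible either, consider a short NOTE naming the bug class or the conditions needed to trigger it, so the next triager does not have to reopen the upstream issue to re-derive the verdict.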
@@ -4757,7 +4759,7 @@ CVE-2019-25546 (NetAware 1.20 contains a buffer overflow 
vulnerability in the Sh
 CVE-2019-25545 (Terminal Services Manager 3.2.1 contains a local buffer 
overflow vulne ...)
        NOT-FOR-US: Terminal Services Manager
 CVE-2019-25544 (Pidgin 2.13.0 contains a denial of service vulnerability that 
allows l ...)
-       TODO: check
+       NOTE: Bogus CVE assignment for Pidgin, no security impact
 CVE-2026-33250 (Freeciv21 is a free open source, turn-based, empire-building 
strategy  ...)
        {DSA-6173-1}
        - freeciv 3.2.4+ds-1 (bug #1131524)
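Review bot: the replacement NOTE states the Pidgin assignment is bogus but records no supporting reference, unlike the other entries in this commit, which carry `NOTE:` URLs to upstream issues or pull requests. Suggest appending a pointer to the upstream or CNA discussion that backs the "no security impact" conclusion, e.g. `NOTE: <link to upstream analysis>`, so the verdict can be audited later without re-triaging.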
@@ -5186,10 +5188,9 @@ CVE-2026-0609 (The Logo Slider \u2013 Logo Carousel, 
Logo Showcase & Client Logo
        NOT-FOR-US: WordPress plugin
 CVE-2025-63261 (AWStats 8.0 is vulnerable to Command Injection via the open 
function)
        {DLA-4509-1}
-       - awstats <unfixed> (bug #1131878)
-       [trixie] - awstats <no-dsa> (Minor issue; requires an attacker to 
modify awstats.conf)
-       [bookworm] - awstats <no-dsa> (Minor issue; requires an attacker to 
modify awstats.conf)
+       - awstats <unfixed> (bug #1131878; unimportant)
        NOTE: 
https://pentest-tools.com/PTT-2025-021-Code-Execution-in-AWStats.pdf
+       NOTE: Crosses no reasonable security boundary, requires an attacker to 
modify awstats.conf
 CVE-2025-55988 (An issue in the component /Controllers/RestController.php of 
DreamFact ...)
        NOT-FOR-US: DreamFactory Core
 CVE-2025-14037 (The Invelity Product Feeds plugin for WordPress is vulnerable 
to arbit ...)
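Review bot: the entry keeps `{DLA-4509-1}` at the top while the unstable line is downgraded to `(bug #1131878; unimportant)` and the per-suite no-dsa lines are dropped, so the visible record now says an LTS advisory was issued for an issue judged to cross no reasonable security boundary. If that is intended, a clause in the new NOTE explaining why LTS shipped a fix anyway would keep the entry self-consistent; otherwise the severity downgrade is worth a second look before it lands.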
@@ -6414,6 +6415,8 @@ CVE-2026-3479 (pkgutil.get_data() did not validate the 
resource argument as docu
        - python2.7 <removed>
        [bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
        - pypy3 <unfixed>
+       [trixie] - pypy3 <no-dsa> (Minor issue)
+       [bookworm] - pypy3 <no-dsa> (Minor issue)
        NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/
        NOTE: https://github.com/python/cpython/issues/146121
        NOTE: https://github.com/python/cpython/pull/146133 (3.14)
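Review bot: the new `[trixie]`/`[bookworm]` pypy3 no-dsa lines sit under `- pypy3 <unfixed>`, which still carries no Debian bug number, while the pygments, awstats and node-elliptic lines in this same commit all reference a `(bug #...)`. Without a bug nothing in the BTS tracks the pending pypy3 fix for CVE-2026-3479; suggest filing one and recording it on the `<unfixed>` line. The same applies to the pypy3 line in the CVE-2026-2297 hunk below.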
@@ -12312,6 +12315,8 @@ CVE-2026-2297 (The import hook in CPython that handles 
legacy *.pyc files (Sourc
        - python3.11 <removed>
        - python3.9 <removed>
        - pypy3 <unfixed>
+       [trixie] - pypy3 <no-dsa> (Minor issue)
+       [bookworm] - pypy3 <no-dsa> (Minor issue)
        - python2.7 <not-affected> (PEP 578 not introduced yet)
        NOTE: https://github.com/python/cpython/issues/145506
        NOTE: https://github.com/python/cpython/pull/145507
@@ -34985,6 +34990,8 @@ CVE-2025-14574 (The weDocs plugin for WordPress is 
vulnerable to Sensitive Infor
        NOT-FOR-US: WordPress plugin
 CVE-2025-14505 (The ECDSA implementation of the Elliptic package generates 
incorrect s ...)
        - node-elliptic <unfixed> (bug #1125180)
+       [trixie] - node-elliptic <postponed> (Revisit when fixed upstream)
+       [bookworm] - node-elliptic <postponed> (Revisit when fixed upstream)
        [bullseye] - node-elliptic <postponed> (Revisit when fixed upstream)
        NOTE: https://github.com/indutny/elliptic/issues/321
        NOTE: https://github.com/indutny/elliptic/pull/345
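Review bot: the added `[trixie]`/`[bookworm]` postponed lines copy the bullseye wording "Revisit when fixed upstream", yet the entry already links `pull/345`; the rationale does not say whether that pull request is the awaited fix or was rejected, which is exactly what a later revisit needs to know. Suggest extending the existing NOTE with its status, e.g. `NOTE: https://github.com/indutny/elliptic/pull/345 (proposed fix, not yet merged)` if that is the case.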



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ddd3fe2ae5bd6572c625de5b0104e396d16328a


