Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
78fefc4c by Moritz Muehlenhoff at 2026-04-05T22:42:45+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -9,6 +9,8 @@ CVE-2026-XXXX [Local unprivileged user can trigger an assert in 
systemd]
        NOTE: Fixed by: 
https://github.com/systemd/systemd/commit/6f3074088a9f89f89d3188f7b3b4f0ddc0cfc73b
 (v260.1)
 CVE-2026-XXXX [nspawn: escape-to-host via malformed optional config file]
        - systemd 260~rc3-1
+       [trixie] - systemd <no-dsa> (Minor issue)
+       [bookworm] - systemd <no-dsa> (Minor issue)
        NOTE: 
https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx
        NOTE: Fixed by: 
https://github.com/systemd/systemd/commit/61bceb1bff4b1f9c126b18dc971ca3e6d8c71c40
 (v260-rc3)
        NOTE: Fixed by: 
https://github.com/systemd/systemd/commit/7b85f5498a958e5bb660c703b8f4a71cceed3373
 (v260-rc3)
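Review bot: the added `[trixie]`/`[bookworm]` `<no-dsa>` lines for the nspawn entry give only "Minor issue" as the reason, which sits oddly next to an "escape-to-host via malformed optional config file" title; stating in the parenthesised reason what precondition makes it minor (what has to be in place before the malformed optional config file is reachable at all) would let a later triager understand the no-DSA decision without re-reading the GHSA advisory linked in the context lines.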
@@ -16,6 +18,8 @@ CVE-2026-XXXX [nspawn: escape-to-host via malformed optional 
config file]
        NOTE: Fixed by: 
https://github.com/systemd/systemd/commit/bfa0a842822c4f79da9d47f8a773fd128d8f8a0a
 (v257.12)
 CVE-2026-XXXX [udev: local root execution via malicious hardware devices and 
unsanitized kernel output]
        - systemd 260~rc4-1
+       [trixie] - systemd <no-dsa> (Minor issue)
+       [bookworm] - systemd <no-dsa> (Minor issue)
        NOTE: 
https://github.com/systemd/systemd/security/advisories/GHSA-vpfq-8p5f-jcqx
        NOTE: Fixed by: 
https://github.com/systemd/systemd/commit/16325b35fa6ecb25f66534a562583ce3b96d52f3
 (v260-rc3)
        NOTE: Fixed by: 
https://github.com/systemd/systemd/commit/54f880b02ecf7362e630ffc885d1466df6ee6820
 (v260-rc4)
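Review bot: this entry and the nspawn entry above both still carry the `CVE-2026-XXXX` placeholder while now receiving trixie/bookworm suite states, so once the GHSA-vpfq-8p5f-jcqx advisory gets a CVE id the placeholder has to be replaced or the new `<no-dsa>` lines will not be attached to the real id. As in the previous hunk, "Minor issue" is a thin reason next to a "local root execution" title; the title itself points at attacker-supplied hardware as the prerequisite, and recording that in the reason string would make the triage self-explanatory.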
@@ -985,6 +989,8 @@ CVE-2026-5344 (A security vulnerability has been detected 
in Textpattern up to 4
        - textpattern <removed>
 CVE-2026-5342 (A flaw has been found in LibRaw up to 0.22.0. This affects the 
functio ...)
        - libraw <unfixed> (bug #1132655)
+       [trixie] - libraw <no-dsa> (Minor issue)
+       [bookworm] - libraw <no-dsa> (Minor issue)
        NOTE: https://github.com/LibRaw/LibRaw/issues/795
        NOTE: Fixed by: 
https://github.com/LibRaw/LibRaw/commit/b8397cd45657b84e88bd1202528d1764265f185c
 CVE-2026-5339 (A vulnerability was detected in Tenda G103 1.0.0.5. The 
impacted eleme ...)
@@ -2715,7 +2721,8 @@ CVE-2026-27854 (An attacker might be able to trigger a 
use-after-free by sending
        NOTE: https://downloads.powerdns.com/patches/2026-02/
 CVE-2026-5185 (A security flaw has been discovered in Nothings stb_image up to 
2.30.  ...)
        - libstb <unfixed>
-       TODO: check upstream details
+       [trixie] - libstb <no-dsa> (Minor issue)
+       [bookworm] - libstb <no-dsa> (Minor issue)
 CVE-2026-5184 (A vulnerability was identified in TRENDnet TEW-713RE up to 
1.02. The i ...)
        NOT-FOR-US: TRENDnet
 CVE-2026-5183 (A vulnerability was determined in TRENDnet TEW-713RE up to 
1.02. The a ...)
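Review bot: the removed `TODO: check upstream details` is not replaced by any `NOTE:` recording what the check found, so the libstb entry now has no upstream reference at all (compare the PowerDNS entry just above, which links its patches directory). If an upstream issue or fix commit was identified while resolving the TODO, add it as a `NOTE:` line so the `<no-dsa>` decision can be revisited when a fix lands in the package.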
@@ -3320,7 +3327,7 @@ CVE-2018-25225 (SIPP 3.3 contains a stack-based buffer 
overflow vulnerability th
 CVE-2018-25224 (PMS 0.42 contains a stack-based buffer overflow vulnerability 
that all ...)
        NOT-FOR-US: Bogus CVE assignment for pms
 CVE-2018-25223 (Crashmail 1.6 contains a stack-based buffer overflow 
vulnerability tha ...)
-       - crashmail <undetermined>
+       NOTE: Bogus CVE, this crosses no security boundary
        NOTE: https://www.exploit-db.com/exploits/44331
 CVE-2018-25222 (SC v7.16 contains a stack-based buffer overflow vulnerability 
that all ...)
        - sc <unfixed> (unimportant)
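Review bot: replacing `- crashmail <undetermined>` with only a `NOTE:` leaves the crashmail entry with no package status line, so the tracker no longer records any resolution for it. The neighbouring entries in this hunk show the two usual forms for this situation: `NOT-FOR-US: Bogus CVE assignment for pms` on the PMS entry, or `- sc <unfixed> (unimportant)` on the SC entry; either of those, with the new NOTE kept, would be consistent with the rest of the file.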
@@ -4342,6 +4349,8 @@ CVE-2026-32286 (The DataRow.Decode function fails to 
properly validate field len
        NOTE: https://github.com/jackc/pgx/issues/2507
 CVE-2026-32285 (The Delete function fails to properly validate offsets when 
processing ...)
        - golang-github-buger-jsonparser 1.1.2-1
+       [trixie] - golang-github-buger-jsonparser <no-dsa> (Minor issue)
+       [bookworm] - golang-github-buger-jsonparser <no-dsa> (Minor issue)
        [bullseye] - golang-github-buger-jsonparser <postponed> (Limited 
support, minor issue, follow bookworm DSAs/point-releases)
        NOTE: https://github.com/buger/jsonparser/issues/275
 CVE-2026-32284 (The msgpack decoder fails to properly validate the input 
buffer length ...)
@@ -5588,14 +5597,20 @@ CVE-2026-3608 (Sending a maliciously crafted message to 
the kea-ctrl-agent, kea-
        NOTE: https://kb.isc.org/docs/cve-2026-3608
 CVE-2026-33515 (Squid is a caching proxy for the Web. Prior to version 7.5, 
due to imp ...)
        - squid 7.5-1
+       [trixie] - squid <no-dsa> (Minor issue)
+       [bookworm] - squid <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2026/03/25/4
        NOTE: Fxied by: 
https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165
 (SQUID_7_5)
 CVE-2026-32748 (Squid is a caching proxy for the Web. Prior to version 7.5, 
due to pre ...)
        - squid 7.5-1
+       [trixie] - squid <no-dsa> (Minor issue)
+       [bookworm] - squid <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2026/03/25/3
        NOTE: Fixed by: 
https://github.com/squid-cache/squid/commit/703e07d25ca6fa11f52d20bf0bb879e22ab7481b
 (SQUID_7_5)
 CVE-2026-33526 (Squid is a caching proxy for the Web. Prior to version 7.5, 
due to hea ...)
        - squid 7.5-1
+       [trixie] - squid <no-dsa> (Minor issue)
+       [bookworm] - squid <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2026/03/25/2
        NOTE: Fixed by: 
https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91
 (SQUID_7_5)
 CVE-2026-23395 (In the Linux kernel, the following vulnerability has been 
resolved:  B ...)
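Review bot: the context line `NOTE: Fxied by:` under CVE-2026-33515 has a typo (should be `Fixed by:`); the other two Squid entries in this hunk spell it correctly, and since this commit already touches that entry it would be cheap to correct it here rather than leave an inconsistent prefix for anyone grepping the file for fix commits.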
@@ -7334,6 +7349,8 @@ CVE-2026-2412 (The Quiz and Survey Master (QSM) plugin 
for WordPress is vulnerab
        NOT-FOR-US: WordPress plugin
 CVE-2026-29111 (systemd, a system and service manager, (as PID 1) hits an 
assert and f ...)
        - systemd 260~rc2-1
+       [trixie] - systemd <no-dsa> (Minor issue)
+       [bookworm] - systemd <no-dsa> (Minor issue)
        NOTE: 
https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764
        NOTE: Fixed by: 
https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f
 (v260-rc2)
        NOTE: Fixed by: 
https://github.com/systemd/systemd/commit/efa6ba2ab625aaa160ac435a09e6482fc63bdbe8
 (v260-rc2)
@@ -8148,14 +8165,20 @@ CVE-2026-33237 (WWBN AVideo is an open source video 
platform. Prior to version 2
        NOT-FOR-US: WWBN AVideo
 CVE-2026-33236 (NLTK (Natural Language Toolkit) is a suite of open source 
Python modul ...)
        - nltk <unfixed> (bug #1131460)
+       [trixie] - nltk <no-dsa> (Minor issue)
+       [bookworm] - nltk <no-dsa> (Minor issue)
        NOTE: 
https://github.com/nltk/nltk/security/advisories/GHSA-469j-vmhf-r6v7
        NOTE: Fixed by: 
https://github.com/nltk/nltk/commit/75917efc66ab122bf4b7ea9ffc33e8f8b39c5dce
 CVE-2026-33231 (NLTK (Natural Language Toolkit) is a suite of open source 
Python modul ...)
        - nltk <unfixed> (bug #1131459)
+       [trixie] - nltk <no-dsa> (Minor issue)
+       [bookworm] - nltk <no-dsa> (Minor issue)
        NOTE: 
https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g
        NOTE: Fixed by: 
https://github.com/nltk/nltk/commit/1b6a569d7bab2c697bc1fc245f55ac0102079c18
 CVE-2026-33230 (NLTK (Natural Language Toolkit) is a suite of open source 
Python modul ...)
        - nltk <unfixed> (bug #1131457)
+       [trixie] - nltk <no-dsa> (Minor issue)
+       [bookworm] - nltk <no-dsa> (Minor issue)
        NOTE: 
https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7
        NOTE: 
https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f
 CVE-2026-33228 (flatted is a circular JSON parser. Prior to version 3.4.2, the 
parse() ...)
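Review bot: under CVE-2026-33230 the commit link is a bare `NOTE: https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f`, without the `Fixed by:` prefix that the sibling entries CVE-2026-33236 and CVE-2026-33231 use for their commits; if that commit is the fix, prefixing it keeps the three entries readable the same way. The three pairs of `<no-dsa>` additions themselves are consistent with each other.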
@@ -14188,6 +14211,8 @@ CVE-2026-21736 (Software installed and run as a 
non-privileged user may conduct
        NOT-FOR-US: Imagination Technologies
 CVE-2026-0846 (A vulnerability in the `filestring()` function of the 
`nltk.util` modu ...)
        - nltk 3.9.3-1
+       [trixie] - nltk <no-dsa> (Minor issue)
+       [bookworm] - nltk <no-dsa> (Minor issue)
        NOTE: https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb
        NOTE: https://github.com/nltk/nltk/pull/3485
        NOTE: Fixed by: 
https://github.com/nltk/nltk/commit/1fc626969f013bba104a40e5e760b9d67b2994ea 
(3.9.3)
@@ -15456,6 +15481,8 @@ CVE-2026-1128 (The WP eCommerce WordPress plugin 
through 3.15.1 does not have CS
        NOT-FOR-US: WordPress plugin
 CVE-2026-0848 (NLTK versions <=3.9.2 are vulnerable to arbitrary code 
execution due t ...)
        - nltk 3.9.3-1
+       [trixie] - nltk <no-dsa> (Minor issue)
+       [bookworm] - nltk <no-dsa> (Minor issue)
        NOTE: https://huntr.com/bounties/08b109bb-ac24-403f-9422-1c246ce60202
        NOTE: https://github.com/nltk/nltk/pull/3477
        NOTE: Fixed by: 
https://github.com/nltk/nltk/commit/27fab63c5b7689a125feb282958f630ced3a4f77 
(3.9.3)
@@ -16643,6 +16670,8 @@ CVE-2026-1236 (The Envira Gallery for WordPress plugin 
for WordPress is vulnerab
        NOT-FOR-US: WordPress plugin
 CVE-2026-0847 (A vulnerability in NLTK versions up to and including 3.9.2 
allows arbi ...)
        - nltk 3.9.3-1
+       [trixie] - nltk <no-dsa> (Minor issue)
+       [bookworm] - nltk <no-dsa> (Minor issue)
        NOTE: https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f96
        NOTE: https://github.com/nltk/nltk/pull/3479
        NOTE: Fixed by (merge): 
https://github.com/nltk/nltk/commit/603e34d25a2cad4612185ebfa6bc1c0dcfcfb2ab 
(3.9.3)


=====================================
data/dsa-needed.txt
=====================================
@@ -75,6 +75,8 @@ redis
 rtpengine
   Victor Seva prepared a debdiff for trixie-security for review, 
bookworm-security debdiff missing
 --
+ruby-rack
+--
 ruby-saml/oldstable
   Utkarsh Gupta might work on an update
 --
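Review bot: the new `ruby-rack` entry has no status line, unlike `rtpengine` and `ruby-saml/oldstable` around it, which each carry an indented line saying who is working on the update and what is still missing; adding such a line (or at least which suites the update is needed for) would tell the next person reading dsa-needed.txt where this one stands.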



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78fefc4c674a9b6aab809f7ae5d95ae0d96fbc53
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits