[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Wed, 06 May 2026 04:50:00 -0700 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3cb302cb by Moritz Muehlenhoff at 2026-05-06T13:47:39+02:00
trixie/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -815,11 +815,15 @@ CVE-2026-42151 (Prometheus is an open-source monitoring 
system and time series d
        NOTE: https://github.com/prometheus/prometheus/pull/18590
 CVE-2026-42146 (CImg Library is a C++ library for image processing. Prior to 
commit c3 ...)
        - cimg <unfixed> (bug #1135778)
+       [trixie] - cimg <no-dsa> (Minor issue)
+       [bookworm] - cimg <no-dsa> (Minor issue)
        NOTE: 
https://github.com/GreycLab/CImg/security/advisories/GHSA-g54r-qmgx-c6fv
        NOTE: https://github.com/GreycLab/CImg/issues/477
        NOTE: Fixed by: 
https://github.com/GreycLab/CImg/commit/c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3
 (v3.7.5)
 CVE-2026-42144 (CImg Library is a C++ library for image processing. Prior to 
commit 4c ...)
        - cimg <unfixed> (bug #1135778)
+       [trixie] - cimg <no-dsa> (Minor issue)
+       [bookworm] - cimg <no-dsa> (Minor issue)
        NOTE: 
https://github.com/GreycLab/CImg/security/advisories/GHSA-4663-63fm-44gc
        NOTE: https://github.com/GreycLab/CImg/issues/478
        NOTE: Fixed by: 
https://github.com/GreycLab/CImg/commit/4ca26bce4d8c61fcd1507d5f9401b9fb1222c27d
 (v3.7.5)
@@ -3913,6 +3917,8 @@ CVE-2026-6706 (Improper  access control in the vault 
documentation feature in De
        NOT-FOR-US: Devolutions
 CVE-2026-6238 (The deprecated functions ns_printrrf, ns_printrr and fp_nquery 
in the  ...)
        - glibc <unfixed> (bug #1135231)
+       [trixie] - glibc <no-dsa> (Minor issue)
+       [bookworm] - glibc <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=34069
        NOTE: 
https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0012
 CVE-2026-5944 (An improper access control vulnerability exists in the Cisco 
Intersigh ...)
@@ -3927,6 +3933,8 @@ CVE-2026-5779 (An insecure direct object reference (IDOR) 
vulnerability in MphRx
        NOT-FOR-US: MphRx Minerva
 CVE-2026-5435 (The deprecated functions ns_printrrf, ns_printrr and fp_nquery 
in the  ...)
        - glibc <unfixed> (bug #1135230)
+       [trixie] - glibc <no-dsa> (Minor issue)
+       [bookworm] - glibc <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=34033
        NOTE: 
https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0011
 CVE-2026-4911 (The Booking Package plugin for WordPress is vulnerable to Price 
Manipu ...)
@@ -20255,9 +20263,11 @@ CVE-2026-4988 (A security flaw has been discovered in 
Open5GS 2.7.6. This issue
 CVE-2026-4987 (The SureForms \u2013 Contact Form, Payment Form & Other Custom 
Form Bu ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-4985 (A vulnerability was identified in dloebl CGIF up to 0.5.2. This 
vulner ...)
-       - cgif 0.5.3-1 (bug #1132167)
+       - cgif 0.5.3-1 (bug #1132167; unimportant)
        NOTE: https://github.com/dloebl/cgif/issues/110
        NOTE: https://github.com/dloebl/cgif/pull/112
+       NOTE: 
https://github.com/dloebl/cgif/commit/a9ecd7a129f3f7177dfec3e0e7b48c87131ac410
+       NOTE: No security impact per upstream
 CVE-2026-4984 (The Twilio integration webhook handler accepts any POST request 
withou ...)
        NOT-FOR-US: botpress
 CVE-2026-4982 (A user with permission "update world" in any Venueless world is 
able t ...)
@@ -27006,7 +27016,7 @@ CVE-2026-26945 (Dell Integrated Dell Remote Access 
Controller 9, 14G versions pr
 CVE-2026-26740 (Buffer Overflow vulnerability in giflib v.5.2.2 allows a 
remote attack ...)
        - giflib <unfixed> (bug #1131368)
        NOTE: 
https://github.com/zakkanijia/POC/blob/main/giflib/giftool/giflib_giftool_gce_len_heap_oobwrite_disclosure.md
-       TODO: check report upstream
+       NOTE: https://sourceforge.net/p/giflib/bugs/199/
 CVE-2026-25449 (Deserialization of Untrusted Data vulnerability in shinetheme 
Traveler ...)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-24063 (When a plugin is installed using the Arturia Software Center 
(MacOS),  ...)
@@ -28415,6 +28425,8 @@ CVE-2026-32628 (AnythingLLM is an application that 
turns pieces of content into
 CVE-2026-32627 (cpp-httplib is a C++11 single-file header-only cross platform 
HTTP/HTT ...)
        [experimental] - cpp-httplib 0.41.0+ds-1
        - cpp-httplib 0.41.0+ds-3 (bug #1130876)
+       [trixie] - cpp-httplib <no-dsa> (Minor issue)
+       [bookworm] - cpp-httplib <no-dsa> (Minor issue)
        NOTE: 
https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-c3h8-fqq4-xm4g
 CVE-2026-32626 (AnythingLLM is an application that turns pieces of content 
into contex ...)
        NOT-FOR-US: AnythingLLM
@@ -31909,6 +31921,8 @@ CVE-2026-29184 (Backstage is an open framework for 
building developer portals. P
 CVE-2026-29076 (cpp-httplib is a C++11 single-file header-only cross platform 
HTTP/HTT ...)
        [experimental] - cpp-httplib 0.41.0+ds-1
        - cpp-httplib 0.41.0+ds-3 (bug #1130235)
+       [trixie] - cpp-httplib <no-dsa> (Minor issue)
+       [bookworm] - cpp-httplib <no-dsa> (Minor issue)
        NOTE: 
https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-qq6v-r583-3h69
        NOTE: Fixed by: 
https://github.com/yhirose/cpp-httplib/commit/de296af3eb5b0d5c116470e033db900e4812c5e6
 (v0.37.0)
 CVE-2026-29067 (ZITADEL is an open source identity management platform. From 
version 4 ...)
@@ -150920,13 +150934,11 @@ CVE-2025-31672 (Improper Input Validation 
vulnerability in Apache POI. The issue
        NOTE: https://www.openwall.com/lists/oss-security/2025/04/08/2
        NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=69620
 CVE-2025-31344 (Heap-based Buffer Overflow vulnerability in openEuler giflib 
on Linux. ...)
-       - giflib <unfixed> (bug #1102520)
-       [trixie] - giflib <no-dsa> (Minor issue)
-       [bookworm] - giflib <no-dsa> (Minor issue)
-       [bullseye] - giflib <postponed> (Minor issue, revisit when fixed 
upstream)
+       - giflib <unfixed> (bug #1102520; unimportant)
        NOTE: https://www.openwall.com/lists/oss-security/2025/04/07/3
        NOTE: https://sourceforge.net/p/giflib/bugs/176/
        NOTE: Fixed by: 
https://sourceforge.net/p/giflib/code/ci/7bbe8ea1a595bb7509ffa0a86b076e9b720e85af/
 (6.1.1)
+       NOTE: Crash in CLI tool, no security impact
 CVE-2025-22017 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
        - linux 6.12.21-1
        [bookworm] - linux <not-affected> (Vulnerable code not present)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cb302cb300e2f32ede7ad3e2441077c8a42765f

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cb302cb300e2f32ede7ad3e2441077c8a42765f
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to