Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0e7e4405 by Moritz Muehlenhoff at 2026-05-06T17:20:25+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1480,19 +1480,26 @@ CVE-2026-43060 (In the Linux kernel, the following 
vulnerability has been resolv
        NOTE: 
https://git.kernel.org/linus/36eae0956f659e48d5366d9b083d9417f3263ddc (7.0-rc5)
 CVE-2026-6502
        - qemu 1:11.0.0+ds-2
+       [trixie] - qemu <no-dsa> (Minor issue)
        [bookworm] - qemu <not-affected> (Vulnerable code not present)
        NOTE: Introduced with: 
https://gitlab.com/qemu-project/qemu/-/commit/7c092f17cceef10258ed23006b40e19b14996471
 (v9.2.0-rc0)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/30fad722ce68316d22b926ba0e6017f0440465df
 CVE-2026-6907 (An issue was discovered in 6.0 before 6.0.5 and 5.2 before 
5.2.14. `dj ...)
        - python-django 3:5.2.14-1 (bug #1135755)
+       [trixie] - python-django <no-dsa> (Minor issue)
+       [bookworm] - python-django <no-dsa> (Minor issue)
        NOTE: 
https://www.djangoproject.com/weblog/2026/may/05/security-releases/
        NOTE: Fixed by: 
https://github.com/django/django/commit/2115d4eaee15107f5cd290d7cfcc5ffe3ad43661
 (5.2.14)
 CVE-2026-35192 (An issue was discovered in 6.0 before 6.0.5 and 5.2 before 
5.2.14. Res ...)
        - python-django 3:5.2.14-1 (bug #1135755)
+       [trixie] - python-django <no-dsa> (Minor issue)
+       [bookworm] - python-django <no-dsa> (Minor issue)
        NOTE: 
https://www.djangoproject.com/weblog/2026/may/05/security-releases/
        NOTE: Fixed by: 
https://github.com/django/django/commit/47cf968c125e3fab317e10fe150ec479e745f995
 (5.2.14)
 CVE-2026-5766 (An issue was discovered in 6.0 before 6.0.5 and 5.2 before 
5.2.14. ASG ...)
        - python-django 3:5.2.14-1 (bug #1135755)
+       [trixie] - python-django <no-dsa> (Minor issue)
+       [bookworm] - python-django <no-dsa> (Minor issue)
        NOTE: 
https://www.djangoproject.com/weblog/2026/may/05/security-releases/
        NOTE: Fixed by: 
https://github.com/django/django/commit/2ec27eda3ba6c14f0856e6e3eb1df07c41fd95e6
 (5.2.14)
 CVE-2026-43869 (Improper Validation of Certificate with Host Mismatch 
vulnerability in ...)
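Review bot: the new `[trixie] - qemu <no-dsa> (Minor issue)` line carries no rationale, whereas the neighbouring bookworm `<not-affected>` mark is backed by the "Introduced with" NOTE (v9.2.0-rc0). Suggest adding a NOTE stating why the issue is minor for trixie so the next triager does not have to re-derive it. The three python-django entries are consistent with each other (same bug #1135755, same 5.2.14 fix, same tags), so no concern there.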
@@ -2257,6 +2264,8 @@ CVE-2026-0703 (The NextMove Lite \u2013 Thank You Page 
for WooCommerce plugin fo
        NOT-FOR-US: WordPress plugin
 CVE-2026-40561 (Starlet versions through 0.31 for Perl allows HTTP Request 
Smuggling v ...)
        - starlet 0.31-3 (bug #1135584)
+       [trixie] - starlet <no-dsa> (Minor issue)
+       [bookworm] - starlet <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/39593408/
        NOTE: Fixed by: 
https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0
 CVE-2026-7647 (The Profile Builder Pro plugin for WordPress is vulnerable to 
PHP Obje ...)
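Review bot: `<no-dsa> (Minor issue)` is applied to an HTTP request smuggling flaw in starlet without any justification beyond the tag; request smuggling is normally treated as a higher-impact class, so a short NOTE explaining the downgrade (e.g. the deployment assumption that makes it minor) would make the decision auditable.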
@@ -4336,6 +4345,8 @@ CVE-2026-XXXX [RUSTSEC-2026-0113]
        NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0113.html
 CVE-2026-7111 (Text::CSV_XS versions before 1.62 for Perl have a 
use-after-free when  ...)
        - libtext-csv-xs-perl 1.62-1 (bug #1135232)
+       [trixie] - libtext-csv-xs-perl <no-dsa> (Minor issue)
+       [bookworm] - libtext-csv-xs-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/39453344/
        NOTE: https://github.com/cpan-authors/Text-CSV_XS/issues/65
        NOTE: Requisite for test case: 
https://github.com/cpan-authors/Text-CSV_XS/commit/b69bd94c2847cf3a28442af6286a345435955bcd
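Review bot: the libtext-csv-xs-perl entry has a "Requisite for test case" NOTE but no "Fixed by" NOTE, so the actual fixing commit for the use-after-free is not recorded here; suggest adding the fix reference alongside the test-case prerequisite so a stable backport can be prepared from the tracker alone.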
@@ -11352,6 +11363,8 @@ CVE-2026-6383 (A flaw was found in KubeVirt's 
Role-Based Access Control (RBAC) e
        NOT-FOR-US: KubeVirt
 CVE-2026-6245 (A flaw was found in the System Security Services Daemon (SSSD). 
The pa ...)
        - sssd <unfixed> (bug #1134269)
+       [trixie] - sssd <no-dsa> (Minor issue)
+       [bookworm] - sssd <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2457954
        NOTE: https://github.com/SSSD/sssd/pull/8622
        NOTE: Fixed by: 
https://github.com/SSSD/sssd/commit/550b08cabe4dd5508c7ea74f634869374204d63f 
(2.13.0)
@@ -57949,9 +57962,13 @@ CVE-2025-67732 (Dify is an open-source LLM app 
development platform. Prior to ve
        NOT-FOR-US: Dify
 CVE-2025-66648 (vega-functions provides function implementations for the Vega 
expressi ...)
        - vega.js 5.33.1+ds+~cs5.3.0-2 (bug #1125185)
+       [trixie] - vega.js <no-dsa> (Minor issue)
+       [bookworm] - vega.js <no-dsa> (Minor issue)
        NOTE: 
https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm
 CVE-2025-65110 (Vega is a visualization grammar, a declarative format for 
creating, sa ...)
        - vega.js 5.33.1+ds+~cs5.3.0-4 (bug #1125184)
+       [trixie] - vega.js <no-dsa> (Minor issue)
+       [bookworm] - vega.js <no-dsa> (Minor issue)
        NOTE: 
https://github.com/vega/vega/security/advisories/GHSA-829q-m3qg-ph8r
 CVE-2025-64425 (Coolify is an open-source and self-hostable tool for managing 
servers, ...)
        NOT-FOR-US: Coolify
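Review bot: the two vega.js entries are tagged `<no-dsa>` for both trixie and bookworm, with fixes recorded in 5.33.1+ds+~cs5.3.0-2 and -4 respectively; since the same source package carries several such advisories in this commit, it may be worth noting whether one point-release update is planned to cover all of them rather than tracking each in isolation.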
@@ -79058,6 +79075,8 @@ CVE-2025-60671 (A command injection vulnerability 
exists in the D-Link DIR-823G
        NOT-FOR-US: D-Link
 CVE-2025-59840 (Vega is a visualization grammar, a declarative format for 
creating, sa ...)
        - vega.js 5.33.1+ds+~cs5.3.0-4 (bug #1125183)
+       [trixie] - vega.js <no-dsa> (Minor issue)
+       [bookworm] - vega.js <no-dsa> (Minor issue)
        NOTE: 
https://github.com/vega/vega/security/advisories/GHSA-7f2v-3qq3-vvjf
 CVE-2025-59480 (Mattermost Mobile Apps versions <=2.32.0 fail to verify that 
SSO redir ...)
        NOT-FOR-US: Mattermost Mobile Apps
@@ -156689,6 +156708,8 @@ CVE-2025-28135 (TOTOLINK A810R 
V4.1.2cu.5182_B20201026 was found to contain a bu
        NOT-FOR-US: TOTOLINK
 CVE-2025-27793 (Vega is a visualization grammar, a declarative format for 
creating, sa ...)
        - vega.js 5.33.1+ds+~cs5.3.0-1 (bug #1125182)
+       [trixie] - vega.js <no-dsa> (Minor issue)
+       [bookworm] - vega.js <no-dsa> (Minor issue)
        NOTE: 
https://github.com/vega/vega/security/advisories/GHSA-963h-3v39-3pqf
        NOTE: Fixed by: 
https://github.com/vega/vega/commit/694560c0aa576df8b6c5f0f7d202ac82233e6966 
(v5.32.0)
 CVE-2025-26909 (Improper Control of Filename for Include/Require Statement in 
PHP Prog ...)
@@ -156709,6 +156730,8 @@ CVE-2025-26731 (Improper Neutralization of Input 
During Web Page Generation ('Cr
        NOT-FOR-US: WordPress plugin or theme
 CVE-2025-26619 (Vega is a visualization grammar, a declarative format for 
creating, sa ...)
        - vega.js 5.33.1+ds+~cs5.3.0-1 (bug #1125181)
+       [trixie] - vega.js <no-dsa> (Minor issue)
+       [bookworm] - vega.js <no-dsa> (Minor issue)
        NOTE: 
https://github.com/vega/vega/security/advisories/GHSA-rcw3-wmx7-cphr
        NOTE: https://github.com/vega/vega/issues/3984
        NOTE: Fixed by: 
https://github.com/vega/vega/commit/8fc129a6f8a11e96449c4ac0f63de0e5bfc7254c 
(v5.31.0)
@@ -171069,6 +171092,7 @@ CVE-2025-25740 (D-Link DIR-853 A1 FW1.20B07 was 
discovered to contain a stack-ba
        NOT-FOR-US: D-Link
 CVE-2025-25304 (Vega is a visualization grammar, a declarative format for 
creating, sa ...)
        - vega.js 5.28.0+ds+~cs5.3.0-1
+       [bookworm] - vega.js <no-dsa> (Minor issue)
        NOTE: 
https://github.com/vega/vega/security/advisories/GHSA-mp7w-mhcv-673j
        NOTE: Fixed by: 
https://github.com/vega/vega/commit/9fb9ea07e27984394e463d286eb73944fa61411e 
(v5.26.0)
 CVE-2025-25297 (Label Studio is an open source data labeling tool. Prior to 
version 1. ...)
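Review bot: unlike the other vega.js entries in this commit, CVE-2025-25304 receives only a `[bookworm]` tag and no `[trixie]` line; the fixed version shown (5.28.0+ds+~cs5.3.0-1) is lower than the versions fixing the other vega.js CVEs, which is consistent with trixie already shipping a fixed version, but the entry does not say so. Suggest confirming trixie's version is at or above 5.28.0+ds+~cs5.3.0-1 and, if so, leaving it as is.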


=====================================
data/dsa-needed.txt
=====================================
@@ -44,6 +44,8 @@ isc-kea/oldstable
 --
 jackson-core (apo)
 --
+jetty12/stable
+--
 kamailio
 --
 krb5



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e7e4405cfaee5a0f70e7b9d8f5a1616dbe17d69



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
