Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5345aab3 by Moritz Muehlenhoff at 2026-05-07T12:43:41+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -235,6 +235,8 @@ CVE-2026-33441
        REJECTED
 CVE-2026-44353
        - streamlink 8.4.0-1
+       [trixie] - streamlink <no-dsa> (Minor issue)
+       [bookworm] - streamlink <no-dsa> (Minor issue)
        NOTE: 
https://github.com/streamlink/streamlink/security/advisories/GHSA-hgqw-6m45-hw5f
 CVE-2026-8031 (A vulnerability was detected in PicoTronica e-Clinic Healthcare 
System ...)
        NOT-FOR-US: PicoTronica e-Clinic Healthcare System
@@ -696,6 +698,7 @@ CVE-2026-34473 (Unauthenticated DoS in ZTE H8102E, H168N, 
H167A, H199A, H288A, H
        NOT-FOR-US: ZTE
 CVE-2026-33079 (In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS 
(Regula ...)
        - mistune <unfixed>
+       [trixie] - mistune <postponed> (Minor issue, revisit when fixed 
upstream)
        [bookworm] - mistune <not-affected> (Vulnerable code not present)
        [bullseye] - mistune <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/lepture/mistune/security/advisories/GHSA-8mp2-v27r-99xp
@@ -6111,8 +6114,9 @@ CVE-2026-42379 (Insertion of Sensitive Information Into 
Sent Data vulnerability
 CVE-2026-41635 (Apache MINA's AbstractIoBuffer.resolveClass() contains two 
branches, o ...)
        - mina2 <unfixed> (bug #1135167)
        [trixie] - mina2 <no-dsa> (Minor issue)
-       [bookworm] - mina2 <no-dsa> (Minor issue)
+       [bookworm] - mina2 <ignored> (Minor issue)
        - mina <removed>
+       [bookworm] - mina <ignored> (Minor issue)
        NOTE: https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm
 CVE-2026-41467 (ProjeQtor versions 7.0 through 12.4.3 contain a stored 
cross-site scri ...)
        NOT-FOR-US: ProjeQtor
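Review bot: the `[bookworm] - mina2 <ignored> (Minor issue)` line carries over the rationale of the `<no-dsa>` line it replaces, but `<ignored>` is a stronger decision than `<no-dsa>` (no fix for bookworm at all, not just no DSA), so the parenthetical should state why the bookworm fix is being declined, especially since trixie keeps `<no-dsa>` for the same issue with the same "Minor issue" text. The new `[bookworm] - mina <ignored>` line sits under a source marked `<removed>`, so it is worth confirming bookworm still ships src:mina before annotating it.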
@@ -6640,6 +6644,7 @@ CVE-2026-41244 (Mojic is a CLI tool to transform readable 
C code into an unrecog
        NOT-FOR-US: Mojic
 CVE-2026-XXXX [RUSTSEC-2026-0104]
        - rust-rustls-webpki 0.103.13+ds-1
+       [trixie] - rust-rustls-webpki <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0104.html
        NOTE: https://github.com/advisories/GHSA-82j2-j2ch-gfr8
 CVE-2026-42254 (Hickory DNS hickory-recursor 0.1 through 0.25.2 allows 
cross-zone pois ...)
@@ -13561,7 +13566,7 @@ CVE-2026-6100 (Use-after-free (UAF) was possible in the 
`lzma.LZMADecompressor`,
        {DLA-4532-1}
        - python3.14 3.14.5~rc1-1
        - python3.13 <unfixed>
-       [bookworm] - python3.13 <no-dsa> (Minor issue)
+       [trixie] - python3.13 <no-dsa> (Minor issue)
        - python3.11 <removed>
        [bookworm] - python3.11 <no-dsa> (Minor issue)
        - python3.9 <removed>
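Review bot: the suite correction is right: the removed `[bookworm] - python3.13 <no-dsa>` line tagged a package bookworm does not ship, and the bookworm decision for this CVE is already the `[bookworm] - python3.11 <no-dsa>` line two lines below, so the annotation belongs on trixie as the `+` line now has it. Worth a quick grep for any other `[bookworm] - python3.13` lines in data/CVE/list that carry the same mislabel.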
@@ -15487,6 +15492,7 @@ CVE-2026-1403
        - gitlab <unfixed>
 CVE-2026-XXXX [RUSTSEC-2026-0049]
        - rust-rustls-webpki 0.103.10+ds-1 (bug #1133085)
+       [trixie] - rust-rustls-webpki <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0049.html
 CVE-2026-5919 (Insufficient validation of untrusted input in WebSockets in 
Google Chr ...)
        {DSA-6205-1}
@@ -29429,6 +29435,7 @@ CVE-2025-71239 (In the Linux kernel, the following 
vulnerability has been resolv
        NOTE: 
https://git.kernel.org/linus/4f493a6079b588cf1f04ce5ed6cdad45ab0d53dc (7.0-rc1)
 CVE-2026-32829 (lz4_flex is a pure Rust implementation of LZ4 
compression/decompressio ...)
        - rust-lz4-flex 0.13.0-1
+       [trixie] - rust-lz4-flex <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0041.html
        NOTE: https://github.com/advisories/GHSA-vvp9-7p8x-rfvv
 CVE-2026-4312 (GCB/FCB Audit Software developed by DrangSoft has a Missing 
Authentica ...)
@@ -337538,10 +337545,12 @@ CVE-2023-26488 (OpenZeppelin Contracts is a library 
for secure smart contract de
        NOT-FOR-US: OpenZeppelin
 CVE-2023-26487 (Vega is a visualization grammar, a declarative format for 
creating, sa ...)
        - vega.js 5.25.0+ds+~cs5.3.0-1
+       [bookworm] - vega.js <no-dsa> (Minor issue)
        NOTE: 
https://github.com/vega/vega/security/advisories/GHSA-w5m3-xh75-mp55
        NOTE: 
https://github.com/vega/vega/commit/01adb034f24727d3bb321bbbb6696a7f4cd91689 
(v5.23.0)
 CVE-2023-26486 (Vega is a visualization grammar, a declarative format for 
creating, sa ...)
        - vega.js 5.25.0+ds+~cs5.3.0-1
+       [bookworm] - vega.js <no-dsa> (Minor issue)
        NOTE: 
https://github.com/vega/vega/security/advisories/GHSA-4vq7-882g-wcg4
 CVE-2023-26485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and 
renderin ...)
        - cmark-gfm 0.29.0.gfm.13-1 (bug #1034171)
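Review bot: missing documentation on the CVE-2023-26486 entry: CVE-2023-26487 directly above records the upstream fix commit and version (v5.23.0) in a NOTE, while 26486 only has the GHSA link. Since the same `[bookworm] - vega.js <no-dsa> (Minor issue)` tag is added to both, the corresponding upstream fix reference for 26486 should be added as well so the bookworm decision can be checked against the version that fixed it.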


=====================================
data/dsa-needed.txt
=====================================
@@ -122,5 +122,7 @@ tomcat10 (apo)
 --
 tomcat11/stable (apo)
 --
+tor
+--
 xrdp
 --
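Review bot: the new `tor` entry carries no reference to the CVE(s) that put it on the list, and none of the data/CVE/list hunks in this commit mention tor, so the trigger is not visible from this commit; a short pointer would help whoever picks it up. The entry itself matches the neighbouring format (`tor` followed by `--`), is unclaimed like other entries without a name in parentheses, and keeps the alphabetical order between `tomcat11/stable` and `xrdp`.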



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5345aab3e474d102f67fb87041a0f423e58e27c7



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits