Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f3a896b1 by Moritz Muehlenhoff at 2026-05-11T19:25:01+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -671,6 +671,8 @@ CVE-2026-41496 (PraisonAI is a multi-agent teams system. 
Prior to praisonai vers
        NOT-FOR-US: PraisonAI
 CVE-2026-41493 (YARD is a Ruby Documentation tool. Prior to version 0.9.42, a 
path tra ...)
        - yard <unfixed> (bug #1136076)
+       [trixie] - yard <no-dsa> (Minor issue)
+       [bookworm] - yard <no-dsa> (Minor issue)
        NOTE: 
https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
 CVE-2026-41491 (Dapr is a portable, event-driven, runtime for building 
distributed app ...)
        NOT-FOR-US: Dapr
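Review bot: the yard entry gains trixie/bookworm no-dsa tags but still carries only the GHSA advisory link, no "Fixed by:" NOTE with the upstream commit; since the description says the issue is fixed in 0.9.42, adding the fixing commit (with its version in parentheses, as other entries in this file do) would make a later point update easier to prepare.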
@@ -1944,10 +1946,14 @@ CVE-2026-8097 (A security flaw has been discovered in 
CodeAstro Online Classroom
        NOT-FOR-US: CodeAstro
 CVE-2026-8088 (A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. 
The af ...)
        - gdal <unfixed> (bug #1135997)
+       [trixie] - gdal <no-dsa> (Minor issue)
+       [bookworm] - gdal <no-dsa> (Minor issue)
        NOTE: 
https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c 
(v3.13.0RC1)
        NOTE: https://github.com/OSGeo/gdal/issues/14379
 CVE-2026-8087 (A security flaw has been discovered in OSGeo gdal up to 
3.13.0dev-4. I ...)
        - gdal <unfixed> (bug #1135997)
+       [trixie] - gdal <no-dsa> (Minor issue)
+       [bookworm] - gdal <no-dsa> (Minor issue)
        NOTE: https://github.com/OSGeo/gdal/issues/14363
        NOTE: 
https://github.com/OSGeo/gdal/commit/184f77dbcc74118c062c05e464c88161d3c37b9b 
(v3.13.0RC1)
 CVE-2026-8069 (PredatorSense version 3.00.3136 to 3.00.3196 contain Local 
Privilege E ...)
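Review bot: the gdal commit NOTEs for CVE-2026-8088 and CVE-2026-8087 lack the "Fixed by:" prefix used by other entries in this file (for example the fast-uri and FFmpeg entries), which makes the fixing commit harder to pick out from plain reference links; consider `NOTE: Fixed by: https://github.com/OSGeo/gdal/commit/... (v3.13.0RC1)` for both. Both CVEs share bug #1135997, so keeping the triage rationale identical across all gdal entries in this commit is good.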
@@ -1994,6 +2000,7 @@ CVE-2026-42501 (A malicious module proxy can exploit a 
flaw in the go command's
        - golang-1.25 1.25.10-1
        - golang-1.26 1.26.3-1
        - golang-1.24 <removed>
+       [trixie] - golang-1.24 <no-dsa> (Minor issue)
        - golang-1.19 <removed>
        - golang-1.15 <removed>
        NOTE: https://go-review.googlesource.com/c/go/+/775321
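Review bot: this hunk adds a [trixie] no-dsa line for golang-1.24 but no [bookworm] line, while the other entries in this commit tag both suites; if golang-1.19 (listed here as <removed>) is the bookworm source, it needs its own triage line, and if bookworm is not affected that should be recorded too so the entry does not show as open there.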
@@ -2003,6 +2010,7 @@ CVE-2026-42499 (Pathological inputs could cause DoS 
through consumePhrase when p
        - golang-1.25 1.25.10-1
        - golang-1.26 1.26.3-1
        - golang-1.24 <removed>
+       [trixie] - golang-1.24 <no-dsa> (Minor issue)
        - golang-1.19 <removed>
        - golang-1.15 <removed>
        NOTE: https://go-review.googlesource.com/c/go/+/771520
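Review bot: same point as for CVE-2026-42501 above: only [trixie] golang-1.24 is triaged here, and the bookworm golang source (golang-1.19, shown as <removed>) gets no tag, so the bookworm status of this consumePhrase DoS should be stated explicitly.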
@@ -2162,6 +2170,8 @@ CVE-2026-33823 (Improper authorization in Microsoft Teams 
allows an authorized a
        NOT-FOR-US: Microsoft
 CVE-2026-33814 (When processing HTTP/2 SETTINGS frames, transport will enter 
an infini ...)
        - golang-golang-x-net <unfixed> (bug #1136030)
+       [trixie] - golang-golang-x-net <no-dsa> (Minor issue)
+       [bookworm] - golang-golang-x-net <no-dsa> (Minor issue)
        NOTE: https://go-review.googlesource.com/c/go/+/761581
        NOTE: https://go-review.googlesource.com/c/net/+/761640
        NOTE: https://github.com/golang/go/issues/78476
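Review bot: the rationale "(Minor issue)" for golang-golang-x-net could be made more specific, since the description says the HTTP/2 SETTINGS handling enters an infinite loop, i.e. a denial of service; the bullseye entry for node-serialize-javascript in this same commit uses "(minor issue; DoS)", and the same form here would document why a no-dsa was chosen. Note also that golang-golang-x-net is a library, so fixed rdeps would need rebuilds; that is worth a NOTE if a point update is planned.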
@@ -2267,11 +2277,15 @@ CVE-2026-8090 (Use-after-free in the DOM: Networking 
component. This vulnerabili
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2026-44/#CVE-2026-8090
 CVE-2026-8086 (A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. 
This i ...)
        - gdal <unfixed> (bug #1135997)
+       [trixie] - gdal <no-dsa> (Minor issue)
+       [bookworm] - gdal <no-dsa> (Minor issue)
        NOTE: https://github.com/OSGeo/gdal/issues/14356
        NOTE: https://github.com/OSGeo/gdal/pull/14361
        NOTE: 
https://github.com/OSGeo/gdal/commit/9491e794f1757f08063ea2f7a274ad2994afa636 
(v3.12.4RC1)
 CVE-2026-8084 (A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. 
This v ...)
        - gdal <unfixed> (bug #1135997)
+       [trixie] - gdal <no-dsa> (Minor issue)
+       [bookworm] - gdal <no-dsa> (Minor issue)
        NOTE: https://github.com/OSGeo/gdal/issues/14378
        NOTE: 
https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c 
(v3.13.0RC1)
 CVE-2026-8083 (A vulnerability was found in SourceCodester Pharmacy Sales and 
Invento ...)
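Review bot: the gdal CVE-2026-8086 fix is annotated (v3.12.4RC1) whereas CVE-2026-8084 and the earlier CVE-2026-8088/8087 point at commit a791f70f... (v3.13.0RC1), all under bug #1135997; since the no-dsa tags defer these to a point update, recording which of the fixes are already in a released 3.12.x would help whoever prepares it. As before, the commit NOTEs would benefit from the "Fixed by:" prefix.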
@@ -4682,6 +4696,8 @@ CVE-2026-6918 (In Eclipse Open9J versions 0.21 to 0.58, a 
pre-authentication rem
        NOT-FOR-US: Eclipse
 CVE-2026-6322 (fast-uri normalize() decoded percent-encoded authority 
delimiters insi ...)
        - node-ajv 8.20.0~ds+~cs6.1.3-1 (bug #1135998)
+       [trixie] - node-ajv <no-dsa> (Minor issue)
+       [bookworm] - node-ajv <no-dsa> (Minor issue)
        NOTE: 
https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc
        NOTE: 
https://github.com/fastify/fast-uri/commit/6c86c17c3d76fb93aa3700ec6c0fa00faeb97293
 (v3.1.2)
        NOTE: Embedded fast-uri used and provided as node-fast-uri
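Review bot: the commit NOTE for CVE-2026-6322 lacks the "Fixed by:" prefix that the sibling CVE-2026-6321 entry uses for its fast-uri commit; making the two consistent (`NOTE: Fixed by: https://github.com/fastify/fast-uri/commit/6c86c17c... (v3.1.2)`) keeps the embedded-copy tracking uniform. The "Embedded fast-uri used and provided as node-fast-uri" NOTE is useful; it may be worth stating whether any other package embeds fast-uri separately.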
@@ -5027,6 +5043,8 @@ CVE-2026-6418 (An issue was discovered in the Shared 
Account Synchronization com
        NOT-FOR-US: PaperCut
 CVE-2026-6321 (fast-uri decoded percent-encoded path separators and dot 
segments befo ...)
        - node-ajv 8.20.0~ds+~cs6.1.3-1 (bug #1135998)
+       [trixie] - node-ajv <no-dsa> (Minor issue)
+       [bookworm] - node-ajv <no-dsa> (Minor issue)
        NOTE: 
https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6
        NOTE: Fixed by: 
https://github.com/fastify/fast-uri/commit/876ce79b662c3e5015e4e7dffe6f37752ad34f35
 (v3.1.1)
        NOTE: Embedded fast-uri used and provided as node-fast-uri
@@ -5199,6 +5217,8 @@ CVE-2026-42075 (Evolver is a GEP-powered self-evolving 
engine for AI agents. Pri
        NOT-FOR-US: Evolver
 CVE-2026-42052 (Beets is the media library management system. Prior to version 
2.10.0, ...)
        - beets <unfixed> (bug #1135779)
+       [trixie] - beets <no-dsa> (Minor issue)
+       [bookworm] - beets <no-dsa> (Minor issue)
        NOTE: 
https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847
 CVE-2026-42027 (Arbitrary Class Instantiation via Model Manifest in Apache 
OpenNLP Ext ...)
        - apache-opennlp 2.5.9-1 (bug #1135782)
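Review bot: the beets entry is tagged no-dsa for both suites with only the GHSA advisory as reference; a "Fixed by:" NOTE with the upstream commit for the 2.10.0 fix would be needed before a point update can be prepared, so consider adding it now or noting that it is still to be identified.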
@@ -8542,6 +8562,8 @@ CVE-2026-7183 (A vulnerability has been found in aligungr 
UERANSIM up to 3.2.7.
        NOT-FOR-US: aligungr UERANSIM
 CVE-2026-7179 (A security vulnerability has been detected in OSPG binwalk up 
to 2.4.3 ...)
        - binwalk <unfixed> (bug #1136010)
+       [trixie] - binwalk <no-dsa> (Minor issue)
+       [bookworm] - binwalk <no-dsa> (Minor issue)
        NOTE: 
https://github.com/dhabaleshwar/Open-Source-Vulnerabilities/blob/main/binwalk_path_traversal.md
 CVE-2026-7178 (A weakness has been identified in ChatGPTNextWeb NextChat up to 
2.16.1 ...)
        NOT-FOR-US: ChatGPTNextWeb NextChat
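Review bot: the only reference for binwalk CVE-2026-7179 is a third-party writeup (the Open-Source-Vulnerabilities markdown), with no upstream issue or fix; since the entry is <unfixed> and now no-dsa in both suites, it should carry a NOTE on whether an upstream report exists so the deferred fix has something to track.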
@@ -8774,6 +8796,8 @@ CVE-2026-6970 (authd prior to version 0.6.4 contains a 
logic error in primary gr
        NOT-FOR-US: Canonical authd
 CVE-2026-6357 (pip prior to version 26.1 would run self-update check 
functionality af ...)
        - python-pip <unfixed> (bug #1135110)
+       [trixie] - python-pip <no-dsa> (Minor issue)
+       [bookworm] - python-pip <no-dsa> (Minor issue)
        NOTE: https://github.com/pypa/pip/pull/13923
 CVE-2026-6337
        REJECTED
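Review bot: the python-pip NOTE points at pull request 13923 without the fixed version that other entries append in parentheses; since the description says the fix is in pip 26.1, `NOTE: Fixed by: https://github.com/pypa/pip/pull/13923 (26.1)` would be clearer, and a NOTE on whether the self-update check is even reachable in the Debian-packaged pip would justify the "Minor issue" rationale.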
@@ -14437,6 +14461,7 @@ CVE-2026-40962 (FFmpeg before 8.1 has an integer 
overflow and resultant out-of-b
        [bullseye] - ffmpeg <postponed> (minor issue)
        NOTE: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22348
        NOTE: Fixed by: 
https://code.ffmpeg.org/FFmpeg/FFmpeg/commit/e392fb8c9c3949d975531d2b23c645d2465a7ebc
 (n8.1)
+       NOTE: Fixed by: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/78c944bdb170d8dcece166115d92b45379b040f4
 (n7.1.4)
        NOTE: Fixed by: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/b07fdedf940ded686ffe4e9fb221170a11ff0478
 (n5.1.9)
 CVE-2026-40947 (Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and 
yubikey- ...)
        - libfido2 <not-affected> (Only affects libfido2 on Windows)
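Review bot: the added n7.1.4 "Fixed by:" line uses git.ffmpeg.org/gitweb while the n8.1 line uses code.ffmpeg.org; both are fine, but the three lines would be easier to verify with one consistent host. This entry feeds the new dsa-needed.txt item for 5.1.9 and 7.1.4, so the trixie/bookworm status lines for CVE-2026-40962 (not visible in this hunk) should agree with those target versions.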
@@ -24060,6 +24085,8 @@ CVE-2026-34054 (vcpkg is a free and open-source C/C++ 
package manager. Prior to
        NOT-FOR-US: vcpkg
 CVE-2026-34043 (Serialize JavaScript to a superset of JSON that includes 
regular expre ...)
        - node-serialize-javascript 7.0.5+~5.0.4-1 (bug #1132605)
+       [trixie] - node-serialize-javascript <no-dsa> (Minor issue)
+       [bookworm] - node-serialize-javascript <no-dsa> (Minor issue)
        [bullseye] - node-serialize-javascript <postponed> (minor issue; DoS)
        NOTE: 
https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v
        NOTE: 
https://github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b
 (v7.0.5)
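Review bot: the new [trixie]/[bookworm] lines say "(Minor issue)" while the existing [bullseye] line directly below says "(minor issue; DoS)"; aligning the new rationale with the bullseye one keeps the reason for the no-dsa visible in all three suites.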
@@ -216317,6 +216344,8 @@ CVE-2024-45613 (CKEditor 5 is a JavaScript rich-text 
editor. Starting in version
        - ckeditor3 <not-affected> (Specific to ckeditor 5)
 CVE-2024-44825 (Directory Traversal vulnerability in Centro de Tecnologia da 
Informaco ...)
        - invesalius <unfixed> (bug #1136204)
+       [trixie] - invesalius <no-dsa> (Minor issue)
+       [bookworm] - invesalius <no-dsa> (Minor issue)
        NOTE: 
https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-44825
        NOTE: 
https://www.partywave.site/show/research/cve-2024-44825-invesalius-arbitrary-file-write-and-directory-traversal
        NOTE: 
https://github.com/invesalius/invesalius3/commit/8b966260b3d9510e3ddc473aac4cc6578bab3aab
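Review bot: the invesalius commit NOTE has neither the "Fixed by:" prefix nor a version annotation, unlike most other entries in this commit; since the package is <unfixed> and now deferred in both suites, marking that commit as the fix (and the upstream release it landed in, if known) would help the eventual upload.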
@@ -278097,8 +278126,14 @@ CVE-2024-27354 (An issue was discovered in phpseclib 
1.x before 1.0.23, 2.x befo
        NOTE: 
https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
 CVE-2026-XXXX [Bypass of CVE-2024-27355 mitigations]
        - phpseclib 1.0.29-1
+       [trixie] - phpseclib <no-dsa> (Minor issue, will be fixed via point 
update)
+       [bookworm] - phpseclib <no-dsa> (Minor issue, will be fixed via point 
update)
        - php-phpseclib 2.0.54-1
+       [trixie] - php-phpseclib <no-dsa> (Minor issue, will be fixed via point 
update)
+       [bookworm] - php-phpseclib <no-dsa> (Minor issue, will be fixed via 
point update)
        - php-phpseclib3 3.0.52-1
+       [trixie] - php-phpseclib3 <no-dsa> (Minor issue, will be fixed via 
point update)
+       [bookworm] - php-phpseclib3 <no-dsa> (Minor issue, will be fixed via 
point update)
        NOTE: 
https://github.com/phpseclib/phpseclib/security/advisories/GHSA-3qpq-r242-jqj7
        NOTE: Fixed by: 
https://github.com/phpseclib/phpseclib/commit/d53d2021bcb9f6a04d5d44ec99e6bbef219a71bc
 (3.0.52, 2.0.54, 1.0.29)
 CVE-2024-27355 (An issue was discovered in phpseclib 1.x before 1.0.23, 2.x 
before 2.0 ...)
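Review bot: the entry being triaged still carries the placeholder identifier CVE-2026-XXXX; the no-dsa lines are fine, but the placeholder needs to be replaced once an ID is assigned, and the "will be fixed via point update" rationale should be mirrored by a corresponding point-update tracking entry so the three source packages (phpseclib, php-phpseclib, php-phpseclib3) are not forgotten.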


=====================================
data/dsa-needed.txt
=====================================
@@ -22,6 +22,9 @@ ceph (carnil)
 --
 cups
 --
+ffmpeg (jmm)
+  for 5.1.9 and 7.1.4
+--
 firebird3.0
 --
 firebird4.0/stable
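Review bot: the new ffmpeg item names target versions 5.1.9 and 7.1.4, which match the n5.1.9 and n7.1.4 "Fixed by:" notes in data/CVE/list; consider also stating which CVE(s) the DSA is meant to cover, as the CVE-2026-40962 entry in this commit is the only one linked to those versions.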



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3a896b1c052b6a4933b8829788f0f22c251b86a



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits