Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
46afee35 by Moritz Muehlenhoff at 2026-05-17T15:34:52+02:00
trixie/bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -311,6 +311,8 @@ CVE-2026-45772 (Turborepo is a high-performance build
system for JavaScript and
NOT-FOR-US: Turborepo
CVE-2026-45736 (ws is an open source WebSocket client and server for Node.js.
Prior to ...)
- node-ws 8.20.1+~cs14.19.1-1 (bug #1136804)
+ [trixie] - node-ws <no-dsa> (Minor issue)
+ [bookworm] - node-ws <no-dsa> (Minor issue)
NOTE:
https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx
NOTE: Fixed by:
https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086
(8.20.1)
CVE-2026-45622 (Vvveb is a powerful and easy to use CMS with page builder to
build web ...)
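Review bot: the new [trixie] and [bookworm] <no-dsa> lines for node-ws carry only "Minor issue" as rationale; the advisory and the 8.20.1 fix commit are already linked in the NOTEs, so a one-line NOTE stating why the ws issue is considered minor (as this same commit does for jq and binaryen with "Crash in CLI tool, no security impact") would save the next triager a round trip to the advisory.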
@@ -458,6 +460,8 @@ CVE-2026-8503 (Apache::Session::Generate::SHA256 versions
before 1.3.19 for Perl
NOTE:
https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/cc915cbbd266776eec3dd8bf4748b15fa827dbd0
(v1.3.19)
CVE-2026-8669 (Imager versions through 1.030 for Perl allow a heap out of
bounds (OOB ...)
- libimager-perl 1.031+dfsg-1
+ [trixie] - libimager-perl <no-dsa> (Minor issue)
+ [bookworm] - libimager-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40083214/
NOTE: Imager embbeds the Imager::File::GIF code and syncs the fix:
NOTE: Fixed by:
https://github.com/tonycoz/imager/commit/782e9c06cc75a0f7eed383f39522f51f44598b04
(v1.031)
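Review bot: the existing NOTE "Imager embbeds the Imager::File::GIF code and syncs the fix:" has a typo ("embbeds" should be "embeds"); since this hunk already touches the entry, it is cheap to fix here. The description names a heap out-of-bounds access in an image decoder, so a short NOTE on why it is tagged "Minor issue" for trixie and bookworm (e.g. read-only, or limited to a specific input path) would make the no-dsa decision easier to audit later.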
@@ -523,12 +527,18 @@ CVE-2026-44647 (OneDev is a Git server with CI/CD,
kanban, and packages. Prior t
NOT-FOR-US: OneDev
CVE-2026-44638 (libsixel is a SIXEL encoder/decoder implementation derived
from kmiya' ...)
- libsixel 1:1.8.7-r2-1
+ [trixie] - libsixel <no-dsa> (Minor issue)
+ [bookworm] - libsixel <no-dsa> (Minor issue)
NOTE:
https://github.com/saitoha/libsixel/security/advisories/GHSA-wpx3-h5g8-qr3w
CVE-2026-44637 (libsixel is a SIXEL encoder/decoder implementation derived
from kmiya' ...)
- libsixel 1:1.8.7-r2-1
+ [trixie] - libsixel <no-dsa> (Minor issue)
+ [bookworm] - libsixel <no-dsa> (Minor issue)
NOTE:
https://github.com/saitoha/libsixel/security/advisories/GHSA-9jm7-77gr-qghv
CVE-2026-44636 (libsixel is a SIXEL encoder/decoder implementation derived
from kmiya' ...)
- libsixel 1:1.8.7-r2-1
+ [trixie] - libsixel <no-dsa> (Minor issue)
+ [bookworm] - libsixel <no-dsa> (Minor issue)
NOTE:
https://github.com/saitoha/libsixel/security/advisories/GHSA-hx93-w8p2-ffh5
CVE-2026-44430 (The MCP Registry provides MCP clients with a list of MCP
servers, like ...)
NOT-FOR-US: MCP Registry
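Review bot: the three libsixel entries (CVE-2026-44638, -44637, -44636) receive identical [trixie]/[bookworm] <no-dsa> (Minor issue) triage with no shared rationale; one NOTE on the common reason, and a check that all three are addressed by the same upstream change as 1:1.8.7-r2-1, would let them be tracked as a single point-release candidate rather than three unrelated items.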
@@ -1484,7 +1494,9 @@ CVE-2026-8367 (aria2c accepts a server certificate with
incorrect Extended Key U
CVE-2026-8328 (The ftpcp() function in Lib/ftplib.py was not updated when
CVE-2021-4 ...)
- python3.14 <unfixed>
- python3.13 <unfixed>
+ [trixie] - python3.13 <no-dsa> (Minor issue)
- python3.11 <removed>
+ [bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
- python2.7 <removed>
[bullseye] - python2.7 <end-of-life> (not supported in bullseye)
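Review bot: python3.14 and python3.13 remain <unfixed> in unstable with no bug number or upstream reference, while the new [trixie] and [bookworm] <no-dsa> tags only cover stable and oldstable; unlike the other entries in this commit there is no NOTE pointing at the upstream issue or fixing commit for the ftpcp() change, so please add one before the "Minor issue" rating is relied on, and consider recording a bug number for the unstable line as done for node-ws and jq.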
@@ -2335,6 +2347,8 @@ CVE-2026-XXXX [RUSTSEC-2026-0134]
NOTE: https://github.com/diesel-rs/diesel/pull/5042
CVE-2026-8463 (Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform
a heap ...)
- libcrypt-argon2-perl 0.031-1
+ [trixie] - libcrypt-argon2-perl <no-dsa> (Minor issue)
+ [bookworm] - libcrypt-argon2-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40006926/
NOTE:
https://github.com/Leont/crypt-argon2/commit/92eac03ce63d541e0ead7ea5a89b9b67ce0c0e64
(v0.031)
CVE-2026-8449
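Review bot: the description states the affected range as "versions from 0.017 before 0.031"; before tagging trixie and bookworm <no-dsa>, confirm that the libcrypt-argon2-perl versions shipped there are actually >= 0.017, otherwise the correct annotation is <not-affected> rather than a no-dsa "Minor issue". A heap issue in a password-hashing module also deserves a one-line NOTE on why it is minor.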
@@ -2458,6 +2472,8 @@ CVE-2026-44302 (Snappier is a high performance C#
implementation of the Snappy c
NOT-FOR-US: Snappier
CVE-2026-44301 (Hugo is a static site generator. From 0.43 to before 0.161.0,
when bui ...)
- hugo 0.161.0-1
+ [trixie] - hugo <no-dsa> (Minor issue)
+ [bookworm] - hugo <no-dsa> (Minor issue)
NOTE:
https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857
CVE-2026-44296 (Deskflow is a keyboard and mouse sharing app. Prior to
1.26.0.167, a r ...)
- deskflow <unfixed>
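Review bot: the affected range for hugo is given as "From 0.43 to before 0.161.0"; the new [trixie]/[bookworm] <no-dsa> lines should be accompanied by a check that the hugo versions in those suites fall inside that range (and by a NOTE on the build-time condition hinted at by "when bui ..." that makes it a minor issue), so the entry does not need to be revisited when the point-release list is compiled.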
@@ -3716,6 +3732,8 @@ CVE-2026-42188 (Geyser is a bridge between Minecraft:
Bedrock Edition and Minecr
NOT-FOR-US: Geyser
CVE-2026-42046 (libcaca is a colour ASCII art library. In 0.99.beta20 and
earlier, an ...)
- libcaca <unfixed>
+ [trixie] - libcaca <no-dsa> (Minor issue)
+ [bookworm] - libcaca <no-dsa> (Minor issue)
NOTE:
https://github.com/cacalabs/libcaca/security/advisories/GHSA-4vvg-vrqv-m56w
NOTE: https://github.com/cacalabs/libcaca/issues/86
NOTE: Fixed by:
https://github.com/cacalabs/libcaca/commit/fb77acff9ba6bb01d53940da34fb10f20b156a23
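Review bot: libcaca stays <unfixed> in unstable even though the fixing upstream commit is already recorded in the "Fixed by:" NOTE; the stable no-dsa tags are fine, but the unstable line lacks a bug number, so please file and record one (the pattern used for node-ws with bug #1136804 and jq with bug #1136445) so the known fix does not get lost.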
@@ -4174,8 +4192,9 @@ CVE-2026-41018 (The Elasticsearch logging provider, when
configured with a `host
CVE-2026-40636 (Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale
version ...)
NOT-FOR-US: Dell / EMC
CVE-2026-40612 (jq is a command-line JSON processor. In 1.8.1 and earlier,
jv_contains ...)
- - jq 1.8.1-6 (bug #1136445)
+ - jq 1.8.1-6 (bug #1136445; unimportant)
NOTE:
https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j
+ NOTE: Crash in CLI tool, no security impact
CVE-2026-3609 (Wellbia's XIGNCODE3 xhunter1.sys kernel driver Privilege
Escalation Vu ...)
NOT-FOR-US: Wellbia XIGNCODE3 xhunter1.sys kernel driver
CVE-2026-3320 (Reflected Cross-Site Scripting (XSS) in the latest demo version
of the ...)
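Review bot: the "unimportant" rating is justified with "Crash in CLI tool, no security impact", but the description locates the bug in jv_contains, which belongs to jq's jv library API rather than to the command-line front end, and Debian ships that library as libjq1 for other programs to link; please confirm the crash is only reachable via the jq binary (or reword the NOTE to say the library path was considered) before keeping "unimportant".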
@@ -4381,10 +4400,11 @@ CVE-2026-8258 (A flaw has been found in Squirrel up to
3.2. Impacted is the func
- squirrel3 <unfixed>
NOTE: https://github.com/albertodemichelis/squirrel/issues/325
CVE-2026-8257 (A vulnerability was detected in WebAssembly Binaryen up to 117.
This i ...)
- - binaryen <unfixed>
+ - binaryen <unfixed> (unimportant)
NOTE: https://github.com/WebAssembly/binaryen/issues/8633
NOTE: https://github.com/WebAssembly/binaryen/pull/8635
NOTE: Fixed by:
https://github.com/WebAssembly/binaryen/commit/1251efbc1ea471c1311d2726b2bbe061ff2a291c
+ NOTE: Crash in CLI tool, no security impact
CVE-2026-8256 (A security vulnerability has been detected in Devs Palace ERP
Online u ...)
NOT-FOR-US: Devs Palace ERP Online
CVE-2026-8255 (A weakness has been identified in Devs Palace ERP Online up to
4.0.0. ...)
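Review bot: binaryen is left <unfixed> in unstable while the fixing commit is already linked under "Fixed by:"; with the new "(unimportant)" tag this is acceptable, but recording the upstream release that contains the fix next to the commit (as the node-ws, Imager and lodash entries do) would make it clear when the entry can be closed. The "Crash in CLI tool" NOTE is a good addition; it would read better directly under the severity line rather than after the fix references.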
@@ -28186,7 +28206,10 @@ CVE-2026-30276 (An arbitrary file overwrite
vulnerability in DeftPDF Document Tr
NOT-FOR-US: DeftPDF
CVE-2026-2950 (Impact: Lodash versions 4.17.23 and earlier are vulnerable to
prototy ...)
- node-lodash 4.18.1+dfsg-1
- TODO: check fixing commit details
+ [trixie] - node-lodash <no-dsa> (Minor issue)
+ [bookworm] - node-lodash <no-dsa> (Minor issue)
+ NOTE:
https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
+ NOTE:
https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81
(4.17.23)
CVE-2026-2696 (The Export All URLs WordPress plugin before 5.1 generates CSV
filename ...)
NOT-FOR-US: WordPress plugin
CVE-2026-2480 (The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for
WordPre ...)
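Review bot: the TODO "check fixing commit details" is dropped and the fix commit is annotated "(4.17.23)", but the CVE description states that "Lodash versions 4.17.23 and earlier are vulnerable", which contradicts a fix landing in 4.17.23; please verify against the upstream tags which release first contains commit edadd452 before removing the TODO, and adjust the version in the NOTE (or a NOTE explaining the discrepancy) accordingly. The unstable entry at 4.18.1+dfsg-1 is unaffected by this either way.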
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46afee35bef60ab29e7f8b5e53a12c91203cdf53
--
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits