Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
15fc6876 by Moritz Muehlenhoff at 2026-05-17T18:44:30+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1502,6 +1502,8 @@ CVE-2026-8328 (The ftpcp() function in Lib/ftplib.py was 
not updated when  CVE-2
        - python2.7 <removed>
        [bullseye] - python2.7 <end-of-life> (not supported in bullseye)
        - pypy3 <unfixed>
+       [trixie] - pypy3 <no-dsa> (Minor issue)
+       [bookworm] - pypy3 <no-dsa> (Minor issue)
        NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/
        NOTE: https://github.com/python/cpython/pull/149648
        NOTE: 
https://github.com/python/cpython/commit/eac4fe3b2c77693790a5ef7dfab127c1fee81bf9
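Review bot: the new [trixie] and [bookworm] pypy3 lines carry only "Minor issue" as rationale while the sid line stays <unfixed>; since pypy3 is tracked here alongside python2.7 for a Lib/ftplib.py bug, a NOTE recording that the affected ftpcp() code is present in the pypy3 packages shipped in those two suites (or that a pypy-side fix is pending) would let the next triager confirm the tag without re-deriving it from the CPython links.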
@@ -1907,6 +1909,8 @@ CVE-2026-41132 (CKAN is an open-source DMS (data 
management system) for powering
        NOT-FOR-US: CKAN
 CVE-2026-41051 (csync2 uses insecure temporary directories when compiled with 
C99 or l ...)
        - csync2 <unfixed>
+       [trixie] - csync2 <no-dsa> (Minor issue)
+       [bookworm] - csync2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1262472
        TODO: check details for upstream
 CVE-2026-41050 (Fleet's Helm deployer did not fully apply ServiceAccount 
impersonation ...)
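Review bot: the csync2 lines for trixie and bookworm are tagged <no-dsa> (Minor issue) while the entry still carries "TODO: check details for upstream", so the severity call is recorded before the open question is closed. Either resolve the TODO in the same change and drop it, or add a NOTE with the reasoning (the truncated description "when compiled with C99 or l ..." suggests a build-configuration condition), so a later reader can tell the no-dsa was deliberate rather than provisional.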
@@ -2479,6 +2483,7 @@ CVE-2026-44301 (Hugo is a static site generator. From 
0.43 to before 0.161.0, wh
        NOTE: 
https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857
 CVE-2026-44296 (Deskflow is a keyboard and mouse sharing app. Prior to 
1.26.0.167, a r ...)
        - deskflow <unfixed>
+       [trixie] - deskflow <no-dsa> (Minor issue)
        NOTE: 
https://github.com/deskflow/deskflow/security/advisories/GHSA-3mxm-cgh2-6448
        NOTE: 
https://github.com/deskflow/deskflow/commit/329783490bd16774ba903b84212467d20d76bfba
 CVE-2026-44262 (Scramble generates API documentation for Laravel project. From 
0.13.2  ...)
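Review bot: only a [trixie] line is added for deskflow, whereas every other package touched in this commit gets matching [trixie] and [bookworm] tags. If deskflow is not packaged in bookworm the entry is complete as-is; if it is, the [bookworm] line is missing and the package would continue to show as unaddressed there.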
@@ -2747,6 +2752,8 @@ CVE-2026-8388 (Incorrect boundary conditions in the 
JavaScript Engine: JIT compo
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2026-45/#CVE-2026-8388
 CVE-2026-8368 (LWP::UserAgent versions before 6.83 for Perl leak Authorization 
and Pr ...)
        - libwww-perl 6.83-1 (bug #1136449)
+       [trixie] - libwww-perl <no-dsa> (Minor issue)
+       [bookworm] - libwww-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/39974665/
        NOTE: https://github.com/libwww-perl/libwww-perl/pull/512
        NOTE: https://github.com/libwww-perl/libwww-perl/pull/284
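Review bot: "Minor issue" is a thin rationale for an entry whose description is a leak of Authorization and (truncated) Proxy-related headers; one NOTE line stating the condition under which the headers leak would let a reader judge the no-dsa call without opening the advisory. Separately, the entry lists two upstream PRs (#512 and #284) without saying which one is the fix in 6.83; the "NOTE: Fixed by:" form used for dokuwiki later in this same commit would make that unambiguous.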
@@ -2755,12 +2762,18 @@ CVE-2026-8278
        REJECTED
 CVE-2026-8162 ([email protected] and lower versions are vulnerable to denial of 
servic ...)
        - node-multiparty 4.3.0-1 (bug #1136447)
+       [trixie] - node-multiparty <no-dsa> (Minor issue)
+       [bookworm] - node-multiparty <no-dsa> (Minor issue)
        NOTE: 
https://github.com/pillarjs/multiparty/security/advisories/GHSA-xh3c-6gcq-g4rv
 CVE-2026-8161 ([email protected] and lower versions are vulnerable to denial of 
servic ...)
        - node-multiparty 4.3.0-1 (bug #1136447)
+       [trixie] - node-multiparty <no-dsa> (Minor issue)
+       [bookworm] - node-multiparty <no-dsa> (Minor issue)
        NOTE: 
https://github.com/pillarjs/multiparty/security/advisories/GHSA-qxch-whhj-8956
 CVE-2026-8159 ([email protected] and lower versions are vulnerable to denial of 
servic ...)
        - node-multiparty 4.3.0-1 (bug #1136447)
+       [trixie] - node-multiparty <no-dsa> (Minor issue)
+       [bookworm] - node-multiparty <no-dsa> (Minor issue)
        NOTE: 
https://github.com/pillarjs/multiparty/security/advisories/GHSA-65x3-rw7q-gx94
 CVE-2026-8111 (SQL injection in the web consoleof Ivanti Endpoint 
Managerbefore versi ...)
        NOT-FOR-US: Ivanti
@@ -4010,6 +4023,8 @@ CVE-2026-7210 (`xml.parsers.expat` and 
`xml.etree.ElementTree` use insufficient
        - python2.7 <removed>
        [bullseye] - python2.7 <end-of-life> (not supported in bullseye)
        - pypy3 <unfixed>
+       [trixie] - pypy3 <no-dsa> (Minor issue)
+       [bookworm] - pypy3 <no-dsa> (Minor issue)
        NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/
        NOTE: https://github.com/python/cpython/issues/149018
        NOTE: https://github.com/python/cpython/pull/149023
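Review bot: unlike the CVE-2026-8328 entry earlier in this commit, this one references only the CPython issue (149018) and PR (149023) and no merged commit. With pypy3 now tagged <no-dsa> in trixie and bookworm, the fix will eventually have to be backported there, and a commit URL is the reference a later triager can check a package's patches against; add it once the PR has landed.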
@@ -8956,6 +8971,9 @@ CVE-2026-5753 (The All-in-One WP Migration Unlimited 
Extension plugin for WordPr
        NOT-FOR-US: WordPress plugin
 CVE-2026-44405 (In Paramiko through 4.0.0 before a448945, rsakey.py allows the 
SHA-1 a ...)
        - paramiko <unfixed> (bug #1135907)
+       [trixie] - paramiko <ignored> (Deprecation of SHA-1 only for forky)
+       [bookworm] - paramiko <ignored> (Deprecation of SHA-1 only for forky)
+       [bullseye] - paramiko <ignored> (Deprecation of SHA-1 only for forky)
        NOTE: 
https://github.com/paramiko/paramiko/commit/a4489456b6f65281e172380cc4826cee5e851dbb
 CVE-2026-44331 (In ProFTPD through 1.3.9a before 7666224, a SQL injection 
vulnerabilit ...)
        - proftpd-dfsg 1.3.9a~dfsg-1 (bug #1135840)
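Review bot: the <ignored> reason "Deprecation of SHA-1 only for forky" records where the change will go, not why the three stable suites are excluded. Since the same tag is applied to trixie, bookworm and bullseye, one NOTE line giving the rationale (for instance, if that is the reason, that dropping SHA-1 RSA signature acceptance is a behaviour change affecting existing deployments) would make the entry self-explanatory. The sid line staying <unfixed> (bug #1135907) is consistent with the fix landing only in forky.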
@@ -26004,10 +26022,12 @@ CVE-2026-27655 (Zohocorp ManageEngine Exchange 
Reporter Plus versions before 580
 CVE-2026-27124 (FastMCP is the standard framework for building MCP 
applications. Prior ...)
        NOT-FOR-US: FastMCP
 CVE-2026-26477 (An issue in Dokuwiki v.2025-05-14b "Librarian" [56.2] allows a 
remote  ...)
-       - dokuwiki 2025-05-14.b+dfsg-6
+       - dokuwiki 2025-05-14.b+dfsg-6 (unimportant)
        NOTE: https://github.com/Hebing123/cve/issues/94
        NOTE: https://github.com/dokuwiki/dokuwiki/issues/4613
        NOTE: Fixed by: 
https://github.com/dokuwiki/dokuwiki/commit/bfc167db63967f8c872b3d797ca81138b9011ef4
+       NOTE: Negligible security impact per upstream assessment:
+       NOTE: 
https://github.com/dokuwiki/dokuwiki/issues/4613#issuecomment-4230046078
 CVE-2026-25773 (** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails 
to saniti ...)
        NOT-FOR-US: Focalboard
 CVE-2026-25118 (immich is a high performance self-hosted photo and video 
management so ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -62,6 +62,8 @@ netatalk
 --
 netty
 --
+nss (jmm)
+--
 opennds/oldstable
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
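Review bot: the new "nss (jmm)" claim has no status line under it, while neighbouring entries such as opennds/oldstable carry one; a line naming the CVE(s) the DSA is meant to cover and the intended suite(s) would let another team member pick it up if the claim goes stale. Alphabetical placement between netty and opennds is correct.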



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15fc68764926b7fc450869192aa4680562dd851a

-- 
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
