Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2a5263c7 by Moritz Muehlenhoff at 2026-05-18T10:48:07+02:00
trixie/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -396,6 +396,8 @@ CVE-2025-67031 (ORSEE (Online Recruitment System for 
Economic Experiments) 3.1.0
        NOT-FOR-US: ORSEE (Online Recruitment System for Economic Experiments)
 CVE-2026-8704 (Crypt::DSA versions through 1.19 for Perl use 2-args open, 
allowing ex ...)
        - libcrypt-dsa-perl 1.20-1 (bug #1136809)
+       [trixie] - libcrypt-dsa-perl <no-dsa> (Minor issue)
+       [bookworm] - libcrypt-dsa-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/40104289/
        NOTE: Fixed by: 
https://github.com/perl-Crypt-OpenPGP/Crypt-DSA/commit/e7dc7836594908d6e9abf74b0a66f12a78569d1c
 (1.20)
 CVE-2026-8700 (Crypt::DSA versions before 1.20 for Perl generate seeds using 
rand.  S ...)
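Review bot: the trailing context of this hunk shows CVE-2026-8700 directly below, also against Crypt::DSA and also affecting versions before 1.20, but trixie/bookworm lines are added for CVE-2026-8704 only. If CVE-2026-8700 is still untriaged for those releases, handle it in the same pass so that libcrypt-dsa-perl does not keep showing up as open for trixie and bookworm.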
@@ -454,6 +456,8 @@ CVE-2026-46508 (Turborepo is a high-performance build 
system for JavaScript and
        NOT-FOR-US: Turborepo
 CVE-2026-46483 (Vim is an open source, command line text editor. Prior to 
9.2.0479, a  ...)
        - vim <unfixed> (bug #1136803)
+       [trixie] - vim <no-dsa> (Minor issue)
+       [bookworm] - vim <no-dsa> (Minor issue)
        NOTE: https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w
        NOTE: 
https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 
(v9.2.0479)
 CVE-2026-46474 (Trog::TOTP versions before 1.006 for Perl generate secrets 
using rand. ...)
@@ -1677,6 +1681,8 @@ CVE-2026-8369 (Improper Input Validation in the NAT64 
translator in The OpenThre
        NOT-FOR-US: OpenThread
 CVE-2026-8367 (aria2c accepts a server certificate with incorrect Extended Key 
Usage  ...)
        - aria2 <unfixed>
+       [trixie] - aria2 <postponed> (Minor issue, revisit when fixed upstream)
+       [bookworm] - aria2 <postponed> (Minor issue, revisit when fixed 
upstream)
        NOTE: https://github.com/aria2/aria2/issues/2355
 CVE-2026-8328 (The ftpcp() function in Lib/ftplib.py was not updated when  
CVE-2021-4 ...)
        - python3.14 <unfixed>
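Review bot: the unstable line `- aria2 <unfixed>` carries no bug reference, unlike the other unfixed entries touched in this commit (vim, bettercap, pagure), while the two added lines defer to "revisit when fixed upstream". The only pointer is the upstream issue in the NOTE; filing a Debian bug and referencing it here would give the postponed entries something concrete to be revisited against.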
@@ -2698,6 +2704,7 @@ CVE-2026-44241 (Micronaut Framework is a JVM-based full 
stack Java framework des
        NOT-FOR-US: Micronaut Framework
 CVE-2026-44240 (basic-ftp is an FTP client for Node.js. Prior to 5.3.1, 
basic-ftp is v ...)
        - node-proxy-agents 0~2025070717+~cs15.3.8-1 (bug #1136650)
+       [trixie] - node-proxy-agents <no-dsa> (Minor issue)
        NOTE: 
https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rpmf-866q-6p89
 CVE-2026-44232 (DSSRF is a Node.js library that provides a wide range of 
utilities and ...)
        NOT-FOR-US: DSSRF
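Review bot: only a `[trixie]` line is added under CVE-2026-44240, although the commit is titled trixie/bookworm triage and most other hunks annotate both releases. If bookworm does not ship node-proxy-agents, or ships a version without the affected basic-ftp code, that is fine, but it should be confirmed, and a `<not-affected>` line with a short reason added where that applies.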
@@ -4212,7 +4219,9 @@ CVE-2026-7308 (An authenticated user with upload 
permission to a hosted reposito
 CVE-2026-7210 (`xml.parsers.expat` and `xml.etree.ElementTree` use 
insufficient entro ...)
        - python3.14 <unfixed>
        - python3.13 <unfixed>
+       [trixie] - python3.13 <no-dsa> (Minor issue)
        - python3.11 <removed>
+       [bookworm] - python3.11 <no-dsa> (Minor issue)
        - python3.9 <removed>
        - python2.7 <removed>
        [bullseye] - python2.7 <end-of-life> (not supported in bullseye)
@@ -4569,10 +4578,14 @@ CVE-2026-5084 (WebDyne::Session versions through 2.075 
for Perl generates the se
        NOT-FOR-US: WebDyne::Session Perl module
 CVE-2026-8276 (A flaw has been found in bettercap up to 2.41.5. Affected by 
this issu ...)
        - bettercap <unfixed> (bug #1136448)
+       [trixie] - bettercap <no-dsa> (Minor issue)
+       [bookworm] - bettercap <no-dsa> (Minor issue)
        NOTE: https://github.com/bettercap/bettercap/issues/1265
        NOTE: 
https://github.com/bettercap/bettercap/commit/0eaa375c5e5446bfba94a290eff92967a5deac9e
 (v2.41.7)
 CVE-2026-8275 (A vulnerability was detected in bettercap up to 2.41.5. 
Affected by th ...)
        - bettercap <unfixed> (bug #1136448)
+       [trixie] - bettercap <no-dsa> (Minor issue)
+       [bookworm] - bettercap <no-dsa> (Minor issue)
        NOTE: https://github.com/bettercap/bettercap/issues/1263
        NOTE: 
https://github.com/bettercap/bettercap/commit/3731d5576cffae9eefe3721cd46a40933304129f
 (v2.41.7)
 CVE-2026-8274 (A security vulnerability has been detected in npitre 
cramfs-tools up t ...)
@@ -27558,6 +27571,8 @@ CVE-2026-34528 (File Browser is a file managing 
interface for uploading, deletin
        NOT-FOR-US: File Browser
 CVE-2026-34525 (AIOHTTP is an asynchronous HTTP client/server framework for 
asyncio an ...)
        - python-aiohttp 3.13.5-1 (bug #1132582)
+       [trixie] - python-aiohttp <no-dsa> (Minor issue)
+       [bookworm] - python-aiohttp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-c427-h43c-vf67
        NOTE: Fixed by: 
https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349
 (v3.13.4)
        NOTE: Fixed by: 
https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000
 (v3.13.5)
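Review bot: the added `<no-dsa>` lines sit above two "Fixed by" notes that point at different upstream releases (v3.13.4 and v3.13.5), and unstable is only marked fixed from 3.13.5-1. Anyone picking this up later for a point release needs both commits; a short NOTE saying so would keep a partial backport from being marked as fixed.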
@@ -36701,6 +36716,7 @@ CVE-2025-14031 (IBM Sterling B2B Integrator andand IBM 
Sterling File Gateway6.1.
        NOT-FOR-US: IBM
 CVE-2026-3312
        - pagure <unfixed> (bug #1132033)
+       [trixie] - pagure <no-dsa> (Minor issue)
        [bullseye] - pagure <postponed> (Minor issue, infoleak)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2443259
 CVE-2025-71276 (SOGo before 5.12.5 is prone to a XSS vulnerability with 
events, tasks, ...)
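Review bot: the new `[trixie]` line gives the bare reason "Minor issue", while the existing `[bullseye]` line directly below it says "Minor issue, infoleak"; using the same qualifier would keep the entry consistent. No `[bookworm]` line is added in this hunk either, so confirm that bookworm has no pagure package to triage.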



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a5263c798b59f34540d8866849e503da73f8adf

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits