Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
337325e3 by Moritz Muehlenhoff at 2026-05-19T11:33:10+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3849,6 +3849,7 @@ CVE-2026-31237 (The Ludwig framework thru 0.10.4 is
vulnerable to insecure deser
NOT-FOR-US: Ludwig framework
CVE-2026-31236 (The llm CLI tool thru 0.27.1 contains a critical code
injection vulner ...)
- llm <unfixed>
+ [trixie] - llm <no-dsa> (Minor issue)
NOTE:
https://www.notion.so/CVE-2026-31236-35d1e139318881a4a0f1fffcf671f7e3
CVE-2026-31235 (The imgaug library thru 0.4.0 contains an insecure
deserialization vul ...)
NOT-FOR-US: imgaug
@@ -8183,7 +8184,11 @@ CVE-2026-6344 (The Fluent Forms plugin for WordPress is
vulnerable to Arbitrary
NOT-FOR-US: WordPress plugin
CVE-2026-6210 (A type confusion vulnerability in Qt SVG allows an attacker to
cause a ...)
- qt6-svg 6.10.2-6 (bug #1136089)
+ [trixie] - qt6-svg <no-dsa> (Minor issue)
+ [bookworm] - qt6-svg <no-dsa> (Minor issue)
- qtsvg-opensource-src <unfixed>
+ [trixie] - qtsvg-opensource-src <no-dsa> (Minor issue)
+ [bookworm] - qtsvg-opensource-src <no-dsa> (Minor issue)
NOTE: https://codereview.qt-project.org/c/qt/qtsvg/+/724887
CVE-2026-43975 (FolderUploadsFileManager in Apache Wicket does not validate or
sanitiz ...)
NOT-FOR-US: Apache software not packaged in Debian
@@ -27984,9 +27989,9 @@ CVE-2025-66484 (IBM Aspera Shares 1.9.9 through 1.11.0
is vulnerable to stored c
CVE-2025-66483 (IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate
session aft ...)
NOT-FOR-US: IBM
CVE-2025-66442 (In Mbed TLS through 4.0.0, there is a compiler-induced timing
side cha ...)
- - mbedtls <unfixed>
+ - mbedtls <unfixed> (unimportant)
NOTE:
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/
- TODO: No fix is available for this issue, check if it will be
considered upstream
+ NOTE: mbedtls not built with clang in Debian
CVE-2025-36375 (IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM
DataPow ...)
NOT-FOR-US: IBM
CVE-2025-36373 (IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM
DataPow ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -60,6 +60,8 @@ linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more 6.1.y versions
--
+lxd/oldstable
+--
mbedtls/oldstable
--
mimetex/oldstable
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/337325e3f0b765c3e69bbf3e4f95448a06ad610e
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/337325e3f0b765c3e69bbf3e4f95448a06ad610e
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
