Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
d7ec8b51 by Moritz Muehlenhoff at 2026-05-20T09:23:45+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2257,6 +2257,8 @@ CVE-2026-45371 (SiYuan is an open-source personal
knowledge management system. P
NOT-FOR-US: SiYuan
CVE-2026-45205 (Uncontrolled Recursion vulnerability in Apache Commons. When
processi ...)
- commons-configuration2 <unfixed> (bug #1136705)
+ [trixie] - commons-configuration2 <no-dsa> (Minor issue)
+ [bookworm] - commons-configuration2 <no-dsa> (Minor issue)
- commons-configuration <not-affected> (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/14/5
NOTE: https://github.com/apache/commons-configuration/pull/634
@@ -5311,9 +5313,13 @@ CVE-2026-41431 (Zen is a firefox-based browser. Prior to
1.19.9b, Zen Browser sh
NOT-FOR-US: Zen
CVE-2026-41257 (jq is a command-line JSON processor. In 1.8.1 and earlier, the
jq byte ...)
- jq 1.8.1-6 (bug #1136445)
+ [trixie] - jq <no-dsa> (Minor issue)
+ [bookworm] - jq <no-dsa> (Minor issue)
NOTE:
https://github.com/jqlang/jq/security/advisories/GHSA-4jm8-m363-4539
CVE-2026-41256 (jq is a command-line JSON processor. In 1.8.1 and earlier,
Top-level j ...)
- jq 1.8.1-6 (bug #1136445)
+ [trixie] - jq <no-dsa> (Minor issue)
+ [bookworm] - jq <no-dsa> (Minor issue)
NOTE:
https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg
CVE-2026-41250 (Taiga is a project management platform for startups and agile
develope ...)
NOT-FOR-US: Taiga
@@ -7928,10 +7934,15 @@ CVE-2026-41643 (GoBGP is an open source Border Gateway
Protocol (BGP) implementa
- gobgp 4.3.0-1
[bullseye] - gobgp <postponed> (Limited support, follow bookworm
security updates)
NOTE:
https://github.com/osrg/gobgp/security/advisories/GHSA-8rxh-r2p6-7f2q
+ NOTE: https://github.com/osrg/gobgp/issues/3308
+ NOTE:
https://github.com/osrg/gobgp/commit/9fe96a9b92918e782c2d054e305fc96b48f3e8e4
(v4.3.0)
CVE-2026-41642 (GoBGP is an open source Border Gateway Protocol (BGP)
implementation i ...)
- gobgp 4.4.0-1
- [bullseye] - gobgp <postponed> (Limited support, follow bookworm
security updates)
+ [trixie] - gobgp <not-affected> (Vulnerable code not present,
introduced in 4.3.0)
+ [bookworm] - gobgp <not-affected> (Vulnerable code not present,
introduced in 4.3.0)
+ [bullseye] - gobgp <not-affected> (Vulnerable code not present,
introduced in 4.3.0)
NOTE:
https://github.com/osrg/gobgp/security/advisories/GHSA-7235-89m6-f4px
+ NOTE:
https://github.com/osrg/gobgp/commit/215aee08db47e55f4f8a7741e516951f76a959b4
(v4.4.0)
CVE-2026-41589 (Wish is an SSH server with defaults and a collection of
middlewares. F ...)
NOT-FOR-US: Wish SSH
CVE-2026-41554 (Improper Neutralization of Input During Web Page Generation
('Cross-si ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -75,7 +75,7 @@ nss (jmm)
opennds/oldstable
pinged maintainer, but no reply yet. should most probably be bumped to 10.x
--
-openvpn
+openvpn (jmm)
Maintainer already prepared debdiff for trixie, bookworm is harder, needs
discussion
--
pdfminer (carnil)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7ec8b51890367b5aa11c9f88716c50fece8feb5
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7ec8b51890367b5aa11c9f88716c50fece8feb5
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
