Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
db92ea74 by Moritz Muehlenhoff at 2026-05-22T17:17:40+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -164,6 +164,8 @@ CVE-2026-22678 (Webmin before 2.641 contains a stored
cross-site scripting vulne
TODO: check
CVE-2026-5091 (Catalyst::Plugin::Authentication versions through 0.10024 for
Perl is ...)
- libcatalyst-plugin-authentication-perl <unfixed> (bug #1137325)
+ [trixie] - libcatalyst-plugin-authentication-perl <no-dsa> (Minor issue)
+ [bookworm] - libcatalyst-plugin-authentication-perl <no-dsa> (Minor
issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40281889/
NOTE:
https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b0515f492257438cf07082acf1e10d06e8088a5e
(v0.10_025)
CVE-2026-8376 [Buffer overflow in Perl_study_chunk]
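Review bot: The only fix reference in the NOTEs is the upstream commit tagged (v0.10_025), a Perl developer release (underscore version), so the unchanged sid line `- libcatalyst-plugin-authentication-perl <unfixed> (bug #1137325)` remains the tracking point until a release containing it is packaged; the two no-dsa entries themselves are consistent with each other and with that state.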
@@ -963,6 +965,7 @@ CVE-2026-XXXX [RUSTSEC-2026-0145]
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0145.html
CVE-2026-41999 (Incorrect Behaviour of Views with TCP PROXY Requests)
- pdns 5.0.5-1
+ [trixie] - pdns <not-affected> (Vulnerable code not present, only
affects 5.0.x)
[bookworm] - pdns <end-of-life> (See #1119290)
[bullseye] - pdns <end-of-life> (see DLA 4471)
NOTE:
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-06.html#incorrect-behaviour-of-views-with-tcp-proxy-requests
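Review bot: The not-affected justification "only affects 5.0.x" rests on trixie shipping a pdns from before the 5.0 series, which the unchanged sid line `- pdns 5.0.5-1` implies but the entry does not state; adding the trixie version to the justification would make the claim self-explanatory when the entry is read later without this context.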
@@ -1857,6 +1860,8 @@ CVE-2026-8843 (Creating a "2dsphere_bucket" index on a
non-timeseries bucket col
NOTE: https://jira.mongodb.org/browse/SERVER-116327
CVE-2026-8836 (A vulnerability was found in lwIP up to 2.2.1. Affected is the
functio ...)
- lwip <unfixed>
+ [trixie] - lwip <no-dsa> (Minor issue)
+ [bookworm] - lwip <no-dsa> (Minor issue)
NOTE: https://savannah.nongnu.org/bugs/?68194
NOTE:
https://cgit.git.savannah.gnu.org/cgit/lwip.git/commit/?id=0c957ec03054eb6c8205e9c9d1d05d90ada3898c
CVE-2026-8803 (A flaw has been found in opensourcepos Open Source Point of
Sale up to ...)
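Review bot: The sid line `- lwip <unfixed>` carries no Debian bug reference, unlike the uriparser and rust-openssl entries in this same commit, which cite one; with both stable suites now no-dsa, nothing in the tracker points at a bug for the sid fix, so consider filing one and appending a `(bug #…)` reference as done for those packages.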
@@ -2703,6 +2708,8 @@ CVE-2026-44666 (HRConvert2 is a self-hosted,
drag-and-drop & nosql file conversi
NOT-FOR-US: HRConvert2
CVE-2026-44662 (rust-openssl provides OpenSSL bindings for the Rust
programming langua ...)
- rust-openssl 0.10.79-1 (bug #1136788)
+ [trixie] - rust-openssl <no-dsa> (Minor issue)
+ [bookworm] - rust-openssl <no-dsa> (Minor issue)
NOTE:
https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xv59-967r-8726
CVE-2026-44661 (python-utcp is the python implementation of UTCP. Prior to
1.1.3, the ...)
NOT-FOR-US: python-utcp
@@ -2766,6 +2773,8 @@ CVE-2026-42847 (ClipBucket v5 is an open source video
sharing platform. Prior to
NOT-FOR-US: ClipBucket
CVE-2026-42327 (rust-openssl provides OpenSSL bindings for the Rust
programming langua ...)
- rust-openssl 0.10.79-1 (bug #1136787)
+ [trixie] - rust-openssl <no-dsa> (Minor issue)
+ [bookworm] - rust-openssl <no-dsa> (Minor issue)
NOTE:
https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xp3w-r5p5-63rr
CVE-2026-41702 (VMware Fusion contains a TOCTOU (Time-of-check Time-of-use)
vulnerabil ...)
NOT-FOR-US: VMware
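Review bot: This entry and CVE-2026-44662 above are both fixed in sid by the same upload 0.10.79-1 and receive identical no-dsa tags for trixie and bookworm; if either is later picked up for a point release, both should go into one update, and the two bug references #1136787 and #1136788 should be resolved together.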
@@ -7242,11 +7251,15 @@ CVE-2026-5127 (The User Frontend: AI Powered Frontend
Posting, User Directory, P
NOT-FOR-US: WordPress plugin
CVE-2026-44928 (In uriparser before 1.0.2, the function family EqualsUri can
misclassi ...)
- uriparser <unfixed> (bug #1136088)
+ [trixie] - uriparser <no-dsa> (Minor issue)
+ [bookworm] - uriparser <no-dsa> (Minor issue)
NOTE: https://github.com/uriparser/uriparser/pull/305
NOTE: Fixed by:
https://github.com/uriparser/uriparser/commit/723717c713a01c08efed6b3ded9583d7819e3386
NOTE: Test:
https://github.com/uriparser/uriparser/commit/bd7f2e6c0c17dd78853f85107535391b4635a86d
CVE-2026-44927 (In uriparser before 1.0.2, there is pointer difference
truncation to i ...)
- uriparser <unfixed> (bug #1136088)
+ [trixie] - uriparser <no-dsa> (Minor issue)
+ [bookworm] - uriparser <no-dsa> (Minor issue)
NOTE: https://github.com/uriparser/uriparser/pull/304
NOTE: Fixed by (merge):
https://github.com/uriparser/uriparser/commit/dd98b0fa4ea69084ede319174ef107a5260d1334
CVE-2026-44500 (ZEBRA is a Zcash node written entirely in Rust. Prior to
zebrad versio ...)
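Review bot: For CVE-2026-44927 the "Fixed by (merge)" NOTE points at a merge commit, so anyone backporting for a point release has to pull the individual commits from pull request #304; for CVE-2026-44928 the NOTEs already list a single fix commit plus a test commit, which is the more useful form. Both CVEs share bug #1136088 and the same no-dsa tags, so they should be handled in one update.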
@@ -10060,12 +10073,18 @@ CVE-2026-29080 (A SQL injection vulnerability in
`FilterEngine.create_sqla_query
NOT-FOR-US: Rucio
CVE-2026-23928 (The Item history widget (in Zabbix 7.0+) or the Plain text
widget (in ...)
- zabbix <unfixed> (bug #1137209)
+ [trixie] - zabbix <ignored> (The WEB UI is only supported for access by
trusted users, no security updates issued for it, #1124558)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access
by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-27760
CVE-2026-23927 (A user able to connect to Agent 2 can inject an Oracle TNS
connection ...)
- zabbix <unfixed> (bug #1137209)
+ [trixie] - zabbix <no-dsa> (Minor issue)
+ [bookworm] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-27759
CVE-2026-23926 (An authenticated (non-super) administrator can create a
maintenance pe ...)
- zabbix <unfixed> (bug #1137209)
+ [trixie] - zabbix <ignored> (The WEB UI is only supported for access by
trusted users, no security updates issued for it, #1124558)
+ [bookworm] - zabbix <ignored> (The WEB UI is only supported for access
by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-27758
CVE-2026-23870 (A denial of service vulnerability could be triggered by
sending specia ...)
TODO: check
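Review bot: The split between `<ignored>` for the two web-UI issues (CVE-2026-23928, CVE-2026-23926) and `<no-dsa>` for the Agent 2 issue (CVE-2026-23927) is right, because the #1124558 rationale covers only the web frontend and should not be applied to the agent; the trailing CVE-2026-23870 entry in the context is still `TODO: check` and is not covered by this triage.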
=====================================
data/dsa-needed.txt
=====================================
@@ -94,6 +94,8 @@ php-laravel-framework/oldstable
php-twig
Maintainer will prepare updates
--
+prometheus
+--
python-aiohttp/oldstable
--
rtpengine
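Review bot: `prometheus` is added without a suite suffix; in this file an entry such as `python-aiohttp/oldstable` in the same hunk restricts the needed DSA to one suite, so the bare name means both stable and oldstable are expected to need one. If only one suite is affected, add the suffix; the absence of a claimant or note line matches the other unclaimed entries.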
@@ -124,5 +126,9 @@ tomcat10 (apo)
--
tomcat11/stable (apo)
--
+unbound
+--
xrdp
--
+yelp
+--
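Review bot: `unbound` and `yelp` follow the same unsuffixed, unclaimed form as `xrdp` in the context, and the `--` separators are placed correctly; as with `prometheus` earlier in this commit, add a `/stable` or `/oldstable` suffix if only one suite needs the DSA.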
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db92ea742091621c04782439f33bac56aaddea99
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits