Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d8499b4d by Moritz Muehlenhoff at 2026-05-26T12:37:20+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -70,16 +70,22 @@ CVE-2026-4795 (A missing authorization vulnerability in 
Zyxel GS1200-5v3 firmwar
        NOT-FOR-US: Zyxel
 CVE-2026-48852 (PuTTY 0.71 before 0.84 has an assertion failure in ECDSA 
signature ver ...)
        - putty 0.84-1
+       [trixie] - putty <no-dsa> (Minor issue)
+       [bookworm] - putty <no-dsa> (Minor issue)
        NOTE: 
https://lists.tartarus.org/pipermail/putty-announce/2026/000042.html
        NOTE: 
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/ecdsa-remotely-triggerable-assertion.html
        NOTE: Fixed by: 
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=65b8f37c34cd80680693e813e0081cdafaf58324
 (0.84)
 CVE-2026-48851 (PuTTY 0.77 before 0.84 uses a copy of the PuTTY icon as a 
trust indica ...)
        - putty 0.84-1
+       [trixie] - putty <no-dsa> (Minor issue)
+       [bookworm] - putty <no-dsa> (Minor issue)
        NOTE: 
https://lists.tartarus.org/pipermail/putty-announce/2026/000042.html
        NOTE: 
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/telnet-trust-sigil.html
        NOTE: Fixed by: 
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=64712be3cbc4a02bda4a92ca97e8d4f294abbe9a
 (0.84)
 CVE-2026-48850 (PuTTY 0.72 before 0.84 has a double free in RSA KEX.)
        - putty 0.84-1
+       [trixie] - putty <no-dsa> (Minor issue)
+       [bookworm] - putty <no-dsa> (Minor issue)
        NOTE: 
https://lists.tartarus.org/pipermail/putty-announce/2026/000042.html
        NOTE: 
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/rsakex-double-free.html
        NOTE: Fixed by: 
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=ba3ed53e0bf6682f89940bc2c3e83da6b1524024
 (0.84)
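Review bot: the three new `[trixie]`/`[bookworm]` lines in this hunk all carry the bare justification `(Minor issue)`, but CVE-2026-48850 is a double free in RSA KEX, a different class of bug from the assertion failure (CVE-2026-48852) and the trust-sigil issue (CVE-2026-48851) above it; a NOTE recording why it is considered minor for the stable branches (which side of the connection can trigger it, how exploitable the double free is judged to be) would let whoever later evaluates a point-release update see the reasoning without re-reading the wishlist page. The entry already links the upstream wishlist item, so a one-line summary of its conclusion is enough.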
@@ -1798,10 +1804,14 @@ CVE-2026-45753
        NOTE: 
https://symfony.com/blog/cve-2026-45753-htmlsanitizer-urlattributesanitizer-omits-action-formaction-poster-cite-javascript-uri-survives-sanitization-xss
 CVE-2026-47373 (Crypt::SaltedHash versions through 0.09 for Perl is 
susceptible to tim ...)
        - libcrypt-saltedhash-perl 0.11-1 (bug #1137253)
+       [trixie] - libcrypt-saltedhash-perl <no-dsa> (Minor issue)
+       [bookworm] - libcrypt-saltedhash-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/40249915/
        NOTE: Fixed by: 
https://github.com/robrwo/perl-Crypt-SaltedHash/commit/c07bfc5c23185b0667233d0f2e1252d81f1f027a
 (0.10)
 CVE-2026-47372 (Crypt::SaltedHash versions through 0.09 for Perl generate 
insecure ran ...)
        - libcrypt-saltedhash-perl 0.11-1 (bug #1137253)
+       [trixie] - libcrypt-saltedhash-perl <no-dsa> (Minor issue)
+       [bookworm] - libcrypt-saltedhash-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/40252126/
        NOTE: Fixed by: 
https://github.com/robrwo/perl-Crypt-SaltedHash/commit/9b68437d2cd420b819b3a795474c3870338d38d5
 (0.10)
 CVE-2026-9101 (Prototype pollution in csv parsing logic during import can lead 
to unt ...)
@@ -2734,6 +2744,8 @@ CVE-2026-8945 (Sandbox escape in Firefox and Firefox 
Focus for Android. This vul
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2026-46/#CVE-2026-8945
 CVE-2026-XXXX [VSV00019]
        - varnish <unfixed>
+       [bookworm] - varnish <not-affected> (Vulnerable code not present, 
introduced in 7.6)
+       [bullseye] - varnish <not-affected> (Vulnerable code not present, 
introduced in 7.6)
        NOTE: https://vinyl-cache.org/security/VSV00019.html
        NOTE: 
https://code.vinyl-cache.org/vinyl-cache/vinyl-cache/commit/dfc27fb4e7bf110945f5c145ce95b8de14ead77f
 (master)
        NOTE: 
https://code.vinyl-cache.org/vinyl-cache/vinyl-cache/commit/037031d429e3d309ae66ebabff33aa591402f20e
 (6.0)
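Review bot: the `<not-affected>` justification for bookworm and bullseye says the vulnerable code was introduced in 7.6, yet the same entry references an upstream fix commit tagged `(6.0)` (the second code.vinyl-cache.org commit), which suggests upstream considers its 6.0 series affected or at least worth patching; either that commit is precautionary hardening, in which case the NOTE should say so, or the two `<not-affected>` tags need rechecking against VSV00019 before the fix for the unfixed suites goes out. Trixie gets no annotation here, which matches varnish being added to dsa-needed.txt in this same commit.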
@@ -4441,6 +4453,7 @@ CVE-2026-44586 (SiYuan is an open-source personal 
knowledge management system. F
        NOT-FOR-US: SiYuan
 CVE-2026-44544 (gittuf is a platform-agnostic Git security system. Prior to 
0.14.0, an ...)
        - gittuf <unfixed> (bug #1136704)
+       [trixie] - gittuf <no-dsa> (Minor issue)
        NOTE: 
https://github.com/gittuf/gittuf/security/advisories/GHSA-vxvc-cg7j-rwqj
        NOTE: Fixed by (merge): 
https://github.com/gittuf/gittuf/commit/dd76efa505f9137a4a9a625c5ac67b333365a1b8
 (v0.14.0)
 CVE-2026-44542 (FileBrowser Quantum is a free, self-hosted, web-based file 
manager. Pr ...)
@@ -9861,7 +9874,9 @@ CVE-2026-39826 (If a trusted template author were to 
write a <script> tag contai
        - golang-1.25 1.25.10-1
        - golang-1.26 1.26.3-1
        - golang-1.24 <removed>
+       [trixie] - golang-1.24 <no-dsa> (Minor issue)
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
        [bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm 
DSAs/point-releases)
        NOTE: https://go-review.googlesource.com/c/go/+/771180
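Review bot: the new `[bookworm] - golang-1.19 <no-dsa> (Minor issue)` line sits directly above the existing `[bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm DSAs/point-releases)`; with bookworm now marked no-dsa and the justification silent on a point-release update, bullseye has nothing to follow, so the bullseye entry should be brought in line (for example `<no-dsa>` with the same justification) or the bookworm justification should state that a point-release update is intended. The same applies to the five following golang hunks (CVE-2026-39825, CVE-2026-39823, CVE-2026-39820, CVE-2026-39819, CVE-2026-39817), which add the identical pair of lines above the same bullseye entry.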
@@ -9871,7 +9886,9 @@ CVE-2026-39825 (ReverseProxy can forward queries 
containing parameters not visib
        - golang-1.25 1.25.10-1
        - golang-1.26 1.26.3-1
        - golang-1.24 <removed>
+       [trixie] - golang-1.24 <no-dsa> (Minor issue)
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
        [bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm 
DSAs/point-releases)
        NOTE: https://go-review.googlesource.com/c/go/+/770541
@@ -9881,7 +9898,9 @@ CVE-2026-39823 (CVE-2026-27142 fixed a vulnerability in 
which URLs were not corr
        - golang-1.25 1.25.10-1
        - golang-1.26 1.26.3-1
        - golang-1.24 <removed>
+       [trixie] - golang-1.24 <no-dsa> (Minor issue)
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
        [bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm 
DSAs/point-releases)
        NOTE: https://go-review.googlesource.com/c/go/+/769920
@@ -9891,7 +9910,9 @@ CVE-2026-39820 (Well-crafted inputs reaching 
ParseAddress, ParseAddressList, and
        - golang-1.25 1.25.10-1
        - golang-1.26 1.26.3-1
        - golang-1.24 <removed>
+       [trixie] - golang-1.24 <no-dsa> (Minor issue)
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
        [bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm 
DSAs/point-releases)
        NOTE: https://go-review.googlesource.com/c/go/+/759940
@@ -9901,7 +9922,9 @@ CVE-2026-39819 (The "go bug" command writes to two files 
with predictable names
        - golang-1.25 1.25.10-1
        - golang-1.26 1.26.3-1
        - golang-1.24 <removed>
+       [trixie] - golang-1.24 <no-dsa> (Minor issue)
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
        [bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm 
DSAs/point-releases)
        NOTE: https://go-review.googlesource.com/c/go/+/763882
@@ -9911,7 +9934,9 @@ CVE-2026-39817 (The "go tool pack" subcommand (usually 
used only by the compiler
        - golang-1.25 1.25.10-1
        - golang-1.26 1.26.3-1
        - golang-1.24 <removed>
+       [trixie] - golang-1.24 <no-dsa> (Minor issue)
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
        [bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm 
DSAs/point-releases)
        NOTE: https://go-review.googlesource.com/c/go/+/767520
@@ -25164,6 +25189,8 @@ CVE-2026-34727 (Vikunja is an open-source self-hosted 
task management platform.
        NOT-FOR-US: Vikunja
 CVE-2026-34481 (Apache Log4j's  JsonTemplateLayout 
https://logging.apache.org/log4j/2. ...)
        - apache-log4j2 <unfixed> (bug #1133846)
+       [trixie] - apache-log4j2 <no-dsa> (Minor issue)
+       [bookworm] - apache-log4j2 <no-dsa> (Minor issue)
        - apache-log4j1.2 <not-affected> (Vulnerable code not present)
        NOTE: https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv
        NOTE: https://logging.apache.org/security.html#CVE-2026-34481
@@ -25171,13 +25198,19 @@ CVE-2026-34481 (Apache Log4j's  JsonTemplateLayout 
https://logging.apache.org/lo
        NOTE: Fixed by: 
https://github.com/apache/logging-log4j2/commit/2c4dd1db372c59ad73aca88e281635fe30072268
 (rel/2.25.4)
 CVE-2026-34480 (Apache Log4j Core's  XmlLayout 
https://logging.apache.org/log4j/2.x/ma ...)
        - apache-log4j2 <unfixed> (bug #1133847)
+       [trixie] - apache-log4j2 <no-dsa> (Minor issue)
+       [bookworm] - apache-log4j2 <no-dsa> (Minor issue)
        - apache-log4j1.2 <unfixed> (bug #1136032)
+       [trixie] - apache-log4j1.2 <no-dsa> (Minor issue)
+       [bookworm] - apache-log4j1.2 <no-dsa> (Minor issue)
        NOTE: https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb
        NOTE: https://logging.apache.org/security.html#CVE-2026-34480
        NOTE: https://github.com/apache/logging-log4j2/pull/4077
        NOTE: Fixed by: 
https://github.com/apache/logging-log4j2/commit/4f5014229825d8be977662e0743205bb8a67f989
 (rel/2.25.4)
 CVE-2026-34479 (The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge 
fails to ...)
        - apache-log4j2 <unfixed> (bug #1133848)
+       [trixie] - apache-log4j2 <no-dsa> (Minor issue)
+       [bookworm] - apache-log4j2 <no-dsa> (Minor issue)
        - apache-log4j1.2 <not-affected> (Vulnerable code not present)
        NOTE: https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on
        NOTE: https://logging.apache.org/security.html#CVE-2026-34479
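Review bot: for CVE-2026-34480 the `apache-log4j1.2 <unfixed> (bug #1136032)` entry now receives `<no-dsa>` tags for trixie and bookworm, but unlike the apache-log4j2 entry it has no `Fixed by:` reference, and every commit and pull request listed in the hunk is in the logging-log4j2 repository; a NOTE stating whether an equivalent XmlLayout fix exists, or still has to be written, for the 1.2 codebase would make the `Minor issue` tag verifiable for whoever picks up bug #1136032. The `<not-affected>` for apache-log4j1.2 on CVE-2026-34479 is consistent with the description, since Log4j1XmlLayout belongs to the 1-to-2 bridge shipped with log4j2.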


=====================================
data/dsa-needed.txt
=====================================
@@ -52,7 +52,7 @@ jetty12/stable
 --
 kamailio
 --
-kdenlive
+kdenlive (jmm)
   Maintainer preparing updates
 --
 kitty
@@ -105,7 +105,7 @@ runc
 rust-wasmtime
   for CVE-2026-34987 CVE-2026-34971, rest would also be fine to ignore
 --
-symfony
+symfony (jmm)
   Maintainer is preparing updates
 --
 sympa/oldstable
@@ -117,6 +117,8 @@ tomcat11/stable (apo)
 unbound
   Maintiner proposed debdiff for trixie-security for review
 --
+varnish (jmm)
+--
 xrdp
 --
 yelp
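Review bot: the new `varnish (jmm)` entry carries no issue reference, unlike the rust-wasmtime entry above it (`for CVE-2026-34987 CVE-2026-34971`); since the corresponding tracker entry is still `CVE-2026-XXXX [VSV00019]` with no CVE assigned, an indented line such as `for VSV00019` would let this dsa-needed item be matched to the data/CVE/list entry until the CVE id is known.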



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8499b4d5cec490f14e801a3e560338def01f691
