Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
23e0ef2d by Moritz Muehlenhoff at 2026-05-27T09:26:47+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1478,6 +1478,7 @@ CVE-2026-9277 (shell-quote's `quote()` function did not
validate object-token in
{DSA-6300-1}
- node-shell-quote 1.8.4+~1.7.5-1 (bug #1137372)
NOTE:
https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p
+ NOTE:
https://github.com/ljharb/shell-quote/commit/4378a6e613db5948168684864e49b42b83134d2d
(v1.8.4)
CVE-2026-9256 (NGINX Plus and NGINX Open Source have a vulnerability in the
ngx_http_ ...)
- nginx 1.30.1-3 (bug #1137339)
NOTE: https://my.f5.com/manage/s/article/K000161377
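Review bot: the added NOTE for the shell-quote commit omits the `Fixed by:` prefix that the other commit references in this file carry (the libsolv and aiohttp entries use `NOTE: Fixed by: <commit> (<version>)`), so a later reader cannot tell whether the commit introduces or fixes the issue; suggest `+ NOTE: Fixed by: https://github.com/ljharb/shell-quote/commit/4378a6e613db5948168684864e49b42b83134d2d (v1.8.4)`, which also ties the note to the 1.8.4+~1.7.5-1 fixed version recorded two lines above.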
@@ -2253,12 +2254,16 @@ CVE-2026-9152 (A missing authentication vulnerability
exists in the Altium 365 S
NOT-FOR-US: Altium
CVE-2026-9150 (A flaw was found in libsolv. This stack-based buffer overflow
vulnerab ...)
- libsolv 0.7.37-1
+ [trixie] - libsolv <no-dsa> (Minor issue)
+ [bookworm] - libsolv <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2460379
NOTE: https://github.com/openSUSE/libsolv/pull/616
NOTE: Introduced with:
https://github.com/openSUSE/libsolv/commit/c8164bfecf2ba8bcf4c24329534d3104f19da73c
(0.6.4)
NOTE: Fixed by:
https://github.com/openSUSE/libsolv/commit/c5b5db52aebde00bdeacecf4d0569c217ab3187d
(0.7.37)
CVE-2026-9149 (A flaw was found in libsolv. This heap buffer overflow
vulnerability o ...)
- libsolv <unfixed> (bug #1137373)
+ [trixie] - libsolv <no-dsa> (Minor issue)
+ [bookworm] - libsolv <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2460380
NOTE: https://github.com/openSUSE/libsolv/pull/617
NOTE:
https://github.com/openSUSE/libsolv/commit/210386037c892a720972ad35a3d8f7073b4d763b
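Review bot: CVE-2026-9149 is tagged `<no-dsa>` for trixie and bookworm while its sid entry is still `<unfixed>` and its commit note carries neither a `Fixed by:` prefix nor the release marker, unlike the neighbouring CVE-2026-9150 entry, which records both the introducing commit (0.6.4) and the fixing release (0.7.37); suggest adding `Fixed by:` and the release once the commit is tagged, and an `Introduced with:` note if known, so that the no-dsa decision for the older libsolv in bookworm is documented as affected rather than assumed.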
@@ -5759,6 +5764,8 @@ CVE-2026-43997 (vm2 is an open source vm/sandbox for
Node.js. Prior to 3.11.0, i
NOT-FOR-US: Node.js vm2
CVE-2026-43970 (Improper Handling of Highly Compressed Data (Data
Amplification) vulne ...)
- erlang-cowlib <unfixed> (bug #1136649)
+ [trixie] - erlang-cowlib <no-dsa> (Minor issue)
+ [bookworm] - erlang-cowlib <no-dsa> (Minor issue)
NOTE: https://cna.erlef.org/cves/CVE-2026-43970.html
NOTE: https://osv.dev/vulnerability/EEF-CVE-2026-43970
NOTE:
https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282
(2.16.1)
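Review bot: the sid entry for erlang-cowlib stays `<unfixed>` although the referenced fix commit is marked as released in 2.16.1; if 2.16.1 or a backport of that commit is already in unstable, the entry should carry that fixed version instead, and if not, a one-line NOTE saying why unstable is still affected would help, since bug #1136649 is currently the only pointer for that state.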
@@ -8034,6 +8041,8 @@ CVE-2026-7813 (Authorization vulnerability in pgAdmin 4
server mode affecting Se
- pgadmin4 <itp> (bug #834129)
CVE-2026-7790 (Uncontrolled Resource Consumption vulnerability in ninenines
cowlib (c ...)
- erlang-cowlib <unfixed> (bug #1136446)
+ [trixie] - erlang-cowlib <no-dsa> (Minor issue)
+ [bookworm] - erlang-cowlib <no-dsa> (Minor issue)
NOTE: https://cna.erlef.org/cves/CVE-2026-7790.html
NOTE: https://osv.dev/vulnerability/EEF-CVE-2026-7790
NOTE:
https://github.com/ninenines/cowlib/commit/a4b8039ce8c93ab00867ef6b7e888822c09f4369
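Review bot: the commit note for CVE-2026-7790 lacks the upstream release marker that the CVE-2026-43970 entry carries (`(2.16.1)`); both are erlang-cowlib resource-consumption issues tracked against `<unfixed>` and triaged identically as `<no-dsa> (Minor issue)`, so recording the release that contains this commit lets both entries be closed together when the package is updated.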
@@ -13708,6 +13717,8 @@ CVE-2026-42796 (Arelle before 2.39.10 contains an
unauthenticated remote code ex
NOT-FOR-US: Arelle
CVE-2026-42440 (OOM Denial of Service via Unbounded Array Allocation in Apache
OpenNLP ...)
- apache-opennlp 2.5.9-1 (bug #1135782)
+ [trixie] - apache-opennlp <no-dsa> (Minor issue)
+ [bookworm] - apache-opennlp <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/01/21
NOTE: https://issues.apache.org/jira/browse/OPENNLP-1821
NOTE: https://github.com/apache/opennlp/pull/1022
@@ -13825,6 +13836,8 @@ CVE-2026-42052 (Beets is the media library management
system. Prior to version 2
NOTE:
https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847
CVE-2026-42027 (Arbitrary Class Instantiation via Model Manifest in Apache
OpenNLP Ext ...)
- apache-opennlp 2.5.9-1 (bug #1135782)
+ [trixie] - apache-opennlp <no-dsa> (Minor issue)
+ [bookworm] - apache-opennlp <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/01/20
NOTE: https://issues.apache.org/jira/browse/OPENNLP-1820
NOTE: https://github.com/apache/opennlp/pull/1021
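Review bot: `(Minor issue)` is a thin justification for CVE-2026-42027, whose description is arbitrary class instantiation via a model manifest, which reads as more severe than the OOM and XXE OpenNLP entries that share bug #1135782 and the same `<no-dsa>` tags; suggest expanding the reason in the tag (for example the preconditions under which an untrusted manifest would be processed, if that is the basis) so the triage decision can be reviewed later without re-reading the upstream PR.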
@@ -13854,6 +13867,8 @@ CVE-2026-40797 (Improper Neutralization of Special
Elements used in an SQL Comma
NOT-FOR-US: WordPress plugin or theme
CVE-2026-40682 (XML External Entity (XXE) via Unsanitized Dictionary Parsing
in Apache ...)
- apache-opennlp 2.5.9-1 (bug #1135782)
+ [trixie] - apache-opennlp <no-dsa> (Minor issue)
+ [bookworm] - apache-opennlp <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/01/19
NOTE: https://issues.apache.org/jira/browse/OPENNLP-1819
NOTE: https://github.com/apache/opennlp/pull/1019
@@ -31639,6 +31654,8 @@ CVE-2026-34519 (AIOHTTP is an asynchronous HTTP
client/server framework for asyn
NOTE: Fixed by:
https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b
(v3.13.4)
CVE-2026-34518 (AIOHTTP is an asynchronous HTTP client/server framework for
asyncio an ...)
- python-aiohttp 3.13.5-1 (bug #1132582)
+ [trixie] - python-aiohttp <no-dsa> (Minor issue)
+ [bookworm] - python-aiohttp <no-dsa> (Minor issue)
NOTE:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-966j-vmvw-g2g9
NOTE: Fixed by:
https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6
(v3.13.4)
CVE-2026-34517 (AIOHTTP is an asynchronous HTTP client/server framework for
asyncio an ...)
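Review bot: tagging CVE-2026-34518 `<no-dsa>` for bookworm while data/dsa-needed.txt in this same commit still lists `python-aiohttp/oldstable` looks inconsistent at first glance; if a bookworm update for python-aiohttp is pending anyway, the referenced fix commit (v3.13.4) could be folded into it and the tag dropped, otherwise a short note in dsa-needed.txt stating which CVEs that entry covers would remove the ambiguity.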
=====================================
data/dsa-needed.txt
=====================================
@@ -88,7 +88,7 @@ prometheus
--
python-aiohttp/oldstable
--
-roundcube
+roundcube (jmm)
Maintainer working on updates
--
rtpengine
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23e0ef2d44eafc7a582da8ad217f83b25c0ab925
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits