Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
7fc36e8e by Moritz Muehlenhoff at 2026-05-29T10:21:25+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -4070,6 +4070,8 @@ CVE-2026-6268 (The EventPress WordPress theme before 22.2
does not sanitize or e
NOT-FOR-US: WordPress plugin
CVE-2026-49017 (In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware
enters a ...)
- swift 2.37.1-4 (bug #1138170)
+ [bookworm] - swift <not-affected> (Support for aws-chunked introduced
in 2.35.1)
+ [bullseye] - swift <not-affected> (Support for aws-chunked introduced
in 2.35.1)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/27/9
NOTE: https://bugs.launchpad.net/swift/+bug/2152205
CVE-2026-49014 (In GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the
netCDF ...)
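Review bot: the `<not-affected>` reason on the two added lines, "Support for aws-chunked introduced in 2.35.1", has no reference behind it, and neither NOTE in the entry is marked as the source for that version. Add a NOTE pointing at the upstream change that introduced aws-chunked support, so the bookworm and bullseye status can be verified later.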
@@ -4217,6 +4219,7 @@ CVE-2026-48962 (IO::Compress versions before 2.220 for
Perl can execute arbitrar
NOTE: Fixed by:
https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610
(v2.220)
CVE-2026-48961 (IO::Compress versions from 2.207 before 2.220 for Perl ship a
zipdetai ...)
- libio-compress-perl 2.220-1 (bug #1138052)
+ [trixie] - libio-compress-perl <no-dsa> (Minor issue)
[bookworm] - libio-compress-perl <not-affected> (Vulnerable code
introduced later)
[bullseye] - libio-compress-perl <not-affected> (Vulnerable code
introduced later)
- perl <unfixed>
@@ -4277,6 +4280,7 @@ CVE-2026-9542 (A weakness has been identified in
CodeAstro Leave Management Syst
NOT-FOR-US: CodeAstro
CVE-2026-9541 (A security flaw has been discovered in Squirrel up to 3.2.
Impacted is ...)
- squirrel3 <unfixed>
+ [trixie] - squirrel3 <ignored> (Minor issue)
[bullseye] - squirrel3 <postponed> (Minor issue)
NOTE: https://github.com/albertodemichelis/squirrel/issues/327
CVE-2026-9540 (A vulnerability was identified in vllm-project vllm 0.19.0.
This issue ...)
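Review bot: the added `[trixie] - squirrel3 <ignored> (Minor issue)` line uses `<ignored>`, while the bullseye line directly below uses `<postponed>` with the same "Minor issue" reason and the other trixie additions in this commit use `<no-dsa>`. If the intent is that trixie will not get a fix, the reason should say why; otherwise `<no-dsa>` would match the rest of this triage. Bookworm has no line in the visible context, so confirm whether it needs one.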
@@ -4829,8 +4833,9 @@ CVE-2025-62745 (Improper Neutralization of Input During
Web Page Generation ('Cr
CVE-2026-48099
- python-wsgidav <itp> (bug #1032213)
CVE-2026-48715 [Stack Buffer Overflow in radvdump Route Information Option
Parser]
- - radvd <unfixed> (bug #1138049)
+ - radvd <unfixed> (bug #1138049; unimportant)
NOTE:
https://github.com/radvd-project/radvd/security/advisories/GHSA-52px-gh9p-m379
+ NOTE: Crash in CLI tool, no security impact
CVE-2026-9538 (Archive::Tar versions before 3.10 for Perl allow memory
exhaustion via ...)
- perl <unfixed>
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40396448/
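Review bot: the new NOTE "Crash in CLI tool, no security impact" sits under an entry titled "Stack Buffer Overflow in radvdump Route Information Option Parser" and does not say why a stack overflow is limited to a crash. Name the tool (radvdump) in the NOTE and record the basis for the `unimportant` tag, so the downgrade can be re-checked against the GHSA advisory referenced above it.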
@@ -5220,6 +5225,8 @@ CVE-2026-9366 (A vulnerability was found in NousResearch
hermes-agent 2026.4.23.
NOT-FOR-US: NousResearch hermes-agent
CVE-2026-9365 (A vulnerability has been found in Ettercap up to 0.8.3. The
affected e ...)
- ettercap <unfixed>
+ [trixie] - ettercap <no-dsa> (Minor issue)
+ [bookworm] - ettercap <no-dsa> (Minor issue)
NOTE: https://github.com/Ettercap/ettercap/issues/1306
NOTE: https://github.com/Ettercap/ettercap/pull/1307
NOTE:
https://github.com/Ettercap/ettercap/commit/feeae6fa366e01a3dd9f1857ec6aae847b2ae00c
@@ -7880,6 +7887,8 @@ CVE-2026-8724 (A security flaw has been discovered in
Dataease 2.10.20. Impacted
NOT-FOR-US: Dataease
CVE-2026-8723 (### Summary `qs.stringify` throws `TypeError` when called
with `arr ...)
- node-qs <unfixed> (bug #1137257)
+ [trixie] - node-qs <no-dsa> (Minor issue)
+ [bookworm] - node-qs <no-dsa> (Minor issue)
[bullseye] - node-qs <postponed> (Minor issue, DoS)
NOTE:
https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26
NOTE: Fixed by:
https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41
(v6.15.2)
@@ -22101,6 +22110,7 @@ CVE-2026-XXXX [RUSTSEC-2026-0104]
NOTE: https://github.com/advisories/GHSA-82j2-j2ch-gfr8
CVE-2026-42254 (Hickory DNS hickory-recursor 0.1 through 0.25.2 allows
cross-zone pois ...)
- rust-hickory-recursor <unfixed> (bug #1134954)
+ [trixie] - rust-hickory-recursor <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0106.html
NOTE:
https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-83hf-93m4-rgwq
CVE-2026-XXXX [RUSTSEC-2026-0109]
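Review bot: `[trixie] - rust-hickory-recursor <no-dsa> (Minor issue)` gives only the generic reason for an entry whose description reads "allows cross-zone pois ...". State the specific ground for treating it as minor in trixie in the parenthesised reason or an extra NOTE, so the decision can be reviewed without re-reading both advisories.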
=====================================
data/dsa-needed.txt
=====================================
@@ -22,6 +22,8 @@ botan3/stable
ceph (carnil)
for CVE-2024-47866, rest harmless
--
+chromium (dilinger)
+--
cups
--
dovecot
@@ -109,6 +111,8 @@ runc
rust-wasmtime
for CVE-2026-34987 CVE-2026-34971, rest would also be fine to ignore
--
+swift/stable (jmm)
+--
symfony (jmm)
Maintainer is preparing updates
--
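Review bot: `swift/stable (jmm)` is added without a note line, while the neighbouring entries (rust-wasmtime, symfony) say which CVEs are targeted or what state the update is in. A line such as `for CVE-2026-49017`, if that is the issue this entry tracks given the data/CVE/list change in this commit, would make the queue entry self-explanatory.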
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7fc36e8ed8d09a325c83b830598394db82678869
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits