Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
9ff1059b by Moritz Muehlenhoff at 2026-05-29T15:46:32+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -444,6 +444,8 @@ CVE-2026-5343 (Improper Check for Unusual or Exceptional
Conditions vulnerabilit
NOT-FOR-US: Drupal core and addons
CVE-2026-49299 (In OpenStack Neutron before 28.0.1, the tagging controller
enforces pl ...)
- neutron 2:28.0.0-4 (bug #1138172)
+ [trixie] - neutron <no-dsa> (Minor issue)
+ [bookworm] - neutron <no-dsa> (Minor issue)
NOTE: https://security.openstack.org/ossa/OSSA-2026-016.html
CVE-2026-49130 (Music Player Daemon (MPD) before version 0.24.11 contains a
CRLF injec ...)
- mpd <unfixed>
@@ -804,7 +806,10 @@ CVE-2026-49237 (An issue was discovered in Canonical
Multipass for macOS before
NOT-FOR-US: Multipass
CVE-2026-48735 (pypdf is a free and open-source pure-python PDF library. Prior
to 6.12 ...)
- pypdf <unfixed> (bug #1138192)
+ [trixie] - pypdf <no-dsa> (Minor issue)
+ [bookworm] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
+ [bookworm] - pypdf2 <no-dsa> (Minor issue)
NOTE:
https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjqc-6w8f-h24c
NOTE: https://github.com/py-pdf/pypdf/pull/3796
CVE-2026-48526 (PyJWT is a JSON Web Token implementation in Python. Prior to
2.13.0, w ...)
@@ -824,12 +829,18 @@ CVE-2026-48522 (PyJWT is a JSON Web Token implementation
in Python. Prior to 2.1
NOTE:
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4
CVE-2026-48156 (pypdf is a free and open-source pure-python PDF library. Prior
to 6.12 ...)
- pypdf <unfixed> (bug #1138193)
+ [trixie] - pypdf <no-dsa> (Minor issue)
+ [bookworm] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
+ [bookworm] - pypdf2 <no-dsa> (Minor issue)
NOTE:
https://github.com/py-pdf/pypdf/security/advisories/GHSA-248m-82v9-q6g6
NOTE: https://github.com/py-pdf/pypdf/pull/3791
CVE-2026-48155 (pypdf is a free and open-source pure-python PDF library. Prior
to 6.12 ...)
- pypdf <unfixed> (bug #1138194)
+ [trixie] - pypdf <no-dsa> (Minor issue)
+ [bookworm] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
+ [bookworm] - pypdf2 <no-dsa> (Minor issue)
NOTE:
https://github.com/py-pdf/pypdf/security/advisories/GHSA-cj93-chg6-vgv8
NOTE: https://github.com/py-pdf/pypdf/pull/3790
CVE-2026-47762 (TinyMCE is an open source rich text editor. Prior to 5.11.1,
7.9.3, an ...)
@@ -19662,7 +19673,10 @@ CVE-2026-31694 (In the Linux kernel, the following
vulnerability has been resolv
NOTE:
https://git.kernel.org/linus/51a8de6c50bf947c8f534cd73da4c8f0a13e7bed (7.1-rc1)
CVE-2026-5056 [Integer overflows and out-of-bounds access in MOV/MP4 demuxer]
- gst-plugins-good1.0 1.28.2-1
+ [bookworm] - gst-plugins-good1.0 <not-affected> (Vulnerable code not
present)
+ [bullseye] - gst-plugins-good1.0 <not-affected> (Vulnerable code not
present)
NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0016.html
+ NOTE: Introduced by:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/54830e7c0a61773c0d099d0c2896b6ca09b709d4
(1.25.50)
NOTE: Fixed by:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f9567e3e26c98fd7687f806e2317a12c705a3bb4
(main)
NOTE: Fixed by:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/bad6721ca4901123e5cb57eec9d8e84d69c08597
(1.28.2)
CVE-2026-7555 (A vulnerability was identified in itsourcecode Electronic
Judging Syst ...)
@@ -35156,6 +35170,8 @@ CVE-2026-34877 (An issue was discovered in Mbed TLS
versions from 2.19.0 up to 3
NOTE: Fixed by clarified documentation.
CVE-2026-34876 (An issue was discovered in Mbed TLS 3.x before 3.6.6. An
out-of-bounds ...)
- mbedtls 3.6.6-0.1 (bug #1132577)
+ [trixie] - mbedtls <no-dsa> (Minor issue)
+ [bookworm] - mbedtls <no-dsa> (Minor issue)
[bullseye] - mbedtls <not-affected> (Vulnerable code not present)
NOTE:
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ccm-finish-boundary-check/
CVE-2026-34835 (Rack is a modular Ruby web server interface. From versions
3.0.0.beta1 ...)
@@ -35687,9 +35703,13 @@ CVE-2026-3882
REJECTED
CVE-2026-34873 (An issue was discovered in Mbed TLS 3.5.0 through 4.0.0.
Client impers ...)
- mbedtls 3.6.6-0.1 (bug #1132577)
+ [trixie] - mbedtls <no-dsa> (Minor issue)
+ [bookworm] - mbedtls <no-dsa> (Minor issue)
NOTE:
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-client-impersonation-while-resuming-tls13-session/
CVE-2026-34872 (An issue was discovered in Mbed TLS 3.5.x and 3.6.x through
3.6.5 and ...)
- mbedtls 3.6.6-0.1 (bug #1132577)
+ [trixie] - mbedtls <no-dsa> (Minor issue)
+ [bookworm] - mbedtls <no-dsa> (Minor issue)
NOTE:
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ffdh-peerkey-checks/
CVE-2026-34750 (Payload is a free and open source headless content management
system. ...)
NOT-FOR-US: Payload CMS
@@ -35923,13 +35943,19 @@ CVE-2026-34889 (Improper Neutralization of Input
During Web Page Generation ('Cr
NOT-FOR-US: WordPress plugin or theme
CVE-2026-34875 (An issue was discovered in Mbed TLS through 3.6.5 and
TF-PSA-Crypto 1. ...)
- mbedtls 3.6.6-0.1 (bug #1132577)
+ [trixie] - mbedtls <no-dsa> (Minor issue)
+ [bookworm] - mbedtls <no-dsa> (Minor issue)
NOTE:
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ffdh-buffer-overflow/
CVE-2026-34874 (An issue was discovered in Mbed TLS through 3.6.5 and 4.x
through 4.0. ...)
- mbedtls 3.6.6-0.1 (bug #1132577)
+ [trixie] - mbedtls <no-dsa> (Minor issue)
+ [bookworm] - mbedtls <no-dsa> (Minor issue)
NOTE:
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-null-pointer-dereference-x509/
CVE-2026-34871 (An issue was discovered in Mbed TLS before 3.6.6 and 4.x
before 4.1.0 ...)
{DLA-4551-1}
- mbedtls 3.6.6-0.1 (bug #1132577; unimportant)
+ [trixie] - mbedtls <no-dsa> (Minor issue)
+ [bookworm] - mbedtls <no-dsa> (Minor issue)
NOTE:
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-dev-random/
NOTE: Builds using Glibc or uClibc, running on a kernel where
getrandom() is available, are safe.
CVE-2026-34751 (Payload is a free and open source headless content management
system. ...)
@@ -87191,6 +87217,7 @@ CVE-2024-2104 (Due to improper BLE security
configurations on the device's GATT
CVE-2025-66003 (An External Control of File Name or Path vulnerability in
smb4k allows ...)
{DSA-6092-1}
- smb4k 4.0.5-1 (bug #1122381)
+ [bookworm] - smb4k <ignored> (Will be removed in final Bookworm point
release)
NOTE: https://www.openwall.com/lists/oss-security/2025/12/10/6
NOTE: Fixed by:
https://invent.kde.org/network/smb4k/-/commit/0dea60194ab6eb8f6e34ca2e6cb0f97b90c46f1e
NOTE: Fixed by:
https://invent.kde.org/network/smb4k/-/commit/0aeabfa9d0f041479589dd855cbfe7cdebedfdb6
(4.0.5)
@@ -87200,6 +87227,7 @@ CVE-2025-66003 (An External Control of File Name or
Path vulnerability in smb4k
CVE-2025-66002 (An Improper Neutralization of Argument Delimiters in a
Command ('Argu ...)
{DSA-6092-1}
- smb4k 4.0.5-1 (bug #1122381)
+ [bookworm] - smb4k <ignored> (Will be removed in final Bookworm point
release)
NOTE: https://www.openwall.com/lists/oss-security/2025/12/10/6
NOTE: Fixed by:
https://invent.kde.org/network/smb4k/-/commit/0dea60194ab6eb8f6e34ca2e6cb0f97b90c46f1e
NOTE: Fixed by:
https://invent.kde.org/network/smb4k/-/commit/0aeabfa9d0f041479589dd855cbfe7cdebedfdb6
(4.0.5)
=====================================
data/dsa-needed.txt
=====================================
@@ -26,7 +26,9 @@ chromium (dilinger)
--
cups
--
-dovecot
+cyborg/stable (jmm)
+--
+dovecot (jmm)
Noah Meyerhans proposing updates for review, wait for exposure in unstable
for regressions
--
expat
@@ -42,7 +44,9 @@ frr
gh/oldstable
Santiago Vila might work on preparing an update
--
-imagemagick/oldstable
+gst-plugins-good1.0 (jmm)
+--
+imagemagick/oldstable (jmm)
--
inkscape/oldstable
--
@@ -122,6 +126,8 @@ tomcat10 (apo)
--
tomcat11/stable (apo)
--
+unbound/oldstable
+--
xrdp
--
yelp
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ff1059bb8b9e873c0aa2b2c51810ca5d6186bf7
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ff1059bb8b9e873c0aa2b2c51810ca5d6186bf7
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
