Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
27ac3d32 by Moritz Muehlenhoff at 2026-06-01T12:31:27+02:00
trixie/bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -36,7 +36,10 @@ CVE-2026-35563
NOTE: https://www.openwall.com/lists/oss-security/2026/06/01/2
CVE-2026-48827
- mina2 <unfixed>
+ [trixie] - mina2 <no-dsa> (Minor issue)
+ [bookworm] - mina2 <no-dsa> (Minor issue)
- mina <removed>
+ [bookworm] - mina <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/30/1
CVE-2026-44825
- lucene-solr <not-affected> (Only affects 9.4.0 and later)
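Review bot: under CVE-2026-48827 the `mina <removed>` line gets only a `[bookworm]` annotation, while `mina2` gets both `[trixie]` and `[bookworm]`. That is right only if the mina source package is absent from trixie; if it still ships there, a matching `[trixie] - mina <no-dsa> (Minor issue)` line is missing.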
@@ -281,6 +284,8 @@ CVE-2026-46242 (In the Linux kernel, the following
vulnerability has been resolv
NOTE:
https://git.kernel.org/linus/a6dc643c69311677c574a0f17a3f4d66a5f3744b (7.1-rc1)
CVE-2026-8594 (Text::LineFold versions through 2019.001 for Perl duplicate the
output ...)
- libunicode-linebreak-perl <unfixed>
+ [trixie] - libunicode-linebreak-perl <no-dsa> (Minor issue)
+ [bookworm] - libunicode-linebreak-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40542383/
NOTE: Patch:
https://security.metacpan.org/patches/U/Unicode-LineBreak/2019.001/CVE-2026-8594-r1.patch
CVE-2026-48711
@@ -1292,18 +1297,26 @@ CVE-2026-49299 (In OpenStack Neutron before 28.0.1, the
tagging controller enfor
NOTE: https://security.openstack.org/ossa/OSSA-2026-016.html
CVE-2026-49130 (Music Player Daemon (MPD) before version 0.24.11 contains a
CRLF injec ...)
- mpd <unfixed> (bug #1138215)
+ [trixie] - mpd <no-dsa> (Minor issue)
+ [bookworm] - mpd <no-dsa> (Minor issue)
NOTE: https://github.com/MusicPlayerDaemon/MPD/issues/2483
NOTE: Fixed by:
https://github.com/MusicPlayerDaemon/MPD/commit/855085b35c67dddeef0652e2cb3ac8cdd4f457b7
(v0.24.11)
CVE-2026-49129 (Music Player Daemon (MPD) before version 0.24.11 contains a
server-sid ...)
- mpd <unfixed> (bug #1138215)
+ [trixie] - mpd <no-dsa> (Minor issue)
+ [bookworm] - mpd <no-dsa> (Minor issue)
NOTE: https://github.com/MusicPlayerDaemon/MPD/issues/2487
NOTE: Fixed by:
https://github.com/MusicPlayerDaemon/MPD/commit/78341dd6c7b101c3feede233d4cc4f8f1fcc4bb3
(v0.24.11)
CVE-2026-49128 (Music Player Daemon (MPD) before version 0.24.11 contains a
path trave ...)
- mpd <unfixed> (bug #1138215)
+ [trixie] - mpd <no-dsa> (Minor issue)
+ [bookworm] - mpd <no-dsa> (Minor issue)
NOTE: https://github.com/MusicPlayerDaemon/MPD/issues/2484
NOTE: Fixed by:
https://github.com/MusicPlayerDaemon/MPD/commit/0b5315b9e5a42cb0e88bf46a7579bb5641543f60
(v0.24.11)
CVE-2026-49127 (Music Player Daemon (MPD) before version 0.24.11 contains a
stack buff ...)
- mpd <unfixed> (bug #1138215)
+ [trixie] - mpd <no-dsa> (Minor issue)
+ [bookworm] - mpd <no-dsa> (Minor issue)
NOTE: https://github.com/MusicPlayerDaemon/MPD/issues/2485
NOTE: Fixed by:
https://github.com/MusicPlayerDaemon/MPD/commit/59911028c020f84bc2e669da6a1ef88121301274
(v0.24.11)
CVE-2026-49095 (Improper Input Validation (CWE-20) in the Kibana Fleet agent
policy ma ...)
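Review bot: the four MPD entries (CVE-2026-49127 through CVE-2026-49130) all get the identical reason `(Minor issue)`, although their descriptions name different bug classes, including the CVE-2026-49127 entry that begins "stack buff ...". Please record, in the reason or in a NOTE, what limits the impact of each one so the no-dsa decision can be re-checked later. All four share bug #1138215 and link an upstream fix commit in v0.24.11, so one point-release upload could cover them together.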
@@ -2774,6 +2787,8 @@ CVE-2026-48095
NOTE: https://securitylab.github.com/advisories/GHSL-2026-140_7-Zip/
CVE-2026-48863
- libsolv 0.7.38-1
+ [trixie] - libsolv <no-dsa> (Minor issue)
+ [bookworm] - libsolv <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2460975
NOTE: Fixed by:
https://github.com/openSUSE/libsolv/commit/44f8c085045b1f771641091bbb2b810d12cff9e8
(0.7.38)
CVE-2026-9712 (When creating an export through the pretix API, API clients are
retur ...)
@@ -5117,15 +5132,23 @@ CVE-2026-44900 (epa4all-client is the Java Client for
epa4all / ePA 3.0 in the T
NOT-FOR-US: epa4all-client
CVE-2026-44899 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
- mistune <unfixed> (bug #1138260)
+ [trixie] - mistune <no-dsa> (Minor issue)
+ [bookworm] - mistune <no-dsa> (Minor issue)
NOTE:
https://github.com/lepture/mistune/security/advisories/GHSA-ccfx-mfmx-2fx9
CVE-2026-44898 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
- mistune <unfixed> (bug #1138260)
+ [trixie] - mistune <no-dsa> (Minor issue)
+ [bookworm] - mistune <no-dsa> (Minor issue)
NOTE:
https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv
CVE-2026-44897 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
- mistune <unfixed> (bug #1138260)
+ [trixie] - mistune <no-dsa> (Minor issue)
+ [bookworm] - mistune <no-dsa> (Minor issue)
NOTE:
https://github.com/lepture/mistune/security/advisories/GHSA-v87v-83h2-53w7
CVE-2026-44896 (Mistune is a Python Markdown parser with renderers and
plugins. In 3.2 ...)
- mistune <unfixed> (bug #1138260)
+ [trixie] - mistune <no-dsa> (Minor issue)
+ [bookworm] - mistune <no-dsa> (Minor issue)
NOTE:
https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v
CVE-2026-44895 (GitLab MCP Server lets an AI agent talk directly to GitLab.
Prior to 0 ...)
NOT-FOR-US: GitLab MCP Server
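Review bot: CVE-2026-44896 is triaged the same way as the other three mistune entries, but its description starts "In 3.2 ..." where the others start "Prior ...", which suggests a narrower affected range. Please check the full description against the mistune versions in trixie and bookworm; if they fall outside that range, `<not-affected>` with a short reason is the accurate state for that release instead of `<no-dsa>`.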
@@ -5992,14 +6015,22 @@ CVE-2026-7766 (Kenik Camera management Panel is
vulnerable to Path Traversal vul
CVE-2026-5223 (Cargo incorrectly handled symlinks inside of crate tarballs
downloaded ...)
- cargo <removed>
- rust-cargo 0.91.0-3
+ [trixie] - rust-cargo <no-dsa> (Minor issue)
+ [bookworm] - rust-cargo <no-dsa> (Minor issue)
- rustc 1.95.0+dfsg1-2
+ [trixie] - rustc <no-dsa> (Minor issue)
+ [bookworm] - rustc <no-dsa> (Minor issue)
NOTE:
https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8
NOTE: https://blog.rust-lang.org/2026/05/25/cve-2026-5223/
NOTE:
https://github.com/rust-lang/cargo/commit/285cebf58911eca5b7f177f5d0b1c53e1f646577
CVE-2026-5222 (Cargo between 1.68 and 1.96 incorrectly normalized the URLs of
third-p ...)
- cargo <removed>
- rust-cargo 0.91.0-3
+ [trixie] - rust-cargo <no-dsa> (Minor issue)
+ [bookworm] - rust-cargo <no-dsa> (Minor issue)
- rustc 1.95.0+dfsg1-2
+ [trixie] - rustc <no-dsa> (Minor issue)
+ [bookworm] - rustc <no-dsa> (Minor issue)
NOTE:
https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s
NOTE: https://blog.rust-lang.org/2026/05/25/cve-2026-5222/
NOTE:
https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997f
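Review bot: for CVE-2026-5222 the description limits the affected range to Cargo "between 1.68 and 1.96", yet the `[bookworm]` lines for rust-cargo and rustc are marked `<no-dsa>` with no version check recorded. If the bookworm toolchain predates 1.68, `<not-affected>` with a short reason would be the correct state there. Separately, in both entries `- cargo <removed>` gets no per-release line, unlike `mina <removed>` earlier in this commit; if the cargo source package still ships in a stable release, it needs its own annotation.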
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27ac3d323de1d4ee263f1eee921411a105ff4f77
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits