Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b668b4ce by Moritz Muehlenhoff at 2026-06-01T15:02:19+02:00
trixie/bookworm triage

- - - - -
98fd0238 by Moritz Muehlenhoff at 2026-06-01T15:02:21+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -67,6 +67,8 @@ CVE-2026-44825
        NOTE: https://issues.apache.org/jira/browse/SOLR-18233
 CVE-2026-8796
        - libsereal-decoder-perl <unfixed>
+       [trixie] - libsereal-decoder-perl <no-dsa> (Minor issue)
+       [bookworm] - libsereal-decoder-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/40571630/
        NOTE: Fixed by: 
https://github.com/Sereal/Sereal/commit/303a2c69cdba80bf37a3ff43461e0aa78198a7a3
 (Sereal-5.005)
 CVE-2026-8382 (The Advanced Custom Fields (ACF\xae) plugin for WordPress is 
vulnerabl ...)
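Review bot: The libsereal-decoder-perl entry gets <no-dsa> for both suites while the unstable line stays <unfixed> without a bug reference, unlike the rpm and bzip2 entries in this same push, which carry "(bug #...)" on their <unfixed> line; since a fixing upstream commit (Sereal-5.005) is already recorded, reference the Debian bug on the <unfixed> line so the no-dsa decision has something to be tracked against.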
@@ -389,15 +391,21 @@ CVE-2026-44640 (NanoMQ MQTT Broker (NanoMQ) is an 
all-around Edge Messaging Plat
        NOT-FOR-US: NanoMQ MQTT Broker (NanoMQ)
 CVE-2026-44422 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. Prior ...)
        - freerdp3 3.26.0+dfsg-1
+       [trixie] - freerdp3 <no-dsa> (Minor issue)
        - freerdp2 <removed>
+       [bookworm] - freerdp2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j9q5-7g8m-jc9v
 CVE-2026-44421 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. Prior ...)
        - freerdp3 3.26.0+dfsg-1
+       [trixie] - freerdp3 <no-dsa> (Minor issue)
        - freerdp2 <removed>
+       [bookworm] - freerdp2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff
 CVE-2026-44420 (FreeRDP is a free implementation of the Remote Desktop 
Protocol. Prior ...)
        - freerdp3 3.26.0+dfsg-1
+       [trixie] - freerdp3 <no-dsa> (Minor issue)
        - freerdp2 <removed>
+       [bookworm] - freerdp2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvpx-xj7r-3p3r
 CVE-2026-44287 (FastGPT is an AI Agent building platform. Prior to 
4.15.0-beta1, the J ...)
        NOT-FOR-US: FastGPT
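Review bot: For the three FreeRDP entries the [bookworm] tag is placed on freerdp2, which the line above it records as <removed> from unstable, while the [trixie] tag goes on freerdp3; that only makes sense if bookworm still ships freerdp2 and trixie freerdp3, so it is worth stating that once in a NOTE rather than relying on the reader to infer it from the <removed> marker, especially as the same pattern is repeated verbatim three times.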
@@ -1598,6 +1606,8 @@ CVE-2026-42305
        NOTE: 
https://github.com/jelmer/dulwich/security/advisories/GHSA-897w-fcg9-f6xj
 CVE-2026-9828 (Deserialization of untrusted data vulnerability in QOS.CH Sarl 
logback ...)
        - logback <unfixed>
+       [trixie] - logback <no-dsa> (Minor issue)
+       [bookworm] - logback <no-dsa> (Minor issue)
        NOTE: https://logback.qos.ch/news.html#1.5.33
 CVE-2026-9818
        REJECTED
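Review bot: The logback entry is rated "Minor issue" for a deserialization-of-untrusted-data CVE but carries only the upstream news link; add a NOTE giving the reason for the rating (which component is affected and under what configuration), the way the linux hunk below puts its not-affected rationale inline, so the no-dsa decision can be audited later without re-reading the upstream page.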
@@ -1747,29 +1757,29 @@ CVE-2026-47674 (Hono is a Web application framework 
that provides support for an
 CVE-2026-47673 (Hono is a Web application framework that provides support for 
any Java ...)
        NOT-FOR-US: Hono
 CVE-2026-47337 (Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a 
possible N ...)
-       TODO: check
+       - linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47336 (Ubuntu Linux 6.8 contains SAUCE patches with a possible use of 
an unin ...)
-       TODO: check
+       - linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47335 (Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL 
pointer d ...)
-       TODO: check
+       - linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47334 (Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches 
which in ...)
-       TODO: check
+       - linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47333 (Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches 
which ca ...)
-       TODO: check
+       - linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47332 (Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches 
which in ...)
-       TODO: check
+       - linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47331 (Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to 
acquire ...)
-       TODO: check
+       - linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47330 (Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches 
which ca ...)
-       TODO: check
+       - linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47329 (Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which 
fail to val ...)
-       TODO: check
+       - linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47328 (Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches 
which in ...)
-       TODO: check
+       - linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47327 (Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a 
possible N ...)
-       TODO: check
+       - linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47326 (Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a 
memory lea ...)
-       TODO: check
+       - linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47136 (RustFS is a distributed object storage system built in Rust. 
Prior to  ...)
        NOT-FOR-US: RustFS
 CVE-2026-47074 (Improper Certificate Validation vulnerability in ex-aws 
ex_aws_sns (Ex ...)
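Review bot: All twelve linux entries get the identical justification "Ubuntu-specific Apparmor patches/backports", but six of the descriptions (CVE-2026-47337, -47336, -47335, -47329, -47327, -47326) mention only "SAUCE patches" without naming AppArmor; confirm each of those really concerns the AppArmor backports before reusing the shared wording, and consider spelling it "AppArmor" to match the CVE text. The CVE-2026-47330 description reading "6.8, 7.17 and 7.0" where its siblings read "6.8, 6.17 and 7.0" looks like an upstream typo and is not something this triage needs to touch.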
@@ -1846,6 +1856,8 @@ CVE-2026-44672 (mapfish-print is a component of MapFish 
for printing templated c
        NOT-FOR-US: mapfish-print
 CVE-2026-44604 (A command injection vulnerability was discovered in the 
`rpmuncompress ...)
        - rpm <unfixed> (bug #1138234)
+       [trixie] - rpm <no-dsa> (Minor issue)
+       [bookworm] - rpm <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2460967
 CVE-2026-44594 (esm.sh is a no-build content delivery network (CDN) for web 
developmen ...)
        NOT-FOR-US: esm.sh
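Review bot: The rpm entry marks a command-injection CVE in rpmuncompress as "Minor issue" for both suites without saying why; add a NOTE with the precondition that makes it minor (who can supply the input and in which invocation context), since "Minor issue" on a command-injection class bug is the kind of rating a later reader will otherwise re-evaluate from scratch. The Debian bug and Red Hat bugzilla references are in place, which is good.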
@@ -1889,6 +1901,8 @@ CVE-2026-42998 (An issue was discovered in OpenStack 
Keystone before 29.0.2. The
        NOTE: https://security.openstack.org/ossa/OSSA-2026-015.html
 CVE-2026-42250 (bzip2 contains an off\u2011by\u2011one error in the 
bzip2recover utili ...)
        - bzip2 <unfixed> (bug #1138255)
+       [trixie] - bzip2 <no-dsa> (Minor issue)
+       [bookworm] - bzip2 <no-dsa> (Minor issue)
        NOTE: 
https://inbox.sourceware.org/bzip2-devel/[email protected]/
        NOTE: Fixed by: 
https://sourceware.org/cgit/bzip2/commit/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67
 CVE-2026-41565 (CryptX versions before 0.088_001 for Perl have a stack buffer 
overflow ...)
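Review bot: The first NOTE URL for bzip2 appears here as https://inbox.sourceware.org/bzip2-devel/[email protected]/, i.e. the Message-ID part of the path has been replaced by an address-obfuscation placeholder; check that the committed file carries the real Message-ID, otherwise the reference is dead. The no-dsa rating itself is consistent with the description scoping the off-by-one to the bzip2recover utility.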
@@ -5115,6 +5129,8 @@ CVE-2026-49017 (In OpenStack Swift before 2.36.2 and 
2.37.2, s3api middleware en
        NOTE: https://bugs.launchpad.net/swift/+bug/2152205
 CVE-2026-49014 (In GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the 
netCDF  ...)
        - gdal <unfixed>
+       [trixie] - gdal <no-dsa> (Minor issue)
+       [bookworm] - gdal <no-dsa> (Minor issue)
        NOTE: https://github.com/OSGeo/gdal/issues/14594
        NOTE: https://github.com/OSGeo/gdal/pull/14598
        NOTE: 
https://github.com/OSGeo/gdal/commit/c49254dc6380af2f02ff43ca79e3cf7c1bc82f01
@@ -5614,7 +5630,9 @@ CVE-2026-40034 (gix-submodule before 0.29.0 (gitoxide 
before 0.5.21, gix before
        TODO: check
 CVE-2026-40033 (FreeRDP before 3.26.0 contains a heap-buffer-overflow 
vulnerability in ...)
        - freerdp3 3.26.0+dfsg-1
+       [trixie] - freerdp3 <no-dsa> (Minor issue)
        - freerdp2 <removed>
+       [bookworm] - freerdp2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff
        TODO: unclear fixing commit references, incorrect reference in CVE 
entry?
 CVE-2026-3660 (IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 
could all ...)
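Review bot: The TODO about unclear fixing commit references is left in place while the entry is marked <no-dsa> for both suites; the advisory URL here (GHSA-p6r2-4hgm-m6ff) is identical to the one attached to CVE-2026-44421 in the @@ -389 hunk, so one of the two is probably mislinked. Resolve that TODO (or note which advisory is the right one) before both entries settle as no-dsa, so the tags do not cause the open question to drop off anyone's list.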
@@ -15925,7 +15943,9 @@ CVE-2026-33811 (When using LookupCNAME with the cgo DNS 
resolver, a very long CN
        - golang-1.25 1.25.10-1
        - golang-1.26 1.26.3-1
        - golang-1.24 <removed>
+       [trixie] - golang-1.24 <no-dsa> (Minor issue)
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
        [bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm 
DSAs/point-releases)
        NOTE: https://go-review.googlesource.com/c/go/+/767860
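Review bot: With bookworm now marked <no-dsa> (Minor issue) on golang-1.19, the bullseye line for golang-1.15, which is <postponed> with "follow bookworm DSAs/point-releases", has nothing to follow unless a bookworm point-release update is planned; state on the bullseye line whether it inherits the no-dsa decision or still expects a point-release fix. As in the FreeRDP hunks, the new tags sit on sources recorded as <removed> from unstable, which is fine as long as those are the versions the suites actually ship.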


=====================================
data/dsa-needed.txt
=====================================
@@ -53,6 +53,8 @@ jetty12/stable
 --
 kamailio
 --
+keystone
+--
 kitty/oldstable
   No update yet or bookworm, might be too intrusive
 --
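Review bot: The new keystone entry has no suite suffix, unlike the neighbouring jetty12/stable and kitty/oldstable, and no explanatory line; the context of the data/CVE/list hunk at @@ -1889 shows CVE-2026-42998 (OpenStack Keystone before 29.0.2, OSSA-2026-015) as the likely trigger, so record which suite(s) the DSA should cover and mention the CVE so the dsa-needed entry can be matched back to it.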



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/12e4791584e488ab4f225164dee04db23ada58a7...98fd02388f5802fb77e2cd848dc15482948988a9



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
