Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b14481fa by Moritz Muehlenhoff at 2026-06-02T12:01:14+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -671,6 +671,8 @@ CVE-2026-10276 (A vulnerability has been found in hekmon8 
Jenkins-server-mcp 0.1
        NOT-FOR-US: Jenkins-server-mcp
 CVE-2026-10275 (A flaw has been found in OpenSC up to 0.26.1. This affects the 
functio ...)
        - opensc <unfixed>
+       [trixie] - opensc <no-dsa> (Minor issue)
+       [bookworm] - opensc <no-dsa> (Minor issue)
        NOTE: https://github.com/OpenSC/OpenSC/issues/3682
        NOTE: https://github.com/OpenSC/OpenSC/pull/3684
        NOTE: 
https://github.com/OpenSC/OpenSC/commit/814f745b3b6d100295f65f1935edd33d520d33ab
@@ -889,42 +891,49 @@ CVE-2026-47191
        NOTE: 
https://github.com/siemens/kas/commit/4cb4a3d01122ffaec9feaae768a5814092f6f9b5 
(5.3)
 CVE-2026-8341
        - qemu 1:11.0.1+ds-1
+       [trixie] - qemu <no-dsa> (Minor issue)
        [bookworm] - qemu <not-affected> (Vulnerable code not present)
        [bullseye] - qemu <not-affected> (Vulnerable code not present)
        NOTE: Introduced with: 
https://gitlab.com/qemu-project/qemu/-/commit/f1488fac0584cc095865e4d4d987f01f4e97fbe5
 (v10.0.0-rc0)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/6a15005290ee1187f8ae9aa44e99b40cae07be45
 (v11.0.1)
 CVE-2026-41435
        - qemu 1:11.0.1+ds-1
+       [trixie] - qemu <no-dsa> (Minor issue)
        [bookworm] - qemu <not-affected> (Vulnerable code not present)
        [bullseye] - qemu <not-affected> (Vulnerable code not present)
        NOTE: Introduced with: 
https://gitlab.com/qemu-project/qemu/-/commit/db1ecfb473ac58f2bd065ca6f2a50c6294ff9169
 (v10.0.0-rc0)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/4c6e8882e4915ee9afe4116e4eaa7857912f18cb
 (v11.0.1)
 CVE-2026-41436
        - qemu 1:11.0.1+ds-1
+       [trixie] - qemu <no-dsa> (Minor issue)
        [bookworm] - qemu <not-affected> (Vulnerable code not present)
        [bullseye] - qemu <not-affected> (Vulnerable code not present)
        NOTE: Introduced with: 
https://gitlab.com/qemu-project/qemu/-/commit/90ca4e03c27dc8ac821a2e1686e705ae9a93d301
 (v10.0.0-rc0)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/023f87ab68cea5c08c73bd79545149fe77dc3f0c
 (v11.0.1)
 CVE-2026-41437
        - qemu 1:11.0.1+ds-1
+       [trixie] - qemu <no-dsa> (Minor issue)
        [bookworm] - qemu <not-affected> (Vulnerable code not present)
        [bullseye] - qemu <not-affected> (Vulnerable code not present)
        NOTE: Introduced with: 
https://gitlab.com/qemu-project/qemu/-/commit/1ebc319c8ca7ad8af350026662ae18fdcb8b0dac
 (v10.0.0-rc0)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/5c358eabe637699c9b1bf852931b58a78c681ff0
 (v11.0.1)
 CVE-2026-41438
        - qemu 1:11.0.1+ds-1
+       [trixie] - qemu <no-dsa> (Minor issue)
        [bookworm] - qemu <not-affected> (Vulnerable code not present)
        [bullseye] - qemu <not-affected> (Vulnerable code not present)
        NOTE: Introduced with: 
https://gitlab.com/qemu-project/qemu/-/commit/db1ecfb473ac58f2bd065ca6f2a50c6294ff9169
 (v10.0.0-rc0)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/2c4c582f3f179b2508ca259fda9e722adc973b40
 (v11.0.1)
 CVE-2026-41439
        - qemu 1:11.0.1+ds-1
+       [trixie] - qemu <no-dsa> (Minor issue)
        [bookworm] - qemu <not-affected> (Vulnerable code not present)
        [bullseye] - qemu <not-affected> (Vulnerable code not present)
        NOTE: Introduced with: 
https://gitlab.com/qemu-project/qemu/-/commit/02b593d4dccbb4a9684720d9ef07f0ac8d6da716
 (v10.0.0-rc0)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/02b593d4dccbb4a9684720d9ef07f0ac8d6da716
 (v11.0.1)
 CVE-2026-41440
        - qemu 1:11.0.1+ds-1
+       [trixie] - qemu <no-dsa> (Minor issue)
        [bookworm] - qemu <not-affected> (Vulnerable code not present)
        [bullseye] - qemu <not-affected> (Vulnerable code not present)
        NOTE: Introduced with: 
https://gitlab.com/qemu-project/qemu/-/commit/f1488fac0584cc095865e4d4d987f01f4e97fbe5
 (v10.0.0-rc0)
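Review bot: In the CVE-2026-41439 entry the "Introduced with" and "Fixed by" NOTEs point at the same commit, 02b593d4dccbb4a9684720d9ef07f0ac8d6da716, yet label it as v10.0.0-rc0 on one line and v11.0.1 on the other; one of the two hashes is a copy-paste slip and should be checked against the qemu history before the trixie no-dsa tags rest on it. The other six entries in this hunk each carry distinct introducing and fixing commits, so this is the only one affected.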
@@ -1270,6 +1279,8 @@ CVE-2026-45151 (NanoMQ MQTT Broker (NanoMQ) is an 
all-around Edge Messaging Plat
        NOT-FOR-US: NanoMQ MQTT Broker (NanoMQ)
 CVE-2026-45149 (The brace-expansion library generates arbitrary strings 
containing a c ...)
        - node-brace-expansion <unfixed> (bug #1138576)
+       [trixie] - node-brace-expansion <no-dsa> (Minor issue)
+       [bookworm] - node-brace-expansion <no-dsa> (Minor issue)
        NOTE: 
https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2
        NOTE: Fixed by: 
https://github.com/juliangruber/brace-expansion/commit/c0b095bdc52bc4c36dc88deddbadabc49f8371e5
 (v5.0.6)
 CVE-2026-44640 (NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging 
Platform.  ...)
@@ -3823,46 +3834,54 @@ CVE-2026-21785 (A misconfigured Content Security Policy 
(CSP) in HCL BigFix Remo
        NOT-FOR-US: HCL
 CVE-2026-48112
        - 7zip 26.01+dfsg-1
+       [trixie] - 7zip <no-dsa> (Minor issue)
+       [bookworm] - 7zip <no-dsa> (Minor issue)
        - p7zip 16.02+transitional.1
        NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source 
package
        NOTE: depending on 7zip. Mark this version as fixed version.
        NOTE: 
https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/
-CVE-2026-48111
-       - 7zip 26.01+dfsg-1
-       - p7zip 16.02+transitional.1
+CVE-2026-48111 [UEFI DEPEX OOB Read]
+       - 7zip 26.01+dfsg-1 (unimportant)
+       - p7zip 16.02+transitional.1 (unimportant)
        NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source 
package
        NOTE: depending on 7zip. Mark this version as fixed version.
        NOTE: 
https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/
-CVE-2026-48104
-       - 7zip 26.01+dfsg-1
-       - p7zip 16.02+transitional.1
+       NOTE: Crash in CLI tool, no security impact
+CVE-2026-48104 [SquashFS BlockToNode uninitialized heap read]
+       - 7zip 26.01+dfsg-1 (unimportant)
+       - p7zip 16.02+transitional.1 (unimportant)
        NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source 
package
        NOTE: depending on 7zip. Mark this version as fixed version.
        NOTE: 
https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/
-CVE-2026-48103
-       - 7zip 26.01+dfsg-1
-       - p7zip 16.02+transitional.1
+       NOTE: Crash in CLI tool, no security impact
+CVE-2026-48103 [WIM SecurityId OOB read]
+       - 7zip 26.01+dfsg-1 (unimportant)
+       - p7zip 16.02+transitional.1 (unimportant)
        NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source 
package
        NOTE: depending on 7zip. Mark this version as fixed version.
        NOTE: 
https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/
-CVE-2026-48102
-       - 7zip 26.01+dfsg-1
-       - p7zip 16.02+transitional.1
+       NOTE: Crash in CLI tool, no security impact
+CVE-2026-48102 [UDF Field OOB Read]
+       - 7zip 26.01+dfsg-1 (unimportant)
+       - p7zip 16.02+transitional.1 (unimportant)
        NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source 
package
        NOTE: depending on 7zip. Mark this version as fixed version.
        NOTE: 
https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/
-CVE-2026-48101
-       - 7zip 26.01+dfsg-1
-       - p7zip 16.02+transitional.1
+       NOTE: Crash in CLI tool, no security impact
+CVE-2026-48101 [UEFI Capsule uninitialized heap memory disclosure]
+       - 7zip 26.01+dfsg-1 (unimportant)
+       - p7zip 16.02+transitional.1 (unimportant)
        NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source 
package
        NOTE: depending on 7zip. Mark this version as fixed version.
        NOTE: 
https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/
-CVE-2026-48092
-       - 7zip 26.01+dfsg-1
-       - p7zip 16.02+transitional.1
+       NOTE: Crash in CLI tool, no security impact
+CVE-2026-48092 [SquashFS Fragment Offset Overflow]
+       - 7zip 26.01+dfsg-1 (unimportant)
+       - p7zip 16.02+transitional.1 (unimportant)
        NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source 
package
        NOTE: depending on 7zip. Mark this version as fixed version.
        NOTE: 
https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/
+       NOTE: Crash in CLI tool, no security impact
 CVE-2026-48095
        - 7zip 26.01+dfsg-1
        - p7zip 16.02+transitional.1
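Review bot: The triage rationale is missing for CVE-2026-48112, which is the one entry in this hunk kept at "Minor issue" with [trixie]/[bookworm] no-dsa tags while the sibling IDs from the same GHSL-2026-115_GHSL-2026-122 advisory are downgraded to (unimportant) with "NOTE: Crash in CLI tool, no security impact". A short NOTE on CVE-2026-48112 saying why it is not in the crash-only class would keep the distinction reviewable. As a style point, each added "Crash in CLI tool" NOTE sits after the generic p7zip and advisory NOTEs, three lines away from the (unimportant) tag it justifies; placing it directly under the version lines would make the tag and its reason read together.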
@@ -6665,7 +6684,9 @@ CVE-2026-41917 (OpenKM 6.3.12 contains a local file 
inclusion vulnerability in t
        NOT-FOR-US: OpenKM
 CVE-2026-41401 (libyang before 5.2.6 contains a heap use-after-free write 
vulnerabilit ...)
        - libyang <unfixed>
+       [trixie] - libyang <no-dsa> (Minor issue)
        - libyang2 <removed>
+       [bookworm] - libyang2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/CESNET/libyang/security/advisories/GHSA-9f49-8x56-jmjc
        NOTE: Fixed by: 
https://github.com/CESNET/libyang/commit/54c3276d871023da266d4ed3ceaee7e8d71d0b04
 (v5.4.9)
 CVE-2026-41164 (nuts-node is the reference implementation of the Nuts 
specification. P ...)
@@ -10464,6 +10485,8 @@ CVE-2026-46359 (phpMyFAQ before 4.1.2 contains a sql 
injection vulnerability in
        NOT-FOR-US: phpMyFAQ
 CVE-2026-45803 (`gh` is GitHub\u2019s official command line tool. From 1.6.0 
to before ...)
        - gh <unfixed> (bug #1136953)
+       [trixie] - gh <no-dsa> (Minor issue)
+       [bookworm] - gh <no-dsa> (Minor issue)
        NOTE: https://github.com/cli/cli/security/advisories/GHSA-crc3-h8v6-qh57
 CVE-2026-45800 (Vvveb is a powerful and easy to use CMS with page builder to 
build web ...)
        NOT-FOR-US: Vvveb
@@ -16875,6 +16898,8 @@ CVE-2026-42203 (LiteLLM is a proxy server (AI Gateway) 
to call LLM APIs in OpenA
        NOT-FOR-US: LiteLLM
 CVE-2026-42150 (wlc is a Weblate command-line client using Weblate's REST API. 
Prior t ...)
        - wlc 2.0.0-1 (bug #1136000)
+       [trixie] - wlc <no-dsa> (Minor issue)
+       [bookworm] - wlc <no-dsa> (Minor issue)
        NOTE: 
https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3
        NOTE: https://github.com/WeblateOrg/wlc/pull/1327
        NOTE: 
https://github.com/WeblateOrg/wlc/commit/0f3e58f6d7457b05d48ef40f579a172c4c8b8469
 (2.0.0)
@@ -38351,6 +38376,8 @@ CVE-2026-27101 (Dell Secure Connect Gateway (SCG) 5.0 
Appliance and Application
        NOT-FOR-US: Dell / EMC
 CVE-2026-25835 (Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse 
seeds in a ...)
        - mbedtls 3.6.6-0.1 (bug #1133841)
+       [trixie] - mbedtls <no-dsa> (Minor issue)
+       [bookworm] - mbedtls <no-dsa> (Minor issue)
        NOTE: 
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-rng-cloning/
 CVE-2026-25834 (Mbed TLS v3.3.0 up to 3.6.5 and 4.0.0 allows Algorithm 
Downgrade.)
        - mbedtls 3.6.6-0.1 (bug #1133841)


=====================================
data/dsa-needed.txt
=====================================
@@ -87,6 +87,8 @@ php-laravel-framework/oldstable
 --
 php-twig/oldstable (jmm)
 --
+poppler
+--
 prometheus
 --
 python-aiohttp/oldstable
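Review bot: The new `poppler` entry records neither a suite qualifier nor an assignee; the surrounding lines show both conventions, `php-twig/oldstable (jmm)` for a claimed oldstable item and bare `prometheus` for an unclaimed stable one. If the update is intended to be taken by the committer, the "(jmm)" marker should be added, and if oldstable needs a DSA as well, the file's convention is a separate `poppler/oldstable` line.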



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b14481fa50fb18c973cad230db060d13e4c6c14f


_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits