Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
0d04b7e7 by Moritz Muehlenhoff at 2026-06-08T09:53:11+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2333,6 +2333,8 @@ CVE-2026-49837
NOTE:
https://github.com/osrg/gobgp/security/advisories/GHSA-gjrg-jjr3-56cm
CVE-2026-8916 (Out-of-bounds write vulnerability in Samsung Open Source
rlottie allow ...)
- rlottie <unfixed> (bug #1138916)
+ [trixie] - rlottie <no-dsa> (Minor issue)
+ [bookworm] - rlottie <no-dsa> (Minor issue)
NOTE: https://github.com/Samsung/rlottie/pull/589
NOTE:
https://github.com/Samsung/rlottie/commit/ffe60942892c3d68b14560761ea920d360ef51bb
CVE-2026-8762
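Review bot: the new [trixie]/[bookworm] lines for CVE-2026-8916 give only "Minor issue" as justification, although the description is an out-of-bounds write in rlottie; since the upstream PR (#589) and the fix commit are already referenced in the NOTE lines, adding one more NOTE with the reason it is rated minor would make the no-dsa decision easier to revisit later.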
@@ -2437,17 +2439,25 @@ CVE-2026-47706 (Strawberry GraphQL is a library for
creating GraphQL APIs. In ve
NOT-FOR-US: Strawberry GraphQL
CVE-2026-47320 (Access of uninitialized pointer, Uncontrolled Recursion
vulnerability ...)
- rlottie <unfixed> (bug #1138920)
+ [trixie] - rlottie <no-dsa> (Minor issue)
+ [bookworm] - rlottie <no-dsa> (Minor issue)
NOTE: https://github.com/Samsung/rlottie/pull/593
CVE-2026-47319 (Memory allocation with excessive size value vulnerability in
Samsung O ...)
- rlottie <unfixed> (bug #1138919)
+ [trixie] - rlottie <no-dsa> (Minor issue)
+ [bookworm] - rlottie <no-dsa> (Minor issue)
NOTE: https://github.com/Samsung/rlottie/pull/588
NOTE:
https://github.com/Samsung/rlottie/commit/5def9f402b1cb5b09f52655e414f0afba4ffd959
CVE-2026-47318 (Stack-based buffer overflow vulnerability in Samsung Open
Source rlott ...)
- rlottie <unfixed> (bug #1138918)
+ [trixie] - rlottie <no-dsa> (Minor issue)
+ [bookworm] - rlottie <no-dsa> (Minor issue)
NOTE: https://github.com/Samsung/rlottie/pull/582
NOTE:
https://github.com/Samsung/rlottie/commit/9e4f354f6ebdf294738ef7abf1728f40889c2c51
CVE-2026-47306 (Uncontrolled Recursion vulnerability in Samsung Open Source
rlottie al ...)
- rlottie <unfixed> (bug #1138917)
+ [trixie] - rlottie <no-dsa> (Minor issue)
+ [bookworm] - rlottie <no-dsa> (Minor issue)
NOTE: https://github.com/Samsung/rlottie/pull/585
NOTE:
https://github.com/Samsung/rlottie/commit/1cda06022e53206c230fb0c6e38b2adaea729a5d
CVE-2026-45739 (Strawberry GraphQL is a library for creating GraphQL APIs. In
versions ...)
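Review bot: CVE-2026-47320 references only https://github.com/Samsung/rlottie/pull/593, while the neighbouring rlottie entries in this hunk (CVE-2026-47319, CVE-2026-47318, CVE-2026-47306) record both the PR and the merged fix commit; once PR 593 is merged, add the commit NOTE so all rlottie entries are tracked the same way.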
@@ -2460,6 +2470,8 @@ CVE-2026-45431 (This vulnerability exists in GX Earth ONT
models due to improper
NOT-FOR-US: GX Earth ONT models
CVE-2026-45287 (OpenTelemetry-Go is the Go implementation of OpenTelemetry.
Prior to v ...)
- golang-opentelemetry-otel <unfixed> (bug #1139168)
+ [trixie] - golang-opentelemetry-otel <no-dsa> (Minor issue)
+ [bookworm] - golang-opentelemetry-otel <no-dsa> (Minor issue)
NOTE:
https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-995v-fvrw-c78m
NOTE: Introduced with:
https://github.com/open-telemetry/opentelemetry-go/commit/e72a235518cb773137efd80336a179028bc34684
NOTE: Fixed by:
https://github.com/open-telemetry/opentelemetry-go/commit/f12d198f161b61735d65705248715aa97021ba8d
(v1.44.0)
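Review bot: the "Introduced with:" NOTE for CVE-2026-45287 names a specific upstream commit, so the bookworm version of golang-opentelemetry-otel may predate it; if it does, the new [bookworm] line should be <not-affected> rather than <no-dsa> (Minor issue). Worth checking the packaged version before settling on no-dsa.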
@@ -2497,6 +2509,8 @@ CVE-2026-41207 (The netty incubator codec.bhttp is a java
language binary http p
NOT-FOR-US: netty-incubator-codec-ohttp
CVE-2026-41178 (OpenTelemetry-Go is the Go implementation of OpenTelemetry.
Versions 1 ...)
- golang-opentelemetry-otel <unfixed> (bug #1139167)
+ [trixie] - golang-opentelemetry-otel <no-dsa> (Minor issue)
+ [bookworm] - golang-opentelemetry-otel <no-dsa> (Minor issue)
NOTE:
https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835
NOTE: https://github.com/open-telemetry/opentelemetry-go/pull/7880
CVE-2026-41065 (Tautulli is a Python based monitoring and tracking tool for
Plex Media ...)
@@ -2635,6 +2649,8 @@ CVE-2026-10597 (OMICARD EDM developed by ITPison has a
Insecure Direct Object Re
NOT-FOR-US: ITPison
CVE-2026-10305 (Out-of-bounds read vulnerability in Samsung Open Source
rlottie allows ...)
- rlottie <unfixed> (bug #1139179)
+ [trixie] - rlottie <no-dsa> (Minor issue)
+ [bookworm] - rlottie <no-dsa> (Minor issue)
NOTE: https://github.com/Samsung/rlottie/pull/587
NOTE:
https://github.com/Samsung/rlottie/commit/b4f5101a4d1a8da60cc14cfd05608551b3448c77
CVE-2025-71316 (SQLite 'sqldiff.exe' does not securely handle the way the
Microsoft Wi ...)
@@ -2801,17 +2817,25 @@ CVE-2026-47324 (ProjectsAndPrograms
school-management-system is vulnerable to St
NOT-FOR-US: ProjectsAndPrograms school-management-system
CVE-2026-47321
- mina2 <unfixed> (bug #1139162)
+ [trixie] - mina2 <no-dsa> (Minor issue)
+ [bookworm] - mina2 <no-dsa> (Minor issue)
- mina <removed>
+ [bookworm] - mina <no-dsa> (Minor issue)
NOTE: https://lists.apache.org/thread/y7xj1bl8qo47p9bktb11hg5v6k1d4dyj
CVE-2026-47065 (ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers
Filter By ...)
- mina2 <unfixed> (bug #1139162)
+ [trixie] - mina2 <no-dsa> (Minor issue)
+ [bookworm] - mina2 <no-dsa> (Minor issue)
- mina <removed>
+ [bookworm] - mina <no-dsa> (Minor issue)
NOTE: https://lists.apache.org/thread/y7xj1bl8qo47p9bktb11hg5v6k1d4dyj
CVE-2026-45702 (OP-TEE is a Trusted Execution Environment (TEE) designed as
companion ...)
- optee-os <unfixed> (bug #1138880)
+ [trixie] - optee-os <no-dsa> (Minor issue)
NOTE:
https://github.com/OP-TEE/optee_os/security/advisories/GHSA-86pj-8xgw-66p5
CVE-2026-45614 (OP-TEE is a Trusted Execution Environment (TEE) designed as
companion ...)
- optee-os <unfixed> (bug #1138879)
+ [trixie] - optee-os <no-dsa> (Minor issue)
NOTE:
https://github.com/OP-TEE/optee_os/security/advisories/GHSA-g6qf-hwf7-mg9h
CVE-2026-44546 (daphne before 4.2.2 reconstructs a raw HTTP request from
Twisted's par ...)
- python-daphne <unfixed> (bug #1138864)
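Review bot: CVE-2026-47321 has no description in parentheses, unlike every other entry touched in this hunk (CVE-2026-47065 right below it is the pattern to follow); add the short description. Separately, the optee-os entries (CVE-2026-45702, CVE-2026-45614) receive only a [trixie] line, whereas the mina2/mina entries get both suites: if optee-os is also shipped in bookworm a matching [bookworm] line is missing, otherwise nothing is needed.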
@@ -2842,6 +2866,7 @@ CVE-2026-41032 (It is possible for an unauthenticated
adjacent attacker to downl
NOT-FOR-US: Phoenix Contact
CVE-2026-40290 (OP-TEE is a Trusted Execution Environment (TEE) designed as
companion ...)
- optee-os <unfixed> (bug #1138878)
+ [trixie] - optee-os <no-dsa> (Minor issue)
NOTE:
https://github.com/OP-TEE/optee_os/security/advisories/GHSA-332c-xr93-849m
CVE-2026-39107 (A Cross Site Scripting vulnerability exists in the Kimi AI
v1.0 web in ...)
NOT-FOR-US: Kimi AI
@@ -3223,6 +3248,8 @@ CVE-2026-5073 (The ARMember Premium plugin for WordPress
is vulnerable to SQL In
NOT-FOR-US: WordPress plugin
CVE-2026-50031 (ipmi-oem in FreeIPMI before 1.6.18 has exploitable buffer
overflows on ...)
- freeipmi 1.6.18-1 (bug #1138782)
+ [trixie] - freeipmi <no-dsa> (Minor issue)
+ [bookworm] - freeipmi <no-dsa> (Minor issue)
NOTE: https://savannah.gnu.org/bugs/index.php?68363
NOTE: https://savannah.gnu.org/bugs/index.php?68364
NOTE: https://lists.gnu.org/archive/html/info-gnu/2026-06/msg00000.html
@@ -3392,7 +3419,9 @@ CVE-2026-27145 ((*x509.Certificate).VerifyHostname
previously called matchHostna
- golang-1.26 1.26.4-1
- golang-1.25 1.25.11-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
[bullseye] - golang-1.15 <postponed> (Limited support, minor issue)
NOTE: https://github.com/golang/go/issues/79694
@@ -3402,7 +3431,9 @@ CVE-2026-42507 (When returning errors, functions in the
net/textproto package wo
- golang-1.26 1.26.4-1
- golang-1.25 1.25.11-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
[bullseye] - golang-1.15 <postponed> (Limited support, minor issue)
NOTE: https://github.com/golang/go/issues/79346
@@ -3412,7 +3443,9 @@ CVE-2026-42504 (Decoding a maliciously-crafted MIME
header containing many inval
- golang-1.26 1.26.4-1
- golang-1.25 1.25.11-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
[bullseye] - golang-1.15 <postponed> (Limited support, minor issue)
NOTE: https://github.com/golang/go/issues/79217
@@ -4463,18 +4496,28 @@ CVE-2026-10234 (A vulnerability was detected in Mettle
sendportal up to 3.0.1. T
NOT-FOR-US: Mettle sendportal
CVE-2026-10233 (A security vulnerability has been detected in Assimp up to
6.0.4. Affe ...)
- assimp <unfixed>
+ [trixie] - assimp <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - assimp <postponed> (Minor issue, revisit when fixed
upstream)
NOTE: https://github.com/assimp/assimp/issues/6619
CVE-2026-10232 (A weakness has been identified in Assimp up to 6.0.4. Affected
by this ...)
- assimp <unfixed>
+ [trixie] - assimp <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - assimp <postponed> (Minor issue, revisit when fixed
upstream)
NOTE: https://github.com/assimp/assimp/issues/6617
CVE-2026-10231 (A security flaw has been discovered in Assimp up to 6.0.4.
Affected is ...)
- assimp <unfixed>
+ [trixie] - assimp <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - assimp <postponed> (Minor issue, revisit when fixed
upstream)
NOTE: https://github.com/assimp/assimp/issues/6616
CVE-2026-10230 (A vulnerability was identified in Assimp up to 6.0.4. This
impacts the ...)
- assimp <unfixed>
+ [trixie] - assimp <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - assimp <postponed> (Minor issue, revisit when fixed
upstream)
NOTE: https://github.com/assimp/assimp/issues/6615
CVE-2026-10229 (A vulnerability was determined in Assimp up to 6.0.4. This
affects the ...)
- assimp <unfixed>
+ [trixie] - assimp <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - assimp <postponed> (Minor issue, revisit when fixed
upstream)
NOTE: https://github.com/assimp/assimp/issues/6614
CVE-2026-10228 (A vulnerability was found in raisulislamg4
student_management_system_b ...)
NOT-FOR-US: raisulislamg4 student_management_system_by_php
@@ -4530,22 +4573,33 @@ CVE-2026-10202 (A vulnerability was identified in OFCMS
1.1.3. This issue affect
NOT-FOR-US: OFCMS
CVE-2026-10201 (A vulnerability was determined in Assimp up to 6.0.4. This
vulnerabili ...)
- assimp <unfixed>
+ [trixie] - assimp <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - assimp <postponed> (Minor issue, revisit when fixed
upstream)
NOTE: https://github.com/assimp/assimp/issues/6613
CVE-2026-10200 (A vulnerability was found in Assimp up to 6.0.4. This affects
the func ...)
- assimp <unfixed>
+ [trixie] - assimp <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - assimp <postponed> (Minor issue, revisit when fixed
upstream)
NOTE: https://github.com/assimp/assimp/issues/6612
CVE-2026-10199 (A vulnerability has been found in Assimp up to 6.0.4. Affected
by this ...)
- assimp <unfixed>
+ [trixie] - assimp <no-dsa> (Minor issue)
+ [bookworm] - assimp <no-dsa> (Minor issue)
NOTE: https://github.com/assimp/assimp/issues/6611
NOTE: https://github.com/assimp/assimp/pull/6646
NOTE:
https://github.com/assimp/assimp/commit/d24b85319bd70c65883a2b96613e07e23fb95981
CVE-2026-10198 (A flaw has been found in Assimp up to 6.0.4. Affected by this
vulnerab ...)
- assimp <unfixed>
+ [trixie] - assimp <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - assimp <postponed> (Minor issue, revisit when fixed
upstream)
NOTE: https://github.com/assimp/assimp/issues/6609
CVE-2026-10197 (A vulnerability was detected in Assimp up to 6.0.4. Affected
is the fu ...)
- assimp <unfixed>
+ [trixie] - assimp <no-dsa> (Minor issue)
+ [bookworm] - assimp <no-dsa> (Minor issue)
NOTE: https://github.com/assimp/assimp/issues/6608
NOTE: https://github.com/assimp/assimp/pull/6645
+ NOTE:
https://github.com/assimp/assimp/commit/24bd7ee6f6721b34854dc232b253c71ecc66e457
CVE-2026-10118 (A flaw was found in Poppler's Splash backend. A remote
attacker could ...)
- poppler 26.01.0-4.1 (bug #1138708)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1715
@@ -10647,6 +10701,8 @@ CVE-2026-9497 (A flaw has been found in changmingxie
tcc-transaction up to 2.1.0
NOT-FOR-US: changmingxie tcc-transaction
CVE-2026-9496 (Versions of the package pacote from 11.2.7 are vulnerable to
Denial of ...)
- npm <unfixed> (bug #1139159)
+ [trixie] - npm <no-dsa> (Minor issue)
+ [bookworm] - npm <no-dsa> (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-JS-PACOTE-8225084
CVE-2026-9495 (Versions of the package @koa/router from 14.0.0 and before
15.0.0 are ...)
NOT-FOR-US: koa/router
@@ -10890,6 +10946,7 @@ CVE-2026-7766 (Kenik Camera management Panel is
vulnerable to Path Traversal vul
NOT-FOR-US: Kenik Camera management Panel
CVE-2026-5223 (Cargo incorrectly handled symlinks inside of crate tarballs
downloaded ...)
- cargo <removed>
+ [bookworm] - cargo <no-dsa> (Minor issue)
- rust-cargo 0.91.0-3
[trixie] - rust-cargo <no-dsa> (Minor issue)
[bookworm] - rust-cargo <no-dsa> (Minor issue)
@@ -10902,6 +10959,7 @@ CVE-2026-5223 (Cargo incorrectly handled symlinks
inside of crate tarballs downl
NOTE:
https://github.com/rust-lang/cargo/commit/285cebf58911eca5b7f177f5d0b1c53e1f646577
CVE-2026-5222 (Cargo between 1.68 and 1.96 incorrectly normalized the URLs of
third-p ...)
- cargo <removed>
+ [bookworm] - cargo <no-dsa> (Minor issue)
- rust-cargo 0.91.0-3
[trixie] - rust-cargo <no-dsa> (Minor issue)
[bookworm] - rust-cargo <no-dsa> (Minor issue)
@@ -15904,6 +15962,8 @@ CVE-2026-42577 (Netty is an asynchronous, event-driven
network application frame
NOTE: Fixed by:
https://github.com/netty/netty/commit/0ec3d97fab376e243d328ac95fbd288ba0f6e22d
(netty-4.2.13.Final)
CVE-2026-42561 (Python-Multipart is a streaming multipart parser for Python.
Prior to ...)
- python-multipart <unfixed> (bug #1136702)
+ [trixie] - python-multipart <no-dsa> (Minor issue)
+ [bookworm] - python-multipart <no-dsa> (Minor issue)
NOTE:
https://github.com/Kludex/python-multipart/security/advisories/GHSA-pp6c-gr5w-3c5g
NOTE: https://github.com/Kludex/python-multipart/pull/267
NOTE:
https://github.com/Kludex/python-multipart/commit/3e64f5f8caba0e5d391b0c1ad0f1c2edf9e8f911
(0.0.27)
=====================================
data/dsa-needed.txt
=====================================
@@ -55,6 +55,8 @@ keystone
kitty/oldstable
No update yet for bookworm, might be too intrusive to backport
--
+libdbi-perl
+--
libinput (carnil)
Clarifying with CNAs with duplicate CVE assignments first
--
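Review bot: the new libdbi-perl entry in dsa-needed.txt has neither an assignee (compare "libinput (carnil)") nor a status line (compare the "No update yet for bookworm" line under kitty/oldstable); add one or the other so the state of the entry is clear to whoever picks it up.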
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d04b7e70437470bbebd1970ab615d3a6413384e
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits