Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
eca927c9 by Moritz Muehlenhoff at 2026-06-08T13:25:45+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -280,6 +280,8 @@ CVE-2026-45758 (Guardrails AI is a Python framework that
helps build AI applicat
NOT-FOR-US: Guardrails AI
CVE-2026-45409 (Internationalized Domain Names in Applications (IDNA) for
Python provi ...)
- python-idna <unfixed> (bug #1139164)
+ [trixie] - python-idna <no-dsa> (Minor issue)
+ [bookworm] - python-idna <no-dsa> (Minor issue)
NOTE:
https://github.com/kjd/idna/security/advisories/GHSA-65pc-fj4g-8rjx
NOTE: Fixed by:
https://github.com/kjd/idna/commit/628fef84d3eda59321c21127e73dcd873db23ead
(v3.14)
NOTE: Fixed by:
https://github.com/kjd/idna/commit/e1cb465b6376f33306a26f467d197edbcd01c4b9
(v3.15)
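Review bot: the two "Fixed by" NOTEs (one commit in v3.14, one in v3.15) leave it unclear whether v3.14 alone closes the issue or v3.15 is a required follow-up; a one-line NOTE stating which upstream version is the complete fix would tell a future backporter which commits have to be carried, and would make the "Minor issue" rationale on the trixie/bookworm no-dsa lines easier to revisit.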
@@ -2633,7 +2635,10 @@ CVE-2026-10806 (A vulnerability was found in mjperpinosa
stumasy. The affected e
NOT-FOR-US: mjperpinosa stumasy
CVE-2026-10805 (A flaw was found in NetworkManager. This local privilege
escalation vu ...)
- network-manager <unfixed> (bug #1139285)
+ [trixie] - network-manager <no-dsa> (Minor issue)
+ [bookworm] - network-manager <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2484613
+ NOTE: Network-manager defaults to the internal DHCP client
CVE-2026-10804 (A vulnerability has been found in Streamlit up to 1.53.0.
Impacted is ...)
NOT-FOR-US: Streamlit
CVE-2026-10803 (A flaw has been found in MLflow up to 3.10.0. This issue
affects the f ...)
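Review bot: the added NOTE "Network-manager defaults to the internal DHCP client" records a fact but not how it justifies the no-dsa rating; spell out the link (which DHCP client configuration the Red Hat bug describes as affected, and that the Debian default is therefore not exposed) so the reasoning does not have to be re-derived later. Also use the package name "network-manager" rather than "Network-manager" in the NOTE, matching the source-package line above it.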
@@ -2854,9 +2859,13 @@ CVE-2026-45614 (OP-TEE is a Trusted Execution
Environment (TEE) designed as comp
NOTE:
https://github.com/OP-TEE/optee_os/security/advisories/GHSA-g6qf-hwf7-mg9h
CVE-2026-44546 (daphne before 4.2.2 reconstructs a raw HTTP request from
Twisted's par ...)
- python-daphne <unfixed> (bug #1138864)
+ [trixie] - python-daphne <no-dsa> (Minor issue)
+ [bookworm] - python-daphne <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/django/daphne/commit/2628b7b2e6a196afff58defee3d77671a28de631
(4.2.2)
CVE-2026-44545 (daphne before 4.2.2 did not pass maxFramePayloadSize or
maxMessagePayl ...)
- python-daphne <unfixed> (bug #1138864)
+ [trixie] - python-daphne <no-dsa> (Minor issue)
+ [bookworm] - python-daphne <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/django/daphne/commit/32f8be0fb0bf2a441085cb45e0e8f45455f0793e
(4.2.2)
CVE-2026-44281 (GLPI is a free asset and IT management software package.
Starting in v ...)
- glpi <removed>
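Review bot: both daphne entries (CVE-2026-44546 and CVE-2026-44545) get "<no-dsa> (Minor issue)" for trixie and bookworm with no NOTE explaining the rating, although both are tracked under the same bug #1138864 and fixed in the same upstream release (4.2.2); a short NOTE giving the reason (for example, the conditions under which the raw-request reconstruction in CVE-2026-44546 is reachable) would document why a fix via point release rather than DSA is acceptable.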
@@ -3406,6 +3415,8 @@ CVE-2026-10661 (A vulnerability has been found in
ahujasid blender-mcp up to 763
NOT-FOR-US: ahujasid blender-mcp
CVE-2026-10650 (A flaw has been found in warmcat libwebsockets up to 4.5.8.
This issue ...)
- libwebsockets 4.3.5-5 (bug #1139178)
+ [trixie] - libwebsockets <no-dsa> (Minor issue)
+ [bookworm] - libwebsockets <no-dsa> (Minor issue)
NOTE:
https://github.com/biniamf/pocs/tree/main/libwebsockets_sshd-parse-ic-unbounded-alloc
NOTE:
https://libwebsockets.org/git/libwebsockets/commit?id=3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498
CVE-2026-10624 (A vulnerability has been found in SourceCodester Human
Resource Manage ...)
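Review bot: the upstream fix NOTE (libwebsockets.org commit 3f9f0c6e...) carries no release tag, unlike the other fix NOTEs in this change (e.g. "(4.2.2)", "(0.22.1)"); add the upstream version containing the commit so it is clear whether the 4.3.x series shipped in trixie/bookworm already has it or needs a backport. The first NOTE points at a third-party PoC repository; consider adding the upstream advisory or issue as the primary reference, with the PoC link secondary.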
@@ -3486,6 +3497,8 @@ CVE-2026-42504 (Decoding a maliciously-crafted MIME
header containing many inval
NOTE:
https://github.com/golang/go/commit/b79e0339290e14b3b2de1dc4942b8a88701ddb02
(go1.25.11)
CVE-2026-10725 (Protocol::HTTP2 versions through 1.12 for Perl is vulnerable
to a HTTP ...)
- libprotocol-http2-perl 1.12-2
+ [trixie] - libprotocol-http2-perl <no-dsa> (Minor issue)
+ [bookworm] - libprotocol-http2-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40751319/
NOTE:
https://security.metacpan.org/patches/P/Protocol-HTTP2/1.12/CVE-2026-10725-r1.patch
CVE-2026-47774
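Review bot: the unstable line "libprotocol-http2-perl 1.12-2" has no "(bug #...)" reference, while every other entry touched in this change records one; if a Debian bug was filed for the 1.12-2 upload, add it so the trixie/bookworm no-dsa lines can be traced back to the discussion, and if none was filed, say so in a NOTE.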
@@ -39308,9 +39321,13 @@ CVE-2026-21413 (A heap-based buffer overflow
vulnerability exists in the lossles
NOTE:
https://github.com/LibRaw/LibRaw/commit/75ed2c12a35b765b3b6ad695cc1f044f19efe644
(0.22.1)
CVE-2026-20911 (A heap-based buffer overflow vulnerability exists in the
HuffTable::in ...)
- libraw 0.22.1-1 (bug #1133845)
+ [trixie] - libraw <not-affected> (Vulnerable code not present)
+ [bookworm] - libraw <not-affected> (Vulnerable code not present)
+ [bullseye] - libraw <not-affected> (Vulnerable code not present)
NOTE:
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330
NOTE:
https://github.com/LibRaw/LibRaw/commit/a6734e867b19d75367c05f872ac26322464e3995
NOTE:
https://github.com/LibRaw/LibRaw/commit/5357bb5fc67ac616838fb84de67260d45987489b
(0.22.1)
+ NOTE: Introduced by:
https://github.com/LibRaw/LibRaw/commit/12b0e5d60c57bb795382fda8494fc45f683550b8
(0.22.0)
CVE-2026-20889 (A heap-based buffer overflow vulnerability exists in the
x3f_thumb_loa ...)
- libraw 0.22.1-1 (bug #1133845)
NOTE:
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358
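Review bot: the three "<not-affected> (Vulnerable code not present)" lines rest on the added "Introduced by: ... (0.22.0)" NOTE, i.e. on trixie/bookworm/bullseye shipping a libraw older than 0.22.0; stating that version reasoning in the NOTE ("introduced in 0.22.0, older than any release version") would make the claim self-contained. Note also that CVE-2026-20889 directly below shares bug #1133845 and the same "libraw 0.22.1-1" fix line but receives no per-release triage in this hunk; if it has not been evaluated elsewhere, it likely needs the same "Introduced by" check.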
@@ -41934,9 +41951,13 @@ CVE-2026-5319 (A security vulnerability has been
detected in itsourcecode Payrol
NOT-FOR-US: itsourcecode System
CVE-2026-5318 (A weakness has been identified in LibRaw up to 0.22.0. This
impacts th ...)
- libraw 0.22.1-1 (bug #1132655)
+ [trixie] - libraw <not-affected> (Vulnerable code not present)
+ [bookworm] - libraw <not-affected> (Vulnerable code not present)
+ [bullseye] - libraw <not-affected> (Vulnerable code not present)
NOTE: https://github.com/LibRaw/LibRaw/issues/794
NOTE: Fixed by:
https://github.com/LibRaw/LibRaw/commit/a6734e867b19d75367c05f872ac26322464e3995
NOTE: Fixed by:
https://github.com/LibRaw/LibRaw/commit/5357bb5fc67ac616838fb84de67260d45987489b
(0.22.1)
+ NOTE: Introduced by:
https://github.com/LibRaw/LibRaw/commit/12b0e5d60c57bb795382fda8494fc45f683550b8
(0.22.0)
CVE-2026-5317 (A security flaw has been discovered in Nothings stb up to 1.22.
This a ...)
- libstb <unfixed> (bug #1134888)
[trixie] - libstb <no-dsa> (Minor issue)
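Review bot: this entry now shares its "Fixed by" commits (a6734e86..., 5357bb5f...) and its "Introduced by" commit (12b0e5d6..., 0.22.0) with CVE-2026-20911 above; a NOTE cross-referencing the two entries would keep any later change (for example, a backport or a revised not-affected decision) applied consistently to both.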
=====================================
data/dsa-needed.txt
=====================================
@@ -93,6 +93,9 @@ prometheus
python-aiohttp/oldstable
Daniel Leidert is proposing to work on the update and provide debdiffs for
bookworm and trixie
--
+rsync
+ for regression fixes
+--
rtpengine
Victor Seva prepared a debdiff for trixie-security for review,
bookworm-security debdiff missing
--
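Review bot: the new "rsync" entry says only "for regression fixes", while neighbouring entries state the suite(s) concerned and who is working on it; add which release(s) the regression update targets (bookworm, trixie, or both) and, if known, which earlier advisory introduced the regression, so the entry can be picked up without consulting external context.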
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eca927c953ec30951de6464e106d1a61d32335a6
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits