Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
36d15cc1 by Moritz Muehlenhoff at 2026-06-11T11:00:02+02:00
trixie/bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2348,6 +2348,8 @@ CVE-2026-49232 (Routinator exits on any error when
accepting incoming HTTP or RT
- routinator <itp> (bug #929024)
CVE-2026-48913 (Use After Free vulnerability in Apache HTTP Server module
mod_http2 wh ...)
- apache2 <unfixed> (bug #1139340)
+ [trixie] - apache2 <no-dsa> (Minor issue)
+ [bookworm] - apache2 <no-dsa> (Minor issue)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2026-48913
NOTE: fixed by jumbo patch:
https://github.com/apache/httpd/commit/dbf1cc4dd62b681a0066271720994a047a3329ca
(2.4.68-rc1-candidate)
NOTE: fixed by:
https://github.com/icing/mod_h2/commit/e6a28242f23084f6dbae32090121148e99fdda78
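Review bot: The two added lines under CVE-2026-48913 classify a use-after-free in mod_http2 as "Minor issue" without saying what limits it. The free-text reason after <no-dsa> is the only place a later reader sees why no DSA was issued, so a specific reason (for example the configuration or condition needed to reach the bug, taken from the upstream advisory linked in the NOTE) would make the decision reviewable. Since the httpd-side fix is recorded as a jumbo patch, it would also help to say whether the mod_h2 commit is the one intended for a stable backport.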
@@ -2392,18 +2394,26 @@ CVE-2026-45581 (fabric-chaincode-java is a Java based
implementation of Hyperled
NOT-FOR-US: fabric-chaincode-java
CVE-2026-44631 (Buffer Underwrite vulnerability in Apache HTTP Server on
crafted regul ...)
- apache2 <unfixed> (bug #1139340)
+ [trixie] - apache2 <no-dsa> (Minor issue)
+ [bookworm] - apache2 <no-dsa> (Minor issue)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2026-44631
NOTE:
https://github.com/apache/httpd/commit/7d9f3cfb10b0fe70df7358d26d7b1f374ea1a0cb
(2.4.68-rc1-candidate)
CVE-2026-44186 (Loop with Unreachable Exit Condition ('Infinite Loop')
vulnerability i ...)
- apache2 <unfixed> (bug #1139340)
+ [trixie] - apache2 <no-dsa> (Minor issue)
+ [bookworm] - apache2 <no-dsa> (Minor issue)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2026-44186
NOTE: Fixed by
https://github.com/apache/httpd/commit/414de374a06549b2c6710cbcff81c3821379f75c
(2.4.68-rc1-candidate)
CVE-2026-44185 (Buffer Over-read vulnerability in Apache HTTP Server via
outbound OCSP ...)
- apache2 <unfixed> (bug #1139340)
+ [trixie] - apache2 <no-dsa> (Minor issue)
+ [bookworm] - apache2 <no-dsa> (Minor issue)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2026-44185
NOTE: Fixed by:
https://github.com/apache/httpd/commit/32b7e2e66477020ba75b78ab43fb8890ec292ad2
(2.4.68-rc1-candidate)
CVE-2026-44119 (Improper Privilege Management vulnerability in Apache HTTP
Server 2.4. ...)
- apache2 <unfixed> (bug #1139340)
+ [trixie] - apache2 <no-dsa> (Minor issue)
+ [bookworm] - apache2 <no-dsa> (Minor issue)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2026-44119
NOTE: Fixed by:
https://github.com/apache/httpd/commit/f63f26aff6aa747357b84b5bd09c45325fa7f9ba
(2.4.68-rc1-candidate)
CVE-2026-43974 (Unexpected Status Code or Return Value vulnerability in
ninenines gun ...)
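Review bot: CVE-2026-44119 (Improper Privilege Management) receives the same "[trixie] - apache2 <no-dsa> (Minor issue)" line as the infinite-loop and over-read entries in this hunk, and the truncated description does not show why a privilege issue is minor. Suggest a reason specific to that entry, or a NOTE recording the precondition, rather than the shared wording.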
@@ -2416,6 +2426,8 @@ CVE-2026-43966 (Improper Neutralization of CRLF Sequences
in HTTP Headers ('HTTP
TODO: check
CVE-2026-43951 (Out-of-bounds Read vulnerability in Apache HTTP Server with
mod_header ...)
- apache2 <unfixed> (bug #1139340)
+ [trixie] - apache2 <no-dsa> (Minor issue)
+ [bookworm] - apache2 <no-dsa> (Minor issue)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2026-43951
NOTE: Fixed by:
https://github.com/apache/httpd/commit/6ff9dc2fdbe7ffd2f8a6c9ffe9ec801d53c760ba
(2.4.68-rc1-candidate)
CVE-2026-42863 (Flowise is a drag & drop user interface to build a customized
large la ...)
@@ -2426,11 +2438,15 @@ CVE-2026-42861 (Flowise is a drag & drop user interface
to build a customized la
NOT-FOR-US: Flowise
CVE-2026-42536 (Heap-based Buffer Overflow vulnerability in Apache HTTP Server
withmod ...)
- apache2 <unfixed> (bug #1139340)
+ [trixie] - apache2 <no-dsa> (Minor issue)
+ [bookworm] - apache2 <no-dsa> (Minor issue)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2026-42536
NOTE: Fixed by:
https://github.com/apache/httpd/commit/fa5d85bbc832a587c3c5bca7c19fb21df96b5df0
(trunk)
NOTE: Fixed by:
https://github.com/apache/httpd/commit/cb1f79c0ce66393c48657b19df754f16b79af543
(2.4.68-rc1-candidate)
CVE-2026-42535 (A path handling issue in mod_dav_fs in Apache 2.4.67 and
earlierallows ...)
- apache2 <unfixed> (bug #1139340)
+ [trixie] - apache2 <no-dsa> (Minor issue)
+ [bookworm] - apache2 <no-dsa> (Minor issue)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2026-42535
NOTE: Fixed by:
https://github.com/apache/httpd/commit/56bfb128432a38e2e6bc5448122914bb271b1252
(2.4.68-rc1-candidate)
NOTE: Fixed by:
https://github.com/apache/httpd/commit/7e871beec56d41fe098f48f5a5bcb1525c448d77
(trunk)
@@ -2454,22 +2470,30 @@ CVE-2026-36786 (Shenzhen Tenda Technology Co., Ltd
Tenda FH451 V1.0.0.9 was disc
NOT-FOR-US: Tenda
CVE-2026-34356 (Heap-based Buffer Overflow vulnerability in Apache HTTP Server
with ma ...)
- apache2 <unfixed> (bug #1139340)
+ [trixie] - apache2 <no-dsa> (Minor issue)
+ [bookworm] - apache2 <no-dsa> (Minor issue)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2026-34356
NOTE: Fixed by:
https://github.com/apache/httpd/commit/403269396d24404e2576a9b20f96cd0b10574048
(2.4.68-rc1-candidate)
NOTE: Fixed by:
https://github.com/apache/httpd/commit/a70753d294292e8c9f68758cfe3550d83f812129
(trunk)
CVE-2026-34355 (A buffer overflow in mod_proxy_html in Apache HTTP Server
2.4.67 and e ...)
- apache2 <unfixed> (bug #1139340)
+ [trixie] - apache2 <no-dsa> (Minor issue)
+ [bookworm] - apache2 <no-dsa> (Minor issue)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2026-34355
NOTE: Fixed by:
https://github.com/apache/httpd/commit/d62fc375281486c6036b007ac349b25d4e6edb4a
(2.4.68-rc1-candidate)
CVE-2026-34194 (Software installed and run as a non-privileged user may
conduct improp ...)
NOT-FOR-US: Imagination Technologies
CVE-2026-29170 (A cross-site scripting vulnerability exists in mod_proxy_ftp's
HTML di ...)
- apache2 <unfixed> (bug #1139340)
+ [trixie] - apache2 <no-dsa> (Minor issue)
+ [bookworm] - apache2 <no-dsa> (Minor issue)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2026-29170
NOTE: Fixed by:
https://github.com/apache/httpd/commit/e86bf540f166b3a322f7e7f9cd4aad4cd44deee6
(trunk)
NOTE: Fixed by:
https://github.com/apache/httpd/commit/04641bce75a2734ad8150f9a6bc84fc5205e852b
(2.4.68-rc1-candidate)
CVE-2026-29167 (Use After Free vulnerability in Apache HTTP Server with
mod_ldap in pe ...)
- apache2 <unfixed> (bug #1139340)
+ [trixie] - apache2 <no-dsa> (Minor issue)
+ [bookworm] - apache2 <no-dsa> (Minor issue)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2026-29167
NOTE: Fixed by:
https://github.com/apache/httpd/commit/354a94ee7fd4bd34bfe3e776e3b32d3344f435c7
(trunk)
NOTE: Fixed by:
https://github.com/apache/httpd/commit/2cf9b3f393633f43746047e779fdf265a1ad8016
(2.4.68-rc1-candidate)
@@ -29150,6 +29174,8 @@ CVE-2025-51846 (CryptPad 2025.3.1 allows unbounded
WebSocket frame flood. A remo
NOT-FOR-US: CryptPad
CVE-2025-14576 (Insufficient validation of node IDs in Qt SVG module allows
arbitrary ...)
- qt6-declarative 6.10.2+dfsg-4
+ [trixie] - qt6-declarative <no-dsa> (Minor issue)
+ [bookworm] - qt6-declarative <no-dsa> (Minor issue)
NOTE: https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273
NOTE:
https://github.com/qt/qtdeclarative/commit/1f35339b03fcb8787028e1301012a559328815fb
(v6.10.2)
CVE-2025-14543 (Improper Restriction of XML External Entity Reference
vulnerability in ...)
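Review bot: In the CVE-2025-14576 entry the description names the Qt SVG module, while the two added lines (and the existing sid line) track qt6-declarative. The NOTE links do point at qtdeclarative, so the package is probably right, but it is worth confirming that the trixie and bookworm versions of qt6-declarative contain the affected code before recording <no-dsa>; if the code was introduced later, <not-affected> with the introducing version would be the accurate tag for that suite.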
@@ -49074,6 +49100,8 @@ CVE-2026-1001 (Domoticz versions prior to 2026.1
contain a stored cross-site scr
- domoticz <itp> (bug #899058)
CVE-2025-70952 (pf4j before 20c2f80 has a path traversal vulnerability in the
extract( ...)
- libpf4j-java <unfixed> (bug #1132032)
+ [trixie] - libpf4j-java <no-dsa> (Minor issue)
+ [bookworm] - libpf4j-java <no-dsa> (Minor issue)
NOTE: https://github.com/pf4j/pf4j/issues/618
NOTE: https://github.com/pf4j/pf4j/issues/623
NOTE: Fixed by:
https://github.com/pf4j/pf4j/commit/20c2f80089d1ea779e22c2de5f109a0bce4e1b14
(release-3.14.1)
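Review bot: For CVE-2025-70952 the added lines give "Minor issue" for a path traversal in an archive extract routine. Whether that is minor depends on where the archives come from, which the entry does not say. Suggest replacing the generic reason with that assumption, so the triage can be revisited if a package in trixie or bookworm feeds untrusted archives to libpf4j-java.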
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36d15cc110a10b0042139a964ef2f1a25dc7e1e2