Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
c4b6f9ff by Moritz Muehlenhoff at 2026-06-23T22:25:09+02:00
trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3780,6 +3780,7 @@ CVE-2026-53612 [Local Privilege Escalation via TOCTOU in
mount(8) hook_owner.c c
NOTE: Fixed by:
https://github.com/util-linux/util-linux/commit/d0c5adaeb3a3d823aba1377794de8f009b8152cc
(v2.42.2)
CVE-2026-36849 [Denial of Service via large SamplesPerPixel tag]
- tiff 4.7.1-3 (bug #1140300)
+ [trixie] - tiff <ignored> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2026/06/17/1
NOTE: https://gitlab.com/libtiff/libtiff/-/work_items/781
NOTE: Fixed by:
https://gitlab.com/libtiff/libtiff/-/commit/eedba405d3695b52faae65994c5904f228eca0bf
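Review bot: the new trixie line for CVE-2026-36849 uses `<ignored>` where every other "(Minor issue)" triage in this commit uses `<no-dsa>`; `<ignored>` means the issue will not be addressed in trixie at all, while `<no-dsa>` leaves it open for a point release. Since an upstream fix commit is already listed in the NOTE and sid has it at 4.7.1-3 (bug #1140300), confirm that `<ignored>` is intended; otherwise `+ [trixie] - tiff <no-dsa> (Minor issue)` would match the rest of the triage.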
@@ -5159,6 +5160,7 @@ CVE-2026-XXXX [SSLMate go-pkcs12: Authentication bypass
in Decode functions]
NOTE: Fixed by:
https://github.com/SSLMate/go-pkcs12/commit/03c441f6b0267f695ca02464133c0b373bf4dd55
(v0.7.2)
CVE-2026-49452
- weasyprint 69.0-1
+ [trixie] - weasyprint <no-dsa> (Minor issue)
NOTE: https://www.courtbouillon.org/blog/00067-weasyprint-69/
NOTE:
https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-jhhc-3hcp-qhm5
CVE-2026-54413 (driftregion iso14229 through 0.9.0 contains an integer
underflow and d ...)
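Review bot: the CVE-2026-49452 entry carries no bracketed description, unlike the surrounding entries, so the trixie `<no-dsa> (Minor issue)` decision cannot be judged from the list alone. A short description taken from the linked GHSA advisory on the CVE line would let readers and later triagers see what is being deferred.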
@@ -9219,6 +9221,7 @@ CVE-2026-43972 (Origin Validation Error vulnerability in
ninenines gun (gun_http
NOT-FOR-US: gun
CVE-2026-43966 (Improper Neutralization of CRLF Sequences in HTTP Headers
('HTTP Reque ...)
- rabbitmq-server <unfixed>
+ [trixie] - rabbitmq-server <no-dsa> (Minor issue)
NOTE: Appears to be bundled in rabbitmq-server
NOTE: https://cna.erlef.org/cves/CVE-2026-43966.html
NOTE:
https://github.com/ninenines/cowboy/commit/f77cb9b5e730e300fffb551db1ba5d1c4ed878ef
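Review bot: the NOTE "Appears to be bundled in rabbitmq-server" is tentative, yet the trixie line is now a firm `<no-dsa> (Minor issue)` while sid stays `<unfixed>` with no bug reference. Before marking trixie, confirm that the bundled cowboy copy in rabbitmq-server contains the affected header handling referenced by the cowboy fix commit, and add a bug number to the sid line as the tiff and wheel entries do so the `<unfixed>` state is tracked.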
@@ -17792,6 +17795,7 @@ CVE-2026-44902 (opentelemetry-js is the OpenTelemetry
JavaScript Client. Prior t
NOT-FOR-US: opentelemetry-js
CVE-2026-44839 (RabbitMQ is a messaging and streaming broker. From 3.7.0 to
before 4.1 ...)
- rabbitmq-server 4.3.0-2
+ [trixie] - rabbitmq-server <no-dsa> (Minor issue)
NOTE:
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-fh5r-jpm3-fjwp
CVE-2026-44838 (RabbitMQ is a messaging and streaming broker. From 4.2.0 to
before 4.2 ...)
- rabbitmq-server <not-affected> (Vulnerable code never in Debian
released version)
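Review bot: the CVE-2026-44839 description gives an affected range from 3.7.0 to before 4.1, and the adjacent CVE-2026-44838 (4.2.0 onward) is already `<not-affected>` for the same package. For the new trixie `<no-dsa>` line it is worth recording in a NOTE that the rabbitmq-server version trixie ships falls inside the 3.7.0 to 4.1 range, so the decision between `<no-dsa>` and `<not-affected>` is verifiable later.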
@@ -83780,6 +83784,7 @@ CVE-2026-24055 (Langfuse is an open source large
language model engineering plat
NOT-FOR-US: Langfuse
CVE-2026-24049 (wheel is a command line tool for manipulating Python wheel
files, as d ...)
- wheel 0.46.3-1 (bug #1126274)
+ [trixie] - wheel <no-dsa> (Minor issue)
[bookworm] - wheel <not-affected> (Vulnerable code introduced later)
[bullseye] - wheel <not-affected> (Vulnerable code introduced later)
NOTE:
https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx
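Review bot: the new trixie `<no-dsa>` line together with the bookworm and bullseye "Vulnerable code introduced later" entries implies the vulnerable code first appeared between bookworm's and trixie's wheel versions; a NOTE naming the upstream release that introduced it would make that cut-off checkable, and the existing bug #1126274 reference on the sid line gives a place to link it from.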
=====================================
data/dsa-needed.txt
=====================================
@@ -44,6 +44,7 @@ kitty
Maintainer proposed debdiff for review in https://bugs.debian.org/1139898#15
--
libheif
+ possibly best to move to 1.23.0
--
linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
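Review bot: the new libheif entry reads "possibly best to move to 1.23.0" but names neither the CVEs that 1.23.0 fixes nor who is looking at it, whereas the neighbouring linux entry records a claimant ("carnil") and a concrete plan. Stating which CVE/list entries motivate the version move, and marking the entry as unclaimed or claimed, would let the next person picking it up confirm the plan without re-deriving it.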
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4b6f9ff1b2f7e46c15bab71ec5d0317bc99eb7e
--
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits