Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8e58ac97 by Moritz Muehlenhoff at 2026-06-27T23:42:52+02:00
trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -174,6 +174,7 @@ CVE-2026-46710 (Notepad++ is a free and open-source source
code editor. From 8.9
NOT-FOR-US: Notepad++
CVE-2026-46604 (The TIFF decoder can panic when decoding an invalid image with
an out- ...)
- golang-golang-x-image <unfixed>
+ [trixie] - golang-golang-x-image <no-dsa> (Minor issue)
NOTE: https://github.com/golang/go/issues/80122
NOTE: Fixed by:
https://github.com/golang/image/commit/7c04344368b6bcc71df693702522f4f03af45250
(v0.43.0)
CVE-2026-46386 (OpenProject is open-source, web-based project management
software. Pri ...)
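Review bot: the new `[trixie] - golang-golang-x-image <no-dsa> (Minor issue)` line carries no Debian bug reference, while the NOTE lines already identify the upstream fix (commit 7c04344..., v0.43.0). Since a no-dsa triage defers the fix to a point release, consider filing or referencing a bug against golang-golang-x-image (as `(bug #...)` on the `<unfixed>` line, the form used for rclone later in this commit) so the maintainer has a tracked pointer to the v0.43.0 fix.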
@@ -521,6 +522,7 @@ CVE-2026-57920 (Peplink InControl 2 through 2.14.2 before
2026-06-03 allows use
NOT-FOR-US: Peplink InControl
CVE-2026-57918 (libnfs through 6.0.2 before 935b8db has an xid integer
underflow in RE ...)
- libnfs <unfixed>
+ [trixie] - libnfs <no-dsa> (Minor issue)
NOTE:
https://github.com/sahlberg/libnfs/commit/935b8db712b3c6649bc57ddc276526c4a31680de
CVE-2026-57915 (It is possible to bypass the Kerberos pre-authentication check
in Apac ...)
NOT-FOR-US: Apache software not packaged in Debian
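Review bot: the trixie no-dsa comment for libnfs is the generic "Minor issue", yet the CVE text visible here describes an xid integer underflow, which usually warrants a sentence of rationale. Consider expanding the parenthetical (for example which code path is affected and under what conditions it is reachable) so a later reader can verify why a DSA was not needed, and consider adding a `(bug #...)` reference since the `<unfixed>` line has none.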
@@ -964,6 +966,7 @@ CVE-2026-11625 (Bytes::Random::Secure versions through 0.29
for Perl share inter
NOTE:
https://security.metacpan.org/patches/B/Bytes-Random-Secure/0.29/CVE-2026-11625-r1.patch
CVE-2026-13324
- geary <unfixed>
+ [trixie] - geary <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2492860
CVE-2026-9222 (Setracker2 Android Companion App com.tgelec.setracker versions
3.1.5 a ...)
NOT-FOR-US: Setracker2 Android Companion App com.tgelec.setracker
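Review bot: `CVE-2026-13324` is a bare identifier with no description text, and the only NOTE is the Red Hat bugzilla link, so the "Minor issue" no-dsa triage for geary cannot be checked against the entry itself. Consider adding the one-line description once it is published, or a NOTE summarising the issue, so the triage rationale is visible in the list rather than only behind the external link.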
@@ -1062,10 +1065,12 @@ CVE-2026-50176 (The WebSocket Application Programming
Interface lacks restrictio
NOT-FOR-US: Evoke
CVE-2026-46602 (The TIFF decoder does not set a limit on the size of tiles in
tiled im ...)
- golang-golang-x-image <unfixed>
+ [trixie] - golang-golang-x-image <no-dsa> (Minor issue)
NOTE: https://github.com/golang/go/issues/79905
NOTE: Fixed by:
https://github.com/golang/image/commit/304d4cc4ee82f96f864f1a4c9a3ae30a4016c9ce
(v0.43.0)
CVE-2026-46601 (The webp decoder can panic when processing a VP8 chunk with
dimensions ...)
- golang-golang-x-image <unfixed>
+ [trixie] - golang-golang-x-image <no-dsa> (Minor issue)
NOTE: https://github.com/golang/go/issues/79869
NOTE: Fixed by:
https://github.com/golang/image/commit/c5511df3ee92e86ce3fa383fdd247080019257c7
(v0.43.0)
CVE-2026-44622 (Charging station authentication identifiers are publicly
accessible vi ...)
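Review bot: CVE-2026-46602 and CVE-2026-46601 get the same trixie no-dsa treatment as CVE-2026-46604 earlier in this commit, and all three NOTE lines point at fixes released in golang/image v0.43.0. Consider recording in one of the NOTE lines (or in the no-dsa comment) that the three x/image TIFF/webp decoder issues should be fixed together in a single trixie point-update upload, so they are not picked up and handled one at a time.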
@@ -1251,6 +1256,7 @@ CVE-2026-XXXX [ZSA-2026-12]
NOTE: https://www.znuny.org/en/advisories/zsa-2026-12
CVE-2026-55520
- python-protego 0.6.2+dfsg-1
+ [trixie] - python-protego <no-dsa> (Minor issue)
NOTE:
https://github.com/scrapy/protego/security/advisories/GHSA-wjmf-p669-5m5p
NOTE: Fixed by:
https://github.com/scrapy/protego/commit/785940181659bf440ba82f1da148fade5087e858
(0.6.2)
CVE-2026-9800 (A flaw was found in Keycloak Policy Enforcer. This
vulnerability allow ...)
@@ -2733,6 +2739,7 @@ CVE-2026-1606 (GitLab has remediated an issue in GitLab
CE/EE affecting all vers
NOT-FOR-US: GitLab (used to be packaged in the Debian archive as
src:gitlab, but never in a stable release)
CVE-2026-13311 (shell-quote prior to 1.8.5 finalizes parsed tokens in parse()
using Ar ...)
- node-shell-quote <unfixed>
+ [trixie] - node-shell-quote <no-dsa> (Minor issue)
NOTE:
https://github.com/ljharb/shell-quote/security/advisories/GHSA-395f-4hp3-45gv
NOTE: Fixed by:
https://github.com/ljharb/shell-quote/commit/7ff5488599d01c323514f02f5efb74088dd134ec
(v1.9.0)
CVE-2026-13038 (Use after free in Autofill in Google Chrome on Windows prior
to 149.0. ...)
@@ -3060,6 +3067,7 @@ CVE-2026-50698 (A Stored Cross-Site Scripting (XSS)
vulnerability exists in Frap
NOT-FOR-US: Frappe
CVE-2026-49980 (Rclone is a command-line program to sync files and directories
to and ...)
- rclone <unfixed> (bug #1140817)
+ [trixie] - rclone <no-dsa> (Minor issue)
NOTE:
https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv
CVE-2026-49851 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
- mistune <unfixed>
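Review bot: the rclone entry is the one trixie no-dsa line in this commit whose `<unfixed>` line already references a Debian bug (#1140817). That is the pattern the other no-dsa entries added here (libnfs, geary, node-shell-quote, golang-golang-x-image) lack; a `(bug #...)` reference on each would give maintainers a tracked pointer for the point-release fix the no-dsa tag relies on.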
@@ -63695,6 +63703,7 @@ CVE-2026-33155 (DeepDiff is a project focused on Deep
Difference and search of a
NOTE: Fixed by:
https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb
(8.6.2)
CVE-2026-33154 (dynaconf is a configuration management tool for Python. Prior
to versi ...)
- python-dynaconf 3.2.13-1 (bug #1131476)
+ [trixie] - python-dynaconf <no-dsa> (Minor issue)
NOTE:
https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p
NOTE: Fixed by:
https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7
(3.2.13)
CVE-2026-33151 (Socket.IO is an open source, real-time, bidirectional,
event-based, co ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -17,6 +17,9 @@ amd64-microcode (carnil)
--
botan3 (aron)
--
+cacti
+ probably best to move to 1.2.31
+--
chromium (dilinger)
--
containerd
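Review bot: the new `cacti` entry in dsa-needed.txt has no assignee in parentheses, unlike the neighbouring `botan3 (aron)` and `chromium (dilinger)` lines, and the comment line "probably best to move to 1.2.31" does not say which open CVEs that upstream version would address. If the entry is intentionally unassigned that is fine, but consider listing the CVE ids the 1.2.31 update is meant to cover so whoever picks it up can confirm the scope without re-triaging.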
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e58ac9764636f931600a71ba253843698a3e471
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits