Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e9e29d21 by Moritz Muehlenhoff at 2026-06-30T09:28:30+02:00
trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -223,13 +223,16 @@ CVE-2026-13758 (CryptX versions before 0.088_001 for Perl 
compare AEAD authentic
        NOTE: Fixed by: 
https://github.com/DCIT/perl-CryptX/commit/7e56347d420aaf43b2ee1586f4a230492ccf1642
 (v0.089)
 CVE-2026-13593 (CSS::Minifier::XS versions before 0.14 for Perl have a memory 
leak whe ...)
        - libcss-minifier-xs-perl 0.14-1
+       [trixie] - libcss-minifier-xs-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/41396070/
 CVE-2026-56018 (JavaScript::Minifier::XS versions before 0.16 for Perl leak 
memory on  ...)
        - libjavascript-minifier-xs-perl 0.16-1
+       [trixie] - libjavascript-minifier-xs-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/41396069/
        NOTE: https://github.com/bleargh45/JavaScript-Minifier-XS/issues/10
 CVE-2026-56017 (JavaScript::Minifier::XS versions before 0.16 for Perl crash 
with a NU ...)
        - libjavascript-minifier-xs-perl 0.16-1
+       [trixie] - libjavascript-minifier-xs-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/41396063/
 CVE-2026-9267 (Eclipse tinydtls before 
commitb3efd41ad111a4920f599f51ffa4f5e9f1e72221 ...)
        TODO: check
@@ -353,9 +356,11 @@ CVE-2026-46406 (Claude Code is an agentic coding tool.  
From 2.1.59 until 2.1.12
        NOT-FOR-US: Claude Code
 CVE-2026-41992 (GNU gzip contains a global buffer overflow vulnerability in 
the LZH de ...)
        - gzip <unfixed>
+       [trixie] - gzip <no-dsa> (Minor issue)
        NOTE: 
https://cgit.git.savannah.gnu.org/cgit/gzip.git/commit/?id=63dbf6b3b9e6e781df1a6a64e609b10e23969681
 CVE-2026-41991 (GNU gzip contains a vulnerability in the gzexe utility related 
to inse ...)
        - gzip <unfixed>
+       [trixie] - gzip <no-dsa> (Minor issue)
        NOTE: 
https://cgit.git.savannah.gnu.org/cgit/gzip.git/commit/?id=4e6f8b24ab823146ab8776f0b7fe486ab34d4269
 CVE-2026-41052 (Improper privilege handling could be used by users withProject 
Owner r ...)
        NOT-FOR-US: Rancher
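Review bot: the two gzip annotations (CVE-2026-41992, CVE-2026-41991) mark a global buffer overflow in the LZH decoder and the gzexe issue as <no-dsa> (Minor issue) while the package is still <unfixed>, but nothing in the entries records why a memory-safety bug in a decompressor that routinely handles untrusted input is rated minor. Add a NOTE line with the reasoning, as the nmap entry later in this commit does with "NOTE: Crash in CLI tool, no security impact", so later triagers and whoever prepares the point-release update do not have to reconstruct it.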
@@ -371,11 +376,13 @@ CVE-2026-36848 (Gigamon GVOS v5.16.1 and below is 
vulnerable to Directory Traver
        NOT-FOR-US: Gigamon GVOS
 CVE-2026-25707 (A relative path traversal bug problem when processing 
repository metad ...)
        - libzypp 17.38.11-1
+       [trixie] - libzypp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/openSUSE/libzypp/commit/f09feda7fca03c941218aab0bb161cc82b185b6b
 (17.38.10)
 CVE-2026-22078 (Because O+ Connect's IPC service does not authenticate 
clients, extern ...)
        NOT-FOR-US: Oppo
 CVE-2026-13757 (A flaw was found in p11-kit. The RPC message attribute parsing 
functio ...)
        - p11-kit <unfixed>
+       [trixie] - p11-kit <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2494556
 CVE-2026-13752 (Improper neutralization of parameters in Snowflake CLI 
versions prior  ...)
        NOT-FOR-US: Snowflake CLI
@@ -688,9 +695,10 @@ CVE-2026-13484 (A vulnerability has been found in MLflow 
up to 4666cffc7912ea606
 CVE-2026-8095 (The Frontend File Manager Plugin plugin for WordPress is 
vulnerable to ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-58058 (Nmap through 7.99 does not keep the IPv6 extension-header walk 
within  ...)
-       - nmap <unfixed> (bug #1140916)
+       - nmap <unfixed> (bug #1140916; unimportant)
        NOTE: 
https://github.com/bikini/exploitarium/tree/main/nmap-ipv6-extlen-wrap-poc
        NOTE: 
https://github.com/nmap/nmap/commit/bb6754e76bb1686315008e1aa1c40202a513fb83
+       NOTE: Crash in CLI tool, no security impact
 CVE-2026-58057 (Flowise before 3.1.3 validates Custom MCP stdio environment 
variables  ...)
        NOT-FOR-US: Flowise
 CVE-2026-58056 (RustDesk gates incoming control messages on per-capability 
flags rathe ...)
@@ -6238,6 +6246,7 @@ CVE-2026-53571 (Vite is a frontend tooling framework for 
JavaScript. Prior to 8.
        - node-vite <itp> (bug #1053782)
 CVE-2026-53550 (js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 
and 3.1 ...)
        - node-js-yaml 4.2.0+~4.0.9-1
+       [trixie] - node-js-yaml <no-dsa> (Minor issue)
        NOTE: 
https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68
 CVE-2026-53540 (Python-Multipart is a streaming multipart parser for Python. 
Prior to  ...)
        - python-multipart <unfixed> (bug #1140628)
@@ -9537,6 +9546,7 @@ CVE-2026-12319 (Denial-of-service in the Audio/Video: 
Playback component. This v
 CVE-2026-12318 (Incorrect boundary conditions in the Libraries component in 
NSS. This  ...)
        - firefox <unfixed>
        - nss 2:3.124-1
+       [trixie] - nss <no-dsa> (Minor issue)
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2026-57/#CVE-2026-12318
        NOTE: 
https://hg-edge.mozilla.org/projects/nss/rev/bd0c42028c8eae5b9cbdb4f5b0ee59bc07cba2de
 CVE-2026-12317 (Memory safety bug fixed in Firefox 152. This vulnerability was 
fixed i ...)
@@ -23328,10 +23338,12 @@ CVE-2026-45715 (Budibase is an open-source low-code 
platform. Prior to 3.38.1, t
 CVE-2026-45571 (go-git is an extensible git implementation library written in 
pure Go. ...)
        - golang-github-go-git-go-git-v6 6.0.0~alpha4-1
        - golang-github-go-git-go-git 5.19.1-1
+       [trixie] - golang-github-go-git-go-git <no-dsa> (Minor issue)
        NOTE: 
https://github.com/go-git/go-git/security/advisories/GHSA-crhj-59gh-8x96
 CVE-2026-45570 (go-git is an extensible git implementation library written in 
pure Go. ...)
        - golang-github-go-git-go-git-v6 6.0.0~alpha4-1
        - golang-github-go-git-go-git 5.19.1-1
+       [trixie] - golang-github-go-git-go-git <no-dsa> (Minor issue)
        NOTE: 
https://github.com/go-git/go-git/security/advisories/GHSA-m7cr-m3pv-hgrp
 CVE-2026-45548 (Budibase is an open-source low-code platform. Prior to 3.34.8, 
the pro ...)
        NOT-FOR-US: Budibase
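Review bot: the [trixie] <no-dsa> line is added only for golang-github-go-git-go-git, while both CVE-2026-45571 and CVE-2026-45570 also list golang-github-go-git-go-git-v6 (6.0.0~alpha4-1) as an affected source package; the same pattern repeats for CVE-2026-45022 and CVE-2026-41506 further down in this diff. If the -v6 source package is not shipped in trixie this is correct, but if it is, it needs its own [trixie] annotation, since the tracker records status per source package.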
@@ -23358,6 +23370,7 @@ CVE-2026-45027 (WeGIA is a web manager for charitable 
institutions. In versions
 CVE-2026-45022 (go-git is an extensible git implementation library written in 
pure Go. ...)
        - golang-github-go-git-go-git-v6 6.0.0~alpha4-1
        - golang-github-go-git-go-git 5.19.1-1
+       [trixie] - golang-github-go-git-go-git <no-dsa> (Minor issue)
        NOTE: 
https://github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp
 CVE-2026-44988 (LibVNCClient is a library for easy implementation of a VNC 
client. In  ...)
        - libvncserver 0.9.15+dfsg-5 (bug #1138174)
@@ -34852,6 +34865,7 @@ CVE-2026-41507 (math-codegen generates code from 
mathematical expressions. Prior
 CVE-2026-41506 (go-git is an extensible git implementation library written in 
pure Go. ...)
        - golang-github-go-git-go-git-v6 6.0.0~alpha4-1
        - golang-github-go-git-go-git 5.19.1-1 (bug #1136095)
+       [trixie] - golang-github-go-git-go-git <no-dsa> (Minor issue)
        NOTE: 
https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963
        NOTE: Fixed by: 
https://github.com/go-git/go-git/commit/bcd20a9c525826081262a06a9ed9c3167abfcd53
 (v5.18.0)
 CVE-2026-41497 (PraisonAI is a multi-agent teams system. Prior to version 
4.6.9, the f ...)
@@ -132659,6 +132673,7 @@ CVE-2025-11233 (Starting from Rust 1.87.0 and before 
Rust 1.89.0, the tier 3 Cyg
        NOTE: 
https://groups.google.com/g/rustlang-security-announcements/c/oT9zCvLLYkw
 CVE-2025-11226 (ACE vulnerability in conditional configuration file processing 
 by QOS ...)
        - logback <unfixed> (bug #1140922)
+       [trixie] - logback <no-dsa> (Minor issue)
        NOTE: https://logback.qos.ch/news.html#1.5.19
        NOTE: Fixed by: 
https://github.com/qos-ch/logback/commit/61f6a2544f36b3016e0efd434ee21f19269f1df7
 (v_1.5.19)
 CVE-2025-10847 (DX Unified Infrastructure Management (Nimsoft/UIM) and below 
contains  ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -39,6 +39,8 @@ firebird3.0
 --
 firebird4.0
 --
+jackson-databind
+--
 jetty9
 --
 jetty12
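Review bot: jackson-databind is added to dsa-needed.txt with no accompanying note, and none of the data/CVE/list hunks in this commit touch a jackson-databind entry, so the commit gives no indication which CVE(s) the DSA is meant to cover. Consider adding a note line under the package name referencing the relevant CVE ids so whoever picks up the DSA knows its scope.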



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9e29d216a444cf64a59a4a527d49c634a1a101b



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits