Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
66022604 by Moritz Muehlenhoff at 2026-07-01T13:55:48+02:00
trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -85,29 +85,35 @@ CVE-2026-56399 (Open WebUI before 0.6.27 contains a
server-side request forgery
NOT-FOR-US: Open WebUI
CVE-2026-56377 (ImageMagick before 7.1.2-24 contains an incorrect policy check
that al ...)
- imagemagick 8:7.1.2.24+dfsg1-1
+ [trixie] - imagemagick <no-dsa> (Minor issue)
NOTE:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gm48-c7f2-v67p
NOTE: Fixed by:
https://github.com/ImageMagick/ImageMagick/commit/3705205e1424d379c2fc46c026c8560ccea0509e
(7.1.2-24)
NOTE: Fixed by:
https://github.com/ImageMagick/ImageMagick6/commit/a2aa44ce71f0950522a104bbd4daa7b8a0b6709c
(6.9.13-49)
CVE-2026-56369 (ImageMagick before 7.1.2-22 contains an information disclosure
vulnera ...)
- imagemagick 8:7.1.2.23+dfsg1-1
+ [trixie] - imagemagick <no-dsa> (Minor issue)
NOTE:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qv2q-c278-pch5
TODO: check fixing commit in 7.1.2-22
CVE-2026-56365 (ImageMagick before 7.1.2-19 contains a memory leak
vulnerability in th ...)
- imagemagick 8:7.1.2.19+dfsg1-1
+ [trixie] - imagemagick <no-dsa> (Minor issue)
NOTE:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-x928-4434-crqj
NOTE: Fixed by:
https://github.com/ImageMagick/ImageMagick/commit/ca761f220bbf0470e2e7967639bcfb5be305ad28
(7.1.2-19)
NOTE: Fixed by:
https://github.com/ImageMagick/ImageMagick6/commit/28ed1c9993fe437a44c00bee2ee20d58f7e0204c
(6.9.13-44)
CVE-2026-56364 (ImageMagick before 7.1.2-13 contains a memory leak
vulnerability in Lo ...)
- imagemagick 8:7.1.2.13+dfsg1-1
+ [trixie] - imagemagick <no-dsa> (Minor issue)
NOTE:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp59-x883-77qv
NOTE: Fixed by:
https://github.com/ImageMagick/ImageMagick/commit/a52c1b402be08ef8ae193f28ac5b2e120f2fa26f
(7.1.2-13)
CVE-2026-56363 (ImageMagick before 7.1.2-22 contains a division by zero
vulnerability ...)
- imagemagick 8:7.1.2.23+dfsg1-1
+ [trixie] - imagemagick <no-dsa> (Minor issue)
NOTE:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vf33-6r7x-66xx
NOTE: Fixed by:
https://github.com/ImageMagick/ImageMagick/commit/d67eef71764cfeca07b4edf8a8ae922180f5f2e4
(7.1.2-22)
NOTE: Fixed by:
https://github.com/ImageMagick/ImageMagick6/commit/7a48e0b3107608c7d87a172473cfd5294bc9e81f
(6.9.13-47)
CVE-2026-56361 (ImageMagick before 7.1.2-19 contains an off-by-one error in
morphology ...)
- imagemagick 8:7.1.2.19+dfsg1-1
+ [trixie] - imagemagick <no-dsa> (Minor issue)
NOTE:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-q8h3-jv9v-57qx
NOTE: Fixed by:
https://github.com/ImageMagick/ImageMagick/commit/a6bfb1bb7b4017ec52f5a957641d83ce29b63286
(7.1.2-19)
NOTE: Fixed by:
https://github.com/ImageMagick/ImageMagick6/commit/cb02de6a5b527edc51982408ad719d76c6699d78
(6.9.13-44)
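Review bot: CVE-2026-56369 gets the new `[trixie] - imagemagick <no-dsa> (Minor issue)` line while its `TODO: check fixing commit in 7.1.2-22` is still open, so it is the only entry in this block without a `Fixed by` reference; resolving that TODO (or recording that advisory GHSA-qv2q-c278-pch5 names no commit) would spare a later trixie point update from redoing the research. The other five entries are consistent with the advisory links and fix versions already recorded.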
@@ -393,6 +399,7 @@ CVE-2025-12530 (IBM watsonx.data intelligence 5.2.2, 5.3.0,
5.3.1, 5.3.1 through
NOT-FOR-US: IBM
CVE-2026-56016
- libcgi-session-perl <unfixed> (bug #1141197)
+ [trixie] - libcgi-session-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/41439279/
CVE-2026-13774 (Use after free in Extensions in Google Chrome prior to
150.0.7871.47 a ...)
- chromium <unfixed>
@@ -1617,37 +1624,44 @@ CVE-2026-58116 (LLaMA-Factory through 0.9.5 contains a
remote code execution vul
NOT-FOR-US: LLaMA-Factory
CVE-2026-58016 (A flaw was found in GLib. A state confusion issue exists in
g_dbus_nod ...)
- glib2.0 <unfixed>
+ [trixie] - glib2.0 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/work_items/3932
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/5156 (2.89.0)
CVE-2026-58015 (A flaw was found in GLib. The D-Bus client-side implementation
of the ...)
- glib2.0 2.88.1-2
+ [trixie] - glib2.0 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/work_items/3931
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/5172 (2.89.0)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/5174 (2.88.1)
CVE-2026-58014 (A flaw was found in GLib. An off-by-one error can occur in the
g_key_f ...)
- glib2.0 2.88.1-2
+ [trixie] - glib2.0 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/work_items/3930
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/5171 (2.89.0)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/5174 (2.88.1)
CVE-2026-58013 (A flaw was found in GLib. A buffer over-read can occur in
g_io_channel ...)
- glib2.0 2.88.1-2
+ [trixie] - glib2.0 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/work_items/3925
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/5170 (2.89.0)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/5174 (2.88.1)
CVE-2026-58012 (A flaw was found in GLib. A buffer over-read can occur in the
g_regex_ ...)
- glib2.0 2.88.1-2
+ [trixie] - glib2.0 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/work_items/3918
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/5132 (2.89.0)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/5134 (2.88.1)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/5135 (2.86.5)
CVE-2026-58011 (A flaw was found in GLib. An out-of-bounds read of only 2
bytes can oc ...)
- glib2.0 2.88.1-2
+ [trixie] - glib2.0 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/work_items/3917
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/5131 (2.89.0)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/5134 (2.88.1)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/5135 (2.86.5)
CVE-2026-58010 (A flaw was found in GLib. An off-by-one error can occur in the
gvs_tup ...)
- glib2.0 2.88.1-2
+ [trixie] - glib2.0 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/work_items/3915
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/5129 (2.89.0)
NOTE:
https://gitlab.gnome.org/GNOME/glib/-/commit/8338414f6560216efe67d3cbf549e32f8630252a
(2.89.0)
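Review bot: CVE-2026-58016 is the one GLib entry in this hunk that stays `glib2.0 <unfixed>` in unstable while receiving the trixie no-dsa tag, and it only references the 2.89.0 merge request (!5156), whereas the sibling entries 58015, 58014 and 58013 also cite the 2.88.1 backport (!5174); if upstream has no 2.88 backport for the g_dbus_node state-confusion fix, a NOTE saying so would explain why this one will need a separate cherry-pick for a point update.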
@@ -3677,6 +3691,7 @@ CVE-2026-8797 (An access control deficiency vulnerability
exists in ExpressUpdat
NOT-FOR-US: ExpressUpdate Agent for Windows
CVE-2026-8720 (wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message
when t ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10447 (v5.9.2-stable)
CVE-2026-8661 (Server-Side Cross-Site Scripting and Server-Side Request
Forgery vulne ...)
NOT-FOR-US: Rapid7
@@ -3684,45 +3699,59 @@ CVE-2026-8380 (The Frontend File Manager Plugin
WordPress plugin through 23.6 do
NOT-FOR-US: WordPress plugin
CVE-2026-7532 (iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is
not defi ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10354 (v5.9.2-stable)
CVE-2026-7531 (Use-after-free in PQC hybrid key-share handling. This is an
incomplete ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10327 (v5.9.2-stable)
CVE-2026-7511 (PKCS7_verify signer confusion allows forged signatures, where
the sign ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10203 (v5.9.2-stable)
CVE-2026-6731 (X.509 name constraint bypass via the Subject Common Name when
treated ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10223 (v5.9.2-stable)
CVE-2026-6681 (The PKCS#7 decode path ignores the caller-supplied output
buffer size ...)
- wolfssl 5.9.1-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10116 (v5.9.1-stable)
CVE-2026-6679 (A heap buffer overflow could occur in the DTLS 1.3 ACK
serialization p ...)
- wolfssl 5.9.1-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10116 (v5.9.1-stable)
CVE-2026-6678 (Integer underflow in wc_PKCS7_DecryptOri when handling crafted
Other R ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10203 (v5.9.2-stable)
CVE-2026-6450 (A CRL critical extension bypass exists in ParseCRL_Extensions
where cr ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10239 (v5.9.2-stable)
CVE-2026-6412 (Certificate policy and RFC 8446 compliance concerns regarding
the cont ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10222 (v5.9.2-stable)
CVE-2026-6331 (HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a
zero-le ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10192 (v5.9.2-stable)
CVE-2026-6330 (The ML-KEM ARM64 NEON ciphertext comparison only compares half
of the ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10192 (v5.9.2-stable)
CVE-2026-6329 (PKCS#12 MAC verification uses an attacker-controlled comparison
length ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10192 (v5.9.2-stable)
CVE-2026-6325 (Out-of-bounds write in SetSuitesHashSigAlgo when processing an
oversiz ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10204 (v5.9.2-stable)
CVE-2026-6092 (When HAVE_ENCRYPT_THEN_MAC is configured, the implementation
could fal ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10167 (v5.9.2-stable)
CVE-2026-57522 (Bitwarden Server before 2026.5.0 contains a JSON injection
vulnerabili ...)
- bitwarden <itp> (bug #956836)
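Review bot: all fourteen wolfssl entries in this hunk receive the identical `<no-dsa> (Minor issue)` tag, including CVE-2026-7511 (PKCS7_verify signer confusion allowing forged signatures), CVE-2026-6331 (zero-length HMAC tag forgery in EVP_DigestVerifyFinal) and CVE-2026-6325 (out-of-bounds write in SetSuitesHashSigAlgo), whose descriptions read as more than minor; if the rationale is that the fixes are all tracked in bug #1140815 and will land together through a trixie point update once 5.9.2 is packaged, stating that in the parenthesis (e.g. `(Minor issue; fix via point update)`) would make the uniform severity traceable later.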
@@ -3734,15 +3763,19 @@ CVE-2026-56445 (The qrscp application's C-STORE handler
uses a specific instance
NOT-FOR-US: pynetdicom (different from src:pydicom)
CVE-2026-55964 (Chain intermediate CA:TRUE without keyCertSign accepted as a
signing C ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10702 (v5.9.2-stable)
CVE-2026-55962 (TLS 1.3 post-handshake authentication (PHA) issue where a
server could ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10702 (v5.9.2-stable)
CVE-2026-55960 (Un-negotiated Raw Public Key (RFC 7250) accepted in place of
an X.509 ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10702 (v5.9.2-stable)
CVE-2026-55958 (Out-of-bounds write in the Renesas TSIP TLS 1.3 transcript
buffer. In ...)
- wolfssl <unfixed> (bug #1140815)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10705 (v5.9.2-stable)
CVE-2026-54479 (The WebSocket backend uses charging station identifiers to
uniquely as ...)
NOT-FOR-US: Evoke
@@ -4088,8 +4121,11 @@ CVE-2026-56772 (NewsBlur before 14.5.0 contains a broken
access control vulnerab
CVE-2026-56771 (NewsBlur before version 14.5.0 contains a server-side request
forgery ...)
NOT-FOR-US: NewsBlur
CVE-2026-56770 (libais through 0.15 VdmStream::AddLine uses an unchecked
sentinel valu ...)
- - python-libais <unfixed>
+ - python-libais <unfixed> (unimportant)
NOTE: https://github.com/schwehr/libais/issues/263
+ NOTE: https://github.com/schwehr/libais/pull/264
+ NOTE:
https://github.com/schwehr/libais/commit/ce0fedeba55197a3d2b695bd8874a14e87e1af4e
+ NOTE: No security impact
CVE-2026-56769 (Huly Platform through 0.7.423, fixed in commit 68cbf8a
contains an aut ...)
NOT-FOR-US: Huly Platform
CVE-2026-56768 (Seahub before 13.0.23 does not enforce
SHARE_LINK_LOGIN_REQUIRED on GE ...)
@@ -4100,15 +4136,18 @@ CVE-2026-56766 (Hydra through 9.7, fixed in commit
9cc84c2, contains a stack buf
NOT-FOR-US: Hydra
CVE-2026-56130 ("Remember me" cookie age is not verified on the server. This
potential ...)
- shiro <unfixed>
+ [trixie] - shiro <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2026/06/24/8
CVE-2026-56129 (Generic IO & Memory Access driver for PCs provided by TOSHIBA
CORPORAT ...)
NOT-FOR-US: Dynabook Inc.
CVE-2026-56123 (socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based
buffer ove ...)
- socat 1.8.1.3-1
+ [trixie] - socat <no-dsa> (Minor issue)
CVE-2026-56122 (Winstone Servlet Engine through 0.9.10 contains a path
traversal vulne ...)
NOT-FOR-US: Winstone Servlet Container
CVE-2026-56091 (When using Apache Shiro with the shiro-guice module in a web
servlet c ...)
- shiro <unfixed>
+ [trixie] - shiro <no-dsa> (Minor issue)
NOTE: https://lists.apache.org/thread/onmtxmy2qonbpx7xlw3o34x8sctv47r7
CVE-2026-56071 (Unauthenticated Cross Site Scripting (XSS) in Forminator <=
1.53.1 ver ...)
NOT-FOR-US: WordPress plugin or theme
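Review bot: the socat entry (CVE-2026-56123, a heap-based buffer overflow in 1.8.0.0 through 1.8.1.1, fixed in unstable with 1.8.1.3-1) gets `<no-dsa> (Minor issue)` without any NOTE pointing at the upstream advisory or fixing change, unlike the two shiro entries in this hunk which cite the oss-security and apache.org threads; adding the upstream reference and a word on why the overflow is considered minor would let a point-update maintainer locate the patch.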
@@ -4136,9 +4175,11 @@ CVE-2026-56005 (Subscriber Cross Site Scripting (XSS) in
WP Activity Log <= 5.6.
NOT-FOR-US: WordPress plugin or theme
CVE-2026-55967 (AES-GCM encryption/decryption with extremely large cumulative
single m ...)
- wolfssl <unfixed> (bug #1140765)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10709 (v5.9.2-stable)
CVE-2026-55961 (wolfSSL_PKCS7_verify() returning success for a degenerate
(certs-only) ...)
- wolfssl <unfixed> (bug #1140765)
+ [trixie] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/10702 (v5.9.2-stable)
CVE-2026-55895 (Vim is an open source, command line text editor. Prior to
9.2.0663, a ...)
- vim <unfixed> (bug #1140775)
@@ -7331,6 +7372,7 @@ CVE-2026-55099
NOT-FOR-US: Plone
CVE-2026-57062 (CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG
through 2 ...)
- gnupg2 2.4.9-5
+ [trixie] - gnupg2 <no-dsa> (Minor issue)
NOTE: https://blog.calif.io/p/how-to-format-a-ciphertext
NOTE: Fixed by:
https://github.com/gpg/gnupg/commit/4c7e68cf3d335328821bdbb70db309a60d0e4fd4
CVE-2026-56815 (pwnlift before d7a9544, in a privileged deployment, contains a
symlink ...)
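Review bot: the gnupg2 `NOTE: Fixed by:` line for CVE-2026-57062 gives the upstream commit 4c7e68cf but, unlike the ImageMagick and neovim entries in this commit, no upstream release in parentheses; adding the release that contains it, as the other entries do, would show at a glance whether 2.4.9-5 in unstable carries it via a new upstream or via a backport.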
@@ -17161,6 +17203,7 @@ CVE-2026-11488 (A vulnerability has been found in
code-projects Simple Flight Ti
NOT-FOR-US: code-projects
CVE-2026-11487 (A flaw has been found in Neovim up to 0.12.2. Affected by this
issue i ...)
- neovim 0.12.3-1 (bug #1139999)
+ [trixie] - neovim <no-dsa> (Minor issue)
NOTE: https://github.com/neovim/neovim/issues/39914
NOTE: https://github.com/neovim/neovim/pull/39918
NOTE:
https://github.com/neovim/neovim/commit/f83e0dcaf8cf18de94828341b0a1a61a86c75baf
(v0.12.3)
@@ -28997,11 +29040,13 @@ CVE-2026-42626 (HP ENVY 5000 series printers
VERBASPP1N003.2237A.00 do not prope
NOT-FOR-US: HP ENVY 5000 series printers
CVE-2026-42506 (Parsing arbitrary HTML which is then rendered using Render can
result ...)
- golang-golang-x-net 1:0.55.0-1
+ [trixie] - golang-golang-x-net <no-dsa> (Minor issue)
[bullseye] - golang-golang-x-net <postponed> (Limited support, minor
issue)
NOTE: https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
NOTE: https://github.com/golang/go/issues/79571
CVE-2026-42502 (Parsing arbitrary HTML which is then rendered using Render can
result ...)
- golang-golang-x-net 1:0.55.0-1
+ [trixie] - golang-golang-x-net <no-dsa> (Minor issue)
[bullseye] - golang-golang-x-net <postponed> (Limited support, minor
issue)
NOTE: https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
NOTE: https://github.com/golang/go/issues/79572
=====================================
data/dsa-needed.txt
=====================================
@@ -39,6 +39,8 @@ firebird3.0
--
firebird4.0
--
+hplip
+--
jackson-databind
--
jetty9
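Review bot: hplip is added to dsa-needed.txt with only the package name and the `--` separator, and the same holds for the ruby3.3 and wpa entries added further down; bare entries are common in this file, but the neighbouring rtpengine and vim entries show the convention of noting who is preparing the update and its status, so a short line with the intended maintainer or the CVE set would help the next triager pick these up.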
@@ -84,6 +86,8 @@ rsync
rtpengine
Victor Seva prepared a debdiff for trixie-security for review,
bookworm-security debdiff missing
--
+ruby3.3
+--
ruby-rack
--
ruby-rack-session
@@ -106,5 +110,7 @@ vim
some of the issues seem worth fixing
Lee Garrett is interested in contributing an update for stable
--
+wpa
+--
xrdp
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/660226041dfbc4c45faa9b20c7ab5102d6ee341c
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits