Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2d27b062 by Moritz Muehlenhoff at 2026-07-02T20:35:44+02:00
trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -669,6 +669,7 @@ CVE-2026-14324 (RAOP module accepts unbounded 
Content-Length values and does not
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2495903
 CVE-2026-14258 (A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router 
Advertisem ...)
        - dhcpcd 1:10.2.4-3
+       [trixie] - dhcpcd <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2462305
        NOTE: https://github.com/NetworkConfiguration/dhcpcd/issues/415
        NOTE: https://github.com/NetworkConfiguration/dhcpcd/commit/75289ca 
(v10.2.0)
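Review bot: the new `[trixie] - dhcpcd <no-dsa>` line gives only "Minor issue" as rationale, while the NOTE lines identify a concrete upstream fix (commit 75289ca, v10.2.0) for a flaw reachable via IPv6 Router Advertisements, i.e. from the local link without authentication. State in the parenthetical why it is minor for trixie (crash only, non-default configuration, or similar), and whether a fix is intended via a trixie point update, so a later triager does not have to re-derive the decision from the Red Hat bug and upstream issue #415.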
@@ -963,9 +964,11 @@ CVE-2026-57995 (phpMyFAQ before 4.1.5 contains a privilege 
escalation vulnerabil
        NOT-FOR-US: phpMyFAQ
 CVE-2026-57963 (An attacker who can send HTML chat messages (via Matrix or 
XMPP) can i ...)
        - thunderbird <unfixed>
+       [trixie] - thunderbird <postponed> (Minor issue, wait for next security 
round)
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2026-64/#CVE-2026-57963
 CVE-2026-57962 (A malicious LDAP server, which a Thunderbird user is 
configured to que ...)
        - thunderbird <unfixed>
+       [trixie] - thunderbird <postponed> (Minor issue, wait for next security 
round)
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2026-64/#CVE-2026-57962
 CVE-2026-57585 (MessagePack is the serializer implementation for Python 
msgpack.org. P ...)
        - python-msgpack <unfixed>
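Review bot: both thunderbird entries (CVE-2026-57963 and CVE-2026-57962) are marked `<postponed>` with the identical rationale "Minor issue, wait for next security round", and both NOTE URLs point at the same advisory, mfsa2026-64. Since the whole advisory will presumably be addressed by one Thunderbird ESR upload, check that the remaining CVEs from mfsa2026-64 carry a matching trixie annotation, otherwise the tracker will show a partially triaged advisory until that round lands.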
@@ -2611,11 +2614,13 @@ CVE-2026-53691 (An Unrestricted File Upload 
vulnerability in Redeight CMS versio
 CVE-2026-53690 (An SQL Injection vulnerability exists in Redeight CMS version 
1.0 via  ...)
        NOT-FOR-US: Redeight CMS
 CVE-2026-53433 (fzf is vulnerable to a Denial of Service (DoS) due to 
inefficient HTTP ...)
-       - fzf 0.73.1-1
+       - fzf 0.73.1-1 (unimportant)
        NOTE: Fixed by: 
https://github.com/junegunn/fzf/commit/7963a2c6586c0b9eaa89b8995de8f0e08cf8a4ce 
(v0.73.1)
+       NOTE: Crash in CLI tool, no security impact
 CVE-2026-53432 (fzf is vulnerable toInteger Overflow leading to crash in 
FuzzyMatchV2  ...)
-       - fzf 0.73.1-1
+       - fzf 0.73.1-1 (unimportant)
        NOTE: Fixed by: 
https://github.com/junegunn/fzf/commit/ccedd064ca56921a4235219516b3d834f60e7b91 
(v0.73.0)
+       NOTE: Crash in CLI tool, no security impact
 CVE-2026-52760 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
        - activemq <unfixed>
        NOTE: https://lists.apache.org/thread/d3mhyo2116nomz2lwxppyy4pclvdxq3n
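Review bot: the added rationale "Crash in CLI tool, no security impact" does not obviously fit CVE-2026-53433, whose description reads "Denial of Service (DoS) due to inefficient HTTP ...", suggesting a request-handling path rather than a crash on interactive input. If the basis for `(unimportant)` is that the HTTP interface is opt-in and local, say so in the NOTE, as the current wording would also be read as dismissing a network-reachable DoS. For CVE-2026-53432 the referenced fix commit is tagged (v0.73.0) while the fixed version stays 0.73.1-1; fine if no 0.73.0 upload existed, otherwise the earlier version should be recorded.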
@@ -3499,19 +3504,19 @@ CVE-2026-49048 (The Joomla extension JoomCCK exposes a 
front-end controller task
 CVE-2026-13504 (A vulnerability has been found in code-projects Project 
Management Sys ...)
        NOT-FOR-US: code-projects
 CVE-2026-13503 (A vulnerability was detected in antlr ANTLR4 up to 4.13.2. 
Affected by ...)
-       - antlr4 <unfixed>
+       - antlr4 <undetermined>
        NOTE: https://github.com/wooyun123/wooyun/issues/8
        TODO: check upstream reporting and status
 CVE-2026-13502 (A flaw has been found in antlr ANTLR4 up to 4.13.2. This 
affects the f ...)
-       - antlr4 <unfixed>
+       - antlr4 <undetermined>
        NOTE: https://github.com/wooyun123/wooyun/issues/7
        TODO: check upstream reporting and status
 CVE-2026-13501 (A security vulnerability has been detected in antlr ANTLR4 up 
to 4.13. ...)
-       - antlr4 <unfixed>
+       - antlr4 <undetermined>
        NOTE: https://github.com/wooyun123/wooyun/issues/6
        TODO: check upstream reporting and status
 CVE-2026-13500 (A weakness has been identified in antlr ANTLR4 up to 4.13.2. 
Affected  ...)
-       - antlr4 <unfixed>
+       - antlr4 <undetermined>
        NOTE: https://github.com/wooyun123/wooyun/issues/4
        TODO: check upstream reporting and status
 CVE-2026-13499 (A security flaw has been discovered in yashpokharna2555 
restaurent-man ...)
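Review bot: moving the four antlr4 entries (CVE-2026-13503 through CVE-2026-13500) from `<unfixed>` to `<undetermined>` is consistent with the TODO "check upstream reporting and status" that stays on each, but the only references are issues in the reporter's own repository (github.com/wooyun123/wooyun/issues/8, 7, 6, 4), not the antlr/antlr4 tracker. Add a NOTE recording whether upstream has been notified or has acknowledged the reports, since `<undetermined>` should eventually resolve to `<not-affected>` or a real fix, and a TODO without an upstream pointer tends to stay open indefinitely.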
@@ -3587,26 +3592,32 @@ CVE-2026-10593 (The Zephyr Bluetooth LE Audio Basic 
Audio Profile (BAP) unicast
        NOT-FOR-US: Zephyr, different from src:zephyr
 CVE-2026-48002
        - qemu 1:11.0.2+ds-1
+       [trixie] - qemu <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/00589953cc263ed8098fa9c0a007a9b04d470f85
 (v11.0.2)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/52155a6affd077f7e50fd0aca99a391d6e9e7066
 (v11.0.2)
 CVE-2026-48003
        - qemu 1:11.0.2+ds-1
+       [trixie] - qemu <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/5228799f15b28c0780375701236098d7c07261d4
 (v11.0.2)
 CVE-2026-48004
        - qemu 1:11.0.2+ds-1
+       [trixie] - qemu <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/c394949ff2ec8db218e2a1a2b592d7f8efde68c7
 (v11.0.2)
 CVE-2026-48915
        - qemu 1:11.0.2+ds-1
+       [trixie] - qemu <no-dsa> (Minor issue)
        [bookworm] - qemu <not-affected> (Vulnerable code not present)
        [bullseye] - qemu <not-affected> (Vulnerable code not present)
        NOTE: Introduced with: 
https://gitlab.com/qemu-project/qemu/-/commit/12058948abdf7eed8364aee79add66b40002fd5b
 (v10.0.0-rc0)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/41d5a45d24ed3e18605d3f6569d9446dad3ebf65
 (v11.0.2)
 CVE-2026-6425
        - qemu 1:11.0.2+ds-1
+       [trixie] - qemu <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/92d7bb038e011e76b631a6213807469c6b5edd51
 (v11.0.2)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/cb326591b3da050fa676cf06a6d5346a976d3844
 (v11.0.2)
 CVE-2026-8343
        - qemu 1:11.0.2+ds-1
+       [trixie] - qemu <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/bccd2c7d602d17d6786872a8aa0706855c07e684
 (v11.0.2)
 CVE-2026-XXXX [TROVE-2026-020]
        - tor 0.4.9.9-1
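Review bot: of the six qemu entries given `[trixie] - qemu <no-dsa> (Minor issue)`, only CVE-2026-48915 records the introducing commit (12058948, v10.0.0-rc0) and the matching `[bookworm]`/`[bullseye] <not-affected>` lines; the other five (CVE-2026-48002, 48003, 48004, 6425, 8343) have no bookworm or bullseye annotation at all and only "Fixed by" notes against v11.0.2. Either add the older-release assessment for those five or leave a TODO, as the no-dsa line covers trixie alone and the entries otherwise read as if bookworm had not been looked at.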
@@ -6493,6 +6504,7 @@ CVE-2026-12635 (GitLab has remediated an issue in GitLab 
CE/EE affecting all ver
        NOT-FOR-US: GitLab (used to be packaged in the Debian archive as 
src:gitlab, but never in a stable release)
 CVE-2026-12490 (When a provide-xfr is given with a tls-auth-name, a secondary 
requesti ...)
        - nsd 4.14.3-1
+       [trixie] - nsd <no-dsa> (Minor issue)
        NOTE: https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt
 CVE-2026-12246 (NSD version 4.14.0 introduced a bug where a specially crafted 
APL RR,  ...)
        - nsd 4.14.3-1
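Review bot: the `[trixie] - nsd <no-dsa> (Minor issue)` line for CVE-2026-12490 should carry the reason in the parenthetical; from the description the flaw is specific to `provide-xfr` configured with `tls-auth-name`, so "only affects zone transfer TLS authentication setups" or whatever the NLnet Labs advisory text supports would make the triage reproducible. The neighbouring CVE-2026-12246, fixed in the same 4.14.3-1 upload, shows no trixie annotation within this hunk's context; confirm it was assessed in the same pass.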


=====================================
data/dsa-needed.txt
=====================================
@@ -75,6 +75,8 @@ nodejs
 --
 node-dompurify
 --
+openvpn (jmm)
+--
 pacemaker
 --
 pdfminer (carnil)
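Review bot: the `openvpn (jmm)` entry follows the file's claimed-by convention (cf. `pdfminer (carnil)`), but neither the entry nor the commit message "trixie triage" says which CVE or issue drives the DSA; the rsync entry below shows the file's way of doing that with an indented one-line reason. Adding such a line here avoids the next reader having to cross-reference data/CVE/list to find out why openvpn is queued.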
@@ -85,6 +87,8 @@ perl (carnil)
 --
 prometheus
 --
+redis
+--
 rsync
   for regression fixes
 --
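Review bot: `redis` is added without a claimant and without a reason line, unlike `openvpn (jmm)` in the same commit. Unclaimed entries are fine as open work items, but a short indented note on the pending issue, in the style of rsync's "for regression fixes", would make it clear whether this is a fresh advisory, a regression follow-up, or a batch of minor CVEs being bundled.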



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d27b0622eea7cd4d0663a16ac9e147a8801775a



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
