Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2d27b062 by Moritz Muehlenhoff at 2026-07-02T20:35:44+02:00
trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -669,6 +669,7 @@ CVE-2026-14324 (RAOP module accepts unbounded
Content-Length values and does not
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2495903
CVE-2026-14258 (A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router
Advertisem ...)
- dhcpcd 1:10.2.4-3
+ [trixie] - dhcpcd <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2462305
NOTE: https://github.com/NetworkConfiguration/dhcpcd/issues/415
NOTE: https://github.com/NetworkConfiguration/dhcpcd/commit/75289ca
(v10.2.0)
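Review bot: the new `[trixie] - dhcpcd <no-dsa> (Minor issue)` line gives no rationale beyond "Minor issue" for a flaw in IPv6 Router Advertisement handling, which processes unsolicited on-link traffic; a few words on what limits the impact (the linked bugzilla entry presumably says) would make the decision reviewable later without a lookup. No `[bookworm]` annotation is visible in this hunk's context, so if bookworm's dhcpcd predates the v10.2.0 fix it still needs its own triage line.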
@@ -963,9 +964,11 @@ CVE-2026-57995 (phpMyFAQ before 4.1.5 contains a privilege
escalation vulnerabil
NOT-FOR-US: phpMyFAQ
CVE-2026-57963 (An attacker who can send HTML chat messages (via Matrix or
XMPP) can i ...)
- thunderbird <unfixed>
+ [trixie] - thunderbird <postponed> (Minor issue, wait for next security
round)
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2026-64/#CVE-2026-57963
CVE-2026-57962 (A malicious LDAP server, which a Thunderbird user is
configured to que ...)
- thunderbird <unfixed>
+ [trixie] - thunderbird <postponed> (Minor issue, wait for next security
round)
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2026-64/#CVE-2026-57962
CVE-2026-57585 (MessagePack is the serializer implementation for Python
msgpack.org. P ...)
- python-msgpack <unfixed>
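Review bot: both thunderbird entries keep `thunderbird <unfixed>` for unstable while the new `[trixie]` lines postpone the fix to the next security round; since the mfsa2026-64 references mean an upstream release carrying the fixes exists, a NOTE recording that fixed upstream version on each entry would let the next round verify at a glance that CVE-2026-57963 and CVE-2026-57962 are both covered by the same update.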
@@ -2611,11 +2614,13 @@ CVE-2026-53691 (An Unrestricted File Upload
vulnerability in Redeight CMS versio
CVE-2026-53690 (An SQL Injection vulnerability exists in Redeight CMS version
1.0 via ...)
NOT-FOR-US: Redeight CMS
CVE-2026-53433 (fzf is vulnerable to a Denial of Service (DoS) due to
inefficient HTTP ...)
- - fzf 0.73.1-1
+ - fzf 0.73.1-1 (unimportant)
NOTE: Fixed by:
https://github.com/junegunn/fzf/commit/7963a2c6586c0b9eaa89b8995de8f0e08cf8a4ce
(v0.73.1)
+ NOTE: Crash in CLI tool, no security impact
CVE-2026-53432 (fzf is vulnerable toInteger Overflow leading to crash in
FuzzyMatchV2 ...)
- - fzf 0.73.1-1
+ - fzf 0.73.1-1 (unimportant)
NOTE: Fixed by:
https://github.com/junegunn/fzf/commit/ccedd064ca56921a4235219516b3d834f60e7b91
(v0.73.0)
+ NOTE: Crash in CLI tool, no security impact
CVE-2026-52760 (Improper Neutralization of Input During Web Page Generation
('Cross-si ...)
- activemq <unfixed>
NOTE: https://lists.apache.org/thread/d3mhyo2116nomz2lwxppyy4pclvdxq3n
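Review bot: the rationale "Crash in CLI tool, no security impact" fits CVE-2026-53432 (integer overflow in FuzzyMatchV2), but CVE-2026-53433's description cites a DoS through inefficient HTTP handling, which points at a network-facing code path rather than the interactive matcher; the NOTE on that entry should state why that path does not matter here (for example, that the listener is optional and not enabled by default, if that is the basis) so the `(unimportant)` downgrade stands on its own. The `Fixed by:` references with their upstream versions are a good addition for both entries.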
@@ -3499,19 +3504,19 @@ CVE-2026-49048 (The Joomla extension JoomCCK exposes a
front-end controller task
CVE-2026-13504 (A vulnerability has been found in code-projects Project
Management Sys ...)
NOT-FOR-US: code-projects
CVE-2026-13503 (A vulnerability was detected in antlr ANTLR4 up to 4.13.2.
Affected by ...)
- - antlr4 <unfixed>
+ - antlr4 <undetermined>
NOTE: https://github.com/wooyun123/wooyun/issues/8
TODO: check upstream reporting and status
CVE-2026-13502 (A flaw has been found in antlr ANTLR4 up to 4.13.2. This
affects the f ...)
- - antlr4 <unfixed>
+ - antlr4 <undetermined>
NOTE: https://github.com/wooyun123/wooyun/issues/7
TODO: check upstream reporting and status
CVE-2026-13501 (A security vulnerability has been detected in antlr ANTLR4 up
to 4.13. ...)
- - antlr4 <unfixed>
+ - antlr4 <undetermined>
NOTE: https://github.com/wooyun123/wooyun/issues/6
TODO: check upstream reporting and status
CVE-2026-13500 (A weakness has been identified in antlr ANTLR4 up to 4.13.2.
Affected ...)
- - antlr4 <unfixed>
+ - antlr4 <undetermined>
NOTE: https://github.com/wooyun123/wooyun/issues/4
TODO: check upstream reporting and status
CVE-2026-13499 (A security flaw has been discovered in yashpokharna2555
restaurent-man ...)
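Review bot: moving the four antlr4 entries from `<unfixed>` to `<undetermined>` is the right call given that the only references are issues in a reporter's personal wooyun123/wooyun repository rather than the ANTLR project's own tracker; the identical `TODO: check upstream reporting and status` would be more actionable if it named what resolves it (an upstream ANTLR4 issue or commit, or confirmation that the affected code is not in the Debian package), and a NOTE with the packaged antlr4 version would let the "up to 4.13.2" range be compared directly.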
@@ -3587,26 +3592,32 @@ CVE-2026-10593 (The Zephyr Bluetooth LE Audio Basic
Audio Profile (BAP) unicast
NOT-FOR-US: Zephyr, different from src:zephyr
CVE-2026-48002
- qemu 1:11.0.2+ds-1
+ [trixie] - qemu <no-dsa> (Minor issue)
NOTE: Fixed by:
https://gitlab.com/qemu-project/qemu/-/commit/00589953cc263ed8098fa9c0a007a9b04d470f85
(v11.0.2)
NOTE: Fixed by:
https://gitlab.com/qemu-project/qemu/-/commit/52155a6affd077f7e50fd0aca99a391d6e9e7066
(v11.0.2)
CVE-2026-48003
- qemu 1:11.0.2+ds-1
+ [trixie] - qemu <no-dsa> (Minor issue)
NOTE: Fixed by:
https://gitlab.com/qemu-project/qemu/-/commit/5228799f15b28c0780375701236098d7c07261d4
(v11.0.2)
CVE-2026-48004
- qemu 1:11.0.2+ds-1
+ [trixie] - qemu <no-dsa> (Minor issue)
NOTE: Fixed by:
https://gitlab.com/qemu-project/qemu/-/commit/c394949ff2ec8db218e2a1a2b592d7f8efde68c7
(v11.0.2)
CVE-2026-48915
- qemu 1:11.0.2+ds-1
+ [trixie] - qemu <no-dsa> (Minor issue)
[bookworm] - qemu <not-affected> (Vulnerable code not present)
[bullseye] - qemu <not-affected> (Vulnerable code not present)
NOTE: Introduced with:
https://gitlab.com/qemu-project/qemu/-/commit/12058948abdf7eed8364aee79add66b40002fd5b
(v10.0.0-rc0)
NOTE: Fixed by:
https://gitlab.com/qemu-project/qemu/-/commit/41d5a45d24ed3e18605d3f6569d9446dad3ebf65
(v11.0.2)
CVE-2026-6425
- qemu 1:11.0.2+ds-1
+ [trixie] - qemu <no-dsa> (Minor issue)
NOTE: Fixed by:
https://gitlab.com/qemu-project/qemu/-/commit/92d7bb038e011e76b631a6213807469c6b5edd51
(v11.0.2)
NOTE: Fixed by:
https://gitlab.com/qemu-project/qemu/-/commit/cb326591b3da050fa676cf06a6d5346a976d3844
(v11.0.2)
CVE-2026-8343
- qemu 1:11.0.2+ds-1
+ [trixie] - qemu <no-dsa> (Minor issue)
NOTE: Fixed by:
https://gitlab.com/qemu-project/qemu/-/commit/bccd2c7d602d17d6786872a8aa0706855c07e684
(v11.0.2)
CVE-2026-XXXX [TROVE-2026-020]
- tor 0.4.9.9-1
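Review bot: six qemu entries receive the same `[trixie] - qemu <no-dsa> (Minor issue)` line, but only CVE-2026-48915 carries `[bookworm]`/`[bullseye]` not-affected lines, backed by an `Introduced with:` commit at v10.0.0-rc0; the other five (CVE-2026-48002, CVE-2026-48003, CVE-2026-48004, CVE-2026-6425, CVE-2026-8343) show no bookworm or bullseye annotation in the visible context, so either their introducing commits should be recorded the same way or they still need bookworm triage. Since every fix here is at v11.0.2, a NOTE saying whether they are planned for a trixie point release would also clarify what `<no-dsa>` means for these entries.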
@@ -6493,6 +6504,7 @@ CVE-2026-12635 (GitLab has remediated an issue in GitLab
CE/EE affecting all ver
NOT-FOR-US: GitLab (used to be packaged in the Debian archive as
src:gitlab, but never in a stable release)
CVE-2026-12490 (When a provide-xfr is given with a tls-auth-name, a secondary
requesti ...)
- nsd 4.14.3-1
+ [trixie] - nsd <no-dsa> (Minor issue)
NOTE: https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt
CVE-2026-12246 (NSD version 4.14.0 introduced a bug where a specially crafted
APL RR, ...)
- nsd 4.14.3-1
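Review bot: `(Minor issue)` on the nsd CVE-2026-12490 line omits the precondition the description itself states (provide-xfr configured with a tls-auth-name); repeating that condition in the reason, as the linked NLnet Labs advisory presumably spells out, would justify the no-dsa decision without a lookup. The neighbouring CVE-2026-12246, fixed by the same nsd 4.14.3-1 upload, shows no `[trixie]` line within the hunk context, which ends right after its version line; if it was triaged separately that is fine, otherwise it should get the same treatment.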
=====================================
data/dsa-needed.txt
=====================================
@@ -75,6 +75,8 @@ nodejs
--
node-dompurify
--
+openvpn (jmm)
+--
pacemaker
--
pdfminer (carnil)
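Review bot: the new `openvpn (jmm)` entry follows the file's `package (owner)` convention seen on `pdfminer (carnil)`, but carries no scope note, and no openvpn entry appears in the data/CVE/list part of this commit; where the file elsewhere qualifies an entry (`rsync` with `for regression fixes`), a one-line note naming the CVE(s) driving the DSA would tell other team members what is in flight.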
@@ -85,6 +87,8 @@ perl (carnil)
--
prometheus
--
+redis
+--
rsync
for regression fixes
--
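Review bot: `redis` is added without an owner, which in this file marks an unclaimed DSA; that works as a request for volunteers, but unlike `openvpn (jmm)` it also has no note, so whoever picks it up has to rediscover which CVEs are in scope; a short note in the entry would save that. The `--` separator lines are placed consistently with the surrounding entries.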
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d27b0622eea7cd4d0663a16ac9e147a8801775a
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits