Daniel Leidert pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
27873b9d by Daniel Leidert at 2026-07-03T02:09:04+02:00
lts: postpone CVE-2019-8943/wordpress

This situation will not likely change. Remove this issue from popping up during
CVE triage.

- - - - -
4d177bff by Daniel Leidert at 2026-07-03T02:09:05+02:00
lts: add icinga2 to dla-needed

- - - - -
3b84c140 by Daniel Leidert at 2026-07-03T02:09:05+02:00
lts: drop release restriction for hplip

LTS covers Bookworm as well.

- - - - -
759df60e by Daniel Leidert at 2026-07-03T02:09:06+02:00
lts: mark CVE-2026-11972/python3 as postponed for LTS

- - - - -
57fc1054 by Daniel Leidert at 2026-07-03T02:10:09+02:00
lts: mark CVE-2026-55510/imagemagick not affecting LTS releases

- - - - -
c9cc6fd1 by Daniel Leidert at 2026-07-03T02:19:03+02:00
lts: add imagemagick to dla-needed

- - - - -
1c3acbbe by Daniel Leidert at 2026-07-03T03:06:05+02:00
lts: mark CVE-2026-11837/ansible as postponed for LTS releases

- - - - -
d774728c by Daniel Leidert at 2026-07-03T03:09:13+02:00
lts: mark CVE-2026-11332/ansible,ansible-core as postponed in LTS releases

- - - - -
d5b0f103 by Daniel Leidert at 2026-07-03T03:32:04+02:00
lts: add missing CVE list for DLA-4663-1

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -889,6 +889,8 @@ CVE-2026-55577 (ImageMagick is free and open-source 
software used for editing an
 CVE-2026-55510 (ImageMagick is free and open-source software used for editing 
and mani ...)
        - imagemagick <unfixed>
        [trixie] - imagemagick <not-affected> (vulnerable code introduced later)
+       [bookworm] - imagemagick <not-affected> (vulnerable code introduced 
later)
+       [bullseye] - imagemagick <not-affected> (vulnerable code introduced 
later)
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-ff5c-8x9r-8qcw
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/3bd584ee65653b85003e00e7517a00dfc0987609
 (7.1.2-26)
        NOTE: Introduced by: 
https://github.com/ImageMagick/ImageMagick/commit/0fbd8215fe5890e8b8396dad4df61074ebd0f227
 (7.1.2-17)
@@ -8560,7 +8562,9 @@ CVE-2026-11972 (When using the "tarfile" module with a 
file opened in "streaming
        - python3.13 <unfixed>
        [trixie] - python3.13 <no-dsa> (Minor issue)
        - python3.11 <removed>
+       [bookworm] - python3.11 <postponed> (Minor issue)
        - python3.9 <removed>
+       [bullseye] - python3.9 <postponed> (Minor issue)
        - python2.7 <removed>
        - pypy3 <unfixed>
        [trixie] - pypy3 <no-dsa> (Minor issue)
@@ -16191,6 +16195,8 @@ CVE-2026-22893 (A command injection vulnerability has 
been reported to affect se
 CVE-2026-11837 (A local privilege escalation vulnerability was found in the 
ansible.po ...)
        - ansible <unfixed> (bug #1139917)
        [trixie] - ansible <no-dsa> (Minor issue)
+       [bookworm] - ansible <postponed> (Minor issue, can be fixed with next 
update)
+       [bullseye] - ansible <postponed> (Minor issue, can be fixed with next 
update)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2487424
        NOTE: https://github.com/ansible-collections/ansible.posix/issues/759
        NOTE: https://github.com/ansible-collections/ansible.posix/pull/760
@@ -19133,9 +19139,10 @@ CVE-2026-11333 (A security vulnerability has been 
detected in tittuvarghese Coll
 CVE-2026-11332 (A flaw was found in ansible-core. The ansible-galaxy role 
install comm ...)
        - ansible-core 2.21.1~rc1-1 (bug #1139175)
        [trixie] - ansible-core <no-dsa> (Minor issue)
-       [bookworm] - ansible-core <no-dsa> (Minor issue)
+       [bookworm] - ansible-core <postponed> (Minor issue)
        - ansible 5.4.0-1
        [bookworm] - ansible <postponed> (Minor issue)
+       [bullseye] - ansible <postponed> (Minor issue)
        NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in 
experimental/5.4.0-1 in sid
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2485379
        NOTE: https://github.com/ansible/ansible/pull/87070
@@ -660906,6 +660913,8 @@ CVE-2019-8944 (An Information Exposure issue in the 
Terraform deployment step in
 CVE-2019-8943 (WordPress through 5.0.3 allows Path Traversal in 
wp_crop_image(). An a ...)
        - wordpress <undetermined> (bug #923583)
        [jessie] - wordpress <postponed> (requires privileged account, not 
directly exploitable as CVE-2019-8942 is fixed, no official patch)
+       [bullseye] - wordpress <postponed> (requires privileged account, not 
directly exploitable as CVE-2019-8942 is fixed, no official patch)
+       [bookworm] - wordpress <postponed> (requires privileged account, not 
directly exploitable as CVE-2019-8942 is fixed, no official patch)
        NOTE: 
https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
        NOTE: This CVE is explicitly for the mentioned Path Traversal in 
wp_crop_image().
        NOTE: Patching CVE-2019-8942 makes CVE-2019-8943 (RCE) not directly 
exploitable


=====================================
data/DLA/list
=====================================
@@ -1,4 +1,5 @@
 [02 Jul 2026] DLA-4663-1 node-lodash - security update
+       {CVE-2025-13465 CVE-2026-2950 CVE-2026-4800}
        [bullseye] - node-lodash 4.17.21+dfsg+~cs8.31.173-1+deb11u1
 [01 Jul 2026] DLA-4662-1 jq - security update
        {CVE-2026-32316 CVE-2026-33947 CVE-2026-33948 CVE-2026-39956 
CVE-2026-39979 CVE-2026-40164 CVE-2026-41256 CVE-2026-41257 CVE-2026-43894 
CVE-2026-43895 CVE-2026-43896 CVE-2026-44777 CVE-2026-47770 CVE-2026-49839 
CVE-2026-54679}


=====================================
data/dla-needed.txt
=====================================
@@ -246,10 +246,19 @@ gst-plugins-good1.0
   NOTE: 20260520: Added by Front-Desk (Beuc)
   NOTE: 20260520: 6 CVEs piled up since December (Beuc)
 --
-hplip/bullseye (Thorsten Alteholz)
+hplip (Thorsten Alteholz)
   NOTE: 20260523: Added by maintainer (ta)
   NOTE: 20260605: HP does not publish any information; looking for patches is 
not easy
 --
+icinga2
+  NOTE: 20260702: Added by Front-Desk (dleidert)
+  NOTE: 20260702: Follow DSA and/or support security team with DSA 
(dleidert/front-desk)
+  NOTE: 20260702: also care about outstanding CVEs (dleidert/front-desk)
+--
+imagemagick
+  NOTE: 20260703: Added by Front-Desk (dleidert)
+  NOTE: 20260703: Follow upcoming DSA (dleidert/front-desk)
+--
 inkscape/bookworm
   NOTE: 20260522: Added by Security Team (jmm)
   NOTE: 20260611: bookworm LTS handover.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bc4cf006e87024818d3337fcb8323f40ec41e811...d5b0f1030590194e9c8fbe9076ffac26c17efdf6

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bc4cf006e87024818d3337fcb8323f40ec41e811...d5b0f1030590194e9c8fbe9076ffac26c17efdf6
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to