Daniel Leidert pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
27873b9d by Daniel Leidert at 2026-07-03T02:09:04+02:00
lts: postpone CVE-2019-8943/wordpress
This situation will not likely change. Remove this issue from popping up during
CVE triage.
- - - - -
4d177bff by Daniel Leidert at 2026-07-03T02:09:05+02:00
lts: add icinga2 to dla-needed
- - - - -
3b84c140 by Daniel Leidert at 2026-07-03T02:09:05+02:00
lts: drop release restriction for hplip
LTS covers Bookworm as well.
- - - - -
759df60e by Daniel Leidert at 2026-07-03T02:09:06+02:00
lts: mark CVE-2026-11972/python3 as postponed for LTS
- - - - -
57fc1054 by Daniel Leidert at 2026-07-03T02:10:09+02:00
lts: mark CVE-2026-55510/imagemagick not affecting LTS releases
- - - - -
c9cc6fd1 by Daniel Leidert at 2026-07-03T02:19:03+02:00
lts: add imagemagick to dla-needed
- - - - -
1c3acbbe by Daniel Leidert at 2026-07-03T03:06:05+02:00
lts: mark CVE-2026-11837/ansible as postponed for LTS releases
- - - - -
d774728c by Daniel Leidert at 2026-07-03T03:09:13+02:00
lts: mark CVE-2026-11332/ansible,ansible-core as postponed in LTS releases
- - - - -
d5b0f103 by Daniel Leidert at 2026-07-03T03:32:04+02:00
lts: add missing CVE list for DLA-4663-1
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -889,6 +889,8 @@ CVE-2026-55577 (ImageMagick is free and open-source
software used for editing an
CVE-2026-55510 (ImageMagick is free and open-source software used for editing
and mani ...)
- imagemagick <unfixed>
[trixie] - imagemagick <not-affected> (vulnerable code introduced later)
+ [bookworm] - imagemagick <not-affected> (vulnerable code introduced
later)
+ [bullseye] - imagemagick <not-affected> (vulnerable code introduced
later)
NOTE:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-ff5c-8x9r-8qcw
NOTE: Fixed by:
https://github.com/ImageMagick/ImageMagick/commit/3bd584ee65653b85003e00e7517a00dfc0987609
(7.1.2-26)
NOTE: Introduced by:
https://github.com/ImageMagick/ImageMagick/commit/0fbd8215fe5890e8b8396dad4df61074ebd0f227
(7.1.2-17)
@@ -8560,7 +8562,9 @@ CVE-2026-11972 (When using the "tarfile" module with a
file opened in "streaming
- python3.13 <unfixed>
[trixie] - python3.13 <no-dsa> (Minor issue)
- python3.11 <removed>
+ [bookworm] - python3.11 <postponed> (Minor issue)
- python3.9 <removed>
+ [bullseye] - python3.9 <postponed> (Minor issue)
- python2.7 <removed>
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
@@ -16191,6 +16195,8 @@ CVE-2026-22893 (A command injection vulnerability has
been reported to affect se
CVE-2026-11837 (A local privilege escalation vulnerability was found in the
ansible.po ...)
- ansible <unfixed> (bug #1139917)
[trixie] - ansible <no-dsa> (Minor issue)
+ [bookworm] - ansible <postponed> (Minor issue, can be fixed with next
update)
+ [bullseye] - ansible <postponed> (Minor issue, can be fixed with next
update)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2487424
NOTE: https://github.com/ansible-collections/ansible.posix/issues/759
NOTE: https://github.com/ansible-collections/ansible.posix/pull/760
@@ -19133,9 +19139,10 @@ CVE-2026-11333 (A security vulnerability has been
detected in tittuvarghese Coll
CVE-2026-11332 (A flaw was found in ansible-core. The ansible-galaxy role
install comm ...)
- ansible-core 2.21.1~rc1-1 (bug #1139175)
[trixie] - ansible-core <no-dsa> (Minor issue)
- [bookworm] - ansible-core <no-dsa> (Minor issue)
+ [bookworm] - ansible-core <postponed> (Minor issue)
- ansible 5.4.0-1
[bookworm] - ansible <postponed> (Minor issue)
+ [bullseye] - ansible <postponed> (Minor issue)
NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in
experimental/5.4.0-1 in sid
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2485379
NOTE: https://github.com/ansible/ansible/pull/87070
@@ -660906,6 +660913,8 @@ CVE-2019-8944 (An Information Exposure issue in the
Terraform deployment step in
CVE-2019-8943 (WordPress through 5.0.3 allows Path Traversal in
wp_crop_image(). An a ...)
- wordpress <undetermined> (bug #923583)
[jessie] - wordpress <postponed> (requires privileged account, not
directly exploitable as CVE-2019-8942 is fixed, no official patch)
+ [bullseye] - wordpress <postponed> (requires privileged account, not
directly exploitable as CVE-2019-8942 is fixed, no official patch)
+ [bookworm] - wordpress <postponed> (requires privileged account, not
directly exploitable as CVE-2019-8942 is fixed, no official patch)
NOTE:
https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
NOTE: This CVE is explicitly for the mentioned Path Traversal in
wp_crop_image().
NOTE: Patching CVE-2019-8942 makes CVE-2019-8943 (RCE) not directly
exploitable
=====================================
data/DLA/list
=====================================
@@ -1,4 +1,5 @@
[02 Jul 2026] DLA-4663-1 node-lodash - security update
+ {CVE-2025-13465 CVE-2026-2950 CVE-2026-4800}
[bullseye] - node-lodash 4.17.21+dfsg+~cs8.31.173-1+deb11u1
[01 Jul 2026] DLA-4662-1 jq - security update
{CVE-2026-32316 CVE-2026-33947 CVE-2026-33948 CVE-2026-39956
CVE-2026-39979 CVE-2026-40164 CVE-2026-41256 CVE-2026-41257 CVE-2026-43894
CVE-2026-43895 CVE-2026-43896 CVE-2026-44777 CVE-2026-47770 CVE-2026-49839
CVE-2026-54679}
=====================================
data/dla-needed.txt
=====================================
@@ -246,10 +246,19 @@ gst-plugins-good1.0
NOTE: 20260520: Added by Front-Desk (Beuc)
NOTE: 20260520: 6 CVEs piled up since December (Beuc)
--
-hplip/bullseye (Thorsten Alteholz)
+hplip (Thorsten Alteholz)
NOTE: 20260523: Added by maintainer (ta)
NOTE: 20260605: HP does not publish any information; looking for patches is
not easy
--
+icinga2
+ NOTE: 20260702: Added by Front-Desk (dleidert)
+ NOTE: 20260702: Follow DSA and/or support security team with DSA
(dleidert/front-desk)
+ NOTE: 20260702: also care about outstanding CVEs (dleidert/front-desk)
+--
+imagemagick
+ NOTE: 20260703: Added by Front-Desk (dleidert)
+ NOTE: 20260703: Follow upcoming DSA (dleidert/front-desk)
+--
inkscape/bookworm
NOTE: 20260522: Added by Security Team (jmm)
NOTE: 20260611: bookworm LTS handover.
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bc4cf006e87024818d3337fcb8323f40ec41e811...d5b0f1030590194e9c8fbe9076ffac26c17efdf6
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bc4cf006e87024818d3337fcb8323f40ec41e811...d5b0f1030590194e9c8fbe9076ffac26c17efdf6
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits