Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a0f6b1a6 by Moritz Muehlenhoff at 2026-07-07T09:40:08+02:00
trixie triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -330,10 +330,12 @@ CVE-2026-55798 (Pillow is a Python imaging library. Prior 
to 12.3.0, WindowsView
        NOTE: 
https://github.com/python-pillow/Pillow/security/advisories/GHSA-4x4j-2g7c-83w6
 CVE-2026-55380 (Pillow is a Python imaging library. Prior to 12.3.0, 
PIL/GdImageFile.p ...)
        - pillow <unfixed>
+       [trixie] - pillow <no-dsa> (Minor issue)
        NOTE: 
https://github.com/python-pillow/Pillow/security/advisories/GHSA-phj9-mv4w-65pm
        NOTE: Fixed by: 
https://github.com/python-pillow/Pillow/commit/f39b0ae6624eb2d7c5c5d651d9bb5fdbd96a8675
 (12.3.0)
 CVE-2026-55379 (Pillow is a Python imaging library. Prior to 12.3.0, 
PIL/BdfFontFile.p ...)
        - pillow <unfixed>
+       [trixie] - pillow <no-dsa> (Minor issue)
        NOTE: 
https://github.com/python-pillow/Pillow/security/advisories/GHSA-45hq-cxwh-f6vc
        NOTE: Fixed by: 
https://github.com/python-pillow/Pillow/commit/0a263e6264aa5399988d9acd3bbfbca2ca3ec77d
 (12.3.0)
 CVE-2026-54893 (URL path injection in the Microsoft Graph adapter of Swoosh. 
Swoosh.Ad ...)
@@ -344,10 +346,12 @@ CVE-2026-54291 (pgjdbc is an open source postgresql JDBC 
Driver. In releases 42.
        NOTE: Fixed by: 
https://github.com/pgjdbc/pgjdbc/commit/77df98e4e66c12936ded3478a0954f6f580bad99
 (REL42.7.12)
 CVE-2026-54060 (Pillow is a Python imaging library. Prior to 12.3.0, 
PIL/FontFile.py F ...)
        - pillow <unfixed>
+       [trixie] - pillow <no-dsa> (Minor issue)
        NOTE: 
https://github.com/python-pillow/Pillow/security/advisories/GHSA-5x94-69rx-g8h2
        NOTE: Fixed by: 
https://github.com/python-pillow/Pillow/commit/0a263e6264aa5399988d9acd3bbfbca2ca3ec77d
 (12.3.0)
 CVE-2026-54059 (Pillow is a Python imaging library. Prior to 12.3.0, 
PIL/PcfFontFile.p ...)
        - pillow <unfixed>
+       [trixie] - pillow <no-dsa> (Minor issue)
        NOTE: 
https://github.com/python-pillow/Pillow/security/advisories/GHSA-8v84-f9pq-wr9x
        NOTE: Fixed by: 
https://github.com/python-pillow/Pillow/commit/0a263e6264aa5399988d9acd3bbfbca2ca3ec77d
 (12.3.0)
 CVE-2026-53913 (Improper Authentication, Missing Authentication for Critical 
Function, ...)
@@ -1129,6 +1133,7 @@ CVE-2026-12481 (A vulnerability in keras-team/keras 
version 3.14.0 allows for ar
        [bullseye] - keras <end-of-life> (EOL in bullseye LTS)
 CVE-2026-12252 (In nltk/nltk versions 3.9.3 and earlier, five Stanford 
interface class ...)
        - nltk <unfixed>
+       [trixie] - nltk <no-dsa> (Minor issue)
        NOTE: https://huntr.com/bounties/f5c93982-0cc9-4e2e-bb85-1b6ab29a2efb
 CVE-2025-71380 (The Execute Command node in n8n allows authenticated users to 
execute  ...)
        NOT-FOR-US: n8n
@@ -1311,6 +1316,7 @@ CVE-2026-14612 (Two off-by-one errors in the FreeIPA 
ipa-otpd daemon's OAuth2 de
        NOTE: FreeIPA in Debian only builds the client packages, not the server
 CVE-2026-14604 (A vulnerability was determined in Open Asset Import Library 
Assimp up  ...)
        - assimp <unfixed> (bug #1141494)
+       [trixie] - assimp <postponed> (Minor issue, revisit when fixed upstream)
        NOTE: https://github.com/assimp/assimp/issues/6620
 CVE-2026-14544 (A flaw was found in HPLIP (HP Linux Imaging and Printing 
Software). Th ...)
        - hplip <unfixed>
@@ -5436,6 +5442,7 @@ CVE-2026-12349 (The Premium Addons for KingComposer 
plugin for WordPress is vuln
        NOT-FOR-US: WordPress plugin
 CVE-2026-12243 (NLTK version 3.9.4 is vulnerable to a path traversal attack 
due to an  ...)
        - nltk <unfixed>
+       [trixie] - nltk <no-dsa> (Minor issue)
        NOTE: https://huntr.com/bounties/39aa9354-54ca-4e77-96da-580eb1fe6ed1
 CVE-2026-12240 (The Export User Data plugin for WordPress is vulnerable to 
arbitrary f ...)
        NOT-FOR-US: WordPress plugin
@@ -6010,6 +6017,7 @@ CVE-2026-58056 (RustDesk gates incoming control messages 
on per-capability flags
        NOT-FOR-US: RustDesk
 CVE-2026-58055 (nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 
Upgrade re ...)
        - nghttp2 <unfixed> (bug #1140917)
+       [trixie] - nghttp2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/bikini/exploitarium/tree/main/nghttp2-nghttpx-upgrade-queue-poison-poc
        NOTE: 
https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e
 CVE-2026-58054 (MyBB 1.8.40 does not restrict which usergroup a limited Admin 
Control  ...)
@@ -45340,6 +45348,7 @@ CVE-2026-4362 (The ElementsKit Elementor Addons plugin 
for WordPress is vulnerab
        NOT-FOR-US: WordPress plugin
 CVE-2026-44029 (An issue was discovered in Nix before 2.34.7. Writing to 
arbitrary fil ...)
        - nix <unfixed> (bug #1135777)
+       [trixie] - nix <no-dsa> (Minor issue)
        [bookworm] - nix <not-affected> (Vulnerable code introduced later)
        [bullseye] - nix <not-affected> (Vulnerable code introduced later)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/04/33
@@ -45347,6 +45356,7 @@ CVE-2026-44029 (An issue was discovered in Nix before 
2.34.7. Writing to arbitra
        NOTE: 
https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407
 CVE-2026-44028 (An issue was discovered in Nix before 2.34.7 and Lix before 
2.95.2. Un ...)
        - nix <unfixed> (bug #1135777)
+       [trixie] - nix <no-dsa> (Minor issue)
        [bookworm] - nix <not-affected> (Vulnerable code introduced later)
        [bullseye] - nix <not-affected> (Vulnerable code introduced later)
        NOTE: 
https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407
@@ -60211,6 +60221,7 @@ CVE-2025-14732 (The Elementor Website Builder \u2013 
More Than Just a Page Build
        NOT-FOR-US: WordPress plugin
 CVE-2026-39860 (Nix is a package manager for Linux and other Unix systems. A 
bug in th ...)
        - nix 2.34.6+dfsg-1 (bug #1133004)
+       [trixie] - nix <no-dsa> (Minor issue)
        [bullseye] - nix <postponed> (regresssion of postponed CVE-2024-27297; 
revisit when fixing CVE-2024-27297)
        NOTE: 
https://github.com/NixOS/nix/security/advisories/GHSA-g3g9-5vj6-r3gj
        NOTE: Introduced with: 
https://github.com/NixOS/nix/commit/a3163b9eabb952b4aa96e376dea95ebcca97b31a 
(2.21.0)
@@ -87682,6 +87693,7 @@ CVE-2020-37183 (Allok RM RMVB to AVI MPEG DVD Converter 
3.6.1217 contains a stac
        NOT-FOR-US: Allok RM RMVB to AVI MPEG DVD Converter
 CVE-2020-37182 (Redir 3.3 contains a stack overflow vulnerability in the 
doproxyconnec ...)
        - redir <unfixed>
+       [trixie] - redir <no-dsa> (Minor issue)
        NOTE: https://www.exploit-db.com/exploits/47919
        NOTE: Fixed by: 
https://github.com/troglobit/redir/commit/372c792e9d320012490d8eca170f0462a92013fa
 (master)
 CVE-2020-37181 (Torrent FLV Converter 1.51 Build 117 contains a stack overflow 
vulnera ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0f6b1a6129bfc541d6acdae4ddb751b1ac56c0a

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0f6b1a6129bfc541d6acdae4ddb751b1ac56c0a
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to