Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
a0f6b1a6 by Moritz Muehlenhoff at 2026-07-07T09:40:08+02:00
trixie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -330,10 +330,12 @@ CVE-2026-55798 (Pillow is a Python imaging library. Prior
to 12.3.0, WindowsView
NOTE:
https://github.com/python-pillow/Pillow/security/advisories/GHSA-4x4j-2g7c-83w6
CVE-2026-55380 (Pillow is a Python imaging library. Prior to 12.3.0,
PIL/GdImageFile.p ...)
- pillow <unfixed>
+ [trixie] - pillow <no-dsa> (Minor issue)
NOTE:
https://github.com/python-pillow/Pillow/security/advisories/GHSA-phj9-mv4w-65pm
NOTE: Fixed by:
https://github.com/python-pillow/Pillow/commit/f39b0ae6624eb2d7c5c5d651d9bb5fdbd96a8675
(12.3.0)
CVE-2026-55379 (Pillow is a Python imaging library. Prior to 12.3.0,
PIL/BdfFontFile.p ...)
- pillow <unfixed>
+ [trixie] - pillow <no-dsa> (Minor issue)
NOTE:
https://github.com/python-pillow/Pillow/security/advisories/GHSA-45hq-cxwh-f6vc
NOTE: Fixed by:
https://github.com/python-pillow/Pillow/commit/0a263e6264aa5399988d9acd3bbfbca2ca3ec77d
(12.3.0)
CVE-2026-54893 (URL path injection in the Microsoft Graph adapter of Swoosh.
Swoosh.Ad ...)
@@ -344,10 +346,12 @@ CVE-2026-54291 (pgjdbc is an open source postgresql JDBC
Driver. In releases 42.
NOTE: Fixed by:
https://github.com/pgjdbc/pgjdbc/commit/77df98e4e66c12936ded3478a0954f6f580bad99
(REL42.7.12)
CVE-2026-54060 (Pillow is a Python imaging library. Prior to 12.3.0,
PIL/FontFile.py F ...)
- pillow <unfixed>
+ [trixie] - pillow <no-dsa> (Minor issue)
NOTE:
https://github.com/python-pillow/Pillow/security/advisories/GHSA-5x94-69rx-g8h2
NOTE: Fixed by:
https://github.com/python-pillow/Pillow/commit/0a263e6264aa5399988d9acd3bbfbca2ca3ec77d
(12.3.0)
CVE-2026-54059 (Pillow is a Python imaging library. Prior to 12.3.0,
PIL/PcfFontFile.p ...)
- pillow <unfixed>
+ [trixie] - pillow <no-dsa> (Minor issue)
NOTE:
https://github.com/python-pillow/Pillow/security/advisories/GHSA-8v84-f9pq-wr9x
NOTE: Fixed by:
https://github.com/python-pillow/Pillow/commit/0a263e6264aa5399988d9acd3bbfbca2ca3ec77d
(12.3.0)
CVE-2026-53913 (Improper Authentication, Missing Authentication for Critical
Function, ...)
@@ -1129,6 +1133,7 @@ CVE-2026-12481 (A vulnerability in keras-team/keras
version 3.14.0 allows for ar
[bullseye] - keras <end-of-life> (EOL in bullseye LTS)
CVE-2026-12252 (In nltk/nltk versions 3.9.3 and earlier, five Stanford
interface class ...)
- nltk <unfixed>
+ [trixie] - nltk <no-dsa> (Minor issue)
NOTE: https://huntr.com/bounties/f5c93982-0cc9-4e2e-bb85-1b6ab29a2efb
CVE-2025-71380 (The Execute Command node in n8n allows authenticated users to
execute ...)
NOT-FOR-US: n8n
@@ -1311,6 +1316,7 @@ CVE-2026-14612 (Two off-by-one errors in the FreeIPA
ipa-otpd daemon's OAuth2 de
NOTE: FreeIPA in Debian only builds the client packages, not the server
CVE-2026-14604 (A vulnerability was determined in Open Asset Import Library
Assimp up ...)
- assimp <unfixed> (bug #1141494)
+ [trixie] - assimp <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/assimp/assimp/issues/6620
CVE-2026-14544 (A flaw was found in HPLIP (HP Linux Imaging and Printing
Software). Th ...)
- hplip <unfixed>
@@ -5436,6 +5442,7 @@ CVE-2026-12349 (The Premium Addons for KingComposer
plugin for WordPress is vuln
NOT-FOR-US: WordPress plugin
CVE-2026-12243 (NLTK version 3.9.4 is vulnerable to a path traversal attack
due to an ...)
- nltk <unfixed>
+ [trixie] - nltk <no-dsa> (Minor issue)
NOTE: https://huntr.com/bounties/39aa9354-54ca-4e77-96da-580eb1fe6ed1
CVE-2026-12240 (The Export User Data plugin for WordPress is vulnerable to
arbitrary f ...)
NOT-FOR-US: WordPress plugin
@@ -6010,6 +6017,7 @@ CVE-2026-58056 (RustDesk gates incoming control messages
on per-capability flags
NOT-FOR-US: RustDesk
CVE-2026-58055 (nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1
Upgrade re ...)
- nghttp2 <unfixed> (bug #1140917)
+ [trixie] - nghttp2 <no-dsa> (Minor issue)
NOTE:
https://github.com/bikini/exploitarium/tree/main/nghttp2-nghttpx-upgrade-queue-poison-poc
NOTE:
https://github.com/nghttp2/nghttp2/commit/ab28105c4a0197da24f8bfc414bc116055249e1e
CVE-2026-58054 (MyBB 1.8.40 does not restrict which usergroup a limited Admin
Control ...)
@@ -45340,6 +45348,7 @@ CVE-2026-4362 (The ElementsKit Elementor Addons plugin
for WordPress is vulnerab
NOT-FOR-US: WordPress plugin
CVE-2026-44029 (An issue was discovered in Nix before 2.34.7. Writing to
arbitrary fil ...)
- nix <unfixed> (bug #1135777)
+ [trixie] - nix <no-dsa> (Minor issue)
[bookworm] - nix <not-affected> (Vulnerable code introduced later)
[bullseye] - nix <not-affected> (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/04/33
@@ -45347,6 +45356,7 @@ CVE-2026-44029 (An issue was discovered in Nix before
2.34.7. Writing to arbitra
NOTE:
https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407
CVE-2026-44028 (An issue was discovered in Nix before 2.34.7 and Lix before
2.95.2. Un ...)
- nix <unfixed> (bug #1135777)
+ [trixie] - nix <no-dsa> (Minor issue)
[bookworm] - nix <not-affected> (Vulnerable code introduced later)
[bullseye] - nix <not-affected> (Vulnerable code introduced later)
NOTE:
https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407
@@ -60211,6 +60221,7 @@ CVE-2025-14732 (The Elementor Website Builder \u2013
More Than Just a Page Build
NOT-FOR-US: WordPress plugin
CVE-2026-39860 (Nix is a package manager for Linux and other Unix systems. A
bug in th ...)
- nix 2.34.6+dfsg-1 (bug #1133004)
+ [trixie] - nix <no-dsa> (Minor issue)
[bullseye] - nix <postponed> (regresssion of postponed CVE-2024-27297;
revisit when fixing CVE-2024-27297)
NOTE:
https://github.com/NixOS/nix/security/advisories/GHSA-g3g9-5vj6-r3gj
NOTE: Introduced with:
https://github.com/NixOS/nix/commit/a3163b9eabb952b4aa96e376dea95ebcca97b31a
(2.21.0)
@@ -87682,6 +87693,7 @@ CVE-2020-37183 (Allok RM RMVB to AVI MPEG DVD Converter
3.6.1217 contains a stac
NOT-FOR-US: Allok RM RMVB to AVI MPEG DVD Converter
CVE-2020-37182 (Redir 3.3 contains a stack overflow vulnerability in the
doproxyconnec ...)
- redir <unfixed>
+ [trixie] - redir <no-dsa> (Minor issue)
NOTE: https://www.exploit-db.com/exploits/47919
NOTE: Fixed by:
https://github.com/troglobit/redir/commit/372c792e9d320012490d8eca170f0462a92013fa
(master)
CVE-2020-37181 (Torrent FLV Converter 1.51 Build 117 contains a stack overflow
vulnera ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0f6b1a6129bfc541d6acdae4ddb751b1ac56c0a
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0f6b1a6129bfc541d6acdae4ddb751b1ac56c0a
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits