Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
cb492a6d by Moritz Muehlenhoff at 2026-07-08T20:10:49+02:00
trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -30,6 +30,7 @@ CVE-2026-58388
NOTE: https://gitlab.gnome.org/GNOME/gimp/-/work_items/16231
CVE-2026-14454
- libimager-perl <unfixed>
+ [trixie] - libimager-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/41637674/
NOTE: Fixed by:
https://github.com/tonycoz/imager/commit/06f01a5d0fd591259aeba589370d6888384a6b6d
(v1.033)
CVE-2026-9842 (The Backstage - Customizer Demo Access plugin for WordPress is
vulnera ...)
@@ -220,6 +221,7 @@ CVE-2026-51937 (An issue in Oneblog V2.3.9 allows a remote
attacker to obtain se
NOT-FOR-US: Oneblog
CVE-2026-50811 (An out-of-bounds read vulnerability exists in FreeType 2.14.3
and vers ...)
- freetype <unfixed>
+ [trixie] - freetype <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1436
NOTE: Fixed by:
https://gitlab.freedesktop.org/freetype/freetype/-/commit/5a280ecde6f324de0d226261036e736e0cb49a71
CVE-2026-50810 (A NULL pointer dereference in smooth_parse_stream_index() in
src/media ...)
@@ -415,6 +417,7 @@ CVE-2026-39822
- golang-1.26 1.26.5-1
- golang-1.25 1.25.12-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
- golang-1.15 <removed>
NOTE: https://groups.google.com/g/golang-announce/c/OrmQE_Yp5Sc
@@ -426,6 +429,7 @@ CVE-2026-42505
- golang-1.26 1.26.5-1
- golang-1.25 1.25.12-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
- golang-1.15 <removed>
NOTE: https://groups.google.com/g/golang-announce/c/OrmQE_Yp5Sc
@@ -476,42 +480,52 @@ CVE-2026-55645
NOTE:
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-3m4m-h22g-c7xx
CVE-2026-57158
- freerdp3 3.28.0+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
NOTE:
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mp3f-59pg-c5pp
CVE-2026-57157
- freerdp3 3.28.0+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
NOTE:
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47fr-jw86-c3fj
CVE-2026-57156
- freerdp3 3.28.0+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
NOTE:
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-v5wf-j8j4-77h7
CVE-2026-55827
- freerdp3 3.27.1+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
NOTE:
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c495-h83v-3prp
CVE-2026-55564
- freerdp3 3.27.0+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
NOTE:
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6xmj-pr98-cx4c
CVE-2026-55648
- freerdp3 3.27.0+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
NOTE:
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5c5v-f78v-h2f6
CVE-2026-55194
- freerdp3 3.27.0+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
NOTE:
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9gxm-3mf5-f5cx
CVE-2026-55193
- freerdp3 3.27.0+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
NOTE:
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7rp4-66mc-j9vx
CVE-2026-55192
- freerdp3 3.27.0+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
NOTE:
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3mmf-qh4f-frm6
CVE-2026-55191
- freerdp3 3.27.0+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
NOTE:
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vx73-w5q6-7jqr
CVE-2011-10043 (Module::Load versions before 0.22 for Perl allow arbitrary
modules out ...)
@@ -542,6 +556,7 @@ CVE-2026-48588 (An issue was discovered in Django 6.0
before 6.0.7 and 5.2 befor
NOTE: Fixed by:
https://github.com/django/django/commit/721685aa7799cc9327bd202cd1f70bd012ca95a7
(5.2.16)
CVE-2026-XXXX [InspIRCd Security Advisory 2026-01]
- inspircd <unfixed> (bug #1141625)
+ [trixie] - inspircd <no-dsa> (Minor issue)
NOTE: https://docs.inspircd.org/security/2026-01/
NOTE:
https://github.com/inspircd/inspircd/commit/b7e5357b144c2e20c72431e22f0f2b13e5be82ce
(v4.11.0)
NOTE:
https://github.com/inspircd/inspircd/commit/6319ae4fb8c10dabc9464ad49faec532096fbcb5
(v4.11.0)
@@ -1107,10 +1122,12 @@ CVE-2026-XXXX [RUSTSEC-2026-0194]
NOTE:
https://github.com/tafia/quick-xml/commit/07f3db8343cf152f5bc3483ef5b3164582489bea
(v0.41.0)
CVE-2026-13708 (Imager::File::JPEG versions before 1.003 for Perl leak heap
memory whe ...)
- libimager-perl 1.032+dfsg-1 (bug #1141587)
+ [trixie] - libimager-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/41572486/
NOTE: Fixed by:
https://github.com/tonycoz/imager/commit/9f1c485ca3ee15dc261549e11afb356866552c3a
(v1.032)
CVE-2026-13705 (Imager versions before 1.032 for Perl have a heap
out-of-bounds read i ...)
- libimager-perl 1.032+dfsg-1 (bug #1141587)
+ [trixie] - libimager-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/41572386/
NOTE: Fixed by:
https://github.com/tonycoz/imager/commit/f28de02770dfc26ffbdc32048970ed84babbf730
(v1.032)
CVE-2026-XXXX [RUSTSEC-2026-0195]
@@ -1144,6 +1161,7 @@ CVE-2026-59511 (Insertion of Sensitive Information Into
Sent Data vulnerability
NOT-FOR-US: WordPress plugin or theme
CVE-2026-14803 (Mojo::JSON versions before 9.47 for Perl allow memory
exhaustion via u ...)
- libmojolicious-perl 9.47+dfsg-1 (bug #1141586)
+ [trixie] - libmojolicious-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/41564627/
NOTE: Fixed by:
https://github.com/mojolicious/mojo/commit/cc38b0554275c4d84f6b8b49bcbbc1bec2068fe1
(v9.47)
CVE-2026-14799 (A security flaw has been discovered in CodeAstro Ecommerce
Website 1.0 ...)
@@ -1536,6 +1554,7 @@ CVE-2026-49297 (Apache Airflow's Google provider
operators `GCSToSFTPOperator` a
NOT-FOR-US: Airflow provider
CVE-2026-54161
- nut <unfixed>
+ [trixie] - nut <no-dsa> (Minor issue)
NOTE:
https://github.com/networkupstools/nut/security/advisories/GHSA-mjgp-j4gm-6qg5
NOTE: Fixed by: https://github.com/networkupstools/nut/pull/3499
CVE-2026-58597 (Insufficient ui warning of dangerous operations in Microsoft
Edge (Chr ...)
@@ -2048,10 +2067,11 @@ CVE-2026-38970 (pdfcpu through v0.11.1 contains an
uncontrolled-recursion denial
NOT-FOR-US: pdfcpu
CVE-2026-38969 (ruby webrick through v1.9.2 WEBrick reparses trailer
Content-Length in ...)
- ruby-webrick 1.9.2-2 (bug #1141497)
+ [trixie] - ruby-webrick <no-dsa> (Minor issue)
NOTE: https://github.com/ruby/webrick/issues/198
NOTE: https://github.com/ruby/webrick/pull/199
CVE-2026-38968 (ntopng through 6.6 is vulnerable to Predictable Session
Identifier whi ...)
- - ntopng <unfixed>
+ - ntopng <removed>
NOTE:
https://github.com/ntop/ntopng/commit/179a346ceb6239fd36128ccca3efa8f9ea61eeb5
NOTE:
https://github.com/ntop/ntopng/commit/14e22497233dc7d31d19dccb74b13bb073d16c2c
CVE-2026-26145 (Improper access control in Azure Synapse allows an authorized
attacker ...)
@@ -3613,6 +3633,7 @@ CVE-2026-57585 (MessagePack is the serializer
implementation for Python msgpack.
NOTE: Fixed by:
https://github.com/msgpack/msgpack-python/commit/2c56ddb5d0025ed481d962c0f5d62d19dec7476d
(v1.2.1)
CVE-2026-57204 (pypdf is a free and open-source pure-python PDF library. Prior
to 6.13 ...)
- pypdf <unfixed> (bug #1141339)
+ [trixie] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
NOTE:
https://github.com/py-pdf/pypdf/security/advisories/GHSA-jm82-fx9c-mx94
NOTE: https://github.com/py-pdf/pypdf/pull/3871
@@ -12121,11 +12142,13 @@ CVE-2026-49468 (LiteLLM is a proxy server (AI
Gateway) to call LLM APIs in OpenA
NOT-FOR-US: LiteLLM
CVE-2026-49461 (pypdf is a free and open-source pure-python PDF library. Prior
to 6.12 ...)
- pypdf <unfixed> (bug #1140629)
+ [trixie] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
NOTE:
https://github.com/py-pdf/pypdf/security/advisories/GHSA-j543-4vmf-qm7v
NOTE: https://github.com/py-pdf/pypdf/pull/3805
CVE-2026-49460 (pypdf is a free and open-source pure-python PDF library. Prior
to 6.12 ...)
- pypdf <unfixed> (bug #1140629)
+ [trixie] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
NOTE:
https://github.com/py-pdf/pypdf/security/advisories/GHSA-5hgr-hg42-57jg
NOTE: https://github.com/py-pdf/pypdf/pull/3806
@@ -13931,17 +13954,21 @@ CVE-2024-24769 (vantage6 is an open-source
infrastructure for privacy preserving
NOT-FOR-US: vantage6
CVE-2026-9697 (Impact: undici's ProxyAgent silently drops the requestTls
option when ...)
- node-undici 8.5.0+dfsg+~cs3.2.0-1 (bug #1140363)
+ [trixie] - node-undici <no-dsa> (Minor issue)
NOTE:
https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g
CVE-2026-9690 (Unauthenticated Arbitrary File Download in WP Media folder
Addon <= 4. ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-9679 (Impact: undici's cookie parser in parseSetCookie
percent-decodes cooki ...)
- node-undici 8.5.0+dfsg+~cs3.2.0-1 (bug #1140363)
+ [trixie] - node-undici <no-dsa> (Minor issue)
NOTE:
https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv
CVE-2026-9678 (Impact: Undici's cache interceptor incorrectly classifies some
respons ...)
- node-undici 8.5.0+dfsg+~cs3.2.0-1 (bug #1140363)
+ [trixie] - node-undici <no-dsa> (Minor issue)
NOTE:
https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6
CVE-2026-9675 (Impact: The undici WebSocket client enforces maxPayloadSize
per-frame ...)
- node-undici <not-affected> (Vulnerable code not present)
+ [trixie] - node-undici <no-dsa> (Minor issue)
NOTE:
https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq
CVE-2026-9591 (Cross-site request forgery (CSRF) in NewsItemApiController in
SimplCom ...)
NOT-FOR-US: SimplCommerce
@@ -54674,10 +54701,12 @@ CVE-2025-11249
REJECTED
CVE-2026-5367 (A flaw was found in OVN (Open Virtual Network). A remote
attacker, by ...)
- ovn 26.03.0-4 (bug #1134486)
+ [trixie] - ovn <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2026/04/20/3
NOTE: Fixed by:
https://github.com/ovn-org/ovn/commit/78f6ce612403d6343f1e3782cbfff691d411dee4
(v26.03.1)
CVE-2026-5265 (When generating an ICMP Destination Unreachable or Packet Too
Big resp ...)
- ovn 26.03.0-4 (bug #1134486)
+ [trixie] - ovn <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2026/04/20/2
NOTE: Introduced with:
https://github.com/ovn-org/ovn/commit/c2339d87268d748da9a44aaefbb6d1ecc490b99d
(v20.03.0)
NOTE: Fixed by:
https://github.com/ovn-org/ovn/commit/9d674c684a56aef12c53b1e4596b6eded23a0402
(v26.03.1)
@@ -105530,41 +105559,65 @@ CVE-2025-15356 (A vulnerability has been found in
Tenda AC20 up to 16.03.08.12.
CVE-2025-15354 (A flaw has been found in itsourcecode Society Management
System 1.0. T ...)
NOT-FOR-US: itsourcecode System
CVE-2025-15280 (FontForge SFD File Parsing Use-After-Free Remote Code
Execution Vulner ...)
- - fontforge <unfixed> (bug #1124487)
+ - fontforge <unfixed> (bug #1124487; unimportant)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1188/
+ NOTE: Editing font files from untrusted sources is not supported:
+ NOTE:
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
CVE-2025-15279 (FontForge GUtils BMP File Parsing Heap-based Buffer Overflow
Remote Co ...)
- - fontforge <unfixed> (bug #1124487)
+ - fontforge <unfixed> (bug #1124487; unimportant)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1184/
+ NOTE: Editing font files from untrusted sources is not supported:
+ NOTE:
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
CVE-2025-15278 (FontForge GUtils XBM File Parsing Integer Overflow Remote Code
Executi ...)
- - fontforge <unfixed> (bug #1124487)
+ - fontforge <unfixed> (bug #1124487; unimportant)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1185/
+ NOTE: Editing font files from untrusted sources is not supported:
+ NOTE:
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
CVE-2025-15277 (FontForge GUtils SGI File Parsing Heap-based Buffer Overflow
Remote Co ...)
- - fontforge <unfixed> (bug #1124487)
+ - fontforge <unfixed> (bug #1124487; unimportant)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1186/
+ NOTE: Editing font files from untrusted sources is not supported:
+ NOTE:
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
CVE-2025-15276 (FontForge SFD File Parsing Deserialization of Untrusted Data
Remote Co ...)
- - fontforge <unfixed> (bug #1124487)
+ - fontforge <unfixed> (bug #1124487; unimportant)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1187/
+ NOTE: Editing font files from untrusted sources is not supported:
+ NOTE:
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
CVE-2025-15275 (FontForge SFD File Parsing Heap-based Buffer Overflow Remote
Code Exec ...)
- - fontforge <unfixed> (bug #1124487)
+ - fontforge <unfixed> (bug #1124487; unimportant)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1189/
+ NOTE: Editing font files from untrusted sources is not supported:
+ NOTE:
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
CVE-2025-15274 (FontForge SFD File Parsing Heap-based Buffer Overflow Remote
Code Exec ...)
- - fontforge <unfixed> (bug #1124487)
+ - fontforge <unfixed> (bug #1124487; unimportant)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1190/
+ NOTE: Editing font files from untrusted sources is not supported:
+ NOTE:
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
CVE-2025-15273 (FontForge PFB File Parsing Stack-based Buffer Overflow Remote
Code Exe ...)
- - fontforge <unfixed> (bug #1124487)
+ - fontforge <unfixed> (bug #1124487; unimportant)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1191/
+ NOTE: Editing font files from untrusted sources is not supported:
+ NOTE:
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
CVE-2025-15272 (FontForge SFD File Parsing Heap-based Buffer Overflow Remote
Code Exec ...)
- - fontforge <unfixed> (bug #1124487)
+ - fontforge <unfixed> (bug #1124487; unimportant)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1192/
+ NOTE: Editing font files from untrusted sources is not supported:
+ NOTE:
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
CVE-2025-15271 (FontForge SFD File Parsing Improper Validation of Array Index
Remote C ...)
- - fontforge <unfixed> (bug #1124487)
+ - fontforge <unfixed> (bug #1124487; unimportant)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1193/
+ NOTE: Editing font files from untrusted sources is not supported:
+ NOTE:
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
CVE-2025-15270 (FontForge SFD File Parsing Improper Validation of Array Index
Remote C ...)
- - fontforge <unfixed> (bug #1124487)
+ - fontforge <unfixed> (bug #1124487; unimportant)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1194/
+ NOTE: Editing font files from untrusted sources is not supported:
+ NOTE:
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
CVE-2025-15269 (FontForge SFD File Parsing Use-After-Free Remote Code
Execution Vulner ...)
- - fontforge <unfixed> (bug #1124487)
+ - fontforge <unfixed> (bug #1124487; unimportant)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1195/
+ NOTE: Editing font files from untrusted sources is not supported:
+ NOTE:
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
CVE-2025-15223 (A vulnerability was found in Philipinho Simple-PHP-Blog up to
94b5d3e5 ...)
NOT-FOR-US: Philipinho Simple-PHP-Blog
CVE-2025-15114 (Ksenia Security lares (legacy model) Home Automation version
1.6 conta ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ botan3 (aron)
cacti
probably best to move to 1.2.31
--
+cockpit
+--
containerd
--
cups
@@ -80,6 +82,8 @@ pdfminer (carnil)
perl (carnil)
Comment from maintainer: I'd prefer to wait until upstream gets the point
releases out
--
+podman
+--
prometheus
--
python-msgpack
@@ -96,6 +100,8 @@ roundcube
--
ruby3.3
--
+ruby-oj
+--
ruby-rack
--
ruby-rack-session
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb492a6dc1d28af23404e41d6690860ae6a7943d
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb492a6dc1d28af23404e41d6690860ae6a7943d
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits