Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cb492a6d by Moritz Muehlenhoff at 2026-07-08T20:10:49+02:00
trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -30,6 +30,7 @@ CVE-2026-58388
        NOTE: https://gitlab.gnome.org/GNOME/gimp/-/work_items/16231
 CVE-2026-14454
        - libimager-perl <unfixed>
+       [trixie] - libimager-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/41637674/
        NOTE: Fixed by: 
https://github.com/tonycoz/imager/commit/06f01a5d0fd591259aeba589370d6888384a6b6d
 (v1.033)
 CVE-2026-9842 (The Backstage - Customizer Demo Access plugin for WordPress is 
vulnera ...)
@@ -220,6 +221,7 @@ CVE-2026-51937 (An issue in Oneblog V2.3.9 allows a remote 
attacker to obtain se
        NOT-FOR-US: Oneblog
 CVE-2026-50811 (An out-of-bounds read vulnerability exists in FreeType 2.14.3 
and vers ...)
        - freetype <unfixed>
+       [trixie] - freetype <no-dsa> (Minor issue)
        NOTE: https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1436
        NOTE: Fixed by: 
https://gitlab.freedesktop.org/freetype/freetype/-/commit/5a280ecde6f324de0d226261036e736e0cb49a71
 CVE-2026-50810 (A NULL pointer dereference in smooth_parse_stream_index() in 
src/media ...)
@@ -415,6 +417,7 @@ CVE-2026-39822
        - golang-1.26 1.26.5-1
        - golang-1.25 1.25.12-1
        - golang-1.24 <removed>
+       [trixie] - golang-1.24 <no-dsa> (Minor issue)
        - golang-1.19 <removed>
        - golang-1.15 <removed>
        NOTE: https://groups.google.com/g/golang-announce/c/OrmQE_Yp5Sc
@@ -426,6 +429,7 @@ CVE-2026-42505
        - golang-1.26 1.26.5-1
        - golang-1.25 1.25.12-1
        - golang-1.24 <removed>
+       [trixie] - golang-1.24 <no-dsa> (Minor issue)
        - golang-1.19 <removed>
        - golang-1.15 <removed>
        NOTE: https://groups.google.com/g/golang-announce/c/OrmQE_Yp5Sc
@@ -476,42 +480,52 @@ CVE-2026-55645
        NOTE: 
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-3m4m-h22g-c7xx
 CVE-2026-57158
        - freerdp3 3.28.0+dfsg-1
+       [trixie] - freerdp3 <no-dsa> (Minor issue)
        - freerdp2 <removed>
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mp3f-59pg-c5pp
 CVE-2026-57157
        - freerdp3 3.28.0+dfsg-1
+       [trixie] - freerdp3 <no-dsa> (Minor issue)
        - freerdp2 <removed>
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47fr-jw86-c3fj
 CVE-2026-57156
        - freerdp3 3.28.0+dfsg-1
+       [trixie] - freerdp3 <no-dsa> (Minor issue)
        - freerdp2 <removed>
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-v5wf-j8j4-77h7
 CVE-2026-55827
        - freerdp3 3.27.1+dfsg-1
+       [trixie] - freerdp3 <no-dsa> (Minor issue)
        - freerdp2 <removed>
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c495-h83v-3prp
 CVE-2026-55564
        - freerdp3 3.27.0+dfsg-1
+       [trixie] - freerdp3 <no-dsa> (Minor issue)
        - freerdp2 <removed>
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6xmj-pr98-cx4c
 CVE-2026-55648
        - freerdp3 3.27.0+dfsg-1
+       [trixie] - freerdp3 <no-dsa> (Minor issue)
        - freerdp2 <removed>
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5c5v-f78v-h2f6
 CVE-2026-55194
        - freerdp3 3.27.0+dfsg-1
+       [trixie] - freerdp3 <no-dsa> (Minor issue)
        - freerdp2 <removed>
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9gxm-3mf5-f5cx
 CVE-2026-55193
        - freerdp3 3.27.0+dfsg-1
+       [trixie] - freerdp3 <no-dsa> (Minor issue)
        - freerdp2 <removed>
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7rp4-66mc-j9vx
 CVE-2026-55192
        - freerdp3 3.27.0+dfsg-1
+       [trixie] - freerdp3 <no-dsa> (Minor issue)
        - freerdp2 <removed>
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3mmf-qh4f-frm6
 CVE-2026-55191
        - freerdp3 3.27.0+dfsg-1
+       [trixie] - freerdp3 <no-dsa> (Minor issue)
        - freerdp2 <removed>
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vx73-w5q6-7jqr
 CVE-2011-10043 (Module::Load versions before 0.22 for Perl allow arbitrary 
modules out ...)
@@ -542,6 +556,7 @@ CVE-2026-48588 (An issue was discovered in Django 6.0 
before 6.0.7 and 5.2 befor
        NOTE: Fixed by: 
https://github.com/django/django/commit/721685aa7799cc9327bd202cd1f70bd012ca95a7
 (5.2.16)
 CVE-2026-XXXX [InspIRCd Security Advisory 2026-01]
        - inspircd <unfixed> (bug #1141625)
+       [trixie] - inspircd <no-dsa> (Minor issue)
        NOTE: https://docs.inspircd.org/security/2026-01/
        NOTE: 
https://github.com/inspircd/inspircd/commit/b7e5357b144c2e20c72431e22f0f2b13e5be82ce
 (v4.11.0)
        NOTE: 
https://github.com/inspircd/inspircd/commit/6319ae4fb8c10dabc9464ad49faec532096fbcb5
 (v4.11.0)
@@ -1107,10 +1122,12 @@ CVE-2026-XXXX [RUSTSEC-2026-0194]
        NOTE: 
https://github.com/tafia/quick-xml/commit/07f3db8343cf152f5bc3483ef5b3164582489bea
 (v0.41.0)
 CVE-2026-13708 (Imager::File::JPEG versions before 1.003 for Perl leak heap 
memory whe ...)
        - libimager-perl 1.032+dfsg-1 (bug #1141587)
+       [trixie] - libimager-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/41572486/
        NOTE: Fixed by: 
https://github.com/tonycoz/imager/commit/9f1c485ca3ee15dc261549e11afb356866552c3a
 (v1.032)
 CVE-2026-13705 (Imager versions before 1.032 for Perl have a heap 
out-of-bounds read i ...)
        - libimager-perl 1.032+dfsg-1 (bug #1141587)
+       [trixie] - libimager-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/41572386/
        NOTE: Fixed by: 
https://github.com/tonycoz/imager/commit/f28de02770dfc26ffbdc32048970ed84babbf730
 (v1.032)
 CVE-2026-XXXX [RUSTSEC-2026-0195]
@@ -1144,6 +1161,7 @@ CVE-2026-59511 (Insertion of Sensitive Information Into 
Sent Data vulnerability
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-14803 (Mojo::JSON versions before 9.47 for Perl allow memory 
exhaustion via u ...)
        - libmojolicious-perl 9.47+dfsg-1 (bug #1141586)
+       [trixie] - libmojolicious-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/41564627/
        NOTE: Fixed by: 
https://github.com/mojolicious/mojo/commit/cc38b0554275c4d84f6b8b49bcbbc1bec2068fe1
 (v9.47)
 CVE-2026-14799 (A security flaw has been discovered in CodeAstro Ecommerce 
Website 1.0 ...)
@@ -1536,6 +1554,7 @@ CVE-2026-49297 (Apache Airflow's Google provider 
operators `GCSToSFTPOperator` a
        NOT-FOR-US: Airflow provider
 CVE-2026-54161
        - nut <unfixed>
+       [trixie] - nut <no-dsa> (Minor issue)
        NOTE: 
https://github.com/networkupstools/nut/security/advisories/GHSA-mjgp-j4gm-6qg5
        NOTE: Fixed by: https://github.com/networkupstools/nut/pull/3499
 CVE-2026-58597 (Insufficient ui warning of dangerous operations in Microsoft 
Edge (Chr ...)
@@ -2048,10 +2067,11 @@ CVE-2026-38970 (pdfcpu through v0.11.1 contains an 
uncontrolled-recursion denial
        NOT-FOR-US: pdfcpu
 CVE-2026-38969 (ruby webrick through v1.9.2 WEBrick reparses trailer 
Content-Length in ...)
        - ruby-webrick 1.9.2-2 (bug #1141497)
+       [trixie] - ruby-webrick <no-dsa> (Minor issue)
        NOTE: https://github.com/ruby/webrick/issues/198
        NOTE: https://github.com/ruby/webrick/pull/199
 CVE-2026-38968 (ntopng through 6.6 is vulnerable to Predictable Session 
Identifier whi ...)
-       - ntopng <unfixed>
+       - ntopng <removed>
        NOTE: 
https://github.com/ntop/ntopng/commit/179a346ceb6239fd36128ccca3efa8f9ea61eeb5
        NOTE: 
https://github.com/ntop/ntopng/commit/14e22497233dc7d31d19dccb74b13bb073d16c2c
 CVE-2026-26145 (Improper access control in Azure Synapse allows an authorized 
attacker ...)
@@ -3613,6 +3633,7 @@ CVE-2026-57585 (MessagePack is the serializer 
implementation for Python msgpack.
        NOTE: Fixed by: 
https://github.com/msgpack/msgpack-python/commit/2c56ddb5d0025ed481d962c0f5d62d19dec7476d
 (v1.2.1)
 CVE-2026-57204 (pypdf is a free and open-source pure-python PDF library. Prior 
to 6.13 ...)
        - pypdf <unfixed> (bug #1141339)
+       [trixie] - pypdf <no-dsa> (Minor issue)
        - pypdf2 <removed>
        NOTE: 
https://github.com/py-pdf/pypdf/security/advisories/GHSA-jm82-fx9c-mx94
        NOTE: https://github.com/py-pdf/pypdf/pull/3871
@@ -12121,11 +12142,13 @@ CVE-2026-49468 (LiteLLM is a proxy server (AI 
Gateway) to call LLM APIs in OpenA
        NOT-FOR-US: LiteLLM
 CVE-2026-49461 (pypdf is a free and open-source pure-python PDF library. Prior 
to 6.12 ...)
        - pypdf <unfixed> (bug #1140629)
+       [trixie] - pypdf <no-dsa> (Minor issue)
        - pypdf2 <removed>
        NOTE: 
https://github.com/py-pdf/pypdf/security/advisories/GHSA-j543-4vmf-qm7v
        NOTE: https://github.com/py-pdf/pypdf/pull/3805
 CVE-2026-49460 (pypdf is a free and open-source pure-python PDF library. Prior 
to 6.12 ...)
        - pypdf <unfixed> (bug #1140629)
+       [trixie] - pypdf <no-dsa> (Minor issue)
        - pypdf2 <removed>
        NOTE: 
https://github.com/py-pdf/pypdf/security/advisories/GHSA-5hgr-hg42-57jg
        NOTE: https://github.com/py-pdf/pypdf/pull/3806
@@ -13931,17 +13954,21 @@ CVE-2024-24769 (vantage6 is an open-source 
infrastructure for privacy preserving
        NOT-FOR-US: vantage6
 CVE-2026-9697 (Impact: undici's ProxyAgent silently drops the requestTls 
option when  ...)
        - node-undici 8.5.0+dfsg+~cs3.2.0-1 (bug #1140363)
+       [trixie] - node-undici <no-dsa> (Minor issue)
        NOTE: 
https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g
 CVE-2026-9690 (Unauthenticated Arbitrary File Download in WP Media folder 
Addon <= 4. ...)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-9679 (Impact: undici's cookie parser in parseSetCookie 
percent-decodes cooki ...)
        - node-undici 8.5.0+dfsg+~cs3.2.0-1 (bug #1140363)
+       [trixie] - node-undici <no-dsa> (Minor issue)
        NOTE: 
https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv
 CVE-2026-9678 (Impact: Undici's cache interceptor incorrectly classifies some 
respons ...)
        - node-undici 8.5.0+dfsg+~cs3.2.0-1 (bug #1140363)
+       [trixie] - node-undici <no-dsa> (Minor issue)
        NOTE: 
https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6
 CVE-2026-9675 (Impact: The undici WebSocket client enforces maxPayloadSize 
per-frame  ...)
        - node-undici <not-affected> (Vulnerable code not present)
+       [trixie] - node-undici <no-dsa> (Minor issue)
        NOTE: 
https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq
 CVE-2026-9591 (Cross-site request forgery (CSRF) in NewsItemApiController in 
SimplCom ...)
        NOT-FOR-US: SimplCommerce
@@ -54674,10 +54701,12 @@ CVE-2025-11249
        REJECTED
 CVE-2026-5367 (A flaw was found in OVN (Open Virtual Network). A remote 
attacker, by  ...)
        - ovn 26.03.0-4 (bug #1134486)
+       [trixie] - ovn <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2026/04/20/3
        NOTE: Fixed by: 
https://github.com/ovn-org/ovn/commit/78f6ce612403d6343f1e3782cbfff691d411dee4 
(v26.03.1)
 CVE-2026-5265 (When generating an ICMP Destination Unreachable or Packet Too 
Big resp ...)
        - ovn 26.03.0-4 (bug #1134486)
+       [trixie] - ovn <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2026/04/20/2
        NOTE: Introduced with: 
https://github.com/ovn-org/ovn/commit/c2339d87268d748da9a44aaefbb6d1ecc490b99d 
(v20.03.0)
        NOTE: Fixed by: 
https://github.com/ovn-org/ovn/commit/9d674c684a56aef12c53b1e4596b6eded23a0402 
(v26.03.1)
@@ -105530,41 +105559,65 @@ CVE-2025-15356 (A vulnerability has been found in 
Tenda AC20 up to 16.03.08.12.
 CVE-2025-15354 (A flaw has been found in itsourcecode Society Management 
System 1.0. T ...)
        NOT-FOR-US: itsourcecode System
 CVE-2025-15280 (FontForge SFD File Parsing Use-After-Free Remote Code 
Execution Vulner ...)
-       - fontforge <unfixed> (bug #1124487)
+       - fontforge <unfixed> (bug #1124487; unimportant)
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1188/
+       NOTE: Editing font files from untrusted sources is not supported:
+       NOTE: 
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
 CVE-2025-15279 (FontForge GUtils BMP File Parsing Heap-based Buffer Overflow 
Remote Co ...)
-       - fontforge <unfixed> (bug #1124487)
+       - fontforge <unfixed> (bug #1124487; unimportant)
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1184/
+       NOTE: Editing font files from untrusted sources is not supported:
+       NOTE: 
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
 CVE-2025-15278 (FontForge GUtils XBM File Parsing Integer Overflow Remote Code 
Executi ...)
-       - fontforge <unfixed> (bug #1124487)
+       - fontforge <unfixed> (bug #1124487; unimportant)
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1185/
+       NOTE: Editing font files from untrusted sources is not supported:
+       NOTE: 
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
 CVE-2025-15277 (FontForge GUtils SGI File Parsing Heap-based Buffer Overflow 
Remote Co ...)
-       - fontforge <unfixed> (bug #1124487)
+       - fontforge <unfixed> (bug #1124487; unimportant)
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1186/
+       NOTE: Editing font files from untrusted sources is not supported:
+       NOTE: 
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
 CVE-2025-15276 (FontForge SFD File Parsing Deserialization of Untrusted Data 
Remote Co ...)
-       - fontforge <unfixed> (bug #1124487)
+       - fontforge <unfixed> (bug #1124487; unimportant)
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1187/
+       NOTE: Editing font files from untrusted sources is not supported:
+       NOTE: 
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
 CVE-2025-15275 (FontForge SFD File Parsing Heap-based Buffer Overflow Remote 
Code Exec ...)
-       - fontforge <unfixed> (bug #1124487)
+       - fontforge <unfixed> (bug #1124487; unimportant)
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1189/
+       NOTE: Editing font files from untrusted sources is not supported:
+       NOTE: 
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
 CVE-2025-15274 (FontForge SFD File Parsing Heap-based Buffer Overflow Remote 
Code Exec ...)
-       - fontforge <unfixed> (bug #1124487)
+       - fontforge <unfixed> (bug #1124487; unimportant)
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1190/
+       NOTE: Editing font files from untrusted sources is not supported:
+       NOTE: 
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
 CVE-2025-15273 (FontForge PFB File Parsing Stack-based Buffer Overflow Remote 
Code Exe ...)
-       - fontforge <unfixed> (bug #1124487)
+       - fontforge <unfixed> (bug #1124487; unimportant)
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1191/
+       NOTE: Editing font files from untrusted sources is not supported:
+       NOTE: 
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
 CVE-2025-15272 (FontForge SFD File Parsing Heap-based Buffer Overflow Remote 
Code Exec ...)
-       - fontforge <unfixed> (bug #1124487)
+       - fontforge <unfixed> (bug #1124487; unimportant)
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1192/
+       NOTE: Editing font files from untrusted sources is not supported:
+       NOTE: 
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
 CVE-2025-15271 (FontForge SFD File Parsing Improper Validation of Array Index 
Remote C ...)
-       - fontforge <unfixed> (bug #1124487)
+       - fontforge <unfixed> (bug #1124487; unimportant)
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1193/
+       NOTE: Editing font files from untrusted sources is not supported:
+       NOTE: 
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
 CVE-2025-15270 (FontForge SFD File Parsing Improper Validation of Array Index 
Remote C ...)
-       - fontforge <unfixed> (bug #1124487)
+       - fontforge <unfixed> (bug #1124487; unimportant)
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1194/
+       NOTE: Editing font files from untrusted sources is not supported:
+       NOTE: 
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
 CVE-2025-15269 (FontForge SFD File Parsing Use-After-Free Remote Code 
Execution Vulner ...)
-       - fontforge <unfixed> (bug #1124487)
+       - fontforge <unfixed> (bug #1124487; unimportant)
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1195/
+       NOTE: Editing font files from untrusted sources is not supported:
+       NOTE: 
https://github.com/fontforge/fontforge/wiki/Community-guidelines#D1
 CVE-2025-15223 (A vulnerability was found in Philipinho Simple-PHP-Blog up to 
94b5d3e5 ...)
        NOT-FOR-US: Philipinho Simple-PHP-Blog
 CVE-2025-15114 (Ksenia Security lares (legacy model) Home Automation version 
1.6 conta ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ botan3 (aron)
 cacti
   probably best to move to 1.2.31
 --
+cockpit
+--
 containerd
 --
 cups
@@ -80,6 +82,8 @@ pdfminer (carnil)
 perl (carnil)
   Comment from maintainer: I'd prefer to wait until upstream gets the point 
releases out
 --
+podman
+--
 prometheus
 --
 python-msgpack
@@ -96,6 +100,8 @@ roundcube
 --
 ruby3.3
 --
+ruby-oj
+--
 ruby-rack
 --
 ruby-rack-session



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb492a6dc1d28af23404e41d6690860ae6a7943d

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb492a6dc1d28af23404e41d6690860ae6a7943d
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to