Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
f894e47d by Moritz Muehlenhoff at 2026-07-08T23:27:49+02:00
trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -421,12 +421,15 @@ CVE-2026-6101 (The AMP for WP \u2013 Accelerated Mobile
Pages plugin for WordPre
NOT-FOR-US: WordPress plugin
CVE-2026-60002 (ssh in OpenSSH before 10.4 can have a use-after-free when a
server cha ...)
- openssh 1:10.4p1-1
+ [trixie] - openssh <no-dsa> (Minor issue)
NOTE: https://www.openssh.org/releasenotes.html#10.4p1
CVE-2026-60001 (sshd in OpenSSH before 10.4 does not always honor the minimum
authenti ...)
- openssh 1:10.4p1-1
+ [trixie] - openssh <no-dsa> (Minor issue)
NOTE: https://www.openssh.org/releasenotes.html#10.4p1
CVE-2026-60000 (sshd in OpenSSH before 10.4 allows remote attackers to cause a
denial ...)
- openssh 1:10.4p1-1
+ [trixie] - openssh <no-dsa> (Minor issue)
NOTE: https://www.openssh.org/releasenotes.html#10.4p1
CVE-2026-5799 (Authorization bypass through User-Controlled key vulnerability
in Idvl ...)
NOT-FOR-US: Idvlabs Ontime
@@ -434,18 +437,23 @@ CVE-2026-5730 (Authorization bypass through
User-Controlled key vulnerability in
NOT-FOR-US: Idvlabs Ontime
CVE-2026-59999 (In sshd in OpenSSH before 10.4, DisableForwarding=yes was
supposed to ...)
- openssh 1:10.4p1-1
+ [trixie] - openssh <no-dsa> (Minor issue)
NOTE: https://www.openssh.org/releasenotes.html#10.4p1
CVE-2026-59998 (sshd in OpenSSH before 10.4 has an undocumented
security-relevant beha ...)
- openssh 1:10.4p1-1
+ [trixie] - openssh <no-dsa> (Minor issue)
NOTE: https://www.openssh.org/releasenotes.html#10.4p1
CVE-2026-59997 (internal-sftp in sshd in OpenSSH before 10.4 recognizes only
the first ...)
- openssh 1:10.4p1-1
+ [trixie] - openssh <no-dsa> (Minor issue)
NOTE: https://www.openssh.org/releasenotes.html#10.4p1
CVE-2026-59996 (scp in OpenSSH before 10.4 may place a file in the parent
directory of ...)
- openssh 1:10.4p1-1
+ [trixie] - openssh <no-dsa> (Minor issue)
NOTE: https://www.openssh.org/releasenotes.html#10.4p1
CVE-2026-59995 (sftp in OpenSSH before 10.4 does not properly constrain the
location o ...)
- openssh 1:10.4p1-1
+ [trixie] - openssh <no-dsa> (Minor issue)
NOTE: https://www.openssh.org/releasenotes.html#10.4p1
CVE-2026-59800 (9Router before 0.4.44 contains an OS command injection
vulnerability i ...)
NOT-FOR-US: 9Router
@@ -471,15 +479,19 @@ CVE-2026-58473 (Cognee before 1.2.0 contains an improper
access control vulnerab
NOT-FOR-US: Cognee
CVE-2026-58472 (GNU Wget through 1.25.0, fixed in commit dd692d9, contains a
heap buff ...)
- wget <unfixed> (bug #1141689)
+ [trixie] - wget <no-dsa> (Minor issue)
NOTE: Fixed by:
https://gitlab.com/gnuwget/wget/-/commit/dd692d9cea5335b181d877ae917fe6e75587a812
CVE-2026-58471 (GNU Wget through 1.25.0, fixed in commit c2640fe, contains a
heap buff ...)
- wget <unfixed> (bug #1141689)
+ [trixie] - wget <no-dsa> (Minor issue)
NOTE: Fixed by:
https://gitlab.com/gnuwget/wget/-/commit/c2640fe5171c59f87c58dc9fcb195b2d18b010ee
CVE-2026-58470 (GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an
integer ...)
- wget <unfixed> (bug #1141689)
+ [trixie] - wget <no-dsa> (Minor issue)
NOTE: Fixed by:
https://gitlab.com/gnuwget/wget/-/commit/43d3ba9336bc94937e6fae2365c6ffd30c34ffcf
CVE-2026-58469 (GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a
heap buff ...)
- wget <unfixed> (bug #1141689)
+ [trixie] - wget <no-dsa> (Minor issue)
NOTE: Fixed by:
https://gitlab.com/gnuwget/wget/-/commit/37a40fcb450153f69537c7cbc2a7a4fb0b6f7826
CVE-2026-58468 (NocoBase through 2.1.20 contains a server-side request forgery
vulnera ...)
NOT-FOR-US: NocoBase
@@ -1201,36 +1213,47 @@ CVE-2024-56141 (Minosoft is an open-source,
multi-version Minecraft Java Edition
NOT-FOR-US: Minosoft
CVE-2026-49861
- fastdds <unfixed>
+ [trixie] - fastdds <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
CVE-2026-53589
- fastdds <unfixed>
+ [trixie] - fastdds <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
CVE-2026-45098
- fastdds <unfixed>
+ [trixie] - fastdds <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
CVE-2026-49862
- fastdds <unfixed>
+ [trixie] - fastdds <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
CVE-2026-55063
- fastdds <unfixed>
+ [trixie] - fastdds <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
CVE-2026-49863
- fastdds <unfixed>
+ [trixie] - fastdds <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
CVE-2026-53588
- fastdds <unfixed>
+ [trixie] - fastdds <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
CVE-2026-53590
- fastdds <unfixed>
+ [trixie] - fastdds <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
CVE-2026-45096
- fastdds <unfixed>
+ [trixie] - fastdds <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/eProsima/Fast-DDS/commit/d9f4b373c90179c96f3b1542e72f16e282ef0104
(v3.6.2)
CVE-2026-45095
- fastdds <unfixed>
+ [trixie] - fastdds <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/eProsima/Fast-DDS/commit/d9f4b373c90179c96f3b1542e72f16e282ef0104
(v3.6.2)
CVE-2026-45094
- fastdds <unfixed>
+ [trixie] - fastdds <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/eProsima/Fast-DDS/commit/d9f4b373c90179c96f3b1542e72f16e282ef0104
(v3.6.2)
CVE-2026-59089 (A flaw was found in GIMP. The PlayStation TIM loader,
responsible for ...)
- gimp <unfixed>
@@ -1475,13 +1498,16 @@ CVE-2024-6228 (The Notifications for Forms & WordPress
Actions WordPress plugin
NOT-FOR-US: WordPress plugin
CVE-2026-XXXX [RUSTSEC-2026-0190]
- rust-anyhow <unfixed> (bug #1141593)
+ [trixie] - rust-anyhow <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0190.html
NOTE: https://github.com/dtolnay/anyhow/issues/451
CVE-2026-XXXX [RUSTSEC-2026-0193]
- rust-ammonia <unfixed> (bug #1141594)
+ [trixie] - rust-ammonia <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0193.html
CVE-2026-XXXX [RUSTSEC-2026-0194]
- rust-quick-xml <unfixed> (bug #1141595)
+ [trixie] - rust-quick-xml <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0194.html
NOTE: https://github.com/tafia/quick-xml/issues/969
NOTE: https://github.com/tafia/quick-xml/pull/971
@@ -1503,6 +1529,7 @@ CVE-2026-XXXX [RUSTSEC-2026-0195]
NOTE:
https://github.com/tafia/quick-xml/commit/7ca25266e94987210daa864889ab15c9332c8a2a
(v0.41.0)
CVE-2026-XXXX [RUSTSEC-2026-0197]
- rust-cgmath <unfixed> (bug #1141589)
+ [trixie] - rust-cgmath <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0197.html
NOTE: https://github.com/rustgd/cgmath/issues/565
CVE-2026-XXXX [RUSTSEC-2026-0199]
@@ -1510,10 +1537,12 @@ CVE-2026-XXXX [RUSTSEC-2026-0199]
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0199.html
CVE-2026-XXXX [RUSTSEC-2026-0202]
- rust-cxx <unfixed> (bug #1141591)
+ [trixie] - rust-cxx <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0202.html
NOTE: https://github.com/dtolnay/cxx/issues/1729
CVE-2026-XXXX [RUSTSEC-2026-0166]
- rust-stackvector <unfixed> (bug #1141592)
+ [trixie] - rust-stackvector <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2025-0166.html
NOTE: https://github.com/Alexhuszagh/rust-stackvector/issues/3
NOTE: https://github.com/Alexhuszagh/rust-stackvector/issues/5
@@ -2220,6 +2249,7 @@ CVE-2026-9148 (The Comments \u2013 wpDiscuz plugin for
WordPress is vulnerable t
NOT-FOR-US: WordPress plugin
CVE-2026-8804 (Puppet resource_api (shipped in Puppet Core 8.x and Puppet
Enterprise ...)
- ruby-puppet-resource-api <unfixed> (bug #1141432)
+ [trixie] - ruby-puppet-resource-api <no-dsa> (Minor issue)
NOTE: https://github.com/puppetlabs/puppet-resource_api/pull/384
NOTE: Fixed by:
https://github.com/puppetlabs/puppet-resource_api/commit/87737def98e5b299fcd78b198159bca88be991e7
(v1.9.2)
CVE-2026-8351 (The RTMKit plugin for WordPress is vulnerable to Stored
Cross-Site Scr ...)
@@ -32748,6 +32778,7 @@ CVE-2026-40383 (An improper validation of user-supplied
input leads to a local f
NOT-FOR-US: Joomla
CVE-2026-40034 (gix-submodule before 0.29.0 (gitoxide before 0.5.21, gix
before 0.84.0 ...)
- rust-gix-submodule <unfixed>
+ [trixie] - rust-gix-submodule <no-dsa> (Minor issue)
NOTE:
https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-f26g-jm89-4g65
NOTE: Introduced with:
https://github.com/GitoxideLabs/gitoxide/commit/6a2e6a436f76c8bbf2487f9967413a51356667a0
CVE-2026-40033 (FreeRDP before 3.26.0 contains a heap-buffer-overflow
vulnerability in ...)
@@ -34065,16 +34096,19 @@ CVE-2026-47101 (LiteLLM prior to 1.83.14 allows an
authenticated internal_user t
NOT-FOR-US: LiteLLM
CVE-2026-46598 (For certain crafted inputs, a 'ed25519.PrivateKey' was created
by cast ...)
- golang-go.crypto 1:0.52.0-1 (bug #1137516)
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79596
CVE-2026-46597 (An incorrectly placed cast from bytes to int allowed for
server-side p ...)
- golang-go.crypto 1:0.52.0-1 (bug #1137516)
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79561
CVE-2026-46595 (Previously, CVE-2024-45337 fixed an authorization bypass for
misused s ...)
- golang-go.crypto 1:0.52.0-1 (bug #1137516)
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79570
@@ -34082,6 +34116,7 @@ CVE-2026-44409 (There is an an information disclosure
vulnerability in ZTE MU525
NOT-FOR-US: ZTE
CVE-2026-42508 (Previously, a revoked 'SignatureKey' belonging to a CA was not
correct ...)
- golang-go.crypto 1:0.52.0-1 (bug #1137516)
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79568
@@ -34089,46 +34124,55 @@ CVE-2026-3481 (The WP Blockade plugin for WordPress
is vulnerable to Reflected C
NOT-FOR-US: WordPress plugin
CVE-2026-39835 (SSH servers which use CertChecker as a public key callback
without set ...)
- golang-go.crypto 1:0.52.0-1 (bug #1137516)
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79563
CVE-2026-39834 (When writing data larger than 4GB in a single Write call on an
SSH cha ...)
- golang-go.crypto 1:0.52.0-1 (bug #1137516)
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79567
CVE-2026-39833 (The in-memory keyring returned by NewKeyring() silently
accepted keys ...)
- golang-go.crypto 1:0.52.0-1 (bug #1137516)
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79436
CVE-2026-39832 (When adding a key to a remote agent constraint extensions such
as rest ...)
- golang-go.crypto 1:0.52.0-1 (bug #1137516)
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79435
CVE-2026-39831 (The Verify() method for FIDO/U2F security key types
(sk-ecdsa-sha2-nis ...)
- golang-go.crypto 1:0.52.0-1 (bug #1137516)
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79566
CVE-2026-39830 (A malicious SSH peer could send unsolicited global request
responses t ...)
- golang-go.crypto 1:0.52.0-1 (bug #1137516)
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79564
CVE-2026-39829 (The RSA and DSA public key parsers did not enforce size limits
on key ...)
- golang-go.crypto 1:0.52.0-1 (bug #1137516)
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79565
CVE-2026-39828 (When an SSH server authentication callback returned
PartialSuccessErro ...)
- golang-go.crypto 1:0.52.0-1 (bug #1137516)
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79562
CVE-2026-39827 (An authenticated SSH client that repeatedly opened channels
which were ...)
- golang-go.crypto 1:0.52.0-1 (bug #1137516)
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/35127
@@ -55897,11 +55941,13 @@ CVE-2026-5617 (The Login as User plugin for WordPress
is vulnerable to Privilege
NOT-FOR-US: WordPress plugin
CVE-2026-5598 (Covert timing channel vulnerability in Legion of the Bouncy
Castle Inc ...)
- bouncycastle <unfixed> (bug #1134386)
+ [trixie] - bouncycastle <no-dsa> (Minor issue)
[bullseye] - bouncycastle <not-affected> (Vulnerable code introduced in
1.71)
NOTE:
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905598
NOTE: Fixed by:
https://github.com/bcgit/bc-java/commit/94abbd56413dfdac651fd878bc60253871ef5e87
(r1rv84)
CVE-2026-5588 (Use of a Broken or Risky Cryptographic Algorithm vulnerability
in Legi ...)
- bouncycastle <unfixed> (bug #1134196)
+ [trixie] - bouncycastle <no-dsa> (Minor issue)
NOTE:
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905588
NOTE:
https://github.com/bcgit/bc-java/commit/656bae0dbd9b1521f840521ff786e78749fe3057
(r1rv84)
CVE-2026-5426 (Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge
Knowledge ...)
@@ -56089,6 +56135,7 @@ CVE-2026-3551 (The Custom New User Notification plugin
for WordPress is vulnerab
NOT-FOR-US: WordPress plugin
CVE-2026-3505 (Allocation of resources without limits or throttling,
Uncontrolled Res ...)
- bouncycastle <unfixed> (bug #1134195)
+ [trixie] - bouncycastle <no-dsa> (Minor issue)
NOTE:
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%903505
NOTE: Fixed by:
https://github.com/bcgit/bc-java/commit/dc7530939ffb6cdb57636f3609d98e23b94e71c1
(r1rv84)
CVE-2026-3489 (The DirectoryPress \u2013 Business Directory And Classified Ad
Listing ...)
@@ -56314,6 +56361,7 @@ CVE-2026-0718 (The Post Grid Gutenberg Blocks for News,
Magazines, Blog Websites
NOT-FOR-US: WordPress plugin
CVE-2026-0636 (Improper neutralization of special elements used in an LDAP
query ('LD ...)
- bouncycastle <unfixed> (bug #1134343)
+ [trixie] - bouncycastle <no-dsa> (Minor issue)
NOTE:
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%900636
NOTE:
https://github.com/bcgit/bc-java/commit/d20cdb8430e09224114fec0179a71859929fcbde
(r1rv84)
CVE-2025-6024 (The authentication endpoint fails to encode user-supplied input
before ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -124,5 +124,9 @@ vim
some of the issues seem worth fixing
Lee Garrett is interested in contributing an update for stable
--
+xen
+--
+xorg-server
+--
xrdp
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f894e47d36a4886fc5591dd0d51f1aeb0b9affde
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f894e47d36a4886fc5591dd0d51f1aeb0b9affde
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits