Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f894e47d by Moritz Muehlenhoff at 2026-07-08T23:27:49+02:00
trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -421,12 +421,15 @@ CVE-2026-6101 (The AMP for WP \u2013 Accelerated Mobile 
Pages plugin for WordPre
        NOT-FOR-US: WordPress plugin
 CVE-2026-60002 (ssh in OpenSSH before 10.4 can have a use-after-free when a 
server cha ...)
        - openssh 1:10.4p1-1
+       [trixie] - openssh <no-dsa> (Minor issue)
        NOTE: https://www.openssh.org/releasenotes.html#10.4p1
 CVE-2026-60001 (sshd in OpenSSH before 10.4 does not always honor the minimum 
authenti ...)
        - openssh 1:10.4p1-1
+       [trixie] - openssh <no-dsa> (Minor issue)
        NOTE: https://www.openssh.org/releasenotes.html#10.4p1
 CVE-2026-60000 (sshd in OpenSSH before 10.4 allows remote attackers to cause a 
denial  ...)
        - openssh 1:10.4p1-1
+       [trixie] - openssh <no-dsa> (Minor issue)
        NOTE: https://www.openssh.org/releasenotes.html#10.4p1
 CVE-2026-5799 (Authorization bypass through User-Controlled key vulnerability 
in Idvl ...)
        NOT-FOR-US: Idvlabs Ontime
@@ -434,18 +437,23 @@ CVE-2026-5730 (Authorization bypass through 
User-Controlled key vulnerability in
        NOT-FOR-US: Idvlabs Ontime
 CVE-2026-59999 (In sshd in OpenSSH before 10.4, DisableForwarding=yes was 
supposed to  ...)
        - openssh 1:10.4p1-1
+       [trixie] - openssh <no-dsa> (Minor issue)
        NOTE: https://www.openssh.org/releasenotes.html#10.4p1
 CVE-2026-59998 (sshd in OpenSSH before 10.4 has an undocumented 
security-relevant beha ...)
        - openssh 1:10.4p1-1
+       [trixie] - openssh <no-dsa> (Minor issue)
        NOTE: https://www.openssh.org/releasenotes.html#10.4p1
 CVE-2026-59997 (internal-sftp in sshd in OpenSSH before 10.4 recognizes only 
the first ...)
        - openssh 1:10.4p1-1
+       [trixie] - openssh <no-dsa> (Minor issue)
        NOTE: https://www.openssh.org/releasenotes.html#10.4p1
 CVE-2026-59996 (scp in OpenSSH before 10.4 may place a file in the parent 
directory of ...)
        - openssh 1:10.4p1-1
+       [trixie] - openssh <no-dsa> (Minor issue)
        NOTE: https://www.openssh.org/releasenotes.html#10.4p1
 CVE-2026-59995 (sftp in OpenSSH before 10.4 does not properly constrain the 
location o ...)
        - openssh 1:10.4p1-1
+       [trixie] - openssh <no-dsa> (Minor issue)
        NOTE: https://www.openssh.org/releasenotes.html#10.4p1
 CVE-2026-59800 (9Router before 0.4.44 contains an OS command injection 
vulnerability i ...)
        NOT-FOR-US: 9Router
@@ -471,15 +479,19 @@ CVE-2026-58473 (Cognee before 1.2.0 contains an improper 
access control vulnerab
        NOT-FOR-US: Cognee
 CVE-2026-58472 (GNU Wget through 1.25.0, fixed in commit dd692d9, contains a 
heap buff ...)
        - wget <unfixed> (bug #1141689)
+       [trixie] - wget <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://gitlab.com/gnuwget/wget/-/commit/dd692d9cea5335b181d877ae917fe6e75587a812
 CVE-2026-58471 (GNU Wget through 1.25.0, fixed in commit c2640fe, contains a 
heap buff ...)
        - wget <unfixed> (bug #1141689)
+       [trixie] - wget <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://gitlab.com/gnuwget/wget/-/commit/c2640fe5171c59f87c58dc9fcb195b2d18b010ee
 CVE-2026-58470 (GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an 
integer  ...)
        - wget <unfixed> (bug #1141689)
+       [trixie] - wget <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://gitlab.com/gnuwget/wget/-/commit/43d3ba9336bc94937e6fae2365c6ffd30c34ffcf
 CVE-2026-58469 (GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a 
heap buff ...)
        - wget <unfixed> (bug #1141689)
+       [trixie] - wget <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://gitlab.com/gnuwget/wget/-/commit/37a40fcb450153f69537c7cbc2a7a4fb0b6f7826
 CVE-2026-58468 (NocoBase through 2.1.20 contains a server-side request forgery 
vulnera ...)
        NOT-FOR-US: NocoBase
@@ -1201,36 +1213,47 @@ CVE-2024-56141 (Minosoft is an open-source, 
multi-version Minecraft Java Edition
        NOT-FOR-US: Minosoft
 CVE-2026-49861
        - fastdds <unfixed>
+       [trixie] - fastdds <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
 CVE-2026-53589
        - fastdds <unfixed>
+       [trixie] - fastdds <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
 CVE-2026-45098
        - fastdds <unfixed>
+       [trixie] - fastdds <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
 CVE-2026-49862
        - fastdds <unfixed>
+       [trixie] - fastdds <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
 CVE-2026-55063
        - fastdds <unfixed>
+       [trixie] - fastdds <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
 CVE-2026-49863
        - fastdds <unfixed>
+       [trixie] - fastdds <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
 CVE-2026-53588
        - fastdds <unfixed>
+       [trixie] - fastdds <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
 CVE-2026-53590
        - fastdds <unfixed>
+       [trixie] - fastdds <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/eProsima/Fast-DDS/commit/aeba2db3640d1f79d9f1f0430b10a475ea4c47cb
 CVE-2026-45096
        - fastdds <unfixed>
+       [trixie] - fastdds <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/eProsima/Fast-DDS/commit/d9f4b373c90179c96f3b1542e72f16e282ef0104
 (v3.6.2)
 CVE-2026-45095
        - fastdds <unfixed>
+       [trixie] - fastdds <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/eProsima/Fast-DDS/commit/d9f4b373c90179c96f3b1542e72f16e282ef0104
 (v3.6.2)
 CVE-2026-45094
        - fastdds <unfixed>
+       [trixie] - fastdds <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/eProsima/Fast-DDS/commit/d9f4b373c90179c96f3b1542e72f16e282ef0104
 (v3.6.2)
 CVE-2026-59089 (A flaw was found in GIMP. The PlayStation TIM loader, 
responsible for  ...)
        - gimp <unfixed>
@@ -1475,13 +1498,16 @@ CVE-2024-6228 (The Notifications for Forms & WordPress 
Actions WordPress plugin
        NOT-FOR-US: WordPress plugin
 CVE-2026-XXXX [RUSTSEC-2026-0190]
        - rust-anyhow <unfixed> (bug #1141593)
+       [trixie] - rust-anyhow <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0190.html
        NOTE: https://github.com/dtolnay/anyhow/issues/451
 CVE-2026-XXXX [RUSTSEC-2026-0193]
        - rust-ammonia <unfixed> (bug #1141594)
+       [trixie] - rust-ammonia <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0193.html
 CVE-2026-XXXX [RUSTSEC-2026-0194]
        - rust-quick-xml <unfixed> (bug #1141595)
+       [trixie] - rust-quick-xml <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0194.html
        NOTE: https://github.com/tafia/quick-xml/issues/969
        NOTE: https://github.com/tafia/quick-xml/pull/971
@@ -1503,6 +1529,7 @@ CVE-2026-XXXX [RUSTSEC-2026-0195]
        NOTE: 
https://github.com/tafia/quick-xml/commit/7ca25266e94987210daa864889ab15c9332c8a2a
 (v0.41.0)
 CVE-2026-XXXX [RUSTSEC-2026-0197]
        - rust-cgmath <unfixed> (bug #1141589)
+       [trixie] - rust-cgmath <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0197.html
        NOTE: https://github.com/rustgd/cgmath/issues/565
 CVE-2026-XXXX [RUSTSEC-2026-0199]
@@ -1510,10 +1537,12 @@ CVE-2026-XXXX [RUSTSEC-2026-0199]
        NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0199.html
 CVE-2026-XXXX [RUSTSEC-2026-0202]
        - rust-cxx <unfixed> (bug #1141591)
+       [trixie] - rust-cxx <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0202.html
        NOTE: https://github.com/dtolnay/cxx/issues/1729
 CVE-2026-XXXX [RUSTSEC-2026-0166]
        - rust-stackvector <unfixed> (bug #1141592)
+       [trixie] - rust-stackvector <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2025-0166.html
        NOTE: https://github.com/Alexhuszagh/rust-stackvector/issues/3
        NOTE: https://github.com/Alexhuszagh/rust-stackvector/issues/5
@@ -2220,6 +2249,7 @@ CVE-2026-9148 (The Comments \u2013 wpDiscuz plugin for 
WordPress is vulnerable t
        NOT-FOR-US: WordPress plugin
 CVE-2026-8804 (Puppet resource_api (shipped in Puppet Core 8.x and Puppet 
Enterprise  ...)
        - ruby-puppet-resource-api <unfixed> (bug #1141432)
+       [trixie] - ruby-puppet-resource-api <no-dsa> (Minor issue)
        NOTE: https://github.com/puppetlabs/puppet-resource_api/pull/384
        NOTE: Fixed by: 
https://github.com/puppetlabs/puppet-resource_api/commit/87737def98e5b299fcd78b198159bca88be991e7
 (v1.9.2)
 CVE-2026-8351 (The RTMKit plugin for WordPress is vulnerable to Stored 
Cross-Site Scr ...)
@@ -32748,6 +32778,7 @@ CVE-2026-40383 (An improper validation of user-supplied 
input leads to a local f
        NOT-FOR-US: Joomla
 CVE-2026-40034 (gix-submodule before 0.29.0 (gitoxide before 0.5.21, gix 
before 0.84.0 ...)
        - rust-gix-submodule <unfixed>
+       [trixie] - rust-gix-submodule <no-dsa> (Minor issue)
        NOTE: 
https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-f26g-jm89-4g65
        NOTE: Introduced with: 
https://github.com/GitoxideLabs/gitoxide/commit/6a2e6a436f76c8bbf2487f9967413a51356667a0
 CVE-2026-40033 (FreeRDP before 3.26.0 contains a heap-buffer-overflow 
vulnerability in ...)
@@ -34065,16 +34096,19 @@ CVE-2026-47101 (LiteLLM prior to 1.83.14 allows an 
authenticated internal_user t
        NOT-FOR-US: LiteLLM
 CVE-2026-46598 (For certain crafted inputs, a 'ed25519.PrivateKey' was created 
by cast ...)
        - golang-go.crypto 1:0.52.0-1 (bug #1137516)
+       [trixie] - golang-go.crypto <no-dsa> (Minor issue)
        [bullseye] - golang-go.crypto <postponed> (Limited support, follow 
bookworm DSAs/point-releases)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
        NOTE: https://github.com/golang/go/issues/79596
 CVE-2026-46597 (An incorrectly placed cast from bytes to int allowed for 
server-side p ...)
        - golang-go.crypto 1:0.52.0-1 (bug #1137516)
+       [trixie] - golang-go.crypto <no-dsa> (Minor issue)
        [bullseye] - golang-go.crypto <postponed> (Limited support, follow 
bookworm DSAs/point-releases)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
        NOTE: https://github.com/golang/go/issues/79561
 CVE-2026-46595 (Previously, CVE-2024-45337 fixed an authorization bypass for 
misused s ...)
        - golang-go.crypto 1:0.52.0-1 (bug #1137516)
+       [trixie] - golang-go.crypto <no-dsa> (Minor issue)
        [bullseye] - golang-go.crypto <postponed> (Limited support, follow 
bookworm DSAs/point-releases)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
        NOTE: https://github.com/golang/go/issues/79570
@@ -34082,6 +34116,7 @@ CVE-2026-44409 (There is an an information disclosure 
vulnerability in ZTE MU525
        NOT-FOR-US: ZTE
 CVE-2026-42508 (Previously, a revoked 'SignatureKey' belonging to a CA was not 
correct ...)
        - golang-go.crypto 1:0.52.0-1 (bug #1137516)
+       [trixie] - golang-go.crypto <no-dsa> (Minor issue)
        [bullseye] - golang-go.crypto <postponed> (Limited support, follow 
bookworm DSAs/point-releases)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
        NOTE: https://github.com/golang/go/issues/79568
@@ -34089,46 +34124,55 @@ CVE-2026-3481 (The WP Blockade plugin for WordPress 
is vulnerable to Reflected C
        NOT-FOR-US: WordPress plugin
 CVE-2026-39835 (SSH servers which use CertChecker as a public key callback 
without set ...)
        - golang-go.crypto 1:0.52.0-1 (bug #1137516)
+       [trixie] - golang-go.crypto <no-dsa> (Minor issue)
        [bullseye] - golang-go.crypto <postponed> (Limited support, follow 
bookworm DSAs/point-releases)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
        NOTE: https://github.com/golang/go/issues/79563
 CVE-2026-39834 (When writing data larger than 4GB in a single Write call on an 
SSH cha ...)
        - golang-go.crypto 1:0.52.0-1 (bug #1137516)
+       [trixie] - golang-go.crypto <no-dsa> (Minor issue)
        [bullseye] - golang-go.crypto <postponed> (Limited support, follow 
bookworm DSAs/point-releases)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
        NOTE: https://github.com/golang/go/issues/79567
 CVE-2026-39833 (The in-memory keyring returned by NewKeyring() silently 
accepted keys  ...)
        - golang-go.crypto 1:0.52.0-1 (bug #1137516)
+       [trixie] - golang-go.crypto <no-dsa> (Minor issue)
        [bullseye] - golang-go.crypto <postponed> (Limited support, follow 
bookworm DSAs/point-releases)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
        NOTE: https://github.com/golang/go/issues/79436
 CVE-2026-39832 (When adding a key to a remote agent constraint extensions such 
as rest ...)
        - golang-go.crypto 1:0.52.0-1 (bug #1137516)
+       [trixie] - golang-go.crypto <no-dsa> (Minor issue)
        [bullseye] - golang-go.crypto <postponed> (Limited support, follow 
bookworm DSAs/point-releases)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
        NOTE: https://github.com/golang/go/issues/79435
 CVE-2026-39831 (The Verify() method for FIDO/U2F security key types 
(sk-ecdsa-sha2-nis ...)
        - golang-go.crypto 1:0.52.0-1 (bug #1137516)
+       [trixie] - golang-go.crypto <no-dsa> (Minor issue)
        [bullseye] - golang-go.crypto <postponed> (Limited support, follow 
bookworm DSAs/point-releases)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
        NOTE: https://github.com/golang/go/issues/79566
 CVE-2026-39830 (A malicious SSH peer could send unsolicited global request 
responses t ...)
        - golang-go.crypto 1:0.52.0-1 (bug #1137516)
+       [trixie] - golang-go.crypto <no-dsa> (Minor issue)
        [bullseye] - golang-go.crypto <postponed> (Limited support, follow 
bookworm DSAs/point-releases)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
        NOTE: https://github.com/golang/go/issues/79564
 CVE-2026-39829 (The RSA and DSA public key parsers did not enforce size limits 
on key  ...)
        - golang-go.crypto 1:0.52.0-1 (bug #1137516)
+       [trixie] - golang-go.crypto <no-dsa> (Minor issue)
        [bullseye] - golang-go.crypto <postponed> (Limited support, follow 
bookworm DSAs/point-releases)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
        NOTE: https://github.com/golang/go/issues/79565
 CVE-2026-39828 (When an SSH server authentication callback returned 
PartialSuccessErro ...)
        - golang-go.crypto 1:0.52.0-1 (bug #1137516)
+       [trixie] - golang-go.crypto <no-dsa> (Minor issue)
        [bullseye] - golang-go.crypto <postponed> (Limited support, follow 
bookworm DSAs/point-releases)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
        NOTE: https://github.com/golang/go/issues/79562
 CVE-2026-39827 (An authenticated SSH client that repeatedly opened channels 
which were ...)
        - golang-go.crypto 1:0.52.0-1 (bug #1137516)
+       [trixie] - golang-go.crypto <no-dsa> (Minor issue)
        [bullseye] - golang-go.crypto <postponed> (Limited support, follow 
bookworm DSAs/point-releases)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
        NOTE: https://github.com/golang/go/issues/35127
@@ -55897,11 +55941,13 @@ CVE-2026-5617 (The Login as User plugin for WordPress 
is vulnerable to Privilege
        NOT-FOR-US: WordPress plugin
 CVE-2026-5598 (Covert timing channel vulnerability in Legion of the Bouncy 
Castle Inc ...)
        - bouncycastle <unfixed> (bug #1134386)
+       [trixie] - bouncycastle <no-dsa> (Minor issue)
        [bullseye] - bouncycastle <not-affected> (Vulnerable code introduced in 
1.71)
        NOTE: 
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905598
        NOTE: Fixed by: 
https://github.com/bcgit/bc-java/commit/94abbd56413dfdac651fd878bc60253871ef5e87
 (r1rv84)
 CVE-2026-5588 (Use of a Broken or Risky Cryptographic Algorithm vulnerability 
in Legi ...)
        - bouncycastle <unfixed> (bug #1134196)
+       [trixie] - bouncycastle <no-dsa> (Minor issue)
        NOTE: 
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905588
        NOTE: 
https://github.com/bcgit/bc-java/commit/656bae0dbd9b1521f840521ff786e78749fe3057
 (r1rv84)
 CVE-2026-5426 (Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge 
Knowledge ...)
@@ -56089,6 +56135,7 @@ CVE-2026-3551 (The Custom New User Notification plugin 
for WordPress is vulnerab
        NOT-FOR-US: WordPress plugin
 CVE-2026-3505 (Allocation of resources without limits or throttling, 
Uncontrolled Res ...)
        - bouncycastle <unfixed> (bug #1134195)
+       [trixie] - bouncycastle <no-dsa> (Minor issue)
        NOTE: 
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%903505
        NOTE: Fixed by: 
https://github.com/bcgit/bc-java/commit/dc7530939ffb6cdb57636f3609d98e23b94e71c1
 (r1rv84)
 CVE-2026-3489 (The DirectoryPress \u2013 Business Directory And Classified Ad 
Listing ...)
@@ -56314,6 +56361,7 @@ CVE-2026-0718 (The Post Grid Gutenberg Blocks for News, 
Magazines, Blog Websites
        NOT-FOR-US: WordPress plugin
 CVE-2026-0636 (Improper neutralization of special elements used in an LDAP 
query ('LD ...)
        - bouncycastle <unfixed> (bug #1134343)
+       [trixie] - bouncycastle <no-dsa> (Minor issue)
        NOTE: 
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%900636
        NOTE: 
https://github.com/bcgit/bc-java/commit/d20cdb8430e09224114fec0179a71859929fcbde
 (r1rv84)
 CVE-2025-6024 (The authentication endpoint fails to encode user-supplied input 
before ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -124,5 +124,9 @@ vim
   some of the issues seem worth fixing
   Lee Garrett is interested in contributing an update for stable
 --
+xen
+--
+xorg-server
+--
 xrdp
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f894e47d36a4886fc5591dd0d51f1aeb0b9affde

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f894e47d36a4886fc5591dd0d51f1aeb0b9affde
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to