Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
e9eb03e0 by Moritz Muehlenhoff at 2026-07-09T08:47:31+02:00
trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -133,6 +133,7 @@ CVE-2026-59937 (pypdf is a free and open-source pure-python
PDF library. Prior t
NOTE: Fixed by:
https://github.com/py-pdf/pypdf/commit/b5fc5aa714f4b696fb9b1deaa35a9e4a4eb50dae
(6.14.0)
CVE-2026-59930 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
- mistune <unfixed>
+ [trixie] - mistune <no-dsa> (Minor issue)
NOTE:
https://github.com/lepture/mistune/security/advisories/GHSA-2hm2-hc3v-44h9
NOTE: Fixed by:
https://github.com/lepture/mistune/commit/c4093c4742ed0d10d9332fb8edb455869b7b581b
(v3.3.0)
CVE-2026-59929 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
@@ -153,6 +154,7 @@ CVE-2026-59926 (Mistune is a Python Markdown parser with
renderers and plugins.
NOTE: Fixed by:
https://github.com/lepture/mistune/commit/a3cb6e5655308797e8be021d6c7b5bab13cbace2
(v3.2.1)
CVE-2026-59925 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
- mistune <unfixed>
+ [trixie] - mistune <no-dsa> (Minor issue)
NOTE:
https://github.com/lepture/mistune/security/advisories/GHSA-4j32-57v6-6g45
NOTE: Fixed by:
https://github.com/lepture/mistune/commit/5de41fb8e527004dbc363e047a3c380c9288c74f
(v3.3.0)
CVE-2026-59924 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
@@ -884,15 +886,18 @@ CVE-2026-14895 (String::Util versions before 1.36 for
Perl are susceptible to a
NOTE: Fixed by:
https://github.com/scottchiefbaker/String-Util/commit/f8150867aaeb8f57c59601aefb2193f2caed8745
(v1.36)
CVE-2026-14380 (DBI versions before 1.650 for Perl are vulnerable to code
injection vi ...)
- libdbi-perl 1.650-1 (bug #1141667)
+ [trixie] - libdbi-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/41625527/
NOTE:
https://github.com/perl5-dbi/dbi/security/advisories/GHSA-ch8w-hxc2-v557
NOTE: Fixed by:
https://github.com/perl5-dbi/dbi/commit/b73d5d9901767fc1d16b6661ef08fbed4532e259
(1.650)
CVE-2026-14739 (DBI versions before 1.650 for Perl have a heap overflow when
preparsin ...)
- libdbi-perl 1.650-1 (bug #1141667)
+ [trixie] - libdbi-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/41625530/
NOTE: Fixed by:
https://github.com/perl5-dbi/dbi/commit/2b77c88b655e9539a592c71a61fb965fc0075395
(1.650)
CVE-2026-14740 (DBI versions before 1.650 for Perl read one byte out-of-bounds
in prep ...)
- libdbi-perl 1.650-1 (bug #1141667)
+ [trixie] - libdbi-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/41625532/
NOTE:
https://github.com/perl5-dbi/dbi/security/advisories/GHSA-35f4-f8m9-w8xg
NOTE: Fixed by:
https://github.com/perl5-dbi/dbi/commit/fc16f9e8b3dd5c65caf1867781ab2bfe2fadcc01
(1.650)
@@ -1017,6 +1022,7 @@ CVE-2011-10043 (Module::Load versions before 0.22 for
Perl allow arbitrary modul
NOTE: https://lists.security.metacpan.org/cve-announce/msg/41608305/
CVE-2026-7017 (HTTP::Tiny versions before 0.095 for Perl forward credential
headers t ...)
- libhttp-tiny-perl 0.096-1 (bug #1141638)
+ [trixie] - libhttp-tiny-perl <no-dsa> (Minor issue)
- perl <unfixed> (bug #1141639)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/41618211/
NOTE: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36
@@ -6556,6 +6562,7 @@ CVE-2026-28979 (An out-of-bounds access issue was
addressed with improved bounds
NOT-FOR-US: Apple
CVE-2026-14164 (A double free issue has been identified in libarchive's RAR5
reader. D ...)
- libarchive 3.8.8-1 (bug #1141180)
+ [trixie] - libarchive <no-dsa> (Minor issue)
NOTE: https://github.com/libarchive/libarchive/issues/3069
NOTE: https://github.com/libarchive/libarchive/pull/3071
NOTE:
https://github.com/libarchive/libarchive/commit/1c914cdfef533cbee1ae3aa21a89ba02ed4d5f61
(master)
@@ -8655,15 +8662,19 @@ CVE-2026-56790 (CANBoat through 6.22, fixed in commit
a5a22b7, contains an off-b
- canboat <itp> (bug #921311)
CVE-2026-56789 (RTKLIB through 2.4.3 contains a heap buffer overflow
vulnerability in ...)
- rtklib <unfixed> (bug #1140766)
+ [trixie] - rtklib <no-dsa> (Minor issue)
NOTE: https://github.com/tomojitakasu/RTKLIB/issues/796
CVE-2026-56788 (RTKLIB through 2.4.3 contains an out-of-bounds read
vulnerability in g ...)
- rtklib <unfixed> (bug #1140766)
+ [trixie] - rtklib <no-dsa> (Minor issue)
NOTE: https://github.com/tomojitakasu/RTKLIB/issues/797
CVE-2026-56787 (RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read
vulnera ...)
- rtklib <unfixed> (bug #1140766)
+ [trixie] - rtklib <no-dsa> (Minor issue)
NOTE: https://github.com/tomojitakasu/RTKLIB/issues/798
CVE-2026-56786 (RTKLIB through 2.4.3 contains an out-of-bounds write
vulnerability in ...)
- rtklib <unfixed> (bug #1140766)
+ [trixie] - rtklib <no-dsa> (Minor issue)
NOTE: https://github.com/tomojitakasu/RTKLIB/issues/799
CVE-2026-56779 (MaxKB before 2.10.0 contains a server-side request forgery
vulnerabili ...)
NOT-FOR-US: MaxKB
@@ -10403,6 +10414,7 @@ CVE-2026-54686 (Warp is an agentic development
environment. From 0.2021.04.25.23
NOT-FOR-US: Warp
CVE-2026-54297 (Faraday is an HTTP client library abstraction layer that
provides a co ...)
- ruby-faraday 2.14.3-1
+ [trixie] - ruby-faraday <no-dsa> (Minor issue)
NOTE:
https://github.com/lostisland/faraday/security/advisories/GHSA-98m9-hrrm-r99r
CVE-2026-53950 (@tryghost/activitypub is Ghost\u2019s social/federation client
app. Pr ...)
NOT-FOR-US: tryghost/activitypub
@@ -43985,8 +43997,12 @@ CVE-2026-40174 (Masa CMS is a content management
system forked from Mura CMS. In
NOT-FOR-US: Masa CMS
CVE-2026-40171 (In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab
versions ...)
- jupyter-notebook <unfixed>
+ [trixie] - jupyter-notebook <not-affected> (Vulnerable code not
present, introduced in 7.0)
+ [bookworm] - jupyter-notebook <not-affected> (Vulnerable code not
present, introduced in 7.0)
+ [bullseye] - jupyter-notebook <not-affected> (Vulnerable code not
present, introduced in 7.0)
- jupyterlab <unfixed>
NOTE:
https://github.com/jupyter/notebook/security/advisories/GHSA-rch3-82jr-f9w9
+ NOTE:
https://github.com/jupyter/notebook/commit/50e5222c9670121c3369900c7dce01aae53823fc
CVE-2026-40076 (OpenMRS Core is an open source electronic medical record
system platfo ...)
NOT-FOR-US: OpenMRS
CVE-2026-40004 (There exists an openssl.cnf privilege escalation vulnerability
in ZTE ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -115,6 +115,8 @@ rust-wasmtime
--
shaarli
--
+starlette
+--
tomcat10
--
tomcat11
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9eb03e0cb798c94f13d7cbeeeff13f83b48402e
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9eb03e0cb798c94f13d7cbeeeff13f83b48402e
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits