Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e9eb03e0 by Moritz Muehlenhoff at 2026-07-09T08:47:31+02:00
trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -133,6 +133,7 @@ CVE-2026-59937 (pypdf is a free and open-source pure-python 
PDF library. Prior t
        NOTE: Fixed by: 
https://github.com/py-pdf/pypdf/commit/b5fc5aa714f4b696fb9b1deaa35a9e4a4eb50dae 
(6.14.0)
 CVE-2026-59930 (Mistune is a Python Markdown parser with renderers and 
plugins. Prior  ...)
        - mistune <unfixed>
+       [trixie] - mistune <no-dsa> (Minor issue)
        NOTE: 
https://github.com/lepture/mistune/security/advisories/GHSA-2hm2-hc3v-44h9
        NOTE: Fixed by: 
https://github.com/lepture/mistune/commit/c4093c4742ed0d10d9332fb8edb455869b7b581b
 (v3.3.0)
 CVE-2026-59929 (Mistune is a Python Markdown parser with renderers and 
plugins. Prior  ...)
@@ -153,6 +154,7 @@ CVE-2026-59926 (Mistune is a Python Markdown parser with 
renderers and plugins.
        NOTE: Fixed by: 
https://github.com/lepture/mistune/commit/a3cb6e5655308797e8be021d6c7b5bab13cbace2
 (v3.2.1)
 CVE-2026-59925 (Mistune is a Python Markdown parser with renderers and 
plugins. Prior  ...)
        - mistune <unfixed>
+       [trixie] - mistune <no-dsa> (Minor issue)
        NOTE: 
https://github.com/lepture/mistune/security/advisories/GHSA-4j32-57v6-6g45
        NOTE: Fixed by: 
https://github.com/lepture/mistune/commit/5de41fb8e527004dbc363e047a3c380c9288c74f
 (v3.3.0)
 CVE-2026-59924 (Mistune is a Python Markdown parser with renderers and 
plugins. Prior  ...)
@@ -884,15 +886,18 @@ CVE-2026-14895 (String::Util versions before 1.36 for 
Perl are susceptible to a
        NOTE: Fixed by: 
https://github.com/scottchiefbaker/String-Util/commit/f8150867aaeb8f57c59601aefb2193f2caed8745
 (v1.36)
 CVE-2026-14380 (DBI versions before 1.650 for Perl are vulnerable to code 
injection vi ...)
        - libdbi-perl 1.650-1 (bug #1141667)
+       [trixie] - libdbi-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/41625527/
        NOTE: 
https://github.com/perl5-dbi/dbi/security/advisories/GHSA-ch8w-hxc2-v557
        NOTE: Fixed by: 
https://github.com/perl5-dbi/dbi/commit/b73d5d9901767fc1d16b6661ef08fbed4532e259
 (1.650)
 CVE-2026-14739 (DBI versions before 1.650 for Perl have a heap overflow when 
preparsin ...)
        - libdbi-perl 1.650-1 (bug #1141667)
+       [trixie] - libdbi-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/41625530/
        NOTE: Fixed by: 
https://github.com/perl5-dbi/dbi/commit/2b77c88b655e9539a592c71a61fb965fc0075395
 (1.650)
 CVE-2026-14740 (DBI versions before 1.650 for Perl read one byte out-of-bounds 
in prep ...)
        - libdbi-perl 1.650-1 (bug #1141667)
+       [trixie] - libdbi-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/41625532/
        NOTE: 
https://github.com/perl5-dbi/dbi/security/advisories/GHSA-35f4-f8m9-w8xg
        NOTE: Fixed by: 
https://github.com/perl5-dbi/dbi/commit/fc16f9e8b3dd5c65caf1867781ab2bfe2fadcc01
 (1.650)
@@ -1017,6 +1022,7 @@ CVE-2011-10043 (Module::Load versions before 0.22 for 
Perl allow arbitrary modul
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/41608305/
 CVE-2026-7017 (HTTP::Tiny versions before 0.095 for Perl forward credential 
headers t ...)
        - libhttp-tiny-perl 0.096-1 (bug #1141638)
+       [trixie] - libhttp-tiny-perl <no-dsa> (Minor issue)
        - perl <unfixed> (bug #1141639)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/41618211/
        NOTE: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36
@@ -6556,6 +6562,7 @@ CVE-2026-28979 (An out-of-bounds access issue was 
addressed with improved bounds
        NOT-FOR-US: Apple
 CVE-2026-14164 (A double free issue has been identified in libarchive's RAR5 
reader. D ...)
        - libarchive 3.8.8-1 (bug #1141180)
+       [trixie] - libarchive <no-dsa> (Minor issue)
        NOTE: https://github.com/libarchive/libarchive/issues/3069
        NOTE: https://github.com/libarchive/libarchive/pull/3071
        NOTE: 
https://github.com/libarchive/libarchive/commit/1c914cdfef533cbee1ae3aa21a89ba02ed4d5f61
 (master)
@@ -8655,15 +8662,19 @@ CVE-2026-56790 (CANBoat through 6.22, fixed in commit 
a5a22b7, contains an off-b
        - canboat <itp> (bug #921311)
 CVE-2026-56789 (RTKLIB through 2.4.3 contains a heap buffer overflow 
vulnerability in  ...)
        - rtklib <unfixed> (bug #1140766)
+       [trixie] - rtklib <no-dsa> (Minor issue)
        NOTE: https://github.com/tomojitakasu/RTKLIB/issues/796
 CVE-2026-56788 (RTKLIB through 2.4.3 contains an out-of-bounds read 
vulnerability in g ...)
        - rtklib <unfixed> (bug #1140766)
+       [trixie] - rtklib <no-dsa> (Minor issue)
        NOTE: https://github.com/tomojitakasu/RTKLIB/issues/797
 CVE-2026-56787 (RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read 
vulnera ...)
        - rtklib <unfixed> (bug #1140766)
+       [trixie] - rtklib <no-dsa> (Minor issue)
        NOTE: https://github.com/tomojitakasu/RTKLIB/issues/798
 CVE-2026-56786 (RTKLIB through 2.4.3 contains an out-of-bounds write 
vulnerability in  ...)
        - rtklib <unfixed> (bug #1140766)
+       [trixie] - rtklib <no-dsa> (Minor issue)
        NOTE: https://github.com/tomojitakasu/RTKLIB/issues/799
 CVE-2026-56779 (MaxKB before 2.10.0 contains a server-side request forgery 
vulnerabili ...)
        NOT-FOR-US: MaxKB
@@ -10403,6 +10414,7 @@ CVE-2026-54686 (Warp is an agentic development 
environment. From 0.2021.04.25.23
        NOT-FOR-US: Warp
 CVE-2026-54297 (Faraday is an HTTP client library abstraction layer that 
provides a co ...)
        - ruby-faraday 2.14.3-1
+       [trixie] - ruby-faraday <no-dsa> (Minor issue)
        NOTE: 
https://github.com/lostisland/faraday/security/advisories/GHSA-98m9-hrrm-r99r
 CVE-2026-53950 (@tryghost/activitypub is Ghost\u2019s social/federation client 
app. Pr ...)
        NOT-FOR-US: tryghost/activitypub
@@ -43985,8 +43997,12 @@ CVE-2026-40174 (Masa CMS is a content management 
system forked from Mura CMS. In
        NOT-FOR-US: Masa CMS
 CVE-2026-40171 (In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab 
versions  ...)
        - jupyter-notebook <unfixed>
+       [trixie] - jupyter-notebook <not-affected> (Vulnerable code not 
present, introduced in 7.0)
+       [bookworm] - jupyter-notebook <not-affected> (Vulnerable code not 
present, introduced in 7.0)
+       [bullseye] - jupyter-notebook <not-affected> (Vulnerable code not 
present, introduced in 7.0)
        - jupyterlab <unfixed>
        NOTE: 
https://github.com/jupyter/notebook/security/advisories/GHSA-rch3-82jr-f9w9
+       NOTE: 
https://github.com/jupyter/notebook/commit/50e5222c9670121c3369900c7dce01aae53823fc
 CVE-2026-40076 (OpenMRS Core is an open source electronic medical record 
system platfo ...)
        NOT-FOR-US: OpenMRS
 CVE-2026-40004 (There exists an openssl.cnf privilege escalation vulnerability 
in ZTE  ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -115,6 +115,8 @@ rust-wasmtime
 --
 shaarli
 --
+starlette
+--
 tomcat10
 --
 tomcat11



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9eb03e0cb798c94f13d7cbeeeff13f83b48402e

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9eb03e0cb798c94f13d7cbeeeff13f83b48402e
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to