Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
2eafa695 by Moritz Muehlenhoff at 2026-07-09T13:21:14+02:00
trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -614,14 +614,15 @@ CVE-2026-56401 (Wazuh wazuh-modulesd before 5.0.0-beta3
contains a null pointer
NOT-FOR-US: Wazuh
CVE-2026-56374 (ImageMagick before 7.1.2-19 contains a heap buffer overflow
vulnerabil ...)
- imagemagick 8:7.1.2.19+dfsg1-1
+ [trixie] - imagemagick <postponed> (Minor issue, fix along in future
update)
[bookworm] - imagemagick <not-affected> (coder FTXT introduced later)
[bullseye] - imagemagick <not-affected> (coder FTXT introduced later)
NOTE:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-w54j-7wpm-crhj
NOTE: Fixed by:
https://github.com/ImageMagick/ImageMagick/commit/22aef933133770706caafb93f814f5306dcca345
(7.1.2-19)
CVE-2026-56362 (ImageMagick before 7.1.2-15 contains a heap-buffer-overflow
read vulne ...)
- - imagemagick <undetermined>
+ - imagemagick <unfixed>
+ [trixie] - imagemagick <postponed> (Minor issue, fix along in future
update)
NOTE:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gq5v-qf8q-fp77
- TODO: chedk fixing commit
CVE-2026-56360 (n8n before versions 1.123.18 and 2.6.2 fails to verify
HMAC-SHA256 sig ...)
NOT-FOR-US: n8n
CVE-2026-56359 (n8n before 2.8.0 contains a cross-site scripting vulnerability
in the ...)
@@ -1930,6 +1931,7 @@ CVE-2026-13705 (Imager versions before 1.032 for Perl
have a heap out-of-bounds
NOTE: Fixed by:
https://github.com/tonycoz/imager/commit/f28de02770dfc26ffbdc32048970ed84babbf730
(v1.032)
CVE-2026-XXXX [RUSTSEC-2026-0195]
- rust-quick-xml <unfixed> (bug #1141588)
+ [trixie] - rust-quick-xml <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0195.html
NOTE: https://github.com/tafia/quick-xml/issues/970
NOTE:
https://github.com/tafia/quick-xml/commit/7ca25266e94987210daa864889ab15c9332c8a2a
(v0.41.0)
@@ -8702,6 +8704,7 @@ CVE-2026-2299 (The Mattermost Google Drive plugin before
version 1.1.0 fails to
NOT-FOR-US: Mattermost plugin
CVE-2026-22879 (vtk vtk-dicom vtkDICOMItem::NewDataElement heap-based buffer
overflow ...)
- vtk-dicom <unfixed>
+ [trixie] - vtk-dicom <no-dsa> (Minor issue)
NOTE:
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2366
CVE-2026-13322 (A flaw was found in KubeVirt's downward metrics virtio-serial
server. ...)
NOT-FOR-US: KubeVirt
@@ -12918,6 +12921,7 @@ CVE-2026-55409 (Filament is a collection of full-stack
components for accelerate
NOT-FOR-US: Filament
CVE-2026-54911 (UltraJSON is a fast JSON encoder and decoder written in pure C
with bi ...)
- ujson 5.13.0-1 (bug #1140630)
+ [trixie] - ujson <no-dsa> (Minor issue)
NOTE:
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-3j69-69wj-xqx2
NOTE:
https://github.com/ultrajson/ultrajson/commit/169eaf36b1116fece5034ee79a7a0ef3f6deedcf
(5.13.0)
CVE-2026-54651 (pypdf is a free and open-source pure-python PDF library. Prior
to 6.13 ...)
@@ -13176,10 +13180,12 @@ CVE-2026-54282 (Starlette is a lightweight ASGI
framework/toolkit. Prior to 1.3.
NOTE: Fixed by:
https://github.com/Kludex/starlette/commit/167b5850e809f38b27fbfed62d58bf6442855975
(1.3.0)
CVE-2026-54280 (AIOHTTP is an asynchronous HTTP client/server framework for
asyncio an ...)
- python-aiohttp 3.14.1-1
+ [trixie] - python-aiohttp <no-dsa> (Minor issue)
NOTE:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9x8q-7h8h-wcw9
NOTE: Fixed by:
https://github.com/aio-libs/aiohttp/commit/a762eda5242f6490d6ba667533193f8b473ad587
(v3.14.1)
CVE-2026-54279 (AIOHTTP is an asynchronous HTTP client/server framework for
asyncio an ...)
- python-aiohttp 3.14.1-1
+ [trixie] - python-aiohttp <no-dsa> (Minor issue)
NOTE:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-2fqr-mr3j-6wp8
NOTE: Fixed by:
https://github.com/aio-libs/aiohttp/commit/a329a7aacad5284f087af36103aff778746da0f2
(v3.14.1)
CVE-2026-54278 (AIOHTTP is an asynchronous HTTP client/server framework for
asyncio an ...)
@@ -13192,6 +13198,7 @@ CVE-2026-54278 (AIOHTTP is an asynchronous HTTP
client/server framework for asyn
NOTE: Major rewrite in:
https://github.com/aio-libs/aiohttp/commit/b502ae655c8788b469dcc832923a85d661719699
(v3.14.0)
CVE-2026-54277 (AIOHTTP is an asynchronous HTTP client/server framework for
asyncio an ...)
- python-aiohttp 3.14.1-1
+ [trixie] - python-aiohttp <no-dsa> (Minor issue)
NOTE:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2
NOTE: Fixed by:
https://github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804d
(v3.14.1)
CVE-2026-54276 (AIOHTTP is an asynchronous HTTP client/server framework for
asyncio an ...)
@@ -13205,10 +13212,12 @@ CVE-2026-54276 (AIOHTTP is an asynchronous HTTP
client/server framework for asyn
NOTE: Introduced with: https://github.com/aio-libs/aiohttp/pull/10894
(v3.12.0b0)
CVE-2026-54275 (AIOHTTP is an asynchronous HTTP client/server framework for
asyncio an ...)
- python-aiohttp 3.14.1-1
+ [trixie] - python-aiohttp <no-dsa> (Minor issue)
NOTE:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-4m7w-qmgq-4wj5
NOTE: Fixed by:
https://github.com/aio-libs/aiohttp/commit/0ca2b6c28a25726527a8b60f25960262a91ed0e0
(v3.14.1)
CVE-2026-54274 (AIOHTTP is an asynchronous HTTP client/server framework for
asyncio an ...)
- python-aiohttp 3.14.1-1
+ [trixie] - python-aiohttp <no-dsa> (Minor issue)
NOTE:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xcgm-r5h9-7989
NOTE: Fixed by:
https://github.com/aio-libs/aiohttp/commit/14b6ee851fb16ec199acb950de0c82d476799e7d
(v3.14.1)
CVE-2026-54273 (AIOHTTP is an asynchronous HTTP client/server framework for
asyncio an ...)
@@ -13314,6 +13323,7 @@ CVE-2026-50555 (Angular is a development platform for
building mobile and deskto
NOTE:
https://github.com/angular/angular/security/advisories/GHSA-hqr9-c56f-3x7
CVE-2026-50269 (AIOHTTP is an asynchronous HTTP client/server framework for
asyncio an ...)
- python-aiohttp 3.14.0-1
+ [trixie] - python-aiohttp <no-dsa> (Minor issue)
NOTE:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-m6qw-4cw2-hm4m
NOTE: Fixed by:
https://github.com/aio-libs/aiohttp/commit/bf88077ebb14f4c29924b8e8904cba20c55c28b8
(v3.14.0)
CVE-2026-50184 (Angular is a development platform for building mobile and
desktop web ...)
@@ -30175,6 +30185,7 @@ CVE-2026-44681 (Authlib is a Python library which
builds OAuth and OpenID Connec
NOTE:
https://github.com/authlib/authlib/security/advisories/GHSA-r95x-qfjj-fjj2
CVE-2026-44660 (UltraJSON is a fast JSON encoder and decoder written in pure C
with bi ...)
- ujson 5.13.0-1 (bug #1138258)
+ [trixie] - ujson <no-dsa> (Minor issue)
[bullseye] - ujson <postponed> (Minor issue)
NOTE:
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg
NOTE: Fixed by:
https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9
(5.12.1)
@@ -32849,11 +32860,13 @@ CVE-2026-48961 (IO::Compress versions from 2.207
before 2.220 for Perl ship a zi
NOTE: Fixed by:
https://github.com/pmqs/IO-Compress/commit/33c89d03d6e746ed2ead4f2f6570d47864c61bc7
(v2.220)
CVE-2026-48959 (IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU
exhaust ...)
- libio-compress-perl 2.220-1 (bug #1138051)
+ [trixie] - libio-compress-perl <no-dsa> (Minor issue)
- perl 5.40.1-8 (bug #1138856)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40434381/
NOTE: Fixed by:
https://github.com/pmqs/IO-Compress/commit/68db44076f4c1a86a2ffe53a958eac6cabaf72e2
(v2.220)
CVE-2025-15649 (IO::Uncompress::Unzip versions before 2.215 for Perl propagate
uncaugh ...)
- libio-compress-perl 2.217-1
+ [trixie] - libio-compress-perl <no-dsa> (Minor issue)
- perl 5.40.1-8 (bug #1138863)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40434380/
NOTE: https://github.com/pmqs/IO-Compress/issues/65
@@ -64936,6 +64949,7 @@ CVE-2026-34525 (AIOHTTP is an asynchronous HTTP
client/server framework for asyn
CVE-2026-34520 (AIOHTTP is an asynchronous HTTP client/server framework for
asyncio an ...)
{DLA-4613-1}
- python-aiohttp 3.13.5-1 (bug #1132582)
+ [trixie] - python-aiohttp <no-dsa> (Minor issue)
NOTE:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hf-3vf5-4wqf
NOTE: Fixed by:
https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4
(v3.13.4)
CVE-2026-34519 (AIOHTTP is an asynchronous HTTP client/server framework for
asyncio an ...)
@@ -66583,6 +66597,7 @@ CVE-2026-33691 (The OWASP core rule set (CRS) is a set
of generic attack detecti
CVE-2026-35536 (In Tornado before 6.5.5, cookie attribute injection could
occur becaus ...)
{DLA-4520-1}
- python-tornado 6.5.5-1 (bug #1132367)
+ [trixie] - python-tornado <no-dsa> (Minor issue)
NOTE:
https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7
NOTE: Fixed by:
https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104
(v6.5.5)
CVE-2026-5046 (A flaw has been found in Tenda FH1201 1.2.0.14(408). Affected
is the f ...)
@@ -72614,6 +72629,7 @@ CVE-2026-33056 (tar-rs is a tar archive reading/writing
library for Rust. In ver
[trixie] - rustc <no-dsa> (Minor issue)
[bullseye] - rustc <postponed> (Minor issue, parsing inconsistencies
among tar libraries, requires recompiling rdeps)
- rust-tar 0.4.45-1 (bug #1131481)
+ [trixie] - rust-tar <no-dsa> (Minor issue)
[bullseye] - rust-tar <postponed> (Minor issue, parsing inconsistencies
among tar libraries, requires recompiling rdeps)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0067.html
NOTE:
https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph
@@ -72623,6 +72639,7 @@ CVE-2026-33055 (tar-rs is a tar archive reading/writing
library for Rust. Versio
[trixie] - rustc <no-dsa> (Minor issue)
[bullseye] - rustc <postponed> (Minor issue, path traversal, requires
recompiling rdeps)
- rust-tar 0.4.45-1 (bug #1131480)
+ [trixie] - rust-tar <no-dsa> (Minor issue)
[bullseye] - rust-tar <postponed> (Minor issue, path traversal,
requires recompiling rdeps)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0068.html
NOTE:
https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff
@@ -72724,12 +72741,14 @@ CVE-2026-32880 (ChurchCRM is an open-source church
management system. Versions p
NOT-FOR-US: ChurchCRM
CVE-2026-32875 (UltraJSON is a fast JSON encoder and decoder written in pure C
with bi ...)
- ujson 5.13.0-1 (bug #1131485)
+ [trixie] - ujson <no-dsa> (Minor issue)
[bullseye] - ujson <postponed> (Minor issue; DoS)
NOTE:
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c8rr-9gxc-jprv
NOTE: https://github.com/ultrajson/ultrajson/issues/700
NOTE: Fixed by:
https://github.com/ultrajson/ultrajson/commit/486bd4553dc471a1de11613bc7347a6b318e37ea
(5.12.0)
CVE-2026-32874 (UltraJSON is a fast JSON encoder and decoder written in pure C
with bi ...)
- ujson 5.13.0-1 (bug #1131486)
+ [trixie] - ujson <no-dsa> (Minor issue)
[bullseye] - ujson <postponed> (Minor issue; DoS)
NOTE:
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm
NOTE: Fixed by:
https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2
(5.12.0)
@@ -76541,6 +76560,7 @@ CVE-2026-31959 (Quill provides simple mac binary
signing and notarization from a
CVE-2026-31958 (Tornado is a Python web framework and asynchronous networking
library. ...)
{DLA-4520-1}
- python-tornado 6.5.5-1 (bug #1130507)
+ [trixie] - python-tornado <no-dsa> (Minor issue)
NOTE:
https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc
NOTE: Fixed by:
https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839
(v6.5.5)
CVE-2026-31957 (Himmelblau is an interoperability suite for Microsoft Azure
Entra ID a ...)
@@ -80805,6 +80825,7 @@ CVE-2026-27971 (Qwik is a performance focused
javascript framework. qwik <=1.19.
- qwik <removed>
CVE-2026-27932 (joserfc is a Python library that provides an implementation of
several ...)
- joserfc 1.6.3-1
+ [trixie] - joserfc <no-dsa> (Minor issue)
NOTE:
https://github.com/authlib/joserfc/security/advisories/GHSA-w5r5-m38g-f9f9
NOTE: Fixed by:
https://github.com/authlib/joserfc/commit/696a9611ab982c45ee2190ed79ca8e1d8e09398f
(1.6.3)
CVE-2026-27905 (BentoML is a Python library for building online serving
systems optimi ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -55,6 +55,8 @@ jetty12
jq
possibly move trixie to 1.8.2
--
+jupyterlab
+--
kamailio
--
kitty
@@ -117,6 +119,8 @@ shaarli
--
starlette
--
+tiff
+--
tomcat10
--
tomcat11
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2eafa6954be65e046e23fdf8c2ca38c5df2f3920
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2eafa6954be65e046e23fdf8c2ca38c5df2f3920
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits