Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2eafa695 by Moritz Muehlenhoff at 2026-07-09T13:21:14+02:00
trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -614,14 +614,15 @@ CVE-2026-56401 (Wazuh wazuh-modulesd before 5.0.0-beta3 
contains a null pointer
        NOT-FOR-US: Wazuh
 CVE-2026-56374 (ImageMagick before 7.1.2-19 contains a heap buffer overflow 
vulnerabil ...)
        - imagemagick 8:7.1.2.19+dfsg1-1
+       [trixie] - imagemagick <postponed> (Minor issue, fix along in future 
update)
        [bookworm] - imagemagick <not-affected> (coder FTXT introduced later)
        [bullseye] - imagemagick <not-affected> (coder FTXT introduced later)
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-w54j-7wpm-crhj
        NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/22aef933133770706caafb93f814f5306dcca345
 (7.1.2-19)
 CVE-2026-56362 (ImageMagick before 7.1.2-15 contains a heap-buffer-overflow 
read vulne ...)
-       - imagemagick <undetermined>
+       - imagemagick <unfixed>
+       [trixie] - imagemagick <postponed> (Minor issue, fix along in future 
update)
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gq5v-qf8q-fp77
-       TODO: chedk fixing commit
 CVE-2026-56360 (n8n before versions 1.123.18 and 2.6.2 fails to verify 
HMAC-SHA256 sig ...)
        NOT-FOR-US: n8n
 CVE-2026-56359 (n8n before 2.8.0 contains a cross-site scripting vulnerability 
in the  ...)
@@ -1930,6 +1931,7 @@ CVE-2026-13705 (Imager versions before 1.032 for Perl 
have a heap out-of-bounds
        NOTE: Fixed by: 
https://github.com/tonycoz/imager/commit/f28de02770dfc26ffbdc32048970ed84babbf730
 (v1.032)
 CVE-2026-XXXX [RUSTSEC-2026-0195]
        - rust-quick-xml <unfixed> (bug #1141588)
+       [trixie] - rust-quick-xml <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0195.html
        NOTE: https://github.com/tafia/quick-xml/issues/970
        NOTE: 
https://github.com/tafia/quick-xml/commit/7ca25266e94987210daa864889ab15c9332c8a2a
 (v0.41.0)
@@ -8702,6 +8704,7 @@ CVE-2026-2299 (The Mattermost Google Drive plugin before 
version 1.1.0 fails to
        NOT-FOR-US: Mattermost plugin
 CVE-2026-22879 (vtk vtk-dicom vtkDICOMItem::NewDataElement heap-based buffer 
overflow  ...)
        - vtk-dicom <unfixed>
+       [trixie] - vtk-dicom <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2366
 CVE-2026-13322 (A flaw was found in KubeVirt's downward metrics virtio-serial 
server.  ...)
        NOT-FOR-US: KubeVirt
@@ -12918,6 +12921,7 @@ CVE-2026-55409 (Filament is a collection of full-stack 
components for accelerate
        NOT-FOR-US: Filament
 CVE-2026-54911 (UltraJSON is a fast JSON encoder and decoder written in pure C 
with bi ...)
        - ujson 5.13.0-1 (bug #1140630)
+       [trixie] - ujson <no-dsa> (Minor issue)
        NOTE: 
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-3j69-69wj-xqx2
        NOTE: 
https://github.com/ultrajson/ultrajson/commit/169eaf36b1116fece5034ee79a7a0ef3f6deedcf
 (5.13.0)
 CVE-2026-54651 (pypdf is a free and open-source pure-python PDF library. Prior 
to 6.13 ...)
@@ -13176,10 +13180,12 @@ CVE-2026-54282 (Starlette is a lightweight ASGI 
framework/toolkit. Prior to 1.3.
        NOTE: Fixed by: 
https://github.com/Kludex/starlette/commit/167b5850e809f38b27fbfed62d58bf6442855975
 (1.3.0)
 CVE-2026-54280 (AIOHTTP is an asynchronous HTTP client/server framework for 
asyncio an ...)
        - python-aiohttp 3.14.1-1
+       [trixie] - python-aiohttp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9x8q-7h8h-wcw9
        NOTE: Fixed by: 
https://github.com/aio-libs/aiohttp/commit/a762eda5242f6490d6ba667533193f8b473ad587
 (v3.14.1)
 CVE-2026-54279 (AIOHTTP is an asynchronous HTTP client/server framework for 
asyncio an ...)
        - python-aiohttp 3.14.1-1
+       [trixie] - python-aiohttp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-2fqr-mr3j-6wp8
        NOTE: Fixed by: 
https://github.com/aio-libs/aiohttp/commit/a329a7aacad5284f087af36103aff778746da0f2
 (v3.14.1)
 CVE-2026-54278 (AIOHTTP is an asynchronous HTTP client/server framework for 
asyncio an ...)
@@ -13192,6 +13198,7 @@ CVE-2026-54278 (AIOHTTP is an asynchronous HTTP 
client/server framework for asyn
        NOTE: Major rewrite in: 
https://github.com/aio-libs/aiohttp/commit/b502ae655c8788b469dcc832923a85d661719699
 (v3.14.0)
 CVE-2026-54277 (AIOHTTP is an asynchronous HTTP client/server framework for 
asyncio an ...)
        - python-aiohttp 3.14.1-1
+       [trixie] - python-aiohttp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2
        NOTE: Fixed by: 
https://github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804d
 (v3.14.1)
 CVE-2026-54276 (AIOHTTP is an asynchronous HTTP client/server framework for 
asyncio an ...)
@@ -13205,10 +13212,12 @@ CVE-2026-54276 (AIOHTTP is an asynchronous HTTP 
client/server framework for asyn
        NOTE: Introduced with: https://github.com/aio-libs/aiohttp/pull/10894 
(v3.12.0b0)
 CVE-2026-54275 (AIOHTTP is an asynchronous HTTP client/server framework for 
asyncio an ...)
        - python-aiohttp 3.14.1-1
+       [trixie] - python-aiohttp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-4m7w-qmgq-4wj5
        NOTE: Fixed by: 
https://github.com/aio-libs/aiohttp/commit/0ca2b6c28a25726527a8b60f25960262a91ed0e0
 (v3.14.1)
 CVE-2026-54274 (AIOHTTP is an asynchronous HTTP client/server framework for 
asyncio an ...)
        - python-aiohttp 3.14.1-1
+       [trixie] - python-aiohttp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xcgm-r5h9-7989
        NOTE: Fixed by: 
https://github.com/aio-libs/aiohttp/commit/14b6ee851fb16ec199acb950de0c82d476799e7d
 (v3.14.1)
 CVE-2026-54273 (AIOHTTP is an asynchronous HTTP client/server framework for 
asyncio an ...)
@@ -13314,6 +13323,7 @@ CVE-2026-50555 (Angular is a development platform for 
building mobile and deskto
        NOTE: 
https://github.com/angular/angular/security/advisories/GHSA-hqr9-c56f-3x7
 CVE-2026-50269 (AIOHTTP is an asynchronous HTTP client/server framework for 
asyncio an ...)
        - python-aiohttp 3.14.0-1
+       [trixie] - python-aiohttp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-m6qw-4cw2-hm4m
        NOTE: Fixed by: 
https://github.com/aio-libs/aiohttp/commit/bf88077ebb14f4c29924b8e8904cba20c55c28b8
 (v3.14.0)
 CVE-2026-50184 (Angular is a development platform for building mobile and 
desktop web  ...)
@@ -30175,6 +30185,7 @@ CVE-2026-44681 (Authlib is a Python library which 
builds OAuth and OpenID Connec
        NOTE: 
https://github.com/authlib/authlib/security/advisories/GHSA-r95x-qfjj-fjj2
 CVE-2026-44660 (UltraJSON is a fast JSON encoder and decoder written in pure C 
with bi ...)
        - ujson 5.13.0-1 (bug #1138258)
+       [trixie] - ujson <no-dsa> (Minor issue)
        [bullseye] - ujson <postponed> (Minor issue)
        NOTE: 
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg
        NOTE: Fixed by: 
https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9
 (5.12.1)
@@ -32849,11 +32860,13 @@ CVE-2026-48961 (IO::Compress versions from 2.207 
before 2.220 for Perl ship a zi
        NOTE: Fixed by: 
https://github.com/pmqs/IO-Compress/commit/33c89d03d6e746ed2ead4f2f6570d47864c61bc7
 (v2.220)
 CVE-2026-48959 (IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU 
exhaust ...)
        - libio-compress-perl 2.220-1 (bug #1138051)
+       [trixie] - libio-compress-perl <no-dsa> (Minor issue)
        - perl 5.40.1-8 (bug #1138856)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/40434381/
        NOTE: Fixed by: 
https://github.com/pmqs/IO-Compress/commit/68db44076f4c1a86a2ffe53a958eac6cabaf72e2
 (v2.220)
 CVE-2025-15649 (IO::Uncompress::Unzip versions before 2.215 for Perl propagate 
uncaugh ...)
        - libio-compress-perl 2.217-1
+       [trixie] - libio-compress-perl <no-dsa> (Minor issue)
        - perl 5.40.1-8 (bug #1138863)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/40434380/
        NOTE: https://github.com/pmqs/IO-Compress/issues/65
@@ -64936,6 +64949,7 @@ CVE-2026-34525 (AIOHTTP is an asynchronous HTTP 
client/server framework for asyn
 CVE-2026-34520 (AIOHTTP is an asynchronous HTTP client/server framework for 
asyncio an ...)
        {DLA-4613-1}
        - python-aiohttp 3.13.5-1 (bug #1132582)
+       [trixie] - python-aiohttp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hf-3vf5-4wqf
        NOTE: Fixed by: 
https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4
 (v3.13.4)
 CVE-2026-34519 (AIOHTTP is an asynchronous HTTP client/server framework for 
asyncio an ...)
@@ -66583,6 +66597,7 @@ CVE-2026-33691 (The OWASP core rule set (CRS) is a set 
of generic attack detecti
 CVE-2026-35536 (In Tornado before 6.5.5, cookie attribute injection could 
occur becaus ...)
        {DLA-4520-1}
        - python-tornado 6.5.5-1 (bug #1132367)
+       [trixie] - python-tornado <no-dsa> (Minor issue)
        NOTE: 
https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7
        NOTE: Fixed by: 
https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104
 (v6.5.5)
 CVE-2026-5046 (A flaw has been found in Tenda FH1201 1.2.0.14(408). Affected 
is the f ...)
@@ -72614,6 +72629,7 @@ CVE-2026-33056 (tar-rs is a tar archive reading/writing 
library for Rust. In ver
        [trixie] - rustc <no-dsa> (Minor issue)
        [bullseye] - rustc <postponed> (Minor issue, parsing inconsistencies 
among tar libraries, requires recompiling rdeps)
        - rust-tar 0.4.45-1 (bug #1131481)
+       [trixie] - rust-tar <no-dsa> (Minor issue)
        [bullseye] - rust-tar <postponed> (Minor issue, parsing inconsistencies 
among tar libraries, requires recompiling rdeps)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0067.html
        NOTE: 
https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph
@@ -72623,6 +72639,7 @@ CVE-2026-33055 (tar-rs is a tar archive reading/writing 
library for Rust. Versio
        [trixie] - rustc <no-dsa> (Minor issue)
        [bullseye] - rustc <postponed> (Minor issue, path traversal, requires 
recompiling rdeps)
        - rust-tar 0.4.45-1 (bug #1131480)
+       [trixie] - rust-tar <no-dsa> (Minor issue)
        [bullseye] - rust-tar <postponed> (Minor issue, path traversal, 
requires recompiling rdeps)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0068.html
        NOTE: 
https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff
@@ -72724,12 +72741,14 @@ CVE-2026-32880 (ChurchCRM is an open-source church 
management system. Versions p
        NOT-FOR-US: ChurchCRM
 CVE-2026-32875 (UltraJSON is a fast JSON encoder and decoder written in pure C 
with bi ...)
        - ujson 5.13.0-1 (bug #1131485)
+       [trixie] - ujson <no-dsa> (Minor issue)
        [bullseye] - ujson <postponed> (Minor issue; DoS)
        NOTE: 
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c8rr-9gxc-jprv
        NOTE: https://github.com/ultrajson/ultrajson/issues/700
        NOTE: Fixed by: 
https://github.com/ultrajson/ultrajson/commit/486bd4553dc471a1de11613bc7347a6b318e37ea
 (5.12.0)
 CVE-2026-32874 (UltraJSON is a fast JSON encoder and decoder written in pure C 
with bi ...)
        - ujson 5.13.0-1 (bug #1131486)
+       [trixie] - ujson <no-dsa> (Minor issue)
        [bullseye] - ujson <postponed> (Minor issue; DoS)
        NOTE: 
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm
        NOTE: Fixed by: 
https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2
 (5.12.0)
@@ -76541,6 +76560,7 @@ CVE-2026-31959 (Quill provides simple mac binary 
signing and notarization from a
 CVE-2026-31958 (Tornado is a Python web framework and asynchronous networking 
library. ...)
        {DLA-4520-1}
        - python-tornado 6.5.5-1 (bug #1130507)
+       [trixie] - python-tornado <no-dsa> (Minor issue)
        NOTE: 
https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc
        NOTE: Fixed by: 
https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839
 (v6.5.5)
 CVE-2026-31957 (Himmelblau is an interoperability suite for Microsoft Azure 
Entra ID a ...)
@@ -80805,6 +80825,7 @@ CVE-2026-27971 (Qwik is a performance focused 
javascript framework. qwik <=1.19.
        - qwik <removed>
 CVE-2026-27932 (joserfc is a Python library that provides an implementation of 
several ...)
        - joserfc 1.6.3-1
+       [trixie] - joserfc <no-dsa> (Minor issue)
        NOTE: 
https://github.com/authlib/joserfc/security/advisories/GHSA-w5r5-m38g-f9f9
        NOTE: Fixed by: 
https://github.com/authlib/joserfc/commit/696a9611ab982c45ee2190ed79ca8e1d8e09398f
 (1.6.3)
 CVE-2026-27905 (BentoML is a Python library for building online serving 
systems optimi ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -55,6 +55,8 @@ jetty12
 jq
   possibly move trixie to 1.8.2
 --
+jupyterlab
+--
 kamailio
 --
 kitty
@@ -117,6 +119,8 @@ shaarli
 --
 starlette
 --
+tiff
+--
 tomcat10
 --
 tomcat11



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2eafa6954be65e046e23fdf8c2ca38c5df2f3920

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2eafa6954be65e046e23fdf8c2ca38c5df2f3920
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to