Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
f062a5c6 by Moritz Muehlenhoff at 2026-07-09T16:05:00+02:00
trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -483,11 +483,13 @@ CVE-2026-59887 (linkify-it is a links recognition library
with full Unicode supp
TODO: check
CVE-2026-59883 (Guzzle is an extensible PHP HTTP client. Prior to 7.12.3,
CookieJar di ...)
- guzzle 7.12.3-1
+ [trixie] - guzzle <no-dsa> (Minor issue)
NOTE:
https://github.com/guzzle/guzzle/security/advisories/GHSA-g446-98w2-8p5w
NOTE: https://github.com/guzzle/guzzle/pull/3694
NOTE: Fixed by:
https://github.com/guzzle/guzzle/commit/b9944c161b12d9ee9c9334cfc5b9659ecd7451f8
(7.12.3)
CVE-2026-59882 (guzzlehttp/psr7 is a PSR-7 HTTP message library implementation
in PHP. ...)
- php-guzzlehttp-psr7 2.12.3-1
+ [trixie] - php-guzzlehttp-psr7 <no-dsa> (Minor issue)
NOTE:
https://github.com/guzzle/psr7/security/advisories/GHSA-c2w2-prh8-qm98
NOTE: https://github.com/guzzle/psr7/pull/811
NOTE: Fixed by:
https://github.com/guzzle/psr7/commit/ddd64f17d4cc1f7e5ffe6fd2c989ec7221712580
(2.12.3)
@@ -996,6 +998,7 @@ CVE-2026-53729 (DataEase is an open source data
visualization and analysis tool.
NOT-FOR-US: DataEase
CVE-2026-53511 (calibre is an e-book manager. Prior to 9.10.0, a malicious
EPUB, OPF, ...)
- calibre 9.10.0+ds+~0.10.6-1
+ [trixie] - calibre <no-dsa> (Minor issue)
NOTE:
https://github.com/kovidgoyal/calibre/security/advisories/GHSA-2j4m-2q7x-2c47
NOTE: Fixed by:
https://github.com/kovidgoyal/calibre/commit/712f4e1ff5c1e798c335bef3bacc4efdee052e9c
(v9.10.0)
CVE-2026-53483 (Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7,
LTS2026 r ...)
@@ -8073,6 +8076,7 @@ CVE-2026-9639 (Nil-pointer dereference in
CreateCustomVolumeFromBackup in LXD up
NOTE: https://github.com/canonical/lxd/pull/18390
CVE-2026-6658 (A vulnerability in jupyter/nbconvert versions <= 7.17.0 allows
for Cro ...)
- nbconvert <unfixed>
+ [trixie] - nbconvert <no-dsa> (Minor issue)
NOTE: https://huntr.com/bounties/47570290-3b26-4477-8cfa-fdef7db5aefe
CVE-2026-5757 (Unauthenticated remote information disclosure vulnerability in
Ollama' ...)
- ollama <itp> (bug #1094806)
@@ -8938,29 +8942,37 @@ CVE-2026-57451 (Vim is an open source, command line
text editor. Prior to 9.2.06
NOTE: Fixed by:
https://github.com/vim/vim/commit/b2338ca90643e2f01ecb6547c1172716aaec4f79
(v9.2.0670)
CVE-2026-57438 (Nokogiri is an open source XML and HTML library for the Ruby
programmi ...)
- ruby-nokogiri 1.19.4+dfsg-1 (bug #1140769)
+ [trixie] - ruby-nokogiri <no-dsa> (Minor issue)
NOTE:
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wfpw-mmfh-qq69
CVE-2026-57437 (Nokogiri is an open source XML and HTML library for the Ruby
programmi ...)
- ruby-nokogiri 1.19.4+dfsg-1 (bug #1140769)
+ [trixie] - ruby-nokogiri <no-dsa> (Minor issue)
NOTE:
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-p67v-3w7g-wjg7
CVE-2026-57436 (Nokogiri is an open source XML and HTML library for the Ruby
programmi ...)
- ruby-nokogiri 1.19.4+dfsg-1 (bug #1140769)
+ [trixie] - ruby-nokogiri <no-dsa> (Minor issue)
NOTE:
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wjv4-x9w8-wm3h
CVE-2026-57435 (Nokogiri is an open source XML and HTML library for the Ruby
programmi ...)
- ruby-nokogiri 1.19.4+dfsg-1 (bug #1140769)
+ [trixie] - ruby-nokogiri <no-dsa> (Minor issue)
NOTE:
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-phwj-rprq-35pp
CVE-2026-57434 (Nokogiri is an open source XML and HTML library for the Ruby
programmi ...)
- ruby-nokogiri 1.19.4+dfsg-1 (bug #1140769)
+ [trixie] - ruby-nokogiri <no-dsa> (Minor issue)
NOTE:
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-9cv2-cfxc-v4v2
CVE-2026-57429 (Contributor Broken Access Control in Slim SEO <= 4.6.2
versions.)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-57236 (Nokogiri is an open source XML and HTML library for the Ruby
programmi ...)
- ruby-nokogiri 1.19.4+dfsg-1 (bug #1140769)
+ [trixie] - ruby-nokogiri <no-dsa> (Minor issue)
NOTE:
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5v8h-3h3q-446p
CVE-2026-57235 (Nokogiri is an open source XML and HTML library for the Ruby
programmi ...)
- ruby-nokogiri 1.19.4+dfsg-1 (bug #1140769)
+ [trixie] - ruby-nokogiri <no-dsa> (Minor issue)
NOTE:
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5prr-v3j2-97mh
CVE-2026-57234 (Nokogiri is an open source XML and HTML library for the Ruby
programmi ...)
- ruby-nokogiri 1.19.4+dfsg-1 (bug #1140769)
+ [trixie] - ruby-nokogiri <no-dsa> (Minor issue)
NOTE:
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-8678-w3jw-xfc2
CVE-2026-56790 (CANBoat through 6.22, fixed in commit a5a22b7, contains an
off-by-one ...)
- canboat <itp> (bug #921311)
@@ -14816,9 +14828,11 @@ CVE-2026-7300 (Buffer Copy without Checking Size of
Input ('Classic Buffer Overf
NOT-FOR-US: RTI Connext
CVE-2026-6734 (Impact: When using Socks5ProxyAgent, undici reuses a single
connection ...)
- node-undici 8.5.0+dfsg+~cs3.2.0-1 (bug #1140363)
+ [trixie] - node-undici <no-dsa> (Minor issue)
NOTE:
https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj
CVE-2026-6733 (Impact: Undici's HTTP/1.1 client is vulnerable to response
queue poiso ...)
- node-undici 8.5.0+dfsg+~cs3.2.0-1 (bug #1140363)
+ [trixie] - node-undici <no-dsa> (Minor issue)
NOTE:
https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52
CVE-2026-5667 (Use of Hard-coded Credentials vulnerability in Mitsubishi
Electric Roo ...)
NOT-FOR-US: Mitsubishi
@@ -19127,18 +19141,23 @@ CVE-2026-44692 (Sharp is a content management
framework built for Laravel as a p
NOT-FOR-US: Sharp
CVE-2026-44496 (Axios is a promise based HTTP client for the browser and
Node.js. Axio ...)
- node-axios 1.16.0-1
+ [trixie] - node-axios <no-dsa> (Minor issue)
NOTE:
https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf
CVE-2026-44495 (Axios is a promise based HTTP client for the browser and
Node.js. From ...)
- node-axios 1.15.2-1
+ [trixie] - node-axios <no-dsa> (Minor issue)
NOTE:
https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw
CVE-2026-44494 (Axios is a promise based HTTP client for the browser and
Node.js. From ...)
- node-axios 1.16.0-1
+ [trixie] - node-axios <no-dsa> (Minor issue)
NOTE:
https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh
CVE-2026-44492 (Axios is a promise based HTTP client for the browser and
Node.js. Prio ...)
- node-axios 1.16.0-1
+ [trixie] - node-axios <no-dsa> (Minor issue)
NOTE:
https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv
CVE-2026-44490 (Axios is a promise based HTTP client for the browser and
Node.js. Prio ...)
- node-axios 1.16.0-1
+ [trixie] - node-axios <no-dsa> (Minor issue)
NOTE:
https://github.com/axios/axios/security/advisories/GHSA-898c-q2cr-xwhg
CVE-2026-44489 (Axios is a promise based HTTP client for the browser and
Node.js. From ...)
- node-axios 1.16.0-1
@@ -19148,12 +19167,15 @@ CVE-2026-44489 (Axios is a promise based HTTP client
for the browser and Node.js
NOTE:
https://github.com/axios/axios/security/advisories/GHSA-654m-c8p4-x5fp
CVE-2026-44488 (Axios is a promise based HTTP client for the browser and
Node.js. Axio ...)
- node-axios 1.16.0-1
+ [trixie] - node-axios <no-dsa> (Minor issue)
NOTE:
https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf
CVE-2026-44487 (Axios is a promise based HTTP client for the browser and
Node.js. Prio ...)
- node-axios 1.16.0-1
+ [trixie] - node-axios <no-dsa> (Minor issue)
NOTE:
https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v
CVE-2026-44486 (Axios is a promise based HTTP client for the browser and
Node.js. Prio ...)
- node-axios 1.16.0-1
+ [trixie] - node-axios <no-dsa> (Minor issue)
NOTE:
https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc
CVE-2026-42568 (Yamcs is a mission control framework. Prior to versions 5.13.0
and 5.1 ...)
NOT-FOR-US: Yamcs
@@ -26741,6 +26763,7 @@ CVE-2026-44211 (Cline is an autonomous coding agent as
an SDK, IDE extension, or
NOT-FOR-US: Cline
CVE-2026-43958 (A flaw was found in rrdcached, a component of rrdtool. A local
attacke ...)
- rrdtool <unfixed> (bug #1140106)
+ [trixie] - rrdtool <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2460932
NOTE: Fixed by:
https://github.com/oetiker/rrdtool-1.x/commit/4218ec7127ba6c7ea1c20d7c8ea6e2b3f83df73a
(v1.10.0)
CVE-2026-43625 (CodexBar prior to 0.32.0 contains a session cookie leakage
vulnerabili ...)
@@ -29051,22 +29074,27 @@ CVE-2026-48735 (pypdf is a free and open-source
pure-python PDF library. Prior t
NOTE: https://github.com/py-pdf/pypdf/pull/3796
CVE-2026-48526 (PyJWT is a JSON Web Token implementation in Python. Prior to
2.13.0, w ...)
- pyjwt 2.13.0-1 (bug #1138191)
+ [trixie] - pyjwt <no-dsa> (Minor issue)
NOTE:
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx
NOTE:
https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81
(2.13.0)
CVE-2026-48525 (PyJWT is a JSON Web Token implementation in Python. From 2.8.0
to 2.12 ...)
- pyjwt 2.13.0-1 (bug #1138191)
+ [trixie] - pyjwt <no-dsa> (Minor issue)
NOTE:
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39
NOTE:
https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81
(2.13.0)
CVE-2026-48524 (PyJWT is a JSON Web Token implementation in Python. Prior to
2.13.0, P ...)
- pyjwt 2.13.0-1 (bug #1138191)
+ [trixie] - pyjwt <no-dsa> (Minor issue)
NOTE:
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8
NOTE:
https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81
(2.13.0)
CVE-2026-48523 (PyJWT is a JSON Web Token implementation in Python. From 2.9.0
to 2.12 ...)
- pyjwt 2.13.0-1 (bug #1138191)
+ [trixie] - pyjwt <no-dsa> (Minor issue)
NOTE:
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f
NOTE:
https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81
(2.13.0)
CVE-2026-48522 (PyJWT is a JSON Web Token implementation in Python. Prior to
2.13.0, P ...)
- pyjwt 2.13.0-1 (bug #1138191)
+ [trixie] - pyjwt <no-dsa> (Minor issue)
NOTE:
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4
NOTE:
https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81
(2.13.0)
CVE-2026-48156 (pypdf is a free and open-source pure-python PDF library. Prior
to 6.12 ...)
@@ -38220,6 +38248,7 @@ CVE-2026-41932 (Vvveb before 1.0.8.3 contains a stored
cross-site scripting vuln
NOT-FOR-US: Vvveb
CVE-2026-41888 (Distribution is a toolkit to pack, ship, store, and deliver
container ...)
- docker-registry <unfixed>
+ [trixie] - docker-registry <no-dsa> (Minor issue)
NOTE:
https://github.com/distribution/distribution/security/advisories/GHSA-6pjf-3r9x-m592
NOTE:
https://github.com/distribution/distribution/commit/8baf3e08266a19590cc5d4725f3976a9a876d4bf
(v3.1.1)
CVE-2026-41615 (Exposure of sensitive information to an unauthorized actor in
Microsof ...)
@@ -62773,6 +62802,7 @@ CVE-2026-33727 (Pi-hole is a Linux network-level
advertisement and Internet trac
NOT-FOR-US: Pi-Hole
CVE-2026-33540 (Distribution is a toolkit to pack, ship, store, and deliver
container ...)
- docker-registry <unfixed> (bug #1134567)
+ [trixie] - docker-registry <no-dsa> (Minor issue)
NOTE:
https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r
CVE-2026-33510 (Homarr is an open-source dashboard. Prior to 1.57.0, a
DOM-based Cross ...)
NOT-FOR-US: Homarr
@@ -74114,6 +74144,7 @@ CVE-2026-27895 (LDAP Account Manager (LAM) is a
webfrontend for managing entries
NOTE:
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8
CVE-2026-27894 (LDAP Account Manager (LAM) is a webfrontend for managing
entries (e.g. ...)
- ldap-account-manager 9.5.1-1 (bug #1131370)
+ [trixie] - ldap-account-manager <no-dsa> (Minor issue)
NOTE:
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf
CVE-2026-27811 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache
and Kee ...)
NOT-FOR-US: Roxy-WI
=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ botan3 (aron)
cacti
probably best to move to 1.2.31
--
+caddy
+--
chromium (dilinger)
--
cockpit
@@ -28,6 +30,8 @@ containerd
--
cups
--
+docker.io
+--
dulwich
--
erlang
@@ -68,6 +72,8 @@ libde265
libheif
possibly best to move to 1.23.0
--
+libxfont
+--
linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more 6.12.y versions
@@ -78,6 +84,8 @@ nodejs
--
node-dompurify
--
+openexr
+--
pacemaker
--
pdfminer (carnil)
@@ -90,6 +98,10 @@ podman
--
prometheus
--
+py7zr
+--
+python-httplib2
+--
python-msgpack
--
redis
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f062a5c652ab30d6e91989673fad376915fb892b
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f062a5c652ab30d6e91989673fad376915fb892b
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits