Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7675245b by Moritz Muehlenhoff at 2026-07-09T17:50:10+02:00
trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -4,9 +4,11 @@ CVE-2026-57825
        NOTE: https://github.com/ocaml/opam/pull/7005
 CVE-2026-44918
        - ironic 1:35.0.1-8 (bug #1141716)
+       [trixie] - ironic <no-dsa> (Minor issue)
        NOTE: https://security.openstack.org/ossa/OSSA-2026-026.html
 CVE-2026-54423
        - ironic 1:35.0.1-8 (bug #1141717)
+       [trixie] - ironic <no-dsa> (Minor issue)
        NOTE: https://security.openstack.org/ossa/OSSA-2026-025.html
 CVE-2026-3886 [virtio-gpu: fix overflow check when allocating 2d image]
        - qemu 1:11.0.0+ds-1
@@ -443,18 +445,22 @@ CVE-2026-59930 (Mistune is a Python Markdown parser with 
renderers and plugins.
        NOTE: Fixed by: 
https://github.com/lepture/mistune/commit/c4093c4742ed0d10d9332fb8edb455869b7b581b
 (v3.3.0)
 CVE-2026-59929 (Mistune is a Python Markdown parser with renderers and 
plugins. Prior  ...)
        - mistune <unfixed>
+       [trixie] - mistune <no-dsa> (Minor issue)
        NOTE: 
https://github.com/lepture/mistune/security/advisories/GHSA-qfrw-5rxm-mhh2
        NOTE: Fixed by: 
https://github.com/lepture/mistune/commit/c7101fcbb6e8790e8e39157c5ca2238fc6dd6cbc
 (v3.3.0)
 CVE-2026-59928 (Mistune is a Python Markdown parser with renderers and 
plugins. Prior  ...)
        - mistune <unfixed>
+       [trixie] - mistune <no-dsa> (Minor issue)
        NOTE: 
https://github.com/lepture/mistune/security/advisories/GHSA-ffq3-xpv3-j92q
        NOTE: Fixed by: 
https://github.com/lepture/mistune/commit/2b04d7ba341c16ac78fe82d3076bdd5c3de87c69
 (v3.3.0)
 CVE-2026-59927 (Mistune is a Python Markdown parser with renderers and 
plugins. Prior  ...)
        - mistune <unfixed>
+       [trixie] - mistune <no-dsa> (Minor issue)
        NOTE: 
https://github.com/lepture/mistune/security/advisories/GHSA-8mpj-m6qm-5qr8
        NOTE: Fixed by: 
https://github.com/lepture/mistune/commit/1bef343ade163fc3bb95572b15be720084cdb993
 (v3.3.0)
 CVE-2026-59926 (Mistune is a Python Markdown parser with renderers and 
plugins. Prior  ...)
        - mistune <unfixed>
+       [trixie] - mistune <no-dsa> (Minor issue)
        NOTE: 
https://github.com/lepture/mistune/security/advisories/GHSA-g97x-gvcm-x72h
        NOTE: Fixed by: 
https://github.com/lepture/mistune/commit/a3cb6e5655308797e8be021d6c7b5bab13cbace2
 (v3.2.1)
 CVE-2026-59925 (Mistune is a Python Markdown parser with renderers and 
plugins. Prior  ...)
@@ -464,15 +470,18 @@ CVE-2026-59925 (Mistune is a Python Markdown parser with 
renderers and plugins.
        NOTE: Fixed by: 
https://github.com/lepture/mistune/commit/5de41fb8e527004dbc363e047a3c380c9288c74f
 (v3.3.0)
 CVE-2026-59924 (Mistune is a Python Markdown parser with renderers and 
plugins. Prior  ...)
        - mistune <unfixed>
+       [trixie] - mistune <no-dsa> (Minor issue)
        NOTE: 
https://github.com/lepture/mistune/security/advisories/GHSA-r4rv-85jg-w4mf
        NOTE: 
https://github.com/lepture/mistune/security/advisories/GHSA-r4rv-85jg-w4mf
        NOTE: Fixed by: 
https://github.com/lepture/mistune/commit/1bef343ade163fc3bb95572b15be720084cdb993
 (v3.3.0)
 CVE-2026-59923 (Mistune is a Python Markdown parser with renderers and 
plugins. Prior  ...)
        - mistune <unfixed>
+       [trixie] - mistune <no-dsa> (Minor issue)
        NOTE: 
https://github.com/lepture/mistune/security/advisories/GHSA-8c25-4j27-2rv3
        NOTE: Fixed by: 
https://github.com/lepture/mistune/commit/c7101fcbb6e8790e8e39157c5ca2238fc6dd6cbc
 (v3.3.0)
 CVE-2026-59922 (Mistune is a Python Markdown parser with renderers and 
plugins. Prior  ...)
        - mistune <unfixed>
+       [trixie] - mistune <no-dsa> (Minor issue)
        NOTE: 
https://github.com/lepture/mistune/security/advisories/GHSA-c8j7-8cv4-2xmq
        NOTE: Fixed by: 
https://github.com/lepture/mistune/commit/96d0f57f8fe9eeb06bb4cff521962a27d7c402e7
 (v3.3.0)
 CVE-2026-59897 (Hono is a Web application framework that provides support for 
any Java ...)
@@ -502,11 +511,13 @@ CVE-2026-59882 (guzzlehttp/psr7 is a PSR-7 HTTP message 
library implementation i
        NOTE: Fixed by: 
https://github.com/guzzle/psr7/commit/ddd64f17d4cc1f7e5ffe6fd2c989ec7221712580 
(2.12.3)
 CVE-2026-59880 (Immutable.js provides many Persistent Immutable data 
structures. Prior ...)
        - node-immutable <unfixed>
+       [trixie] - node-immutable <no-dsa> (Minor issue)
        NOTE: 
https://github.com/immutable-js/immutable-js/security/advisories/GHSA-xvcm-6775-5m9r
        NOTE: Fixed by: 
https://github.com/immutable-js/immutable-js/commit/3dd7e5655012597a41873e328bf9142a8901527b
 (v4.3.9)
        NOTE: Fixed by: 
https://github.com/immutable-js/immutable-js/commit/e51d49fc612ded5ec4dfb94ff294d22074269b0f
 (v5.1.8)
 CVE-2026-59879 (Immutable.js provides many Persistent Immutable data 
structures. Prior ...)
        - node-immutable <unfixed>
+       [trixie] - node-immutable <no-dsa> (Minor issue)
        NOTE: 
https://github.com/immutable-js/immutable-js/security/advisories/GHSA-v56q-mh7h-f735
        NOTE: Fixed by: 
https://github.com/immutable-js/immutable-js/commit/f0bc997d8eb9886aff2236635aa210a95a04304a
 (v4.3.9)
        NOTE: Fixed by: 
https://github.com/immutable-js/immutable-js/commit/a1a1ee412dcaa380ab325196283d06594ffe4b84
 (v5.1.8)
@@ -3290,6 +3301,7 @@ CVE-2026-49779 (Customer Path Traversal in Tax Exempt for 
WooCommerce <= 1.9.3 v
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-44941 (A relative path traversal in the "keyhint" option in 
repomd.xml parsin ...)
        - libzypp 17.38.12-1
+       [trixie] - libzypp <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/openSUSE/libzypp/commit/294b1bad442d089ca671c5c03adc8031e3b29e04
 (17.38.12)
 CVE-2026-44935 (Missing validation of "valuesFrom" references in Helm Deployer 
of SUSE ...)
        NOT-FOR-US: Rancher Fleet
@@ -8482,6 +8494,7 @@ CVE-2026-2053 (The WSO2 API Manager's message flow 
component, when processing WS
        NOT-FOR-US: WSO2
 CVE-2026-28385 (In Canonical LXD versions 4.12 through 6.9, a Server-Side 
Request Forg ...)
        - lxd <removed>
+       [trixie] - lxd <postponed> (Fix along in future DSA)
        NOTE: 
https://github.com/canonical/lxd/security/advisories/GHSA-3gq2-x4qg-p4g6
        NOTE: https://github.com/canonical/lxd/pull/18462
 CVE-2026-24547 (Unauthenticated Broken Access Control in SiteGround Email 
Marketing <= ...)
@@ -10828,6 +10841,7 @@ CVE-2026-44016 (Docling simplifies document processing 
by parsing diverse format
        NOT-FOR-US: Docling
 CVE-2026-42450 (OpenColorIO is a color management framework for visual effects 
and ani ...)
        - opencolorio <unfixed> (bug #1141498)
+       [trixie] - opencolorio <no-dsa> (Minor issue)
        NOTE: 
https://github.com/AcademySoftwareFoundation/OpenColorIO/security/advisories/GHSA-rxp3-rrgx-f547
 CVE-2026-35025 (ProFTPD through 1.3.9b and 1.3.10rc2 contains an access 
control bypass ...)
        - proftpd-dfsg <unfixed>
@@ -66262,7 +66276,7 @@ CVE-2026-33026 (Nginx UI is a web user interface for 
the Nginx web server. Prior
 CVE-2026-34582 (Botan is a C++ cryptography library. Prior to version 3.11.1, 
the TLS  ...)
        [experimental] - botan3 3.11.0+dfsg-1
        - botan3 3.11.0+dfsg-2
-       - botan <removed>
+       - botan <not-affected> (Only affects 3.x)
        NOTE: 
https://github.com/randombit/botan/security/advisories/GHSA-pxcj-9ppx-g86g
        NOTE: https://github.com/randombit/botan/pull/5499
        NOTE: Fixed by: 
https://github.com/randombit/botan/commit/4190398599413373f55b1073ac06fefd494af8c6
 (3.11.1)
@@ -66274,6 +66288,7 @@ CVE-2026-32884 (Botan is a C++ cryptography library. 
Prior to version 3.11.0, du
        [experimental] - botan3 3.11.0+dfsg-1
        - botan3 3.11.0+dfsg-2
        - botan <removed>
+       [trixie] - botan <no-dsa> (Minor issue)
        NOTE: 
https://github.com/randombit/botan/security/advisories/GHSA-7c3g-7763-ggj5
 CVE-2026-32883 (Botan is a C++ cryptography library. From version 3.0.0 to 
before vers ...)
        [experimental] - botan3 3.11.0+dfsg-1
@@ -66285,6 +66300,7 @@ CVE-2026-32877 (Botan is a C++ cryptography library. 
From version 2.3.0 to befor
        [experimental] - botan3 3.11.0+dfsg-1
        - botan3 3.11.0+dfsg-2
        - botan <removed>
+       [trixie] - botan <no-dsa> (Minor issue)
        NOTE: 
https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6
        NOTE: 
https://github.com/randombit/botan/commit/f3c31f96f58f1d1d482032d8f4286dc9ebbc6712
 (3.11.0)
 CVE-2026-32794 (Improper Certificate Validation vulnerability in Apache 
Airflow Provid ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -11,10 +11,15 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source 
package.
 
+--
+activemq
+  probably best to move to latest 5.19 version
 --
 amd64-microcode (carnil)
   Coordinating with maintainer DSA/bookworm-pu and sync with mitgations in 
src:linux
 --
+aom
+--
 botan3 (aron)
 --
 cacti



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7675245bc2da467020d3c5d3001ec6f701834ba4

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7675245bc2da467020d3c5d3001ec6f701834ba4
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to