Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
7675245b by Moritz Muehlenhoff at 2026-07-09T17:50:10+02:00
trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -4,9 +4,11 @@ CVE-2026-57825
NOTE: https://github.com/ocaml/opam/pull/7005
CVE-2026-44918
- ironic 1:35.0.1-8 (bug #1141716)
+ [trixie] - ironic <no-dsa> (Minor issue)
NOTE: https://security.openstack.org/ossa/OSSA-2026-026.html
CVE-2026-54423
- ironic 1:35.0.1-8 (bug #1141717)
+ [trixie] - ironic <no-dsa> (Minor issue)
NOTE: https://security.openstack.org/ossa/OSSA-2026-025.html
CVE-2026-3886 [virtio-gpu: fix overflow check when allocating 2d image]
- qemu 1:11.0.0+ds-1
@@ -443,18 +445,22 @@ CVE-2026-59930 (Mistune is a Python Markdown parser with
renderers and plugins.
NOTE: Fixed by:
https://github.com/lepture/mistune/commit/c4093c4742ed0d10d9332fb8edb455869b7b581b
(v3.3.0)
CVE-2026-59929 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
- mistune <unfixed>
+ [trixie] - mistune <no-dsa> (Minor issue)
NOTE:
https://github.com/lepture/mistune/security/advisories/GHSA-qfrw-5rxm-mhh2
NOTE: Fixed by:
https://github.com/lepture/mistune/commit/c7101fcbb6e8790e8e39157c5ca2238fc6dd6cbc
(v3.3.0)
CVE-2026-59928 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
- mistune <unfixed>
+ [trixie] - mistune <no-dsa> (Minor issue)
NOTE:
https://github.com/lepture/mistune/security/advisories/GHSA-ffq3-xpv3-j92q
NOTE: Fixed by:
https://github.com/lepture/mistune/commit/2b04d7ba341c16ac78fe82d3076bdd5c3de87c69
(v3.3.0)
CVE-2026-59927 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
- mistune <unfixed>
+ [trixie] - mistune <no-dsa> (Minor issue)
NOTE:
https://github.com/lepture/mistune/security/advisories/GHSA-8mpj-m6qm-5qr8
NOTE: Fixed by:
https://github.com/lepture/mistune/commit/1bef343ade163fc3bb95572b15be720084cdb993
(v3.3.0)
CVE-2026-59926 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
- mistune <unfixed>
+ [trixie] - mistune <no-dsa> (Minor issue)
NOTE:
https://github.com/lepture/mistune/security/advisories/GHSA-g97x-gvcm-x72h
NOTE: Fixed by:
https://github.com/lepture/mistune/commit/a3cb6e5655308797e8be021d6c7b5bab13cbace2
(v3.2.1)
CVE-2026-59925 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
@@ -464,15 +470,18 @@ CVE-2026-59925 (Mistune is a Python Markdown parser with
renderers and plugins.
NOTE: Fixed by:
https://github.com/lepture/mistune/commit/5de41fb8e527004dbc363e047a3c380c9288c74f
(v3.3.0)
CVE-2026-59924 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
- mistune <unfixed>
+ [trixie] - mistune <no-dsa> (Minor issue)
NOTE:
https://github.com/lepture/mistune/security/advisories/GHSA-r4rv-85jg-w4mf
NOTE:
https://github.com/lepture/mistune/security/advisories/GHSA-r4rv-85jg-w4mf
NOTE: Fixed by:
https://github.com/lepture/mistune/commit/1bef343ade163fc3bb95572b15be720084cdb993
(v3.3.0)
CVE-2026-59923 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
- mistune <unfixed>
+ [trixie] - mistune <no-dsa> (Minor issue)
NOTE:
https://github.com/lepture/mistune/security/advisories/GHSA-8c25-4j27-2rv3
NOTE: Fixed by:
https://github.com/lepture/mistune/commit/c7101fcbb6e8790e8e39157c5ca2238fc6dd6cbc
(v3.3.0)
CVE-2026-59922 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
- mistune <unfixed>
+ [trixie] - mistune <no-dsa> (Minor issue)
NOTE:
https://github.com/lepture/mistune/security/advisories/GHSA-c8j7-8cv4-2xmq
NOTE: Fixed by:
https://github.com/lepture/mistune/commit/96d0f57f8fe9eeb06bb4cff521962a27d7c402e7
(v3.3.0)
CVE-2026-59897 (Hono is a Web application framework that provides support for
any Java ...)
@@ -502,11 +511,13 @@ CVE-2026-59882 (guzzlehttp/psr7 is a PSR-7 HTTP message
library implementation i
NOTE: Fixed by:
https://github.com/guzzle/psr7/commit/ddd64f17d4cc1f7e5ffe6fd2c989ec7221712580
(2.12.3)
CVE-2026-59880 (Immutable.js provides many Persistent Immutable data
structures. Prior ...)
- node-immutable <unfixed>
+ [trixie] - node-immutable <no-dsa> (Minor issue)
NOTE:
https://github.com/immutable-js/immutable-js/security/advisories/GHSA-xvcm-6775-5m9r
NOTE: Fixed by:
https://github.com/immutable-js/immutable-js/commit/3dd7e5655012597a41873e328bf9142a8901527b
(v4.3.9)
NOTE: Fixed by:
https://github.com/immutable-js/immutable-js/commit/e51d49fc612ded5ec4dfb94ff294d22074269b0f
(v5.1.8)
CVE-2026-59879 (Immutable.js provides many Persistent Immutable data
structures. Prior ...)
- node-immutable <unfixed>
+ [trixie] - node-immutable <no-dsa> (Minor issue)
NOTE:
https://github.com/immutable-js/immutable-js/security/advisories/GHSA-v56q-mh7h-f735
NOTE: Fixed by:
https://github.com/immutable-js/immutable-js/commit/f0bc997d8eb9886aff2236635aa210a95a04304a
(v4.3.9)
NOTE: Fixed by:
https://github.com/immutable-js/immutable-js/commit/a1a1ee412dcaa380ab325196283d06594ffe4b84
(v5.1.8)
@@ -3290,6 +3301,7 @@ CVE-2026-49779 (Customer Path Traversal in Tax Exempt for
WooCommerce <= 1.9.3 v
NOT-FOR-US: WordPress plugin or theme
CVE-2026-44941 (A relative path traversal in the "keyhint" option in
repomd.xml parsin ...)
- libzypp 17.38.12-1
+ [trixie] - libzypp <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/openSUSE/libzypp/commit/294b1bad442d089ca671c5c03adc8031e3b29e04
(17.38.12)
CVE-2026-44935 (Missing validation of "valuesFrom" references in Helm Deployer
of SUSE ...)
NOT-FOR-US: Rancher Fleet
@@ -8482,6 +8494,7 @@ CVE-2026-2053 (The WSO2 API Manager's message flow
component, when processing WS
NOT-FOR-US: WSO2
CVE-2026-28385 (In Canonical LXD versions 4.12 through 6.9, a Server-Side
Request Forg ...)
- lxd <removed>
+ [trixie] - lxd <postponed> (Fix along in future DSA)
NOTE:
https://github.com/canonical/lxd/security/advisories/GHSA-3gq2-x4qg-p4g6
NOTE: https://github.com/canonical/lxd/pull/18462
CVE-2026-24547 (Unauthenticated Broken Access Control in SiteGround Email
Marketing <= ...)
@@ -10828,6 +10841,7 @@ CVE-2026-44016 (Docling simplifies document processing
by parsing diverse format
NOT-FOR-US: Docling
CVE-2026-42450 (OpenColorIO is a color management framework for visual effects
and ani ...)
- opencolorio <unfixed> (bug #1141498)
+ [trixie] - opencolorio <no-dsa> (Minor issue)
NOTE:
https://github.com/AcademySoftwareFoundation/OpenColorIO/security/advisories/GHSA-rxp3-rrgx-f547
CVE-2026-35025 (ProFTPD through 1.3.9b and 1.3.10rc2 contains an access
control bypass ...)
- proftpd-dfsg <unfixed>
@@ -66262,7 +66276,7 @@ CVE-2026-33026 (Nginx UI is a web user interface for
the Nginx web server. Prior
CVE-2026-34582 (Botan is a C++ cryptography library. Prior to version 3.11.1,
the TLS ...)
[experimental] - botan3 3.11.0+dfsg-1
- botan3 3.11.0+dfsg-2
- - botan <removed>
+ - botan <not-affected> (Only affects 3.x)
NOTE:
https://github.com/randombit/botan/security/advisories/GHSA-pxcj-9ppx-g86g
NOTE: https://github.com/randombit/botan/pull/5499
NOTE: Fixed by:
https://github.com/randombit/botan/commit/4190398599413373f55b1073ac06fefd494af8c6
(3.11.1)
@@ -66274,6 +66288,7 @@ CVE-2026-32884 (Botan is a C++ cryptography library.
Prior to version 3.11.0, du
[experimental] - botan3 3.11.0+dfsg-1
- botan3 3.11.0+dfsg-2
- botan <removed>
+ [trixie] - botan <no-dsa> (Minor issue)
NOTE:
https://github.com/randombit/botan/security/advisories/GHSA-7c3g-7763-ggj5
CVE-2026-32883 (Botan is a C++ cryptography library. From version 3.0.0 to
before vers ...)
[experimental] - botan3 3.11.0+dfsg-1
@@ -66285,6 +66300,7 @@ CVE-2026-32877 (Botan is a C++ cryptography library.
From version 2.3.0 to befor
[experimental] - botan3 3.11.0+dfsg-1
- botan3 3.11.0+dfsg-2
- botan <removed>
+ [trixie] - botan <no-dsa> (Minor issue)
NOTE:
https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6
NOTE:
https://github.com/randombit/botan/commit/f3c31f96f58f1d1d482032d8f4286dc9ebbc6712
(3.11.0)
CVE-2026-32794 (Improper Certificate Validation vulnerability in Apache
Airflow Provid ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -11,10 +11,15 @@ To pick an issue, simply add your uid behind it.
If needed, specify the release by adding a slash after the name of the source
package.
+--
+activemq
+ probably best to move to latest 5.19 version
--
amd64-microcode (carnil)
Coordinating with maintainer DSA/bookworm-pu and sync with mitgations in
src:linux
--
+aom
+--
botan3 (aron)
--
cacti
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7675245bc2da467020d3c5d3001ec6f701834ba4
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7675245bc2da467020d3c5d3001ec6f701834ba4
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits