Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
f61e410c by Moritz Muehlenhoff at 2026-07-09T19:08:52+02:00
trixie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -69,12 +69,14 @@ CVE-2026-59939 (httplib2 is a comprehensive HTTP client
library for Python. Prio
NOTE: Fixed by:
https://github.com/httplib2/httplib2/commit/87581ad6cf752fe3da2090c59058261d2d00a427
(v0.32.0)
CVE-2026-59936 (pypdf is a free and open-source pure-python PDF library. Prior
to 6.14 ...)
- pypdf <unfixed>
+ [trixie] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
NOTE:
https://github.com/py-pdf/pypdf/security/advisories/GHSA-5xf7-4p34-54qr
NOTE: https://github.com/py-pdf/pypdf/pull/3891
NOTE: Fixed by:
https://github.com/py-pdf/pypdf/commit/ec3b14596186c40caca7cf8ab9b2155203e01b5b
(6.14.1)
CVE-2026-59935 (pypdf is a free and open-source pure-python PDF library. Prior
to 6.14 ...)
- pypdf <unfixed>
+ [trixie] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
NOTE:
https://github.com/py-pdf/pypdf/security/advisories/GHSA-g867-7843-wf8q
NOTE: https://github.com/py-pdf/pypdf/pull/3892
@@ -428,12 +430,14 @@ CVE-2026-5356 (The LatePoint \u2013 Calendar Booking
Plugin for Appointments and
NOT-FOR-US: WordPress plugin
CVE-2026-59938 (pypdf is a free and open-source pure-python PDF library. Prior
to 6.14 ...)
- pypdf <unfixed>
+ [trixie] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
NOTE:
https://github.com/py-pdf/pypdf/security/advisories/GHSA-5qjq-93h5-hrgp
NOTE: https://github.com/py-pdf/pypdf/pull/3888
NOTE: Fixed by:
https://github.com/py-pdf/pypdf/commit/c64583be16b8e8763d8777075f8ecbf382014b7a
(6.14.0)
CVE-2026-59937 (pypdf is a free and open-source pure-python PDF library. Prior
to 6.14 ...)
- pypdf <unfixed>
+ [trixie] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
NOTE:
https://github.com/py-pdf/pypdf/security/advisories/GHSA-55h5-xmcq-c37v
NOTE: https://github.com/py-pdf/pypdf/pull/3887
@@ -527,18 +531,22 @@ CVE-2026-59876 (protobufjs compiles protobuf definitions
into JavaScript (JS) fu
- node-protobufjs <itp> (bug #977564)
CVE-2026-59875 (node-tar is a tar archive manipulation library for Node.js.
Prior to 7 ...)
- node-tar <unfixed>
+ [trixie] - node-tar <no-dsa> (Minor issue)
NOTE:
https://github.com/isaacs/node-tar/security/advisories/GHSA-gvwx-54wh-qm9j
NOTE: Fixed by:
https://github.com/isaacs/node-tar/commit/7a635c29f5edbf083557374d43984273ecfed5b3
(v7.5.17)
CVE-2026-59874 (node-tar is a tar archive manipulation library for Node.js.
Prior to 7 ...)
- node-tar <unfixed>
+ [trixie] - node-tar <no-dsa> (Minor issue)
NOTE:
https://github.com/isaacs/node-tar/security/advisories/GHSA-8x88-c5mf-7j5w
NOTE: Fixed by:
https://github.com/isaacs/node-tar/commit/9e78bf058b2c22dd4d52e00d8922d5c06fc2f7b5
(v7.5.18)
CVE-2026-59873 (node-tar is a tar archive manipulation library for Node.js.
Prior to 7 ...)
- node-tar <unfixed>
+ [trixie] - node-tar <no-dsa> (Minor issue)
NOTE:
https://github.com/isaacs/node-tar/security/advisories/GHSA-23hp-3jrh-7fpw
NOTE: Fixed by:
https://github.com/isaacs/node-tar/commit/2812e9338665659b183aa7226518c307044957d3
(v7.5.19)
CVE-2026-59871 (node-tar is a tar archive manipulation library for Node.js.
Prior to 7 ...)
- node-tar <unfixed>
+ [trixie] - node-tar <no-dsa> (Minor issue)
NOTE:
https://github.com/isaacs/node-tar/security/advisories/GHSA-w8wr-v893-vjvp
NOTE: Fixed by:
https://github.com/isaacs/node-tar/commit/e02a4e9e013c4be95302e2eb2047a942b883c27b
(v7.5.18)
CVE-2026-59870 (js-yaml is a JavaScript YAML parser and dumper. From 5.0.0
before 5.2. ...)
@@ -547,6 +555,7 @@ CVE-2026-59870 (js-yaml is a JavaScript YAML parser and
dumper. From 5.0.0 befor
NOTE: Fixed by:
https://github.com/nodeca/js-yaml/commit/39f3211a2f01b3c6982710cf21434ab7060acefe
(5.2.1)
CVE-2026-59869 (js-yaml is a JavaScript YAML parser and dumper. From 3.0.0
before 3.15 ...)
- node-js-yaml <unfixed>
+ [trixie] - node-js-yaml <no-dsa> (Minor issue)
NOTE:
https://github.com/nodeca/js-yaml/security/advisories/GHSA-52cp-r559-cp3m
NOTE: Fixed by:
https://github.com/nodeca/js-yaml/commit/24f13e79ee1343a7e30bd6f6c9d9cdbf0ac9b2b7
(3.15.0)
NOTE: Fixed by:
https://github.com/nodeca/js-yaml/commit/59423c6f8cdc78742ac00e25a4dd39ef16b702e4
(4.3.0)
@@ -1115,6 +1124,7 @@ CVE-2026-14940 (A heap-buffer-overflow flaw was found in
389 Directory Server (3
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2497697
CVE-2026-14935 (A logic vulnerability was found in GStreamer's webrtcbin
component. Th ...)
- gst-plugins-bad1.0 <unfixed>
+ [trixie] - gst-plugins-bad1.0 <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2497679
NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5171 (private)
CVE-2026-14904 (AWS Research and Engineering Studio (RES) is an open-source
solution t ...)
@@ -1778,6 +1788,7 @@ CVE-2026-54893 (URL path injection in the Microsoft Graph
adapter of Swoosh. Swo
NOT-FOR-US: Swoosh
CVE-2026-54291 (pgjdbc is an open source postgresql JDBC Driver. In releases
42.7.4 th ...)
- libpgjava 42.7.12-1
+ [trixie] - libpgjava <no-dsa> (Minor issue)
NOTE:
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-j92g-9f8w-j867
NOTE: Fixed by:
https://github.com/pgjdbc/pgjdbc/commit/77df98e4e66c12936ded3478a0954f6f580bad99
(REL42.7.12)
CVE-2026-54060 (Pillow is a Python imaging library. Prior to 12.3.0,
PIL/FontFile.py F ...)
@@ -3252,9 +3263,11 @@ CVE-2026-54886 (Loop with Unreachable Exit Condition
('Infinite Loop') vulnerabi
NOTE:
https://github.com/erlang/otp/commit/eaf9550b8ad4738b81149d3f617102d980c6dd18
(OTP-29.0.3, OTP-28.5.0.3, OTP-27.3.4.14)
CVE-2026-54431 (In liboauth2 the Demonstrating Proof-of-Possession (DPoP)
verifier acc ...)
- liboauth2 2.3.0-1
+ [trixie] - liboauth2 <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/OpenIDC/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800
(v2.3.0)
CVE-2026-54430 (liboauth2 is vulnerable to Server-Side Request Forgery
inoauth2_jose_j ...)
- liboauth2 2.3.0-1
+ [trixie] - liboauth2 <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/OpenIDC/liboauth2/commit/347507ac5b51f48c2933bbe49b2ee07c2af4712b
(v2.3.0)
CVE-2026-54409 (A malicious actor with access to the network and under certain
conditi ...)
NOT-FOR-US: UniFi
@@ -10746,12 +10759,15 @@ CVE-2026-55488 (motionEye (mEye) is an online
interface for a piece of software
NOT-FOR-US: motionEye (mEye)
CVE-2026-54906 (concurrent-ruby is a modern concurrency tools for Ruby. Prior
to 1.3.7 ...)
- ruby-concurrent 1.3.7-1
+ [trixie] - ruby-concurrent <no-dsa> (Minor issue)
NOTE:
https://github.com/ruby-concurrency/concurrent-ruby/security/advisories/GHSA-6wx8-w4f5-wwcr
CVE-2026-54905 (concurrent-ruby is a modern concurrency tools for Ruby. Prior
to 1.3.7 ...)
- ruby-concurrent 1.3.7-1
+ [trixie] - ruby-concurrent <no-dsa> (Minor issue)
NOTE:
https://github.com/ruby-concurrency/concurrent-ruby/security/advisories/GHSA-wv3x-4vxv-whpp
CVE-2026-54904 (concurrent-ruby is a modern concurrency tools for Ruby. Prior
to 1.3.7 ...)
- ruby-concurrent 1.3.7-1
+ [trixie] - ruby-concurrent <no-dsa> (Minor issue)
NOTE:
https://github.com/ruby-concurrency/concurrent-ruby/security/advisories/GHSA-h8w8-99g7-qmvj
CVE-2026-54699 (Warp is an agentic development environment. From
0.2024.03.12.08.02.st ...)
NOT-FOR-US: Warp
@@ -13399,6 +13415,7 @@ CVE-2026-50146 (Astro is a web framework. Prior to
6.3.3, when a component uses
NOT-FOR-US: Astro
CVE-2026-49356 (Babel is a compiler for writing next generation JavaScript.
Prior to 8 ...)
- node-babel7 <unfixed> (bug #1140816)
+ [trixie] - node-babel7 <no-dsa> (Minor issue)
NOTE:
https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8
CVE-2026-49241 (The Angular Language Service VS Code Extension provides a rich
editing ...)
NOT-FOR-US: VS Code extension
@@ -29324,6 +29341,7 @@ CVE-2026-42250 (bzip2 contains an off\u2011by\u2011one
error in the bzip2recover
NOTE: Fixed by:
https://sourceware.org/cgit/bzip2/commit/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67
CVE-2026-41565 (CryptX versions before 0.088_001 for Perl have a stack buffer
overflow ...)
- libcryptx-perl 0.089-1
+ [trixie] - libcryptx-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40477993/
NOTE: Fixed by:
https://github.com/DCIT/perl-CryptX/commit/57e69e541b0718ca8724c2f61514322a2d859bc1
(v0.088)
NOTE: Fixed by:
https://github.com/DCIT/perl-CryptX/commit/7e56347d420aaf43b2ee1586f4a230492ccf1642
(v0.089)
@@ -37479,24 +37497,31 @@ CVE-2026-43996 (OpenImageIO is a toolset for reading,
writing, and manipulating
NOTE:
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-mq8j-73c4-cr55
CVE-2026-43909 (OpenImageIO is a toolset for reading, writing, and
manipulating image ...)
- openimageio <unfixed> (bug #1139915)
+ [trixie] - openimageio <no-dsa> (Minor issue)
NOTE:
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-g267-j53j-5258
CVE-2026-43908 (OpenImageIO is a toolset for reading, writing, and
manipulating image ...)
- openimageio <unfixed> (bug #1139915)
+ [trixie] - openimageio <no-dsa> (Minor issue)
NOTE:
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-2jr5-q49v-3858
CVE-2026-43907 (OpenImageIO is a toolset for reading, writing, and
manipulating image ...)
- openimageio <unfixed> (bug #1139915)
+ [trixie] - openimageio <no-dsa> (Minor issue)
NOTE:
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-cq46-hp4h-cvfr
CVE-2026-43906 (OpenImageIO is a toolset for reading, writing, and
manipulating image ...)
- openimageio <unfixed> (bug #1139915)
+ [trixie] - openimageio <no-dsa> (Minor issue)
NOTE:
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-gmrp-x952-3m66
CVE-2026-43905 (OpenImageIO is a toolset for reading, writing, and
manipulating image ...)
- openimageio <unfixed> (bug #1139915)
+ [trixie] - openimageio <no-dsa> (Minor issue)
NOTE:
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-pj45-cf3g-28gq
CVE-2026-43904 (OpenImageIO is a toolset for reading, writing, and
manipulating image ...)
- openimageio <unfixed> (bug #1139915)
+ [trixie] - openimageio <no-dsa> (Minor issue)
NOTE:
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-4499-j545-7q33
CVE-2026-43903 (OpenImageIO is a toolset for reading, writing, and
manipulating image ...)
- openimageio <unfixed> (bug #1139915)
+ [trixie] - openimageio <no-dsa> (Minor issue)
NOTE:
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-jg3q-vm3q-2j35
CVE-2026-43490 (In the Linux kernel, the following vulnerability has been
resolved: k ...)
{DSA-6274-1}
@@ -43976,10 +44001,12 @@ CVE-2026-44263 (Weblate is a web based localization
tool. Prior to version 5.17.
- weblate <itp> (bug #745661)
CVE-2026-44244 (GitPython is a python library used to interact with Git
repositories. ...)
- python-git 3.1.50-1
+ [trixie] - python-git <no-dsa> (Minor issue)
NOTE:
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67
NOTE: https://github.com/gitpython-developers/GitPython/pull/2137
CVE-2026-44243 (GitPython is a python library used to interact with Git
repositories. ...)
- python-git 3.1.50-1
+ [trixie] - python-git <no-dsa> (Minor issue)
NOTE:
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-7545-fcxq-7j24
NOTE: https://github.com/gitpython-developers/GitPython/pull/2134
CVE-2026-42285 (GoBGP is an open source Border Gateway Protocol (BGP)
implementation i ...)
@@ -50040,9 +50067,11 @@ CVE-2026-21023 (Insufficient verification of data
authenticity in PackageManager
NOT-FOR-US: Samsung Mobile
CVE-2026-42215 (GitPython is a python library used to interact with Git
repositories. ...)
- python-git 3.1.50-1 (bug #1135349)
+ [trixie] - python-git <no-dsa> (Minor issue)
NOTE:
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-rpm5-65cw-6hj4
CVE-2026-42284 (GitPython is a python library used to interact with Git
repositories. ...)
- python-git 3.1.50-1 (bug #1135350)
+ [trixie] - python-git <no-dsa> (Minor issue)
NOTE:
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-x2qx-6953-8485
CVE-2026-7363 (Use after free in Canvas in Google Chrome on Linux, ChromeOS
prior to ...)
{DSA-6239-1}
@@ -62207,11 +62236,13 @@ CVE-2026-27314 (Privilege escalationin Apache
Cassandra 5.0 on an mTLS environme
- cassandra <itp> (bug #585905)
CVE-2026-24660 (A heap-based buffer overflow vulnerability exists in the
x3f_load_huff ...)
- libraw 0.22.1-1 (bug #1133845)
+ [trixie] - libraw <no-dsa> (Minor issue)
NOTE:
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2359
NOTE:
https://github.com/LibRaw/LibRaw/commit/a4a0ab69d286c7638741e70a11f04fb3d7b49db2
NOTE:
https://github.com/LibRaw/LibRaw/commit/ac151a829b8d3e4c74fa3aefa8a029c3cc3f857f
(0.22.1)
CVE-2026-24450 (An integer overflow vulnerability exists in the
uncompressed_fp_dng_lo ...)
- libraw 0.22.1-1 (bug #1133845)
+ [trixie] - libraw <no-dsa> (Minor issue)
NOTE:
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2363
NOTE:
https://github.com/LibRaw/LibRaw/commit/a58727c1a3cfef4101700e546a6a661c6a299d97
NOTE:
https://github.com/LibRaw/LibRaw/commit/c911c9b9edffa5fab99f828d0fee6dd2d0f6105f
(0.22.1)
@@ -62245,6 +62276,7 @@ CVE-2026-22666 (Dolibarr ERP/CRM versions prior to
23.0.2 contain an authenticat
- dolibarr <removed>
CVE-2026-21413 (A heap-based buffer overflow vulnerability exists in the
lossless_jpeg ...)
- libraw 0.22.1-1 (bug #1133845)
+ [trixie] - libraw <no-dsa> (Minor issue)
NOTE:
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2331
NOTE:
https://github.com/LibRaw/LibRaw/commit/32c7b783de262f21fa5e3f58a59031edf23ab3cb
NOTE:
https://github.com/LibRaw/LibRaw/commit/75ed2c12a35b765b3b6ad695cc1f044f19efe644
(0.22.1)
@@ -62259,11 +62291,13 @@ CVE-2026-20911 (A heap-based buffer overflow
vulnerability exists in the HuffTab
NOTE: Introduced by:
https://github.com/LibRaw/LibRaw/commit/12b0e5d60c57bb795382fda8494fc45f683550b8
(0.22.0)
CVE-2026-20889 (A heap-based buffer overflow vulnerability exists in the
x3f_thumb_loa ...)
- libraw 0.22.1-1 (bug #1133845)
+ [trixie] - libraw <no-dsa> (Minor issue)
NOTE:
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358
NOTE:
https://github.com/LibRaw/LibRaw/commit/657b68d20456eaeb9639976f328827195ff41383
NOTE:
https://github.com/LibRaw/LibRaw/commit/b9809e410d07ca7bf408e6d036615fb34f8c47cc
(0.22.1)
CVE-2026-20884 (An integer overflow vulnerability exists in the
deflate_dng_load_raw f ...)
- libraw 0.22.1-1 (bug #1133845)
+ [trixie] - libraw <no-dsa> (Minor issue)
NOTE:
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364
NOTE:
https://github.com/LibRaw/LibRaw/commit/39873163faa29ed5dfc3bb5aab1b46ed807b210f
NOTE:
https://github.com/LibRaw/LibRaw/commit/aa4458eb511daeae90676c1ce5c587106e4aaec1
(0.22.1)
@@ -74176,6 +74210,7 @@ CVE-2026-27977 (Next.js is a React framework for
building full-stack web applica
NOT-FOR-US: Next.js
CVE-2026-27895 (LDAP Account Manager (LAM) is a webfrontend for managing
entries (e.g. ...)
- ldap-account-manager 9.5.1-1 (bug #1131370)
+ [trixie] - ldap-account-manager <no-dsa> (Minor issue)
[bookworm] - ldap-account-manager <not-affected> (Vulnerable code
introduced later)
[bullseye] - ldap-account-manager <not-affected> (Vulnerable code
introduced later)
NOTE:
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8
@@ -90255,6 +90290,7 @@ CVE-2025-15571 (A security vulnerability has been
detected in ckolivas lrzip up
CVE-2025-15570 (A vulnerability was found in ckolivas lrzip up to 0.651. This
impacts ...)
{DLA-4567-1}
- lrzip 0.660-1 (bug #1128069)
+ [trixie] - lrzip <no-dsa> (Minor issue)
NOTE: https://github.com/ckolivas/lrzip/issues/262
NOTE: Fixed by:
https://github.com/ckolivas/lrzip/commit/96931e7019c8cde6b5f2d3286a5470a67ed9a8f6
(v0.660)
CVE-2025-15569 (A flaw has been found in Artifex MuPDF up to 1.26.1 on
Windows. The im ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f61e410cd848c8e88bb79f9bd60e958ff773e451
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f61e410cd848c8e88bb79f9bd60e958ff773e451
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits