Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f61e410c by Moritz Muehlenhoff at 2026-07-09T19:08:52+02:00
trixie triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -69,12 +69,14 @@ CVE-2026-59939 (httplib2 is a comprehensive HTTP client 
library for Python. Prio
        NOTE: Fixed by: 
https://github.com/httplib2/httplib2/commit/87581ad6cf752fe3da2090c59058261d2d00a427
 (v0.32.0)
 CVE-2026-59936 (pypdf is a free and open-source pure-python PDF library. Prior 
to 6.14 ...)
        - pypdf <unfixed>
+       [trixie] - pypdf <no-dsa> (Minor issue)
        - pypdf2 <removed>
        NOTE: 
https://github.com/py-pdf/pypdf/security/advisories/GHSA-5xf7-4p34-54qr
        NOTE: https://github.com/py-pdf/pypdf/pull/3891
        NOTE: Fixed by: 
https://github.com/py-pdf/pypdf/commit/ec3b14596186c40caca7cf8ab9b2155203e01b5b 
(6.14.1)
 CVE-2026-59935 (pypdf is a free and open-source pure-python PDF library. Prior 
to 6.14 ...)
        - pypdf <unfixed>
+       [trixie] - pypdf <no-dsa> (Minor issue)
        - pypdf2 <removed>
        NOTE: 
https://github.com/py-pdf/pypdf/security/advisories/GHSA-g867-7843-wf8q
        NOTE: https://github.com/py-pdf/pypdf/pull/3892
@@ -428,12 +430,14 @@ CVE-2026-5356 (The LatePoint \u2013 Calendar Booking 
Plugin for Appointments and
        NOT-FOR-US: WordPress plugin
 CVE-2026-59938 (pypdf is a free and open-source pure-python PDF library. Prior 
to 6.14 ...)
        - pypdf <unfixed>
+       [trixie] - pypdf <no-dsa> (Minor issue)
        - pypdf2 <removed>
        NOTE: 
https://github.com/py-pdf/pypdf/security/advisories/GHSA-5qjq-93h5-hrgp
        NOTE: https://github.com/py-pdf/pypdf/pull/3888
        NOTE: Fixed by: 
https://github.com/py-pdf/pypdf/commit/c64583be16b8e8763d8777075f8ecbf382014b7a 
(6.14.0)
 CVE-2026-59937 (pypdf is a free and open-source pure-python PDF library. Prior 
to 6.14 ...)
        - pypdf <unfixed>
+       [trixie] - pypdf <no-dsa> (Minor issue)
        - pypdf2 <removed>
        NOTE: 
https://github.com/py-pdf/pypdf/security/advisories/GHSA-55h5-xmcq-c37v
        NOTE: https://github.com/py-pdf/pypdf/pull/3887
@@ -527,18 +531,22 @@ CVE-2026-59876 (protobufjs compiles protobuf definitions 
into JavaScript (JS) fu
        - node-protobufjs <itp> (bug #977564)
 CVE-2026-59875 (node-tar is a tar archive manipulation library for Node.js. 
Prior to 7 ...)
        - node-tar <unfixed>
+       [trixie] - node-tar <no-dsa> (Minor issue)
        NOTE: 
https://github.com/isaacs/node-tar/security/advisories/GHSA-gvwx-54wh-qm9j
        NOTE: Fixed by: 
https://github.com/isaacs/node-tar/commit/7a635c29f5edbf083557374d43984273ecfed5b3
 (v7.5.17)
 CVE-2026-59874 (node-tar is a tar archive manipulation library for Node.js. 
Prior to 7 ...)
        - node-tar <unfixed>
+       [trixie] - node-tar <no-dsa> (Minor issue)
        NOTE: 
https://github.com/isaacs/node-tar/security/advisories/GHSA-8x88-c5mf-7j5w
        NOTE: Fixed by: 
https://github.com/isaacs/node-tar/commit/9e78bf058b2c22dd4d52e00d8922d5c06fc2f7b5
 (v7.5.18)
 CVE-2026-59873 (node-tar is a tar archive manipulation library for Node.js. 
Prior to 7 ...)
        - node-tar <unfixed>
+       [trixie] - node-tar <no-dsa> (Minor issue)
        NOTE: 
https://github.com/isaacs/node-tar/security/advisories/GHSA-23hp-3jrh-7fpw
        NOTE: Fixed by: 
https://github.com/isaacs/node-tar/commit/2812e9338665659b183aa7226518c307044957d3
 (v7.5.19)
 CVE-2026-59871 (node-tar is a tar archive manipulation library for Node.js. 
Prior to 7 ...)
        - node-tar <unfixed>
+       [trixie] - node-tar <no-dsa> (Minor issue)
        NOTE: 
https://github.com/isaacs/node-tar/security/advisories/GHSA-w8wr-v893-vjvp
        NOTE: Fixed by: 
https://github.com/isaacs/node-tar/commit/e02a4e9e013c4be95302e2eb2047a942b883c27b
 (v7.5.18)
 CVE-2026-59870 (js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 
before 5.2. ...)
@@ -547,6 +555,7 @@ CVE-2026-59870 (js-yaml is a JavaScript YAML parser and 
dumper. From 5.0.0 befor
        NOTE: Fixed by: 
https://github.com/nodeca/js-yaml/commit/39f3211a2f01b3c6982710cf21434ab7060acefe
 (5.2.1)
 CVE-2026-59869 (js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 
before 3.15 ...)
        - node-js-yaml <unfixed>
+       [trixie] - node-js-yaml <no-dsa> (Minor issue)
        NOTE: 
https://github.com/nodeca/js-yaml/security/advisories/GHSA-52cp-r559-cp3m
        NOTE: Fixed by: 
https://github.com/nodeca/js-yaml/commit/24f13e79ee1343a7e30bd6f6c9d9cdbf0ac9b2b7
 (3.15.0)
        NOTE: Fixed by: 
https://github.com/nodeca/js-yaml/commit/59423c6f8cdc78742ac00e25a4dd39ef16b702e4
 (4.3.0)
@@ -1115,6 +1124,7 @@ CVE-2026-14940 (A heap-buffer-overflow flaw was found in 
389 Directory Server (3
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2497697
 CVE-2026-14935 (A logic vulnerability was found in GStreamer's webrtcbin 
component. Th ...)
        - gst-plugins-bad1.0 <unfixed>
+       [trixie] - gst-plugins-bad1.0 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2497679
        NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5171 (private)
 CVE-2026-14904 (AWS Research and Engineering Studio (RES) is an open-source 
solution t ...)
@@ -1778,6 +1788,7 @@ CVE-2026-54893 (URL path injection in the Microsoft Graph 
adapter of Swoosh. Swo
        NOT-FOR-US: Swoosh
 CVE-2026-54291 (pgjdbc is an open source postgresql JDBC Driver. In releases 
42.7.4 th ...)
        - libpgjava 42.7.12-1
+       [trixie] - libpgjava <no-dsa> (Minor issue)
        NOTE: 
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-j92g-9f8w-j867
        NOTE: Fixed by: 
https://github.com/pgjdbc/pgjdbc/commit/77df98e4e66c12936ded3478a0954f6f580bad99
 (REL42.7.12)
 CVE-2026-54060 (Pillow is a Python imaging library. Prior to 12.3.0, 
PIL/FontFile.py F ...)
@@ -3252,9 +3263,11 @@ CVE-2026-54886 (Loop with Unreachable Exit Condition 
('Infinite Loop') vulnerabi
        NOTE: 
https://github.com/erlang/otp/commit/eaf9550b8ad4738b81149d3f617102d980c6dd18 
(OTP-29.0.3, OTP-28.5.0.3, OTP-27.3.4.14)
 CVE-2026-54431 (In liboauth2 the Demonstrating Proof-of-Possession (DPoP) 
verifier acc ...)
        - liboauth2 2.3.0-1
+       [trixie] - liboauth2 <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/OpenIDC/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800
 (v2.3.0)
 CVE-2026-54430 (liboauth2 is vulnerable to Server-Side Request Forgery 
inoauth2_jose_j ...)
        - liboauth2 2.3.0-1
+       [trixie] - liboauth2 <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/OpenIDC/liboauth2/commit/347507ac5b51f48c2933bbe49b2ee07c2af4712b
 (v2.3.0)
 CVE-2026-54409 (A malicious actor with access to the network and under certain 
conditi ...)
        NOT-FOR-US: UniFi
@@ -10746,12 +10759,15 @@ CVE-2026-55488 (motionEye (mEye) is an online 
interface for a piece of software
        NOT-FOR-US: motionEye (mEye)
 CVE-2026-54906 (concurrent-ruby is a modern concurrency tools for Ruby. Prior 
to 1.3.7 ...)
        - ruby-concurrent 1.3.7-1
+       [trixie] - ruby-concurrent <no-dsa> (Minor issue)
        NOTE: 
https://github.com/ruby-concurrency/concurrent-ruby/security/advisories/GHSA-6wx8-w4f5-wwcr
 CVE-2026-54905 (concurrent-ruby is a modern concurrency tools for Ruby. Prior 
to 1.3.7 ...)
        - ruby-concurrent 1.3.7-1
+       [trixie] - ruby-concurrent <no-dsa> (Minor issue)
        NOTE: 
https://github.com/ruby-concurrency/concurrent-ruby/security/advisories/GHSA-wv3x-4vxv-whpp
 CVE-2026-54904 (concurrent-ruby is a modern concurrency tools for Ruby. Prior 
to 1.3.7 ...)
        - ruby-concurrent 1.3.7-1
+       [trixie] - ruby-concurrent <no-dsa> (Minor issue)
        NOTE: 
https://github.com/ruby-concurrency/concurrent-ruby/security/advisories/GHSA-h8w8-99g7-qmvj
 CVE-2026-54699 (Warp is an agentic development environment. From 
0.2024.03.12.08.02.st ...)
        NOT-FOR-US: Warp
@@ -13399,6 +13415,7 @@ CVE-2026-50146 (Astro is a web framework. Prior to 
6.3.3, when a component uses
        NOT-FOR-US: Astro
 CVE-2026-49356 (Babel is a compiler for writing next generation JavaScript. 
Prior to 8 ...)
        - node-babel7 <unfixed> (bug #1140816)
+       [trixie] - node-babel7 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8
 CVE-2026-49241 (The Angular Language Service VS Code Extension provides a rich 
editing ...)
        NOT-FOR-US: VS Code extension
@@ -29324,6 +29341,7 @@ CVE-2026-42250 (bzip2 contains an off\u2011by\u2011one 
error in the bzip2recover
        NOTE: Fixed by: 
https://sourceware.org/cgit/bzip2/commit/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67
 CVE-2026-41565 (CryptX versions before 0.088_001 for Perl have a stack buffer 
overflow ...)
        - libcryptx-perl 0.089-1
+       [trixie] - libcryptx-perl <no-dsa> (Minor issue)
        NOTE: https://lists.security.metacpan.org/cve-announce/msg/40477993/
        NOTE: Fixed by: 
https://github.com/DCIT/perl-CryptX/commit/57e69e541b0718ca8724c2f61514322a2d859bc1
 (v0.088)
        NOTE: Fixed by: 
https://github.com/DCIT/perl-CryptX/commit/7e56347d420aaf43b2ee1586f4a230492ccf1642
 (v0.089)
@@ -37479,24 +37497,31 @@ CVE-2026-43996 (OpenImageIO is a toolset for reading, 
writing, and manipulating
        NOTE: 
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-mq8j-73c4-cr55
 CVE-2026-43909 (OpenImageIO is a toolset for reading, writing, and 
manipulating image  ...)
        - openimageio <unfixed> (bug #1139915)
+       [trixie] - openimageio <no-dsa> (Minor issue)
        NOTE: 
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-g267-j53j-5258
 CVE-2026-43908 (OpenImageIO is a toolset for reading, writing, and 
manipulating image  ...)
        - openimageio <unfixed> (bug #1139915)
+       [trixie] - openimageio <no-dsa> (Minor issue)
        NOTE: 
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-2jr5-q49v-3858
 CVE-2026-43907 (OpenImageIO is a toolset for reading, writing, and 
manipulating image  ...)
        - openimageio <unfixed> (bug #1139915)
+       [trixie] - openimageio <no-dsa> (Minor issue)
        NOTE: 
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-cq46-hp4h-cvfr
 CVE-2026-43906 (OpenImageIO is a toolset for reading, writing, and 
manipulating image  ...)
        - openimageio <unfixed> (bug #1139915)
+       [trixie] - openimageio <no-dsa> (Minor issue)
        NOTE: 
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-gmrp-x952-3m66
 CVE-2026-43905 (OpenImageIO is a toolset for reading, writing, and 
manipulating image  ...)
        - openimageio <unfixed> (bug #1139915)
+       [trixie] - openimageio <no-dsa> (Minor issue)
        NOTE: 
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-pj45-cf3g-28gq
 CVE-2026-43904 (OpenImageIO is a toolset for reading, writing, and 
manipulating image  ...)
        - openimageio <unfixed> (bug #1139915)
+       [trixie] - openimageio <no-dsa> (Minor issue)
        NOTE: 
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-4499-j545-7q33
 CVE-2026-43903 (OpenImageIO is a toolset for reading, writing, and 
manipulating image  ...)
        - openimageio <unfixed> (bug #1139915)
+       [trixie] - openimageio <no-dsa> (Minor issue)
        NOTE: 
https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-jg3q-vm3q-2j35
 CVE-2026-43490 (In the Linux kernel, the following vulnerability has been 
resolved:  k ...)
        {DSA-6274-1}
@@ -43976,10 +44001,12 @@ CVE-2026-44263 (Weblate is a web based localization 
tool. Prior to version 5.17.
        - weblate <itp> (bug #745661)
 CVE-2026-44244 (GitPython is a python library used to interact with Git 
repositories.  ...)
        - python-git 3.1.50-1
+       [trixie] - python-git <no-dsa> (Minor issue)
        NOTE: 
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67
        NOTE: https://github.com/gitpython-developers/GitPython/pull/2137
 CVE-2026-44243 (GitPython is a python library used to interact with Git 
repositories.  ...)
        - python-git 3.1.50-1
+       [trixie] - python-git <no-dsa> (Minor issue)
        NOTE: 
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-7545-fcxq-7j24
        NOTE: https://github.com/gitpython-developers/GitPython/pull/2134
 CVE-2026-42285 (GoBGP is an open source Border Gateway Protocol (BGP) 
implementation i ...)
@@ -50040,9 +50067,11 @@ CVE-2026-21023 (Insufficient verification of data 
authenticity in PackageManager
        NOT-FOR-US: Samsung Mobile
 CVE-2026-42215 (GitPython is a python library used to interact with Git 
repositories.  ...)
        - python-git 3.1.50-1 (bug #1135349)
+       [trixie] - python-git <no-dsa> (Minor issue)
        NOTE: 
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-rpm5-65cw-6hj4
 CVE-2026-42284 (GitPython is a python library used to interact with Git 
repositories.  ...)
        - python-git 3.1.50-1 (bug #1135350)
+       [trixie] - python-git <no-dsa> (Minor issue)
        NOTE: 
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-x2qx-6953-8485
 CVE-2026-7363 (Use after free in Canvas in Google Chrome on Linux, ChromeOS 
prior to  ...)
        {DSA-6239-1}
@@ -62207,11 +62236,13 @@ CVE-2026-27314 (Privilege escalationin Apache 
Cassandra 5.0 on an mTLS environme
        - cassandra <itp> (bug #585905)
 CVE-2026-24660 (A heap-based buffer overflow vulnerability exists in the 
x3f_load_huff ...)
        - libraw 0.22.1-1 (bug #1133845)
+       [trixie] - libraw <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2359
        NOTE: 
https://github.com/LibRaw/LibRaw/commit/a4a0ab69d286c7638741e70a11f04fb3d7b49db2
        NOTE: 
https://github.com/LibRaw/LibRaw/commit/ac151a829b8d3e4c74fa3aefa8a029c3cc3f857f
 (0.22.1)
 CVE-2026-24450 (An integer overflow vulnerability exists in the 
uncompressed_fp_dng_lo ...)
        - libraw 0.22.1-1 (bug #1133845)
+       [trixie] - libraw <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2363
        NOTE: 
https://github.com/LibRaw/LibRaw/commit/a58727c1a3cfef4101700e546a6a661c6a299d97
        NOTE: 
https://github.com/LibRaw/LibRaw/commit/c911c9b9edffa5fab99f828d0fee6dd2d0f6105f
 (0.22.1)
@@ -62245,6 +62276,7 @@ CVE-2026-22666 (Dolibarr ERP/CRM versions prior to 
23.0.2 contain an authenticat
        - dolibarr <removed>
 CVE-2026-21413 (A heap-based buffer overflow vulnerability exists in the 
lossless_jpeg ...)
        - libraw 0.22.1-1 (bug #1133845)
+       [trixie] - libraw <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2331
        NOTE: 
https://github.com/LibRaw/LibRaw/commit/32c7b783de262f21fa5e3f58a59031edf23ab3cb
        NOTE: 
https://github.com/LibRaw/LibRaw/commit/75ed2c12a35b765b3b6ad695cc1f044f19efe644
 (0.22.1)
@@ -62259,11 +62291,13 @@ CVE-2026-20911 (A heap-based buffer overflow 
vulnerability exists in the HuffTab
        NOTE: Introduced by: 
https://github.com/LibRaw/LibRaw/commit/12b0e5d60c57bb795382fda8494fc45f683550b8
 (0.22.0)
 CVE-2026-20889 (A heap-based buffer overflow vulnerability exists in the 
x3f_thumb_loa ...)
        - libraw 0.22.1-1 (bug #1133845)
+       [trixie] - libraw <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358
        NOTE: 
https://github.com/LibRaw/LibRaw/commit/657b68d20456eaeb9639976f328827195ff41383
        NOTE: 
https://github.com/LibRaw/LibRaw/commit/b9809e410d07ca7bf408e6d036615fb34f8c47cc
 (0.22.1)
 CVE-2026-20884 (An integer overflow vulnerability exists in the 
deflate_dng_load_raw f ...)
        - libraw 0.22.1-1 (bug #1133845)
+       [trixie] - libraw <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364
        NOTE: 
https://github.com/LibRaw/LibRaw/commit/39873163faa29ed5dfc3bb5aab1b46ed807b210f
        NOTE: 
https://github.com/LibRaw/LibRaw/commit/aa4458eb511daeae90676c1ce5c587106e4aaec1
 (0.22.1)
@@ -74176,6 +74210,7 @@ CVE-2026-27977 (Next.js is a React framework for 
building full-stack web applica
        NOT-FOR-US: Next.js
 CVE-2026-27895 (LDAP Account Manager (LAM) is a webfrontend for managing 
entries (e.g. ...)
        - ldap-account-manager 9.5.1-1 (bug #1131370)
+       [trixie] - ldap-account-manager <no-dsa> (Minor issue)
        [bookworm] - ldap-account-manager <not-affected> (Vulnerable code 
introduced later)
        [bullseye] - ldap-account-manager <not-affected> (Vulnerable code 
introduced later)
        NOTE: 
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8
@@ -90255,6 +90290,7 @@ CVE-2025-15571 (A security vulnerability has been 
detected in ckolivas lrzip up
 CVE-2025-15570 (A vulnerability was found in ckolivas lrzip up to 0.651. This 
impacts  ...)
        {DLA-4567-1}
        - lrzip 0.660-1 (bug #1128069)
+       [trixie] - lrzip <no-dsa> (Minor issue)
        NOTE: https://github.com/ckolivas/lrzip/issues/262
        NOTE: Fixed by: 
https://github.com/ckolivas/lrzip/commit/96931e7019c8cde6b5f2d3286a5470a67ed9a8f6
 (v0.660)
 CVE-2025-15569 (A flaw has been found in Artifex MuPDF up to 1.26.1 on 
Windows. The im ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f61e410cd848c8e88bb79f9bd60e958ff773e451

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f61e410cd848c8e88bb79f9bd60e958ff773e451
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to