Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
eaca5000 by Moritz Muehlenhoff at 2026-07-09T21:59:46+02:00
trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1479,9 +1479,11 @@ CVE-2026-14482 (The
\u591a\u8bf4\u793e\u4f1a\u5316\u8bc4\u8bba\u6846 plugin for
NOT-FOR-US: WordPress plugin
CVE-2026-14476 (A path traversal flaw was found in SSSD's AD GPO provider. The
ad_gpo_ ...)
- sssd <unfixed>
+ [trixie] - sssd <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2496581
CVE-2026-14474 (A flaw was found in SSSD's LDAP sudo provider. When the
ldap_sudo_sear ...)
- sssd <unfixed>
+ [trixie] - sssd <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2496556
CVE-2026-14244 (The Jssor Slider by jssor.com plugin for WordPress is
vulnerable to Di ...)
NOT-FOR-US: WordPress plugin
@@ -7108,6 +7110,7 @@ CVE-2026-44605
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2482481
CVE-2026-13606
- graphicsmagick <unfixed> (bug #1141493)
+ [trixie] - graphicsmagick <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2494107
CVE-2026-9576 (The Fluent Booking WordPress plugin before 2.1.2 does not
verify owne ...)
NOT-FOR-US: WordPress plugin
@@ -11157,6 +11160,7 @@ CVE-2026-49980 (Rclone is a command-line program to
sync files and directories t
NOTE:
https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv
CVE-2026-49851 (Mistune is a Python Markdown parser with renderers and
plugins. Prior ...)
- mistune <unfixed>
+ [trixie] - mistune <no-dsa> (Minor issue)
NOTE:
https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p
CVE-2026-49269 (Apple M1 GPUs retain register file data between compute shader
dispatc ...)
NOT-FOR-US: Apple Silicon HW issue
@@ -13427,6 +13431,7 @@ CVE-2026-44889 (WebOb provides objects for HTTP
requests and responses. Prior to
NOTE:
https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95
CVE-2026-44727 (Jupyter Server is the backend for Jupyter web applications.
Prior to 2 ...)
- jupyter-server 2.20.0-1
+ [trixie] - jupyter-server <no-dsa> (Minor issue)
NOTE:
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-fcw5-x6j4-ccmp
NOTE: Fixed by:
https://github.com/jupyter-server/jupyter_server/commit/6cbee8d65e71abac851c4492fea987ad080580bd
(v2.20.0)
CVE-2026-44311 (Fabric.js is a Javascript HTML5 canvas library. Prior to
7.4.0, a pote ...)
@@ -25602,6 +25607,7 @@ CVE-2026-7888 (Concrete CMS below 9.5.2 is vulnerable
to PHP Object Injection vi
NOT-FOR-US: Concrete CMS
CVE-2026-6657 (A vulnerability in jupyter-server versions 1.12.0 through
2.17.0 allow ...)
- jupyter-server <unfixed>
+ [trixie] - jupyter-server <no-dsa> (Minor issue)
NOTE: https://huntr.com/bounties/18f642db-3569-43b3-b58d-ff97be4b09d7
CVE-2026-5241 (A vulnerability in the LightGlue model loading path of
huggingface/tra ...)
NOT-FOR-US: huggingface/transformers
@@ -26376,6 +26382,7 @@ CVE-2026-7195 (CWE-20: Improper Input Validation in web
services in Progress Sit
NOT-FOR-US: Progress Software
CVE-2026-5422 (A path traversal vulnerability exists in jupyter-server version
2.17.0 ...)
- jupyter-server <unfixed>
+ [trixie] - jupyter-server <no-dsa> (Minor issue)
NOTE: https://huntr.com/bounties/24a36953-6490-466f-8cb2-a90d1ca56e0f
CVE-2026-5191 (The Tiled Gallery Carousel Without JetPack plugin for WordPress
is vul ...)
NOT-FOR-US: WordPress plugin
@@ -34571,6 +34578,7 @@ CVE-2026-41069 (libheif is a HEIF and AVIF file format
decoder and encoder. In v
NOTE:
https://github.com/strukturag/libheif/security/advisories/GHSA-p82x-fpmv-576r
CVE-2026-40864 (JupyterHub is software that allows users to create a
multi-user server ...)
- jupyterhub <unfixed>
+ [trixie] - jupyterhub <no-dsa> (Minor issue)
NOTE:
https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-m68r-v472-jgq9
NOTE: Fixed by:
https://github.com/jupyterhub/jupyterhub/commit/9c5ec277d3cda5a59de2d8c8117efa77bd941127
(5.4.5)
CVE-2026-40610 (BentoML is a Python library for building online serving
systems optimi ...)
@@ -46714,6 +46722,7 @@ CVE-2026-41950 (Dify before version 1.14.0 contains an
authorization bypass vuln
NOT-FOR-US: Dify
CVE-2026-40934 (Jupyter Server is the backend for Jupyter web applications. In
version ...)
- jupyter-server 2.20.0-1 (bug #1136022)
+ [trixie] - jupyter-server <no-dsa> (Minor issue)
NOTE:
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f
CVE-2026-40331 (Masa CMS is an open source content management system. In
versions 7.2. ...)
NOT-FOR-US: Masa CMS
@@ -46725,6 +46734,7 @@ CVE-2026-40280 (Gotenberg is an API-based document
conversion tool. In versions
NOT-FOR-US: Gotenberg
CVE-2026-40110 (Jupyter Server is the backend for Jupyter web applications. In
version ...)
- jupyter-server 2.20.0-1 (bug #1136022)
+ [trixie] - jupyter-server <no-dsa> (Minor issue)
NOTE:
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p
NOTE: https://github.com/jupyter-server/jupyter_server/pull/603
NOTE:
https://github.com/jupyter-server/jupyter_server/commit/057869a327c46730afede3eab0ca2d2e3e74acea
(v2.18.0)
@@ -46747,6 +46757,7 @@ CVE-2026-35453 (PhpSpreadsheet is a library for reading
and writing spreadsheet
NOT-FOR-US: PhpSpreadsheet
CVE-2026-35397 (Jupyter Server is the backend for Jupyter web applications. In
version ...)
- jupyter-server 2.20.0-1 (bug #1136022)
+ [trixie] - jupyter-server <no-dsa> (Minor issue)
NOTE:
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3
CVE-2026-34596 (Sandboxie-Plus is an open source sandbox-based isolation
software for ...)
NOT-FOR-US: Sandboxie-Plus
@@ -47011,6 +47022,7 @@ CVE-2025-66369 (An issue was discovered in MM in
Samsung Mobile Processor, Weara
NOT-FOR-US: Samsung
CVE-2025-61669 (Jupyter Server is the backend for Jupyter web applications. In
jupyter ...)
- jupyter-server 2.20.0-1 (bug #1136022)
+ [trixie] - jupyter-server <no-dsa> (Minor issue)
NOTE:
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w
CVE-2025-52206 (ISPConfig 3.3.0 is vulnerable to Cross Site Scripting (XSS)
via the sy ...)
NOT-FOR-US: ISPConfig
@@ -51889,6 +51901,7 @@ CVE-2026-41067 (Astro is a web framework. Prior to
6.1.6, the defineScriptVars f
NOT-FOR-US: Astro web framework
CVE-2026-41066 (lxml is a library for processing XML and HTML in the Python
language. ...)
- lxml 6.1.0-1
+ [trixie] - lxml <no-dsa> (Minor issue)
NOTE:
https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw
NOTE: Fixed by:
https://github.com/lxml/lxml/commit/ab431ea0b9a7357d968f1d1c5c614649e9aaf358
(lxml-6.1.0)
NOTE: https://bugs.launchpad.net/lxml/+bug/2146291
@@ -54898,6 +54911,7 @@ CVE-2026-34304 (Vulnerability in the MySQL Server
product of Oracle MySQL (compo
CVE-2026-34303 (Vulnerability in the MySQL Server product of Oracle MySQL
(component: ...)
- mysql-8.0 8.0.46-1 (bug #1134614)
- mariadb 1:11.8.6-1
+ [trixie] - mariadb <no-dsa> (Minor issue)
NOTE: Fixed in MariaDB: 12.2.2, 11.8.6, 11.4.10, 10.11.16
CVE-2026-34302 (Vulnerability in the Oracle Workflow product of Oracle
E-Business Suit ...)
NOT-FOR-US: Oracle
@@ -63907,6 +63921,7 @@ CVE-2026-34052 (LTI JupyterHub Authenticator is a
JupyterHub authenticator for L
NOT-FOR-US: LTI JupyterHub Authenticator
CVE-2026-33709 (JupyterHub is software that allows one to create a multi-user
server f ...)
- jupyterhub <unfixed> (bug #1132715)
+ [trixie] - jupyterhub <no-dsa> (Minor issue)
NOTE:
https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-3vff-hjqv-m7h8
CVE-2026-33184 (nimiq/core-rs-albatross is a Rust implementation of the Nimiq
Proof-of ...)
NOT-FOR-US: nimiq/core-rs-albatross
@@ -81351,6 +81366,7 @@ CVE-2026-2376 (A flaw was found in mirror-registry
where an authenticated user c
NOT-FOR-US: mirror-registry for Quay
CVE-2026-3494 (In MariaDB server version through 11.8.5, when server audit
plugin is ...)
- mariadb 1:11.8.6-1
+ [trixie] - mariadb <no-dsa> (Minor issue)
NOTE:
https://github.com/MariaDB/server/commit/635559a2ad68a5a6d1a354e8209c58323dba0261
NOTE: Fixed in MariaDB: 12.3.1, 12.2.2, 11.8.6, 11.4.10, 10.11.16,
10.6.25
CVE-2026-3484 (A vulnerability was detected in PhialsBasement nmap-mcp-server
up to b ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
If needed, specify the release by adding a slash after the name of the source
package.
+--
+389-ds-base
--
activemq
probably best to move to latest 5.19 version
@@ -83,12 +85,17 @@ linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more 6.12.y versions
--
+nats-server
+ maybe move to 2.12.2 if sufficiently backwards compatible
+--
netty
--
nodejs
--
node-dompurify
--
+opam
+--
openexr
--
pacemaker
@@ -105,6 +112,9 @@ prometheus
--
py7zr
--
+python-authlib
+ possibly move trixie to 1.6.12
+--
python-httplib2
--
python-msgpack
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaca5000e4c13a10bd46fe9aa7c9341bf224fbff
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaca5000e4c13a10bd46fe9aa7c9341bf224fbff
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits