Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eaca5000 by Moritz Muehlenhoff at 2026-07-09T21:59:46+02:00
trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1479,9 +1479,11 @@ CVE-2026-14482 (The 
\u591a\u8bf4\u793e\u4f1a\u5316\u8bc4\u8bba\u6846 plugin for
        NOT-FOR-US: WordPress plugin
 CVE-2026-14476 (A path traversal flaw was found in SSSD's AD GPO provider. The 
ad_gpo_ ...)
        - sssd <unfixed>
+       [trixie] - sssd <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2496581
 CVE-2026-14474 (A flaw was found in SSSD's LDAP sudo provider. When the 
ldap_sudo_sear ...)
        - sssd <unfixed>
+       [trixie] - sssd <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2496556
 CVE-2026-14244 (The Jssor Slider by jssor.com plugin for WordPress is 
vulnerable to Di ...)
        NOT-FOR-US: WordPress plugin
@@ -7108,6 +7110,7 @@ CVE-2026-44605
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2482481
 CVE-2026-13606
        - graphicsmagick <unfixed> (bug #1141493)
+       [trixie] - graphicsmagick <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2494107
 CVE-2026-9576 (The Fluent Booking  WordPress plugin before 2.1.2 does not 
verify owne ...)
        NOT-FOR-US: WordPress plugin
@@ -11157,6 +11160,7 @@ CVE-2026-49980 (Rclone is a command-line program to 
sync files and directories t
        NOTE: 
https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv
 CVE-2026-49851 (Mistune is a Python Markdown parser with renderers and 
plugins. Prior  ...)
        - mistune <unfixed>
+       [trixie] - mistune <no-dsa> (Minor issue)
        NOTE: 
https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p
 CVE-2026-49269 (Apple M1 GPUs retain register file data between compute shader 
dispatc ...)
        NOT-FOR-US: Apple Silicon HW issue
@@ -13427,6 +13431,7 @@ CVE-2026-44889 (WebOb provides objects for HTTP 
requests and responses. Prior to
        NOTE: 
https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95
 CVE-2026-44727 (Jupyter Server is the backend for Jupyter web applications. 
Prior to 2 ...)
        - jupyter-server 2.20.0-1
+       [trixie] - jupyter-server <no-dsa> (Minor issue)
        NOTE: 
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-fcw5-x6j4-ccmp
        NOTE: Fixed by: 
https://github.com/jupyter-server/jupyter_server/commit/6cbee8d65e71abac851c4492fea987ad080580bd
 (v2.20.0)
 CVE-2026-44311 (Fabric.js is a Javascript HTML5 canvas library. Prior to 
7.4.0, a pote ...)
@@ -25602,6 +25607,7 @@ CVE-2026-7888 (Concrete CMS below 9.5.2 is vulnerable 
to PHP Object Injection vi
        NOT-FOR-US: Concrete CMS
 CVE-2026-6657 (A vulnerability in jupyter-server versions 1.12.0 through 
2.17.0 allow ...)
        - jupyter-server <unfixed>
+       [trixie] - jupyter-server <no-dsa> (Minor issue)
        NOTE: https://huntr.com/bounties/18f642db-3569-43b3-b58d-ff97be4b09d7
 CVE-2026-5241 (A vulnerability in the LightGlue model loading path of 
huggingface/tra ...)
        NOT-FOR-US: huggingface/transformers
@@ -26376,6 +26382,7 @@ CVE-2026-7195 (CWE-20: Improper Input Validation in web 
services in Progress Sit
        NOT-FOR-US: Progress Software
 CVE-2026-5422 (A path traversal vulnerability exists in jupyter-server version 
2.17.0 ...)
        - jupyter-server <unfixed>
+       [trixie] - jupyter-server <no-dsa> (Minor issue)
        NOTE: https://huntr.com/bounties/24a36953-6490-466f-8cb2-a90d1ca56e0f
 CVE-2026-5191 (The Tiled Gallery Carousel Without JetPack plugin for WordPress 
is vul ...)
        NOT-FOR-US: WordPress plugin
@@ -34571,6 +34578,7 @@ CVE-2026-41069 (libheif is a HEIF and AVIF file format 
decoder and encoder. In v
        NOTE: 
https://github.com/strukturag/libheif/security/advisories/GHSA-p82x-fpmv-576r
 CVE-2026-40864 (JupyterHub is software that allows users to create a 
multi-user server ...)
        - jupyterhub <unfixed>
+       [trixie] - jupyterhub <no-dsa> (Minor issue)
        NOTE: 
https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-m68r-v472-jgq9
        NOTE: Fixed by: 
https://github.com/jupyterhub/jupyterhub/commit/9c5ec277d3cda5a59de2d8c8117efa77bd941127
 (5.4.5)
 CVE-2026-40610 (BentoML is a Python library for building online serving 
systems optimi ...)
@@ -46714,6 +46722,7 @@ CVE-2026-41950 (Dify before version 1.14.0 contains an 
authorization bypass vuln
        NOT-FOR-US: Dify
 CVE-2026-40934 (Jupyter Server is the backend for Jupyter web applications. In 
version ...)
        - jupyter-server 2.20.0-1 (bug #1136022)
+       [trixie] - jupyter-server <no-dsa> (Minor issue)
        NOTE: 
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f
 CVE-2026-40331 (Masa CMS is an open source content management system. In 
versions 7.2. ...)
        NOT-FOR-US: Masa CMS
@@ -46725,6 +46734,7 @@ CVE-2026-40280 (Gotenberg is an API-based document 
conversion tool. In versions
        NOT-FOR-US: Gotenberg
 CVE-2026-40110 (Jupyter Server is the backend for Jupyter web applications. In 
version ...)
        - jupyter-server 2.20.0-1 (bug #1136022)
+       [trixie] - jupyter-server <no-dsa> (Minor issue)
        NOTE: 
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p
        NOTE: https://github.com/jupyter-server/jupyter_server/pull/603
        NOTE: 
https://github.com/jupyter-server/jupyter_server/commit/057869a327c46730afede3eab0ca2d2e3e74acea
 (v2.18.0)
@@ -46747,6 +46757,7 @@ CVE-2026-35453 (PhpSpreadsheet is a library for reading 
and writing spreadsheet
        NOT-FOR-US: PhpSpreadsheet
 CVE-2026-35397 (Jupyter Server is the backend for Jupyter web applications. In 
version ...)
        - jupyter-server 2.20.0-1 (bug #1136022)
+       [trixie] - jupyter-server <no-dsa> (Minor issue)
        NOTE: 
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3
 CVE-2026-34596 (Sandboxie-Plus is an open source sandbox-based isolation 
software for  ...)
        NOT-FOR-US: Sandboxie-Plus
@@ -47011,6 +47022,7 @@ CVE-2025-66369 (An issue was discovered in MM in 
Samsung Mobile Processor, Weara
        NOT-FOR-US: Samsung
 CVE-2025-61669 (Jupyter Server is the backend for Jupyter web applications. In 
jupyter ...)
        - jupyter-server 2.20.0-1 (bug #1136022)
+       [trixie] - jupyter-server <no-dsa> (Minor issue)
        NOTE: 
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w
 CVE-2025-52206 (ISPConfig 3.3.0 is vulnerable to Cross Site Scripting (XSS) 
via the sy ...)
        NOT-FOR-US: ISPConfig
@@ -51889,6 +51901,7 @@ CVE-2026-41067 (Astro is a web framework. Prior to 
6.1.6, the defineScriptVars f
        NOT-FOR-US: Astro web framework
 CVE-2026-41066 (lxml is a library for processing XML and HTML in the Python 
language.  ...)
        - lxml 6.1.0-1
+       [trixie] - lxml <no-dsa> (Minor issue)
        NOTE: 
https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw
        NOTE: Fixed by: 
https://github.com/lxml/lxml/commit/ab431ea0b9a7357d968f1d1c5c614649e9aaf358 
(lxml-6.1.0)
        NOTE: https://bugs.launchpad.net/lxml/+bug/2146291
@@ -54898,6 +54911,7 @@ CVE-2026-34304 (Vulnerability in the MySQL Server 
product of Oracle MySQL (compo
 CVE-2026-34303 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
        - mysql-8.0 8.0.46-1 (bug #1134614)
        - mariadb 1:11.8.6-1
+       [trixie] - mariadb <no-dsa> (Minor issue)
        NOTE: Fixed in MariaDB: 12.2.2, 11.8.6, 11.4.10, 10.11.16
 CVE-2026-34302 (Vulnerability in the Oracle Workflow product of Oracle 
E-Business Suit ...)
        NOT-FOR-US: Oracle
@@ -63907,6 +63921,7 @@ CVE-2026-34052 (LTI JupyterHub Authenticator is a 
JupyterHub authenticator for L
        NOT-FOR-US: LTI JupyterHub Authenticator
 CVE-2026-33709 (JupyterHub is software that allows one to create a multi-user 
server f ...)
        - jupyterhub <unfixed> (bug #1132715)
+       [trixie] - jupyterhub <no-dsa> (Minor issue)
        NOTE: 
https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-3vff-hjqv-m7h8
 CVE-2026-33184 (nimiq/core-rs-albatross is a Rust implementation of the Nimiq 
Proof-of ...)
        NOT-FOR-US: nimiq/core-rs-albatross
@@ -81351,6 +81366,7 @@ CVE-2026-2376 (A flaw was found in mirror-registry 
where an authenticated user c
        NOT-FOR-US: mirror-registry for Quay
 CVE-2026-3494 (In MariaDB server version through 11.8.5, when server audit 
plugin is  ...)
        - mariadb 1:11.8.6-1
+       [trixie] - mariadb <no-dsa> (Minor issue)
        NOTE: 
https://github.com/MariaDB/server/commit/635559a2ad68a5a6d1a354e8209c58323dba0261
        NOTE: Fixed in MariaDB: 12.3.1, 12.2.2, 11.8.6, 11.4.10, 10.11.16, 
10.6.25
 CVE-2026-3484 (A vulnerability was detected in PhialsBasement nmap-mcp-server 
up to b ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source 
package.
 
+--
+389-ds-base
 --
 activemq
   probably best to move to latest 5.19 version
@@ -83,12 +85,17 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more 6.12.y versions
 --
+nats-server
+  maybe move to 2.12.2 if sufficiently backwards compatible
+--
 netty
 --
 nodejs
 --
 node-dompurify
 --
+opam
+--
 openexr
 --
 pacemaker
@@ -105,6 +112,9 @@ prometheus
 --
 py7zr
 --
+python-authlib
+  possibly move trixie to 1.6.12
+--
 python-httplib2
 --
 python-msgpack



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaca5000e4c13a10bd46fe9aa7c9341bf224fbff

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaca5000e4c13a10bd46fe9aa7c9341bf224fbff
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to