[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sat Apr 4 13:06:40 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
54ba70b2 by Moritz Muehlenhoff at 2026-04-04T14:05:39+02:00
trixie/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -20,6 +20,8 @@ CVE-2026-35468 (nimiq/core-rs-albatross is a Rust implementation of the Nimiq Pr
 	NOT-FOR-US: nimiq/core-rs-albatross
 CVE-2026-34990 (OpenPrinting CUPS is an open source printing system for Linux and othe ...)
 	- cups <unfixed>
+	[trixie] - cups <no-dsa> (Minor issue)
+	[bookworm] - cups <no-dsa> (Minor issue)
 	NOTE: https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp
 CVE-2026-34980 (OpenPrinting CUPS is an open source printing system for Linux and othe ...)
 	- cups <unfixed>
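Review bot: the `<no-dsa>` pair added under CVE-2026-34990 here, and the matching pair under CVE-2026-34978 in the next hunk, skip CVE-2026-34980 and CVE-2026-34979, which sit between them in the same CUPS batch and are not touched by this commit. If those two are deliberately left open for further triage, that is fine; otherwise they need their own [trixie] and [bookworm] lines so the four CUPS entries do not end up in mixed states.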
@@ -29,6 +31,8 @@ CVE-2026-34979 (OpenPrinting CUPS is an open source printing system for Linux an
 	NOTE: https://github.com/OpenPrinting/cups/security/advisories/GHSA-6qxf-7jx6-86fh
 CVE-2026-34978 (OpenPrinting CUPS is an open source printing system for Linux and othe ...)
 	- cups <unfixed>
+	[trixie] - cups <no-dsa> (Minor issue)
+	[bookworm] - cups <no-dsa> (Minor issue)
 	NOTE: https://github.com/OpenPrinting/cups/security/advisories/GHSA-f53q-7mxp-9gcr
 CVE-2026-34955 (PraisonAI is a multi-agent teams system. Prior to version 4.5.97, Subp ...)
 	NOT-FOR-US: PraisonAI
@@ -54,6 +58,8 @@ CVE-2026-34934 (PraisonAI is a multi-agent teams system. Prior to version 4.5.90
 	NOT-FOR-US: PraisonAI
 CVE-2026-34933 (Avahi is a system which facilitates service discovery on a local netwo ...)
 	- avahi <unfixed>
+	[trixie] - avahi <no-dsa> (Minor issue)
+	[bookworm] - avahi <no-dsa> (Minor issue)
 	NOTE: https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc
 	NOTE: https://github.com/avahi/avahi/pull/891
 	NOTE: Fixed by: https://github.com/avahi/avahi/commit/0be89b6bb5c3983837b5e0febcbbbf452ecf7675 (v0.9-rc4)
@@ -2611,13 +2617,15 @@ CVE-2026-32884 (Botan is a C++ cryptography library. Prior to version 3.11.0, du
 CVE-2026-32883 (Botan is a C++ cryptography library. From version 3.0.0 to before vers ...)
 	[experimental] - botan3 3.11.0+dfsg-1
 	- botan3 <unfixed>
-	- botan <removed>
+	- botan <not-affected> (Only affects Botan 3x)
 	NOTE: https://github.com/randombit/botan/security/advisories/GHSA-9j2j-hqmc-hf5x
+	NOTE: https://github.com/randombit/botan/commit/acbffadcede18b36eea42beae57e6cae4b4da4a0 (3.11.0)
 CVE-2026-32877 (Botan is a C++ cryptography library. From version 2.3.0 to before vers ...)
 	[experimental] - botan3 3.11.0+dfsg-1
 	- botan3 <unfixed>
 	- botan <removed>
 	NOTE: https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6
+	NOTE: https://github.com/randombit/botan/commit/f3c31f96f58f1d1d482032d8f4286dc9ebbc6712 (3.11.0)
 CVE-2026-32794 (Improper Certificate Validation vulnerability in Apache Airflow Provid ...)
 	NOT-FOR-US: Apache Airflow Provider for Databricks
 CVE-2026-32734 (baserCMS is a website development framework. Prior to version 5.2.3, b ...)
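Review bot: in the CVE-2026-32883 entry the reason "(Only affects Botan 3x)" should read "3.x", which also matches the "From version 3.0.0" range in the description line. The two added commit NOTE lines (under CVE-2026-32883 and CVE-2026-32877) carry only the URL and "(3.11.0)"; if these commits are the fixes, use the "NOTE: Fixed by:" prefix that the avahi, socket.io and libexif entries in this same diff use, so the fix reference reads the same across the file.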
@@ -7968,6 +7976,8 @@ CVE-2026-33154 (dynaconf is a configuration management tool for Python. Prior to
 	NOTE: Fixed by: https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7 (3.2.13)
 CVE-2026-33151 (Socket.IO is an open source, real-time, bidirectional, event-based, co ...)
 	- node-socket.io-parser 4.2.1+~3.1.0-4 (bug #1131477)
+	[trixie] - node-socket.io-parser <no-dsa> (Minor issue)
+	[bookworm] - node-socket.io-parser <no-dsa> (Minor issue)
 	NOTE: https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9
 	NOTE: Fixed by: https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78 (main)
 	NOTE: Fixed by: https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4 (socket.io-parser at 3.4.4)
@@ -10718,6 +10728,8 @@ CVE-2026-32776 (libexpat before 2.7.5 allows a NULL pointer dereference with emp
 	NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/5be25657583ea91b09025c858b4785834c20f59c
 CVE-2026-32775 (libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exif_ ...)
 	- libexif <unfixed> (bug #1131116)
+	[trixie] - libexif <no-dsa> (Minor issue)
+	[bookworm] - libexif <no-dsa> (Minor issue)
 	NOTE: https://github.com/libexif/libexif/issues/247
 	NOTE: Fixed by: https://github.com/libexif/libexif/commit/7df372e9d31d7c993a22b913c813a5f7ec4f3692
 CVE-2026-31386 (OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies c ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54ba70b21a24748bb58a0ccffa6ae17bb77caefe
