[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sun Apr 5 23:56:14 BST 2026 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
802ccdb5 by Moritz Muehlenhoff at 2026-04-06T00:55:37+02:00
trixie/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -11860,11 +11860,14 @@ CVE-2026-2890 (The Formidable Forms plugin for WordPress is vulnerable to a paym
 	NOT-FOR-US: WordPress plugin
 CVE-2026-2581 (This is an uncontrolled resource consumption vulnerability (CWE-400) t ...)
 	- node-undici 7.24.5+dfsg+~cs3.2.0-1 (bug #1130885)
+	[trixie] - node-undici <no-dsa> (Minor issue)
 	[bookworm] - node-undici <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h
 	NOTE: https://github.com/nodejs/undici/commit/5890c7b7076894d00402f0c23c0fe72e59c72ff4 (v7.24.0)
 CVE-2026-2229 (ImpactThe undici WebSocket client is vulnerable to a denial-of-service ...)
 	- node-undici 7.24.5+dfsg+~cs3.2.0-1 (bug #1130884)
+	[trixie] - node-undici <no-dsa> (Minor issue)
+	[bookworm] - node-undici <no-dsa> (Minor issue)
 	NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
 	NOTE: https://github.com/nodejs/undici/commit/e9e2997ed18bff6ae389712d5f0e169f8a6546a0 (v6.24.0)
 	NOTE: https://github.com/nodejs/undici/commit/cb79c5704ac47e42ce01a72269994fc70e377536 (v7.24.0)
@@ -33670,9 +33673,9 @@ CVE-2025-13465 (Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototyp
 CVE-2025-12781 (When passing data to the b64decode(), standard_b64decode(), and urlsaf ...)
 	- python3.14 <unfixed>
 	- python3.13 <unfixed>
-	[trixie] - python3.13 <no-dsa> (Minor issue)
+	[trixie] - python3.13 <ignored> (Not backported to older Python releases due to compat concerns)
 	- python3.11 <removed>
-	[bookworm] - python3.11 <no-dsa> (Minor issue)
+	[bookworm] - python3.11 <ignored> (Not backported to older Python releases due to compat concerns)
 	- python3.9 <removed>
 	[bullseye] - python3.9 <ignored> (Minor issue, no fix, only additional warnings)
 	- pypy3 <unfixed>
@@ -34074,9 +34077,9 @@ CVE-2025-15367 (The poplib module, when passed a user-controlled command, can ha
 	{DLA-4455-1}
 	- python3.14 <unfixed>
 	- python3.13 <unfixed>
-	[trixie] - python3.13 <no-dsa> (Minor issue)
+	[trixie] - python3.13 <ignored> (Not backported to older Python releases due to compat concerns)
 	- python3.11 <removed>
-	[bookworm] - python3.11 <no-dsa> (Minor issue)
+	[bookworm] - python3.11 <ignored> (Not backported to older Python releases due to compat concerns)
 	- python3.9 <removed>
 	- pypy3 <unfixed>
 	[trixie] - pypy3 <no-dsa> (Minor issue)
@@ -34097,9 +34100,9 @@ CVE-2025-15366 (The imaplib module, when passed a user-controlled command, can h
 	{DLA-4455-1}
 	- python3.14 <unfixed>
 	- python3.13 <unfixed>
-	[trixie] - python3.13 <no-dsa> (Minor issue)
+	[trixie] - python3.13 <ignored> (Not backported to older Python releases due to compat concerns)
 	- python3.11 <removed>
-	[bookworm] - python3.11 <no-dsa> (Minor issue)
+	[bookworm] - python3.11 <ignored> (Not backported to older Python releases due to compat concerns)
 	- python3.9 <removed>
 	- pypy3 <unfixed>
 	[trixie] - pypy3 <no-dsa> (Minor issue)
@@ -56450,6 +56453,7 @@ CVE-2025-12084 (When building nested elements using xml.dom.minidom methods such
 	NOTE: Fixed by: https://github.com/python/cpython/commit/a46c10ec9d4050ab67b8a932e0859a2ea60c3cb8 (v3.11.15)
 	NOTE: Regression: https://github.com/python/cpython/issues/142754
 	NOTE: Regression: https://github.com/python/cpython/commit/1cc7551b3f9f71efbc88d96dce90f82de98b2454 (v3.15.0a3)
+	NOTE: Regression: https://github.com/python/cpython/commit/86747f1a1a7b4f0ea2d47fe94b841c224bae5073 (v3.13.12)
 CVE-2024-3884 (A flaw was found in Undertow that can cause remote denial of service a ...)
 	- undertow <unfixed> (bug #1123001)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2275287



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/802ccdb5ad845f1f1aca4e52a932a7bb469ece5f

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/802ccdb5ad845f1f1aca4e52a932a7bb469ece5f
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260405/df8ff59b/attachment.htm>

More information about the debian-security-tracker-commits mailing list