[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Apr 23 16:36:15 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
417f481e by Moritz Muehlenhoff at 2026-04-23T17:36:00+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -8,6 +8,8 @@ CVE-2026-22020 [updated libpng in Oracle Java]
 	- openjdk-25 <not-affected> (Specific to Oracle binary distribution, Debian uses system libpng)
 CVE-2026-41163 [Privilege escalation if setuid root, via ptrace]
 	- bubblewrap <unfixed> (bug #1134704)
+	[trixie] - bubblewrap <no-dsa> (Minor issue)
+	[bookworm] - bubblewrap <no-dsa> (Minor issue)
 CVE-2026-41564
 	- libcryptx-perl 0.087-2
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/39209500/
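Review bot: the [trixie] and [bookworm] <no-dsa> lines for CVE-2026-41163 give only "Minor issue" as the rationale, although the entry title itself makes the impact conditional ("Privilege escalation if setuid root, via ptrace"). Record that condition in the parenthesised rationale so the triage is self-explaining later, e.g. `[trixie] - bubblewrap <no-dsa> (Minor issue; only relevant when the binary is installed setuid root)`, and leave the unstable line with its bug #1134704 reference unchanged.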
@@ -20,7 +22,9 @@ CVE-2026-6874 (A vulnerability was determined in ericc-ch copilot-api up to 0.7.
 CVE-2026-6019 (http.cookies.Morsel.js_output() returns an inline <script> snippet and ...)
 	- python3.14 <unfixed>
 	- python3.13 <unfixed>
+	[trixie] - python3.13 <no-dsa> (Minor issue)
 	- python3.11 <removed>
+	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
 	- pypy3 <unfixed>
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/
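Review bot: pypy3 stays <unfixed> in this hunk without a matching [trixie]/[bookworm] line, while python3.13 and python3.11 receive <no-dsa> (Minor issue) entries for the same CVE-2026-6019. If the omission is deliberate (pypy3 not shipped in those suites, or to be handled separately) that is fine, otherwise add the same suite annotations so the triage of this CVE is complete in one change rather than split across commits.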
@@ -225,15 +229,21 @@ CVE-2026-5761 [virtio-blk: zone report buffer out-of-memory]
 	NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/4913ae36f9796c55d434dcbfa6bdb9ebb3e5e4b1 (v11.0.0-rc4)
 CVE-2026-5763 [virtio-scsi request size mismatch]
 	- qemu 1:11.0.0+ds-1
+	[trixie] - qemu <no-dsa> (Minor issue)
+	[bookworm] - qemu <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/79971302935472232a68073faddb085177e3ca54 (v11.0.0-rc3)
 CVE-2026-3890 [hcd-ohci: infinite loop]
 	- qemu 1:11.0.0+ds-1
+	[trixie] - qemu <no-dsa> (Minor issue)
+	[bookworm] - qemu <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/129922c2bc398b656a9180150e667f98fdf0d402 (v11.0.0-rc1)
 CVE-2026-6862 (A flaw was found in libefiboot, a component of efivar. The device path ...)
 	- efivar <unfixed> (bug #1134691)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2459982
 CVE-2026-6861 (A flaw was found in GNU Emacs. This vulnerability, a memory corruption ...)
 	- emacs <unfixed> (bug #1134692)
+	[trixie] - emacs <no-dsa> (Minor issue)
+	[bookworm] - emacs <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2459992
 	NOTE: https://debbugs.gnu.org/80851
 	NOTE: Fixed by: https://cgit.git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-30&id=8f535370b9efbc91673b20c6987a5cae4f6dc562
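Review bot: CVE-2026-6862 (efivar <unfixed>, bug #1134691) sits between the qemu and emacs entries that all get [trixie]/[bookworm] <no-dsa> lines in this hunk, yet receives no suite annotation of its own. Either add the matching annotations or a NOTE stating that triage is still pending, so the gap is not later mistaken for an oversight.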
@@ -1932,6 +1942,8 @@ CVE-2026-40613 (Coturn is a free open source implementation of TURN and STUN Ser
 	NOTE: Fixed by: https://github.com/coturn/coturn/commit/eaa9e7920e98cd10d24ade07f474ddb4e05dc1ea (4.10.0)
 CVE-2026-40611 (Let's Encrypt client and ACME library written in Go (Lego). Prior to 4 ...)
 	- golang-github-xenolf-lego <unfixed> (bug #1134643)
+	[trixie] - golang-github-xenolf-lego <no-dsa> (Minor issue)
+	[bookworm] - golang-github-xenolf-lego <no-dsa> (Minor issue)
 	NOTE: https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8
 CVE-2026-40608 (Next AI Draw.io is a next.js web application that integrates AI capabi ...)
 	NOT-FOR-US: Next.js
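Review bot: the golang-github-xenolf-lego entry for CVE-2026-40611 is now marked <no-dsa> for both suites but records only the GHSA link, with the description truncated at "Prior to 4 ..." and no fixed upstream version or "Fixed by:" commit, unlike the neighbouring coturn entry. Add a NOTE with the upstream fixed version and fix commit once identified, since the no-dsa decision will need that reference when the stable update is eventually prepared.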
@@ -11988,6 +12000,8 @@ CVE-2026-28265 (PowerStore, contains a Path Traversal vulnerability in the Servi
 	NOT-FOR-US: Dell / EMC
 CVE-2026-27489 (Open Neural Network Exchange (ONNX) is an open standard for machine le ...)
 	- onnx <unfixed> (bug #1133190)
+	[trixie] - onnx <no-dsa> (Minor issue)
+	[bookworm] - onnx <no-dsa> (Minor issue)
 	NOTE: https://github.com/onnx/onnx/security/advisories/GHSA-3r9x-f23j-gc73
 	NOTE: Fixed by: https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb
 CVE-2026-27101 (Dell Secure Connect Gateway (SCG) 5.0 Appliance and Application versio ...)
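Review bot: the onnx "Fixed by:" NOTE for CVE-2026-27489 names the commit but not the upstream release containing it, whereas the qemu and coturn entries record the version in parentheses after the commit URL. Append the release in the same style so the [trixie]/[bookworm] <no-dsa> lines can be reconciled against the upstream version later without re-reading the advisory.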


=====================================
data/dsa-needed.txt
=====================================
@@ -74,6 +74,8 @@ openvswitch
 pdfminer (carnil)
   Required followup for CVE-2025-64512 as original fix was incomplete.
 --
+pdns-recursor/stable
+--
 php-laravel-framework/oldstable
 --
 python-aiohttp
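Review bot: the new pdns-recursor/stable entry carries neither an assignee nor a note saying which CVE it is needed for, unlike the neighbouring pdfminer (carnil) entry with its indented follow-up explanation. Add a one-line indented note naming the CVE id(s) it covers, in the same style as the pdfminer entry, so whoever picks it up does not have to search data/CVE/list first.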



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/417f481ea72314df6a5ce1e3eaec49bcdad3adc8


