[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Apr 24 09:39:50 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
647b3f1f by Moritz Muehlenhoff at 2026-04-24T10:39:38+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1901,6 +1901,8 @@ CVE-2026-40903 (goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6
 	NOT-FOR-US: goshs
 CVE-2026-40895 (follow-redirects is an open source, drop-in replacement for Node's `ht ...)
 	- node-follow-redirects <unfixed> (bug #1134646)
+	[trixie] - node-follow-redirects <no-dsa> (Minor issue)
+	[bookworm] - node-follow-redirects <no-dsa> (Minor issue)
 	NOTE: https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653
 	NOTE: https://github.com/follow-redirects/follow-redirects/pull/284
 	NOTE: https://github.com/follow-redirects/follow-redirects/commit/844c4d302ac963d29bdb5dc1754ec7df3d70d7f9 (v1.16.0)
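Review bot: the two added `<no-dsa> (Minor issue)` lines for [trixie] and [bookworm] give no reason specific to this CVE, and the description in this hunk is truncated, so the triage rationale cannot be read from the entry. The NOTE lines point at a single upstream commit (tagged v1.16.0), so consider a short reason that says why the issue is minor, or a NOTE stating whether that commit is a candidate for a point release.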
@@ -2357,6 +2359,8 @@ CVE-2026-40608 (Next AI Draw.io is a next.js web application that integrates AI
 	NOT-FOR-US: Next.js
 CVE-2026-40606 (mitmproxy is a interactive TLS-capable intercepting HTTP proxy for pen ...)
 	- mitmproxy <unfixed> (bug #1134620)
+	[trixie] - mitmproxy <no-dsa> (Minor issue)
+	[bookworm] - mitmproxy <no-dsa> (Minor issue)
 	NOTE: https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-527g-3w9m-29hv
 	NOTE: https://github.com/mitmproxy/mitmproxy/commit/71c9234057922bc29b9734ec408d712113d294d2 (v12.2.2)
 CVE-2026-40604 (ClearanceKit intercepts file-system access events on macOS and enforce ...)
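Review bot: [trixie] and [bookworm] receive the same `<no-dsa>` annotation, but nothing in this entry records which mitmproxy versions contain the affected code; the only version reference is the fix commit (v12.2.2). If the older bookworm package predates the vulnerable code, `<not-affected>` would be the accurate tag there, so a NOTE with the introducing commit or version would make this decision checkable.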
@@ -9053,6 +9057,7 @@ CVE-2026-27144 (The compiler is meant to unwrap pointers which are the operands
 	- golang-1.25 1.25.9-1
 	- golang-1.24 <unfixed>
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
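Review bot: only `golang-1.19` gets a suite annotation here; the `- golang-1.24 <unfixed>` line directly above it is left with no per-suite status even though the commit is titled trixie/bookworm triage. If a stable suite ships golang-1.24, add its triage line in the same pass or note that a fix is planned; the same applies to the next two hunks (CVE-2026-27143, CVE-2026-27140), which repeat this pattern.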
@@ -9065,6 +9070,7 @@ CVE-2026-27143 (Arithmetic over induction variables in loops were not correctly
 	- golang-1.25 1.25.9-1
 	- golang-1.24 <unfixed>
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
@@ -9077,6 +9083,7 @@ CVE-2026-27140 (SWIG file names containing 'cgo' and well-crafted payloads could
 	- golang-1.25 1.25.9-1
 	- golang-1.24 <unfixed>
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU


=====================================
data/dsa-needed.txt
=====================================
@@ -57,6 +57,8 @@ linux (carnil)
 --
 mbedtls/oldstable
 --
+mimetex/oldstable
+--
 netty
 --
 nghttp2
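Review bot: `mimetex/oldstable` is added with no claimant and no note line, and none of the data/CVE/list hunks in this commit mention mimetex, so the issue that prompted the entry is not discoverable from the change. An indented note naming the CVE, as the pdfminer entry does with CVE-2025-64512, would help whoever picks it up.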
@@ -65,9 +67,9 @@ nodejs/oldstable
 --
 openjdk-17/oldstable (jmm)
 -
-openjdk-21/oldstable (jmm)
+openjdk-21/stable (jmm)
 -
-openjdk-25/oldstable (jmm)
+openjdk-25/stable (jmm)
 --
 opennds/oldstable
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
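Review bot: `openjdk-21` and `openjdk-25` are retagged from `/oldstable` to `/stable` by replacing the lines, so after this change nothing tracks either package for oldstable while `openjdk-17/oldstable` stays as is. If the earlier suite tag was simply wrong, say so in the commit message, which currently reads only "trixie/bookworm triage"; otherwise keep an oldstable entry alongside the new stable one.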
@@ -79,6 +81,8 @@ openvswitch
 pdfminer (carnil)
   Required followup for CVE-2025-64512 as original fix was incomplete.
 --
+pdns/stable
+--
 pdns-recursor/stable
 --
 php-laravel-framework/oldstable



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/647b3f1fbde51670e50b5da8e63d2322318557dd
