[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sat Apr 25 13:39:53 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
97d88124 by Moritz Muehlenhoff at 2026-04-25T14:39:46+02:00
bugnums
cleanup various bogus CVEs by the VulnCheck CNA
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -215,7 +215,7 @@ CVE-2026-38743 (The authenticated /ui/dagsendpoint did not enforce per-DAG acces
CVE-2026-33666 (Zserio is a framework for serializing structured data with a compact a ...)
NOT-FOR-US: Zserio
CVE-2026-33662 (OP-TEE is a Trusted Execution Environment (TEE) designed as companion ...)
- - optee-os <unfixed>
+ - optee-os <unfixed> (bug #1134896)
NOTE: https://github.com/OP-TEE/optee_os/security/advisories/GHSA-4cf8-v5g3-73gr
CVE-2026-33524 (Zserio is a framework for serializing structured data with a compact a ...)
NOT-FOR-US: Zserio
@@ -1024,13 +1024,13 @@ CVE-2026-41246 (Contour is a Kubernetes ingress controller using Envoy proxy. Fr
CVE-2026-41241 (pretalx is a conference planning tool. Prior to 2026.1.0, The organise ...)
NOT-FOR-US: pretalx
CVE-2026-41240 (DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathM ...)
- - node-dompurify <unfixed>
+ - node-dompurify <unfixed> (bug #1134892)
NOTE: https://github.com/cure53/DOMPurify/security/advisories/GHSA-h7mw-gpvr-xq4m
CVE-2026-41239 (DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathM ...)
- - node-dompurify <unfixed>
+ - node-dompurify <unfixed> (bug #1134892)
NOTE: https://github.com/cure53/DOMPurify/security/advisories/GHSA-crv5-9vww-q3g8
CVE-2026-41238 (DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathM ...)
- - node-dompurify <unfixed>
+ - node-dompurify <unfixed> (bug #1134892)
NOTE: https://github.com/cure53/DOMPurify/security/advisories/GHSA-v9jr-rg53-9pgp
CVE-2026-41213 (@node-oauth/oauth2-server is a module for implementing an OAuth2 serve ...)
NOT-FOR-US: node-oauth2-server
@@ -1283,7 +1283,7 @@ CVE-2026-40882 (OpenRemote is an open-source internet-of-things platform. Prior
CVE-2026-40529 (CMS ALAYA provided by KANATA Limited contains an SQL injection vulnera ...)
NOT-FOR-US: CMS ALAYA
CVE-2026-40517 (radare2 prior to 6.1.4 contains a command injection vulnerability in t ...)
- - radare2 <unfixed>
+ - radare2 <unfixed> (bug #1134893)
NOTE: https://github.com/radareorg/radare2/issues/25730
NOTE: https://github.com/radareorg/radare2/pull/25731
NOTE: Fixed by: https://github.com/radareorg/radare2/commit/0e38152560e689327a74d2944fa45ba7afd4cb33 (6.1.4)
@@ -2838,7 +2838,7 @@ CVE-2026-34284 (Vulnerability in the Oracle Business Process Management Suite pr
CVE-2026-34283 (Vulnerability in the Oracle Identity Manager product of Oracle Fusion ...)
NOT-FOR-US: Oracle
CVE-2026-34282 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...)
- - openjdk-11 <unfixed>
+ - openjdk-11 11.0.31+11-1
- openjdk-17 17.0.19+10-1
- openjdk-21 21.0.11+10-1
- openjdk-25 25.0.3+9-1
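Review bot: the commit message ("bugnums" / cleanup of bogus VulnCheck CVEs) does not cover this hunk, which is a status change rather than a bug-number addition: `- openjdk-11 <unfixed>` becomes `- openjdk-11 11.0.31+11-1` for CVE-2026-34282. That brings the entry in line with the other Java SE CVEs in this commit where openjdk-11 already carries 11.0.31+11-1 as context, but a one-line mention in the message ("mark CVE-2026-34282 fixed in openjdk-11 11.0.31+11-1") would make the change discoverable from the log.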
@@ -2870,7 +2870,7 @@ CVE-2026-34270 (Vulnerability in the MySQL Server product of Oracle MySQL (compo
CVE-2026-34269 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...)
NOT-FOR-US: Oracle
CVE-2026-34268 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...)
- - openjdk-8 <unfixed>
+ - openjdk-8 <unfixed> (bug #1134894)
- openjdk-11 11.0.31+11-1
- openjdk-17 17.0.19+10-1
- openjdk-21 21.0.11+10-1
@@ -2910,7 +2910,7 @@ CVE-2026-22746 (Vulnerability in Spring Spring Security. If an application is us
- libspring-security-2.0-java <removed>
NOTE: https://spring.io/security/cve-2026-22746
CVE-2026-22021 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...)
- - openjdk-8 <unfixed>
+ - openjdk-8 <unfixed> (bug #1134894)
- openjdk-11 11.0.31+11-1
- openjdk-17 17.0.19+10-1
- openjdk-21 21.0.11+10-1
@@ -2919,7 +2919,7 @@ CVE-2026-22021 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Ora
CVE-2026-22019 (Vulnerability in the PeopleSoft Enterprise HCM Shared Components produ ...)
NOT-FOR-US: Oracle
CVE-2026-22018 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...)
- - openjdk-8 <unfixed>
+ - openjdk-8 <unfixed> (bug #1134894)
- openjdk-11 11.0.31+11-1
- openjdk-17 17.0.19+10-1
- openjdk-21 21.0.11+10-1
@@ -2928,7 +2928,7 @@ CVE-2026-22018 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Ora
CVE-2026-22017 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- mysql-8.0 8.0.46-1 (bug #1134614)
CVE-2026-22016 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...)
- - openjdk-8 <unfixed>
+ - openjdk-8 <unfixed> (bug #1134894)
- openjdk-11 11.0.31+11-1
- openjdk-17 17.0.19+10-1
- openjdk-21 21.0.11+10-1
@@ -2939,7 +2939,7 @@ CVE-2026-22015 (Vulnerability in the MySQL Server product of Oracle MySQL (compo
CVE-2026-22014 (Vulnerability in the Oracle User Management product of Oracle E-Busine ...)
NOT-FOR-US: Oracle
CVE-2026-22013 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...)
- - openjdk-8 <unfixed>
+ - openjdk-8 <unfixed> (bug #1134894)
- openjdk-11 11.0.31+11-1
- openjdk-17 17.0.19+10-1
- openjdk-21 21.0.11+10-1
@@ -2955,7 +2955,7 @@ CVE-2026-22008 (Vulnerability in Oracle Java SE (component: Libraries). The su
- openjdk-25 25.0.3+9-1
NOTE: https://openjdk.org/groups/vulnerability/advisories/2026-04-21
CVE-2026-22007 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...)
- - openjdk-8 <unfixed>
+ - openjdk-8 <unfixed> (bug #1134894)
- openjdk-11 11.0.31+11-1
- openjdk-17 17.0.19+10-1
- openjdk-21 21.0.11+10-1
@@ -2968,7 +2968,7 @@ CVE-2026-22005 (Vulnerability in the MySQL Server product of Oracle MySQL (compo
CVE-2026-22004 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- mysql-8.0 8.0.46-1 (bug #1134614)
CVE-2026-22003 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...)
- - openjdk-8 <unfixed>
+ - openjdk-8 <unfixed> (bug #1134894)
CVE-2026-22002 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- mysql-8.0 8.0.46-1 (bug #1134614)
CVE-2026-22001 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
@@ -4604,7 +4604,7 @@ CVE-2026-6414 (@fastify/static versions 8.0.0 through 9.1.0 decode percent-encod
CVE-2026-6410 (@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when ...)
NOT-FOR-US: fastify/static
CVE-2026-6409 (A Denial of Service (DoS) vulnerability exists in the Protobuf PHP lib ...)
- - protobuf <unfixed>
+ - protobuf <unfixed> (bug #1134895)
[trixie] - protobuf <no-dsa> (Minor issue)
[bookworm] - protobuf <no-dsa> (Minor issue)
[bullseye] - protobuf <postponed> (minor issue)
@@ -14768,8 +14768,7 @@ CVE-2016-20043 (NRSS RSS Reader 0.3.9-1 contains a stack buffer overflow vulnera
CVE-2016-20042 (TRN 3.6-23 contains a stack buffer overflow vulnerability that allows ...)
- trn <removed>
CVE-2016-20041 (Yasr 0.6.9-5 contains a buffer overflow vulnerability that allows loca ...)
- - yasr <undetermined>
- NOTE: https://www.exploit-db.com/exploits/39734
+ NOTE: Bogus CVE assignment for yasr
CVE-2016-20040 (TiEmu 3.03-nogdb+dfsg-3 contains a buffer overflow vulnerability in th ...)
- tiemu <removed> (unimportant)
NOTE: https://www.exploit-db.com/exploits/39692
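Review bot: removing `- yasr <undetermined>` leaves CVE-2016-20041 with no package line at all, only the new `NOTE: Bogus CVE assignment for yasr`, so the entry no longer ties the CVE to the yasr source package and carries no state. Consider keeping the package line with an explicit state, for example `- yasr <not-affected> (Bogus CVE assignment)`, so the determination is recorded against the package rather than as free text; the same applies to the ytree and gsoap entries later in this commit. Dropping the exploit-db URL also removes the only pointer to what the CNA based the assignment on; retaining it in the NOTE keeps the "bogus" call auditable.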
@@ -14777,11 +14776,9 @@ CVE-2016-20040 (TiEmu 3.03-nogdb+dfsg-3 contains a buffer overflow vulnerability
CVE-2016-20039 (Multi Emulator Super System 0.154-3.1 contains a buffer overflow vulne ...)
NOT-FOR-US: Multi Emulator Super System
CVE-2016-20038 (yTree 1.94-1.1 contains a stack-based buffer overflow vulnerability th ...)
- - ytree <undetermined>
- NOTE: https://www.exploit-db.com/exploits/39406
+ NOTE: Bogus CVE assignment for yasr
CVE-2016-20037 (xwpe 1.5.30a-2.1 and prior contains a stack-based buffer overflow vuln ...)
- - xwpe <undetermined>
- NOTE: https://www.exploit-db.com/exploits/39285
+ NOTE: Bogus CVE assignment for xwpe
CVE-2026-3256 (HTTP::Session versions through 0.53 for Perl defaults to using insecur ...)
NOT-FOR-US: HTTP::Session Perl module
CVE-2025-15604 (Amon2 versions before 6.17 for Perl use an insecure random_string impl ...)
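Review bot: the new NOTE under CVE-2016-20038 names the wrong package: it reads `NOTE: Bogus CVE assignment for yasr`, but this is the yTree entry (source package ytree, per the removed `- ytree <undetermined>` line), and the yasr note already belongs to CVE-2016-20041 in the previous hunk. Change it to `NOTE: Bogus CVE assignment for ytree`, matching the `NOTE: Bogus CVE assignment for xwpe` line added just below it.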
@@ -34096,9 +34093,7 @@ CVE-2019-25357 (Control Center PRO 6.2.9 contains a stack-based buffer overflow
CVE-2019-25356 (Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer conta ...)
NOT-FOR-US: Bematech
CVE-2019-25355 (gSOAP 2.8 contains a directory traversal vulnerability that allows una ...)
- - gsoap <undetermined>
- NOTE: https://www.exploit-db.com/exploits/47653
- TODO: check upstream status
+ NOTE: Bogus CVE assignment for gsoap
CVE-2019-25354 (iSmartViewPro 1.3.34 contains a denial of service vulnerability that a ...)
NOT-FOR-US: iSmartViewPro
CVE-2019-25353 (Foscam Video Management System 1.1.4.9 contains a denial of service vu ...)
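Review bot: the `TODO: check upstream status` on CVE-2019-25355 is closed here by declaring the assignment bogus, but nothing in the entry records the basis for that conclusion (what the exploit-db report described versus what gsoap 2.8 actually does). Since the TODO was precisely about confirming upstream status, a short reason in the NOTE, and keeping the exploit-db URL alongside it, would let the next person re-verify without re-deriving the decision.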
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97d8812470914d0e3cd46e74de93053bae50b853