[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Apr 27 09:34:22 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c18b5919 by Moritz Muehlenhoff at 2026-04-27T10:33:56+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -389,10 +389,12 @@ CVE-2026-42254 (Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zon
 	NOTE: https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-83hf-93m4-rgwq
 CVE-2026-XXXX [RUSTSEC-2026-0109]
 	- rust-sequoia-git 0.6.0-1
+	[trixie] - rust-sequoia-git <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0109.html
 	NOTE: https://gitlab.com/sequoia-pgp/sequoia-git/-/commit/f9c9074bd80023456221f09c3c4ff19957ee9c58 (0.6.0)
 CVE-2026-XXXX [RUSTSEC-2026-0111]
 	- rust-diesel <unfixed> (bug #1134947)
+	[trixie] - rust-diesel <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0111.html
 	NOTE: https://github.com/diesel-rs/diesel/pull/5042
 CVE-2026-6912 (Improperly controlled modification of dynamically-determined object at ...)
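Review bot: The two added `[trixie]` lines (under RUSTSEC-2026-0109 and RUSTSEC-2026-0111) cover only trixie although the commit is titled trixie/bookworm triage, so nothing in this hunk records whether bookworm was checked for rust-sequoia-git or rust-diesel. If bookworm ships either package, add a matching `[bookworm]` line (`<no-dsa>` or `<not-affected>` with the reason) so the entry does not read as untriaged for that release.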
@@ -1246,6 +1248,7 @@ CVE-2026-40254 (FreeRDP is a free implementation of the Remote Desktop Protocol.
 	- freerdp3 3.25.0+dfsg-1
 	[trixie] - freerdp3 <no-dsa> (Minor issue)
 	- freerdp2 <removed>
+	[bookworm] - freerdp2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmx
 CVE-2026-40099 (Kirby is an open-source content management system. Kirby's user permis ...)
 	NOT-FOR-US: Kirby CMS
@@ -1704,12 +1707,14 @@ CVE-2026-35058
 	NOTE: Fixed by: https://github.com/OpenVPN/openvpn/commit/607e2fcb9cbcff785abfa372c7a59029767b5ed9 (v2.7.2)
 CVE-2026-5744 [hw/uefi: heap overflow]
 	- qemu 1:11.0.0+ds-1
+	[trixie] - qemu <no-dsa> (Minor issue)
 	[bookworm] - qemu <not-affected> (Vulnerable code introduced later)
 	[bullseye] - qemu <not-affected> (Vulnerable code introduced later)
 	NOTE: Introduced with: https://gitlab.com/qemu-project/qemu/-/commit/90ca4e03c27dc8ac821a2e1686e705ae9a93d301 (v10.0.0-rc0)
 	NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/af74c9e46bb55e2da042315a0c65666f59c61686 (v11.0.0-rc3)
 CVE-2026-5761 [virtio-blk: zone report buffer out-of-memory]
 	- qemu 1:11.0.0+ds-1
+	[trixie] - qemu <no-dsa> (Minor issue)
 	[bookworm] - qemu <not-affected> (Vulnerable code introduced later)
 	[bullseye] - qemu <not-affected> (Vulnerable code introduced later)
 	NOTE: Introduced with: https://gitlab.com/qemu-project/qemu/-/commit/4f7366506a96c862c796d4ea1913110d9c341e7d (v8.1.0-rc0)
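Review bot: On the added `[trixie] - qemu <no-dsa> (Minor issue)` line under CVE-2026-5744, the entry is titled as a heap overflow in hw/uefi and the NOTE dates the vulnerable code to v10.0.0-rc0, yet the annotation gives only the generic reason. State briefly why this memory-corruption bug does not warrant a DSA for trixie, either in the parenthetical or in an extra NOTE, so that someone selecting fixes for a point release can judge it without redoing the analysis. The same applies to the identical line added under CVE-2026-5761.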
@@ -7660,6 +7665,7 @@ CVE-2026-40023 (Apache Log4cxx's  XMLLayout https://logging.apache.org/log4cxx/1
 	NOTE: https://lists.apache.org/thread/y15cv3zblg3dfwr5vy6ddbnl4zyrzr8b
 CVE-2026-40021 (Apache Log4net's  XmlLayout https://logging.apache.org/log4net/manual/ ...)
 	- log4net <unfixed> (bug #1133360)
+	[trixie] - log4net <no-dsa> (Minor issue)
 	[bullseye] - log4net <postponed> (Minor issue)
 	NOTE: https://github.com/apache/logging-log4net/pull/280
 	NOTE: https://logging.apache.org/security.html#CVE-2026-40021
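Review bot: After the added `[trixie] - log4net <no-dsa> (Minor issue)` line, the CVE-2026-40021 entry is annotated for trixie and bullseye but not for bookworm, the release between them. Because the unstable line is `<unfixed>`, a log4net source package in bookworm would still show as open; if the package exists there, add a `[bookworm]` line with its status in the same change.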


=====================================
data/dsa-needed.txt
=====================================
@@ -22,7 +22,7 @@ corosync
 --
 cups
 --
-dnsdist/stable
+dnsdist/stable (jmm)
 --
 dovecot/oldstable
   Regression fix for #1134464
@@ -79,9 +79,9 @@ openvswitch
 pdfminer (carnil)
   Required followup for CVE-2025-64512 as original fix was incomplete.
 --
-pdns/stable
+pdns/stable (jmm)
 --
-pdns-recursor/stable
+pdns-recursor/stable (jmm)
 --
 php-laravel-framework/oldstable
 --
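Review bot: The `pdns/stable (jmm)` and `pdns-recursor/stable (jmm)` claims carry no indented note, whereas the `pdfminer (carnil)` entry just above them records what the update is for. A one-line note under each claim naming the CVEs or the planned fix would let other team members see the scope of the pending update without asking.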



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c18b5919cd2c76f3bd266af5e93ebfd6d3260569
