[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Apr 27 10:59:00 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a447bf99 by Moritz Muehlenhoff at 2026-04-27T11:53:30+02:00
trixie/bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1731,6 +1731,8 @@ CVE-2026-3890 [hcd-ohci: infinite loop]
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/129922c2bc398b656a9180150e667f98fdf0d402 (v11.0.0-rc1)
CVE-2026-6862 (A flaw was found in libefiboot, a component of efivar. The device path ...)
- efivar <unfixed> (bug #1134691)
+ [trixie] - efivar <no-dsa> (Minor issue)
+ [bookworm] - efivar <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2459982
CVE-2026-6861 (A flaw was found in GNU Emacs. This vulnerability, a memory corruption ...)
- emacs <unfixed> (bug #1134692)
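Review bot: the new [trixie] and [bookworm] efivar lines give only the generic reason "Minor issue", and the entry records no upstream fix: unstable is still <unfixed> (bug #1134691) and the only NOTE is the Red Hat Bugzilla link. Suggest adding a NOTE that says why the libefiboot device path flaw is minor for these releases, and a "Fixed by:" reference once an upstream commit exists, so a later point-release update has something to backport from.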
@@ -18266,6 +18268,7 @@ CVE-2026-3836
CVE-2026-21717 (A flaw in V8's string hashing mechanism causes integer-like strings to ...)
{DSA-6183-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
+ [bookworm] - nodejs <ignored> (Too intrusive to backport)
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#hashdos-in-v8-cve-2026-21717---medium
NOTE: Fixed by: https://github.com/nodejs/node/commit/af5c144ebcf9814ef5dc74555bbdcd2a4cb20a12 (v20.20.2)
CVE-2026-21716 (An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and ` ...)
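Review bot: the new "[bookworm] - nodejs <ignored> (Too intrusive to backport)" line sits directly under {DSA-6183-1}, so a reader can take the DSA to cover bookworm as well. A short NOTE stating which release the DSA addressed, and what makes the V8 string hashing change intrusive for bookworm (the only "Fixed by:" reference recorded is the v20.20.2 commit), would keep the decision reviewable later, since <ignored> leaves the HashDoS open there for the life of the release.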
@@ -18969,6 +18972,8 @@ CVE-2026-4739 (Integer Overflow or Wraparound vulnerability in InsightSoftwareCo
NOTE: and uses the system library.
CVE-2026-4738 (Improper Restriction of Operations within the Bounds of a Memory Buffe ...)
- gdal 3.11.3+dfsg-1
+ [trixie] - gdal <no-dsa> (Minor issue)
+ [bookworm] - gdal <no-dsa> (Minor issue)
NOTE: https://github.com/OSGeo/gdal/pull/12244
NOTE: https://github.com/OSGeo/gdal/commit/7f3406edd992fa4afe3a638371860d9a4104db04 (v3.11.0RC1)
NOTE: Issue for the gdal use of an embedded zlib copy vulnerable to CVE-2016-9840.
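Review bot: the two <no-dsa> lines for gdal treat trixie and bookworm as affected, yet the last NOTE of the entry says the issue is gdal's use of an embedded zlib copy vulnerable to CVE-2016-9840. If the Debian builds in those releases link the system zlib, <not-affected> with that reason would be the more accurate status; if they do use the embedded copy, a NOTE saying so would justify the <no-dsa> (Minor issue) marking.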
@@ -20126,9 +20131,11 @@ CVE-2026-33156 (ScreenToGif is a screen recording tool. In versions from 2.42.1
NOT-FOR-US: ScreenToGif
CVE-2026-33155 (DeepDiff is a project focused on Deep Difference and search of any Pyt ...)
- deepdiff <unfixed> (bug #1131472)
+ [trixie] - deepdiff <no-dsa> (Minor issue)
+ [bookworm] - deepdiff <no-dsa> (Minor issue)
[bullseye] - deepdiff <not-affected> (Vulnerable code introduced in 5.0.0)
NOTE: https://github.com/qlustered/deepdiff/security/advisories/GHSA-54jj-px8x-5w5q
- NOTE: Fixed by: https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb
+ NOTE: Fixed by: https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb (8.6.2)
CVE-2026-33154 (dynaconf is a configuration management tool for Python. Prior to versi ...)
- python-dynaconf 3.2.13-1 (bug #1131476)
NOTE: https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p
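Review bot: the replaced "Fixed by:" NOTE in the CVE-2026-33155 entry, which gains "(8.6.2)", is an upstream-version annotation rather than trixie/bookworm triage, and the commit message does not mention it. Mentioning it in the message (or committing it separately) would make the history of that NOTE easier to find; it is also worth confirming against bug #1131472 that unstable has not yet picked up 8.6.2, since the first line of the entry still reads <unfixed>.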
@@ -98247,6 +98254,8 @@ CVE-2025-58369 (fs2 is a compositional, streaming I/O library for Scala. Version
NOT-FOR-US: fs2 compositional, streaming I/O library for Scala
CVE-2025-58367 (DeepDiff is a project focused on Deep Difference and search of any Pyt ...)
- deepdiff 8.6.1-1
+ [trixie] - deepdiff <no-dsa> (Minor issue)
+ [bookworm] - deepdiff <no-dsa> (Minor issue)
[bullseye] - deepdiff <not-affected> (Vulnerable code introduced in 5.0.0)
NOTE: https://github.com/qlustered/deepdiff/security/advisories/GHSA-mw26-5g2v-hqw3
NOTE: Fixed by: https://github.com/qlustered/deepdiff/commit/c69c06c13f75e849c770ade3f556cd16209fd183 (8.6.1)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a447bf993d9f10975006b2bbb882020b26e8121b