[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Apr 27 21:09:44 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
84295507 by Moritz Muehlenhoff at 2026-04-27T22:09:35+02:00
trixie/bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -683,6 +683,8 @@ CVE-2026-42033 (Axios is a promise based HTTP client for the browser and Node.js
NOTE: https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf
CVE-2026-41907 (uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to ...)
- node-uuid 14.0.0+~11.0.0-1
+ [trixie] - node-uuid <no-dsa> (Minor issue)
+ [bookworm] - node-uuid <no-dsa> (Minor issue)
NOTE: https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq
NOTE: Fixed by: https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34 (v14.0.0)
NOTE: Duplicate with CVE-2026-41988 (CNA contacted)
@@ -1606,6 +1608,8 @@ CVE-2026-33076 (Roxy-WI is a web interface for managing Haproxy, Nginx, Apache a
NOT-FOR-US: Roxy-WI
CVE-2026-32952 (go-ntlmssp is a Go package that provides NTLM/Negotiate authentication ...)
- golang-github-azure-go-ntlmssp <unfixed>
+ [trixie] - golang-github-azure-go-ntlmssp <no-dsa> (Minor issue)
+ [bookworm] - golang-github-azure-go-ntlmssp <no-dsa> (Minor issue)
NOTE: https://github.com/Azure/go-ntlmssp/security/advisories/GHSA-pjcq-xvwq-hhpj
CVE-2026-32870 (Kirby is an open-source content management system. Kirby's `Xml::value ...)
NOT-FOR-US: Kirby CMS
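Review bot: the golang-github-azure-go-ntlmssp package line stays `<unfixed>` with no Debian bug reference and no `Fixed by:` NOTE, so the new `<no-dsa>` tags for trixie and bookworm are not traceable to a tracked fix; other entries in this commit record a `(bug #...)` on the `<unfixed>` line (for example `golang-opentelemetry-otel <unfixed> (bug #1133077)`), and the same here would let the tags be revisited once a fix lands.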
@@ -1861,6 +1865,8 @@ CVE-2026-4049
REJECTED
CVE-2026-41988 (uuid before 14.0.0 can make unexpected writes when external output buf ...)
- node-uuid 14.0.0+~11.0.0-1
+ [trixie] - node-uuid <no-dsa> (Minor issue)
+ [bookworm] - node-uuid <no-dsa> (Minor issue)
NOTE: https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq
NOTE: Fixed by: https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34 (v14.0.0)
CVE-2026-41679 (Paperclip is a Node.js server and React UI that orchestrates a team of ...)
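Review bot: CVE-2026-41988 gets the same `<no-dsa>` tags and the same advisory and `Fixed by:` NOTEs as CVE-2026-41907, but only CVE-2026-41907 carries the `Duplicate with ... (CNA contacted)` NOTE; adding `NOTE: Duplicate with CVE-2026-41907 (CNA contacted)` to this entry keeps the cross-reference bidirectional so whichever ID is later rejected can be reconciled from either side.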
@@ -5000,6 +5006,8 @@ CVE-2026-1559 (The Youzify plugin for WordPress is vulnerable to Stored Cross-Si
CVE-2025-54505 (A transient execution vulnerability within AMD CPUs may allow a local ...)
- linux 6.19.13-1
- xen <unfixed>
+ [trixie] - xen <no-dsa> (Minor issue)
+ [bookworm] - xen <no-dsa> (Minor issue)
[bullseye] - xen <end-of-life> (not supported under bullseye)
NOTE: AMD CPU HW issue:
NOTE: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7053.html
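Review bot: the `xen <unfixed>` line receives `<no-dsa>` tags for trixie and bookworm, but the only NOTE is the AMD bulletin; with neither a bug number on the `<unfixed>` line nor a `Fixed by:` reference for xen, a reader cannot tell whether a xen-side fix is pending or whether the issue is treated as resolved by the `linux 6.19.13-1` line alone, so a short NOTE stating which applies would make the Minor issue rating self-explanatory.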
@@ -6048,6 +6056,8 @@ CVE-2026-5397 (It has been identified that a vulnerability (CWE-427) exists in t
NOT-FOR-US: OMRON
CVE-2026-5160 (Versions of the package github.com/yuin/goldmark/renderer/html before ...)
- golang-github-yuin-goldmark 1.8.2-1
+ [trixie] - golang-github-yuin-goldmark <no-dsa> (Minor issue)
+ [bookworm] - golang-github-yuin-goldmark <no-dsa> (Minor issue)
[bullseye] - golang-github-yuin-goldmark <ignored> (Out of security support for bullseye)
NOTE: Fixed by: https://github.com/yuin/goldmark/commit/cb46bbc4eca29d55aa9721e04ad207c23ccc44f9 (v1.7.17)
CVE-2026-4812 (The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to ...)
@@ -9550,6 +9560,8 @@ CVE-2026-39883 (OpenTelemetry-Go is the Go implementation of OpenTelemetry. From
NOTE: https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx
CVE-2026-39882 (OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1 ...)
- golang-opentelemetry-otel <unfixed> (bug #1133077)
+ [trixie] - golang-opentelemetry-otel <no-dsa> (Minor issue)
+ [bookworm] - golang-opentelemetry-otel <no-dsa> (Minor issue)
NOTE: https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58
NOTE: https://github.com/open-telemetry/opentelemetry-go/pull/8108
NOTE: Fixed by: https://github.com/open-telemetry/opentelemetry-go/commit/5e363de517dba6db62736b2f5cdef0e0929b4cd0 (v1.43.0)
@@ -15667,7 +15679,6 @@ CVE-2026-34362 (WWBN AVideo is an open source video platform. In versions up to
NOT-FOR-US: WWBN AVideo
CVE-2026-34353 (In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, ...)
- ocaml 5.2.0-1
- [trixie] - ocaml <no-dsa> (Minor issue)
[bookworm] - ocaml <no-dsa> (Minor issue)
NOTE: https://github.com/ocaml/ocaml/issues/14655
NOTE: Fixed as side effect in: https://github.com/ocaml/ocaml/pull/11022
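Review bot: this hunk removes the `[trixie] - ocaml <no-dsa> (Minor issue)` line while leaving the bookworm one, and nothing in the commit message or the NOTEs says why; if the intent is that trixie already meets the `ocaml 5.2.0-1` fixed version recorded on the package line, a NOTE saying so would document the change, otherwise trixie is now left without any annotation for this CVE.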
@@ -30399,6 +30410,8 @@ CVE-2026-28370 (In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0,
CVE-2026-28364 (In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Mar ...)
[experimental] - ocaml 5.4.1-1~exp1
- ocaml <unfixed> (bug #1129317)
+ [trixie] - ocaml <no-dsa> (Minor issue)
+ [bookworm] - ocaml <no-dsa> (Minor issue)
NOTE: https://osv.dev/vulnerability/OSEC-2026-01
NOTE: Fixed by: https://github.com/ocaml/ocaml/commit/e3919fef436f89271bc30bbe8592851f7289fb68 (5.4.1)
NOTE: Fixed by: https://github.com/ocaml/ocaml/commit/b0a2614684a52acded784ec213f14ddfe085d146 (4.13.3)
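Review bot: the second `Fixed by:` NOTE labels the 4.x backport commit as `(4.13.3)`, while the entry's own description says "In OCaml before 4.14.3 and 5.x before 5.4.1"; one of the two version strings looks like a typo and is worth checking against the upstream commit, since the version label is what the trixie/bookworm `<no-dsa>` assessment will be compared against.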
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/842955078adf725a07458ba352d54ebf665b056e