[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Apr 28 17:10:58 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
bccd3f94 by Moritz Muehlenhoff at 2026-04-28T18:06:43+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3843,12 +3843,16 @@ CVE-2026-34266 (Vulnerability in the PeopleSoft Enterprise HCM Absence Managemen
NOT-FOR-US: Oracle
CVE-2026-33813 (Parsing a WEBP image with an invalid, large size panics on 32-bit plat ...)
- golang-golang-x-image 0.39.0-1
+ [trixie] - golang-golang-x-image <no-dsa> (Minor issue)
+ [bookworm] - golang-golang-x-image <no-dsa> (Minor issue)
[bullseye] - golang-golang-x-image <no-dsa> (Limited support; minor issue)
NOTE: https://go-review.googlesource.com/c/image/+/759860
NOTE: https://github.com/golang/go/issues/78407
NOTE: Fixed by: https://github.com/golang/image/commit/96edba0fa84213a8c3cefe5d25fcc0a7c75b6a66 (v0.39.0)
CVE-2026-33812 (Parsing a malicious font file can cause excessive memory allocation.)
- golang-golang-x-image 0.39.0-1
+ [trixie] - golang-golang-x-image <no-dsa> (Minor issue)
+ [bookworm] - golang-golang-x-image <no-dsa> (Minor issue)
[bullseye] - golang-golang-x-image <no-dsa> (Limited support; minor issue)
NOTE: https://go-review.googlesource.com/c/image/+/761180
NOTE: https://github.com/golang/go/issues/78382
@@ -14738,6 +14742,8 @@ CVE-2026-34155 (RAUC controls the update process on embedded Linux systems. Prio
NOTE: Fixed by: https://github.com/rauc/rauc/commit/4fb7c798d6ae412344fb8f8d310d773046af3441 (v1.15.2)
CVE-2026-33762 (go-git is an extensible git implementation library written in pure Go. ...)
- golang-github-go-git-go-git 5.17.1-1 (bug #1132584)
+ [trixie] - golang-github-go-git-go-git <no-dsa> (Minor issue)
+ [bookworm] - golang-github-go-git-go-git <no-dsa> (Minor issue)
NOTE: https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8
CVE-2026-33581 (OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in t ...)
NOT-FOR-US: OpenClaw
@@ -16682,6 +16688,8 @@ CVE-2026-33535 (ImageMagick is free and open-source software used for editing an
NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/3bdfa6a73a6c0ba5f2d0986cd2a1892c37f796f3 (6.9.13-43)
CVE-2026-33532 (`yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML ...)
- node-yaml 2.8.3+~cs0.4.0-1 (bug #1132040)
+ [trixie] - node-yaml <no-dsa> (Minor issue)
+ [bookworm] - node-yaml <no-dsa> (Minor issue)
[bullseye] - node-yaml <postponed> (minor issue; DoS)
NOTE: https://github.com/eemeli/yaml/security/advisories/GHSA-48c2-rrv3-qjmp
NOTE: Fixed by: https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b (v2.8.3)
@@ -17309,6 +17317,8 @@ CVE-2026-34085 (fontconfig before 2.17.1 has an off-by-one error in allocation d
NOTE: Introduced by: https://gitlab.freedesktop.org/fontconfig/fontconfig/-/commit/bf3fbad0ffa955a63bc7b515da002d363cf4d5fc (2.17.0)
CVE-2026-33809 (A maliciously crafted TIFF file can cause image decoding to attempt to ...)
- golang-golang-x-image 0.38.0-1
+ [trixie] - golang-golang-x-image <no-dsa> (Minor issue)
+ [bookworm] - golang-golang-x-image <no-dsa> (Minor issue)
[bullseye] - golang-golang-x-image <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/78267
NOTE: Fixed by: https://github.com/golang/image/commit/23ae9ed61c1d3343fb95015810f62dcbf444976e (v0.38.0)
@@ -73257,6 +73267,8 @@ CVE-2025-4619 (A denial-of-service (DoS) vulnerability in Palo Alto Networks PAN
NOT-FOR-US: Palo Alto Networks
CVE-2025-47913 (SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed respons ...)
- golang-go.crypto 1:0.43.0-1
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
+ [bookworm] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
NOTE: https://github.com/advisories/GHSA-56w8-48fp-6mgv
NOTE: https://go-review.googlesource.com/c/crypto/+/700295
=====================================
data/dsa-needed.txt
=====================================
@@ -109,3 +109,5 @@ tomcat10 (apo)
--
tomcat11/stable (apo)
--
+xrdp
+--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bccd3f9480f6f1f9129368b2f900af9b8892e8af
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bccd3f9480f6f1f9129368b2f900af9b8892e8af
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260428/fc9a425d/attachment.htm>
More information about the debian-security-tracker-commits
mailing list