[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Feb 13 13:04:00 GMT 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4875c352 by Moritz Muehlenhoff at 2026-02-13T14:03:46+01:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -316,6 +316,8 @@ CVE-2026-26080 [BUG/MAJOR: quic: fix parsing frame type]
NOTE: Fixed by: https://git.haproxy.org/?p=haproxy-3.2.git;a=commit;h=5bb098ce8a656ec5711b4de3e4c87f12b216e7a1 (v3.2.12)
CVE-2026-2391 (### Summary The `arrayLimit` option in qs does not enforce limits for ...)
- node-qs <unfixed>
+ [trixie] - node-qs <no-dsa> (Minor issue)
+ [bookworm] - node-qs <no-dsa> (Minor issue)
NOTE: https://github.com/ljharb/qs/security/advisories/GHSA-w7fw-mjwx-w883
NOTE: Fixed by: https://github.com/ljharb/qs/commit/f6a7abff1f13d644db9b05fe4f2c98ada6bf8482 (v6.14.2)
CVE-2026-2327 (Versions of the package markdown-it from 13.0.0 and before 14.1.1 are ...)
@@ -331,9 +333,13 @@ CVE-2026-26215 (manga-image-translator versionbeta-0.3 and prior in shared API m
NOT-FOR-US: manga-image-translator
CVE-2026-26158 (A flaw was found in BusyBox. This vulnerability allows an attacker to ...)
- busybox <unfixed> (bug #1127782)
+ [trixie] - busybox <no-dsa> (Minor issue)
+ [bookworm] - busybox <no-dsa> (Minor issue)
NOTE: https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb
CVE-2026-26157 (A flaw was found in BusyBox. Incomplete path sanitization in its archi ...)
- busybox <unfixed> (bug #1127782)
+ [trixie] - busybox <no-dsa> (Minor issue)
+ [bookworm] - busybox <no-dsa> (Minor issue)
NOTE: https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb
CVE-2026-26092
REJECTED
@@ -676,7 +682,11 @@ CVE-2026-25990 (Pillow is a Python imaging library. From 10.3.0 to before 12.1.1
TODO: check where introduced, GHSA-cfh3-3jmp-rvhc claims only >= 10.3.0 are affected
CVE-2026-2369
- libsoup3 <unfixed>
+ [trixie] - libsoup3 <no-dsa> (Minor issue)
+ [bookworm] - libsoup3 <no-dsa> (Minor issue)
- libsoup2.4 <removed>
+ [trixie] - libsoup2.4 <no-dsa> (Minor issue)
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/498
NOTE: Issue introduced by the fix for CVE-2025-32052
NOTE: Introduced with: https://gitlab.gnome.org/GNOME/libsoup/-/commit/a5b86bfc9405e01f12a975ae6898b1ce6a870e11
@@ -998,25 +1008,35 @@ CVE-2018-25157 (Phraseanet 4.0.3 contains a stored cross-site scripting vulnerab
NOT-FOR-US: Phraseanet
CVE-2026-0968 [Denial of Service due to malformed SFTP message]
- libssh <unfixed> (bug #1127693)
+ [trixie] - libssh <no-dsa> (Minor issue)
+ [bookworm] - libssh <no-dsa> (Minor issue)
NOTE: https://www.libssh.org/security/advisories/CVE-2026-0968.txt
NOTE: Tests: https://git.libssh.org/projects/libssh.git/commit/?id=212121971fb26e1e00b72bd5402c0454a4d84c03 (libssh-0.11.4)
NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=796d85f786dff62bd4bcc4408d9b7bbc855841e9 (libssh-0.11.4)
CVE-2026-0967 [Denial of Service via inefficient regular expression processing]
- libssh <unfixed> (bug #1127693)
+ [trixie] - libssh <no-dsa> (Minor issue)
+ [bookworm] - libssh <no-dsa> (Minor issue)
NOTE: https://www.libssh.org/security/advisories/CVE-2026-0967.txt
NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=6d74aa6138895b3662bade9bd578338b0c4f8a15 (libssh-0.11.4)
CVE-2026-0966 [Buffer underflow in ssh_get_hexa() on invalid input]
- libssh <unfixed> (bug #1127693)
+ [trixie] - libssh <no-dsa> (Minor issue)
+ [bookworm] - libssh <no-dsa> (Minor issue)
NOTE: https://www.libssh.org/security/advisories/CVE-2026-0966.txt
NOTE: Documentation: https://git.libssh.org/projects/libssh.git/commit/?id=3e1d276a5a030938a8f144f46ff4f2a2efe31ced (libssh-0.11.4)
NOTE: Tests: https://git.libssh.org/projects/libssh.git/commit/?id=b156391833c66322436cf177d57e10b0325fbcc8 (libssh-0.11.4)
NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=6ba5ff1b7b1547a59f750fbc06b89737b7456117 (libssh-0.11.4)
CVE-2026-0965 [Denial of Service via improper configuration file handling]
- libssh <unfixed> (bug #1127693)
+ [trixie] - libssh <no-dsa> (Minor issue)
+ [bookworm] - libssh <no-dsa> (Minor issue)
NOTE: https://www.libssh.org/security/advisories/CVE-2026-0965.txt
NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=bf390a042623e02abc8f421c4c5fadc0429a8a76 (libssh-0.11.4)
CVE-2026-0964 [Improper sanitation of paths received from SCP servers]
- libssh <unfixed> (bug #1127693)
+ [trixie] - libssh <no-dsa> (Minor issue)
+ [bookworm] - libssh <no-dsa> (Minor issue)
NOTE: https://www.libssh.org/security/advisories/CVE-2026-0964.txt
NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=a5e4b12090b0c939d85af4f29280e40c5b6600aa (libssh-0.11.4)
CVE-2025-14821 [Insecure default configuration leads to local man-in-the-middle attacks on Windows]
=====================================
data/dsa-needed.txt
=====================================
@@ -64,6 +64,8 @@ php8.2/oldstable (jmm)
--
php-laravel-framework/oldstable
--
+pillow/stable
+--
python-aiohttp
--
python-django/oldstable (jmm)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4875c352972151e6eb88a3f0d325a15fddeed8c5
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4875c352972151e6eb88a3f0d325a15fddeed8c5
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260213/f535b790/attachment.htm>
More information about the debian-security-tracker-commits
mailing list