[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Feb 20 13:00:33 GMT 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c1d56a5f by Moritz Muehlenhoff at 2026-02-20T14:00:16+01:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -221,7 +221,11 @@ CVE-2025-13671 (Cross-Site Request Forgery (CSRF) vulnerability in OpenText\u212
 	NOT-FOR-US: OpenText
 CVE-2026-2708 [libsoup: HTTP/1 request smuggling primitives accepted (CL.CL and TE+CL) in soup_headers_parse()]
 	- libsoup3 <unfixed>
+	[trixie] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 <no-dsa> (Minor issue)
 	- libsoup2.4 <removed>
+	[trixie] - libsoup2.4 <no-dsa> (Minor issue)
+	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/500
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/e032d3e9b0a27d10597398023532dd8f9b6654cf
 CVE-2026-2817 (Use of insecure directory in Spring Data Geode snapshot import extract ...)
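Review bot: the four added [trixie]/[bookworm] no-dsa lines for libsoup3 and libsoup2.4 carry only the generic "(Minor issue)" rationale for a CVE whose title says request-smuggling primitives (CL.CL and TE+CL) are accepted by soup_headers_parse(); a NOTE line recording why this was judged minor for the Debian packages would make the decision easier to revisit when a stable update is considered later. Placement is otherwise consistent with the file's layout: each suite annotation sits directly under the unstable line for its source package, including under the "- libsoup2.4 <removed>" line.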
@@ -737,6 +741,8 @@ CVE-2019-25402 (Comodo Dome Firewall 2.7.0 contains a reflected cross-site scrip
 	TODO: check
 CVE-2026-XXXX [RUSTSEC-2026-0013]
 	- rust-pyo3 <unfixed>
+	[trixie] - rust-pyo3 <no-dsa> (Minor issue)
+	[bookworm] - rust-pyo3 <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0013.html
 CVE-2026-27206 [Potential PHP Object Injection via Unrestricted @type in unserialize()]
 	- php-zumba-json-serializer <unfixed> (bug #1128481)
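Review bot: the two no-dsa lines are attached to an entry still keyed by the placeholder "CVE-2026-XXXX [RUSTSEC-2026-0013]", so they will have to move with the entry when a real CVE id is assigned; unlike the openfoam and nltk entries annotated in this same commit, the rust-pyo3 entry also has no Debian bug reference, which is worth checking if one was filed.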
@@ -1216,6 +1222,8 @@ CVE-2025-65519 (mayswind ezbookkeeping versions 1.2.0 and earlier contain a crit
 	NOT-FOR-US: mayswind ezbookkeeping
 CVE-2025-61982 (An arbitrary code execution vulnerability exists in the Code Stream di ...)
 	- openfoam <unfixed> (bug #1128475)
+	[trixie] - openfoam <no-dsa> (Minor issue)
+	[bookworm] - openfoam <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2292
 	TODO: check upstream status
 CVE-2025-60038 (A vulnerabilityhas been identified in Rexroth IndraWorks. This flaw al ...)
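Review bot: both stable suites are tagged "<no-dsa> (Minor issue)" while the entry's "TODO: check upstream status" line stays in place, so the severity call has been made before the upstream fix status is known; that is fine for a no-dsa decision as long as the TODO is not dropped, but since the CVE text describes arbitrary code execution, a NOTE stating the Debian-specific reason for treating it as minor would help, as the TALOS link alone does not convey it.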
@@ -1262,6 +1270,8 @@ CVE-2025-14340 (Cross-site scripting in REST Management Interface in Payara Serv
 	NOT-FOR-US: Payara
 CVE-2025-14009 (A critical vulnerability exists in the NLTK downloader component of nl ...)
 	- nltk <unfixed> (bug #1128474)
+	[trixie] - nltk <no-dsa> (Minor issue)
+	[bookworm] - nltk <no-dsa> (Minor issue)
 	NOTE: https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4
 	NOTE: https://github.com/nltk/nltk/issues/3489
 	NOTE: https://github.com/nltk/nltk/pull/3468
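Review bot: the nltk entry is tagged "Minor issue" for both suites although its description calls the downloader flaw critical, and the three existing NOTE lines are all upstream links without a Debian assessment; one line giving the reason the issue is considered minor in the packaged nltk would make the no-dsa tags self-explanatory.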
@@ -1390,12 +1400,14 @@ CVE-2026-2625
 	- rust-rpm-sequoia <unfixed> (bug #1128418)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2440357
 CVE-2026-2644 (A weakness has been identified in niklasso minisat up to 2.2.0. This i ...)
-	- minisat2 <unfixed>
+	- minisat2 <unfixed> (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://github.com/niklasso/minisat/issues/55
 CVE-2026-2642 (A security vulnerability has been detected in ggreer the_silver_search ...)
 	NOT-FOR-US: the_silver_searcher
 CVE-2026-2641 (A weakness has been identified in universal-ctags ctags up to 6.2.1. T ...)
-	- universal-ctags <unfixed>
+	- universal-ctags <unfixed> (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://github.com/universal-ctags/ctags/issues/4369
 CVE-2026-2633 (The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vul ...)
 	NOT-FOR-US: WordPress plugin
@@ -5024,6 +5036,7 @@ CVE-2026-23948 (FreeRDP is a free implementation of the Remote Desktop Protocol.
 	- freerdp3 3.22.0+dfsg-1
 	[trixie] - freerdp3 <no-dsa> (Minor issue)
 	- freerdp2 <removed>
+	[bookworm] - freerdp2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6f3c-qvqq-2px5
 	NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/4d44e3c097656a8b9ec696353647b0888ca45860 (3.22.0)
 CVE-2026-24027 (Crafted zones can lead to increased incoming network traffic.)
@@ -12595,7 +12608,9 @@ CVE-2025-11468 (When folding a long comment in an email header containing exclus
 	{DLA-4455-1}
 	- python3.14 3.14.3-1 (bug #1126786)
 	- python3.13 3.13.12-1 (bug #1126787)
+	[trixie] - python3.13 <no-dsa> (Minor issue)
 	- python3.11 <removed>
+	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
 	- python2.7 <not-affected> (E-mail folding API introduced in Python 3.3)
 	- pypy3 <unfixed> (bug #1126788)
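Review bot: the trailing "- pypy3 <unfixed> (bug #1126788)" line receives no [trixie]/[bookworm] annotation, while the CPython packages in the same entry are now no-dsa in both suites; if pypy3 ships in those suites and the issue is equally minor there, the same tags would keep the entry consistent, and if it is deliberately different a NOTE saying so would avoid the question coming up again.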
@@ -13906,7 +13921,9 @@ CVE-2011-10041 (Uploadify WordPress plugin versions up to and including 1.0conta
 CVE-2025-61730 (During the TLS 1.3 handshake if multiple messages are sent in records  ...)
 	- golang-1.25 1.25.6-1 (bug #1125916)
 	- golang-1.24 1.24.12-1 (bug #1125917)
+	[trixie] - golang-1.24 <no-dsa> (Minor issue)
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
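Review bot: the untouched "[bullseye] - golang-1.15 <postponed> (... follow bookworm DSAs/point-releases)" line now refers to a bookworm that this hunk marks "<no-dsa>", so there will be no bookworm DSA to follow; consider narrowing the bullseye rationale to the point-release route, or confirming that the golang-1.15 handling is unaffected by the new bookworm tag.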
@@ -13967,7 +13984,9 @@ CVE-2025-61726 (The net/url package does not set a limit on the number of query
 CVE-2025-61728 (archive/zip uses a super-linear file name indexing algorithm that is i ...)
 	- golang-1.25 1.25.6-1 (bug #1125916)
 	- golang-1.24 1.24.12-1 (bug #1125917)
+	[trixie] - golang-1.24 <no-dsa> (Minor issue)
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
 	NOTE: https://github.com/golang/go/issues/77102


=====================================
data/dsa-needed.txt
=====================================
@@ -23,8 +23,7 @@ chromium (dilinger)
 cpp-httplib
   Maintainer preparing updates, waiting for feedback on bookworm status
 --
-frr/oldstable
-  coordination with the maintainer ongoing, Daniel Baumann proposing an update
+frr
 --
 gh/oldstable
   Santiago Vila might work on preparing an update
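Review bot: replacing "frr/oldstable" with the bare "frr" widens the dsa-needed entry from oldstable to every supported suite and at the same time deletes the "coordination with the maintainer ongoing, Daniel Baumann proposing an update" status line; if that coordination is still in progress the context is lost for other team members, so either keep a status line under "frr" or add a short note on why the suite qualifier and the status were dropped.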
@@ -63,6 +62,8 @@ pillow/stable (jmm)
 --
 python-aiohttp
 --
+python-django
+--
 python-tornado (jmm)
   Daniel Leidert is proposing to work on an update, asked to send debdiffs to team for review
 --
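Review bot: the new "python-django" entry is added with neither a claimer nor a status line, and this commit changes no python-django entries in data/CVE/list, so the diff does not show which CVEs prompted it; listing the CVE ids or a one-line status under the entry, as the neighbouring cpp-httplib and python-tornado entries do, would let whoever picks it up start without searching the tracker.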



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1d56a5f20b6433586438da6852dee45dcb0f354
