[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Feb 23 10:18:41 GMT 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ce852fc0 by Moritz Muehlenhoff at 2026-02-23T11:18:24+01:00
trixie/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -360,6 +360,8 @@ CVE-2026-27210 (Pannellum is a lightweight, free, and open source panorama viewe
 	NOT-FOR-US: Pannellum
 CVE-2026-27205 (Flask is a web server gateway interface (WSGI) web application framewo ...)
 	- flask <unfixed> (bug #1128620)
+	[trixie] - flask <no-dsa> (Minor issue)
+	[bookworm] - flask <no-dsa> (Minor issue)
 	NOTE: https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
 	NOTE: Fixed by: https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4 (3.1.3)
 CVE-2026-27203 (eBay API MCP Server is an open source local MCP server providing AI as ...)
@@ -696,6 +698,8 @@ CVE-2026-21627 (The vulnerability was rooted in how the Tassos Framework plugin
 	NOT-FOR-US: Joomla
 CVE-2026-21620 (Relative Path Traversal, Improper Isolation or Compartmentalization vu ...)
 	- erlang <unfixed> (bug #1128651)
+	[trixie] - erlang <no-dsa> (Minor issue)
+	[bookworm] - erlang <no-dsa> (Minor issue)
 	NOTE: https://github.com/erlang/otp/security/advisories/GHSA-hmrc-prh3-rpvp
 	NOTE: https://github.com/erlang/otp/pull/10706
 	NOTE: Fixed by (merge): https://github.com/erlang/otp/commit/696fdec922661d4a3cc528fc34bc24fae8d4ad8a (OTP-28.3.2)
@@ -1079,6 +1083,8 @@ CVE-2026-2819 (A vulnerability was identified in Dromara RuoYi-Vue-Plus up to 5.
 	NOT-FOR-US: Dromara RuoYi-Vue-Plus
 CVE-2026-2739 (This affects versions of the package bn.js before 5.2.3. Calling maskn ...)
 	- node-bn.js <unfixed> (bug #1128619)
+	[trixie] - node-bn.js <no-dsa> (Minor issue)
+	[bookworm] - node-bn.js <no-dsa> (Minor issue)
 	NOTE: https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301
 	NOTE: https://github.com/indutny/bn.js/issues/316
 	NOTE: https://github.com/indutny/bn.js/issues/186
@@ -1278,6 +1284,7 @@ CVE-2026-26064 (calibre is a cross-platform e-book manager for viewing, converti
 	NOTE: Fixed by: https://github.com/kovidgoyal/calibre/commit/e1b5f9b45a5e8fa96c136963ad9a1d35e6adac62 (v9.3.0)
 CVE-2026-24122 (Cosign provides code signing and transparency for containers and binar ...)
 	- cosign <unfixed> (bug #1128652)
+	[trixie] - cosign <no-dsa> (Minor issue)
 	NOTE: https://github.com/sigstore/cosign/security/advisories/GHSA-wfqv-66vq-46rm
 	NOTE: Fixed by: https://github.com/sigstore/cosign/commit/3c9a7363f563db76d78e2de2cabd945450f3781e (v3.0.5)
 CVE-2026-21535 (Improper access control in Microsoft Teams allows an unauthorized atta ...)
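Review bot: the cosign entry for CVE-2026-24122 gains only a `[trixie]` line, while the flask, erlang and node-bn.js hunks in this same commit add both `[trixie]` and `[bookworm]` lines. If bookworm ships cosign, it still inherits the `<unfixed>` status from the `- cosign <unfixed> (bug #1128652)` line and needs its own triage line. If it does not ship the package, a short mention in the commit message would make the asymmetry clear to later readers.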
@@ -2185,11 +2192,13 @@ CVE-2026-2662 (A weakness has been identified in FascinatedBox lily up to 2.3. T
 	NOT-FOR-US: FascinatedBox lily
 CVE-2026-2661 (A security flaw has been discovered in Squirrel up to 3.2. This affect ...)
 	- squirrel3 <unfixed>
+	[trixie] - squirrel3 <no-dsa> (Minor issue)
 	NOTE: https://github.com/albertodemichelis/squirrel/issues/310
 CVE-2026-2660 (A vulnerability was identified in FascinatedBox lily up to 2.3. Affect ...)
 	NOT-FOR-US: FascinatedBox lily
 CVE-2026-2659 (A vulnerability was determined in Squirrel up to 3.2. Affected by this ...)
 	- squirrel3 <unfixed>
+	[trixie] - squirrel3 <no-dsa> (Minor issue)
 	NOTE: https://github.com/albertodemichelis/squirrel/issues/311
 CVE-2026-2658 (A vulnerability was found in newbee-ltd newbee-mall up to a069069b0702 ...)
 	NOT-FOR-US: newbee-ltd newbee-mall
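Review bot: both squirrel3 entries (CVE-2026-2661 and CVE-2026-2659) are marked `<no-dsa>` for trixie while their `- squirrel3 <unfixed>` lines carry no bug reference, unlike the other unfixed packages triaged in this commit (flask, erlang, node-bn.js, cosign), which each cite a bug number. With the stable release now deprioritised, the upstream issue links in the NOTE lines are the only tracking left. Consider filing a bug against squirrel3 and adding it to the unstable line so the fix is followed up on the Debian side.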
@@ -7382,7 +7391,9 @@ CVE-2025-62615 (AutoGPT is a platform that allows users to create, deploy, and m
 CVE-2025-61732 (A discrepancy between how Go and C/C++ comments were parsed allowed fo ...)
 	- golang-1.25 1.25.7-1
 	- golang-1.24 1.24.13-1 (bug #1127436)
+	[trixie] - golang-1.24 <no-dsa> (Minor issue)
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/K09ubi9FQFk
@@ -15070,8 +15081,10 @@ CVE-2025-68119 (Downloading and building modules with malicious version strings
 CVE-2025-61731 (Building a malicious file with cmd/go can cause can cause a write to a ...)
 	- golang-1.25 1.25.6-1 (bug #1125916)
 	- golang-1.24 1.24.12-1 (bug #1125917)
+	[trixie] - golang-1.24 <no-dsa> (Minor issue)
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
+	[bookworm] - golang-1.15 <no-dsa> (Minor issue)
 	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
 	NOTE: https://github.com/golang/go/issues/77100
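Review bot: the added `[bookworm] - golang-1.15 <no-dsa> (Minor issue)` line under CVE-2025-61731 names the wrong package and sits in the wrong place. The CVE-2025-61732 hunk in this same commit tags bookworm against golang-1.19, and the context line directly below already annotates golang-1.15 for bullseye (`[bullseye] - golang-1.15 <postponed>`). As written, bookworm's golang-1.19 stays untriaged for this CVE. The line should probably read `[bookworm] - golang-1.19 <no-dsa> (Minor issue)` and be placed directly after `- golang-1.19 <removed>`, matching the layout used for CVE-2025-61732.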



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce852fc02409d93791a003b5f44b997dd46ef7df
