[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Jan 12 14:08:43 GMT 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f1a24f66 by Moritz Muehlenhoff at 2026-01-12T15:07:44+01:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -119,11 +119,15 @@ CVE-2026-22703 (Cosign provides code signing and transparency for containers and
NOTE: Fixed by: https://github.com/sigstore/cosign/commit/3ade80c5f77cefc904f8c994e88618e5892e8f1c (v2.6.2)
CVE-2026-22702 (virtualenv is a tool for creating isolated virtual python environments ...)
- python-virtualenv 20.36.1+ds-1 (bug #1125191)
+ [trixie] - python-virtualenv <no-dsa> (Minor issue)
+ [bookworm] - python-virtualenv <no-dsa> (Minor issue)
NOTE: https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986
NOTE: https://github.com/pypa/virtualenv/pull/3013
NOTE: Fixed by; https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc (20.36.1)
CVE-2026-22701 (filelock is a platform-independent file lock for Python. Prior to vers ...)
- python-filelock <unfixed> (bug #1125190)
+ [trixie] - python-filelock <no-dsa> (Minor issue)
+ [bookworm] - python-filelock <no-dsa> (Minor issue)
NOTE: https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw
NOTE: Fixed by: https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5 (3.20.3)
CVE-2026-22700 (RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptogr ...)
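Review bot: the context line `NOTE: Fixed by; https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc (20.36.1)` uses a semicolon where every other Fixed-by note in this file uses a colon (`NOTE: Fixed by:`); since the entry is being touched anyway, fix the punctuation so tooling or eyes grepping for `Fixed by:` do not miss it. The trixie/bookworm `<no-dsa>` tags themselves look fine: python-virtualenv already records the fixed unstable upload (20.36.1+ds-1) and python-filelock carries the upstream fix reference (3.20.3).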
@@ -140,13 +144,19 @@ CVE-2026-22693 (HarfBuzz is a text shaping engine. Prior to version 12.3.0, a nu
NOTE: Fixed by: https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae
CVE-2026-22691 (pypdf is a free and open-source pure-python PDF library. Prior to vers ...)
- pypdf <unfixed> (bug #1125187)
+ [trixie] - pypdf <no-dsa> (Minor issue)
+ [bookworm] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
+ [bookworm] - pypdf2 <no-dsa> (Minor issue)
NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-4f6g-68pf-7vhv
NOTE: https://github.com/py-pdf/pypdf/pull/3594
NOTE: Fixed by: https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45 (6.6.0)
CVE-2026-22690 (pypdf is a free and open-source pure-python PDF library. Prior to vers ...)
- pypdf <unfixed> (bug #1125187)
+ [trixie] - pypdf <no-dsa> (Minor issue)
+ [bookworm] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
+ [bookworm] - pypdf2 <no-dsa> (Minor issue)
NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-4xc4-762w-m6cg
NOTE: https://github.com/py-pdf/pypdf/pull/3594
NOTE: Fixed by; https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45 (6.6.0)
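Review bot: pypdf2 receives only a `[bookworm]` annotation under both CVE-2026-22691 and CVE-2026-22690 even though its unstable line is `<removed>`, while the libsoup2.4 `<removed>` entry in this same commit gets both `[trixie]` and `[bookworm]` lines; if pypdf2 was already gone before trixie that is the right treatment, but it is worth a quick check so the stable status is not left implicit. Also, `NOTE: Fixed by; https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45 (6.6.0)` under CVE-2026-22690 should read `Fixed by:` to match the identical note under CVE-2026-22691.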
@@ -343,6 +353,8 @@ CVE-2025-64090 (This vulnerability allows authenticated attackers to execute com
NOT-FOR-US: Zenitel
CVE-2025-56225 (fluidsynth-2.4.6 and earlier versions is vulnerable to Null pointer de ...)
- fluidsynth 2.4.7+dfsg-1
+ [trixie] - fluidsynth <no-dsa> (Minor issue)
+ [bookworm] - fluidsynth <no-dsa> (Minor issue)
NOTE: https://github.com/FluidSynth/fluidsynth/issues/1602
NOTE: https://github.com/FluidSynth/fluidsynth/pull/1607
NOTE: Fixed by: https://github.com/FluidSynth/fluidsynth/commit/45f2a79f4265dcc4f98cfbafdb10727fb1c0d411 (v2.4.7)
@@ -651,7 +663,11 @@ CVE-2026-0747 (Exposure of sensitive information in the TeamViewer entry dashboa
NOT-FOR-US: Devolutions
CVE-2026-0719 (A flaw was identified in the NTLM authentication handling of the libso ...)
- libsoup3 <unfixed> (bug #1125083)
+ [trixie] - libsoup3 <no-dsa> (Minor issue)
+ [bookworm] - libsoup3 <no-dsa> (Minor issue)
- libsoup2.4 <removed>
+ [trixie] - libsoup2.4 <no-dsa> (Minor issue)
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/477
CVE-2026-0701 (A vulnerability was identified in code-projects Intern Membership Mana ...)
NOT-FOR-US: code-projects
@@ -8304,24 +8320,49 @@ CVE-2025-15044 (A vulnerability was detected in Tenda WH450 1.0.0.18. Impacted i
NOT-FOR-US: Tenda
CVE-2025-14936 (NSF Unidata NetCDF-C Attribute Name Stack-based Buffer Overflow Remote ...)
- netcdf <unfixed> (bug #1123960)
+ [trixie] - netcdf <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - netcdf <postponed> (Minor issue, revisit when fixed upstream)
- netcdf-parallel <unfixed> (bug #1123961)
+ [trixie] - netcdf-parallel <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - netcdf-parallel <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1155/
+ NOTE: https://github.com/Unidata/netcdf-c/issues/3236
CVE-2025-14935 (NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow Remote ...)
- netcdf <unfixed> (bug #1123960)
+ [trixie] - netcdf <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - netcdf <postponed> (Minor issue, revisit when fixed upstream)
- netcdf-parallel <unfixed> (bug #1123961)
+ [trixie] - netcdf-parallel <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - netcdf-parallel <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1154/
+ NOTE: https://github.com/Unidata/netcdf-c/issues/3236
CVE-2025-14934 (NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote ...)
- netcdf <unfixed> (bug #1123960)
+ [trixie] - netcdf <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - netcdf <postponed> (Minor issue, revisit when fixed upstream)
- netcdf-parallel <unfixed> (bug #1123961)
+ [trixie] - netcdf-parallel <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - netcdf-parallel <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1152/
+ NOTE: https://github.com/Unidata/netcdf-c/issues/3236
CVE-2025-14933 (NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code Executio ...)
- netcdf <unfixed> (bug #1123960)
+ [trixie] - netcdf <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - netcdf <postponed> (Minor issue, revisit when fixed upstream)
- netcdf-parallel <unfixed> (bug #1123961)
+ [trixie] - netcdf-parallel <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - netcdf-parallel <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1151/
+ NOTE: https://github.com/Unidata/netcdf-c/issues/3236
CVE-2025-14932 (NSF Unidata NetCDF-C Time Unit Stack-based Buffer Overflow Remote Code ...)
- netcdf <unfixed> (bug #1123960)
+ [trixie] - netcdf <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - netcdf <postponed> (Minor issue, revisit when fixed upstream)
- netcdf-parallel <unfixed> (bug #1123961)
+ [trixie] - netcdf-parallel <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - netcdf-parallel <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-1153/
+ NOTE: https://github.com/Unidata/netcdf-c/issues/3236
CVE-2025-14931 (Hugging Face smolagents Remote Python Executor Deserialization of Untr ...)
NOT-FOR-US: Hugging Face smolagents
CVE-2025-14930 (Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remot ...)
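Review bot: the five netcdf CVEs (ZDI-25-1151 through ZDI-25-1155) are annotated `(Minor issue, revisit when fixed upstream)` although their titles describe stack- and heap-based buffer overflows and an integer overflow leading to remote code execution; a short rationale in the reason text would make the severity call traceable for whoever revisits them later. Adding the same upstream tracker link, https://github.com/Unidata/netcdf-c/issues/3236, to all five entries is useful since they are evidently being tracked together upstream; the `<postponed>` tag is the right choice here given the unstable lines remain `<unfixed>`.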
@@ -18909,6 +18950,8 @@ CVE-2025-13837 (When loading a plist file, the plistlib module reads data in siz
- python3.9 <removed>
[bullseye] - python3.9 <postponed> (Minor issue)
- pypy3 <unfixed>
+ [trixie] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
NOTE: https://github.com/python/cpython/issues/119342
NOTE: https://github.com/python/cpython/pull/119343
NOTE: https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70 (main)
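Review bot: the pypy3 entry under CVE-2025-13837 gets `[trixie]` and `[bookworm]` lines but no `[bullseye]` line, while the neighbouring python3.9 entry carries `[bullseye] - python3.9 <postponed> (Minor issue)` and the pypy3 entry under CVE-2025-13836 records `[bullseye] - pypy3 <not-affected> (Vulnerable code introduced later)`; worth confirming whether bullseye pypy3 needs an annotation here as well so the two entries are triaged consistently.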
@@ -18924,6 +18967,8 @@ CVE-2025-13836 (When reading an HTTP response from a server, if no read amount i
- python3.9 <removed>
[bullseye] - python3.9 <postponed> (Minor issue)
- pypy3 <unfixed>
+ [trixie] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
[bullseye] - pypy3 <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/python/cpython/issues/119451
NOTE: https://github.com/python/cpython/pull/119454
=====================================
data/dsa-needed.txt
=====================================
@@ -57,6 +57,8 @@ python-aiohttp
--
python-django
--
+python-parsl/stable (jmm)
+--
python-urllib3 (carnil)
--
python-tornado
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1a24f66bf7c2435f73f203cabc9974ec5cb1b30