[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Jan 12 17:44:47 GMT 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
438747e0 by Moritz Muehlenhoff at 2026-01-12T18:44:10+01:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -49,6 +49,8 @@ CVE-2025-68493 (Missing XML Validation vulnerability in Apache Struts, Apache St
NOTE: https://cwiki.apache.org/confluence/display/WW/S2-069
CVE-2025-15506 (A vulnerability was found in AcademySoftwareFoundation OpenColorIO up ...)
- opencolorio <unfixed>
+ [trixie] - opencolorio <no-dsa> (Minor issue)
+ [bookworm] - opencolorio <no-dsa> (Minor issue)
NOTE: https://github.com/AcademySoftwareFoundation/OpenColorIO/issues/2228
NOTE: https://github.com/AcademySoftwareFoundation/OpenColorIO/pull/2231
CVE-2026-0841 (A vulnerability was detected in UTT \u8fdb\u53d6 520W 1.7.7-180627. Af ...)
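Review bot: the opencolorio entry cites pull request 2231 only as a plain NOTE, without the `Fixed by:` prefix used for the miniflux and uri entries elsewhere in this patch, so a later reader cannot tell whether that PR is the upstream fix the two `<no-dsa>` annotations rely on. If it is, prefix the line with `NOTE: Fixed by:` and add the upstream version once it is tagged; the sid line still reads `opencolorio <unfixed>`, so that version is what will eventually close the entry.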
@@ -636,6 +638,7 @@ CVE-2026-21891 (ZimaOS is a fork of CasaOS, an operating system for Zima devices
NOT-FOR-US: ZimaOS
CVE-2026-21885 (Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Min ...)
- miniflux 2.2.16-1
+ [trixie] - miniflux <no-dsa> (Minor issue)
NOTE: https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp
NOTE: Fixed by: https://github.com/miniflux/v2/commit/6c83e8c477b4d476aee5fbb87e47472c9ded01de (v2.2.16)
CVE-2026-21876 (The OWASP core rule set (CRS) is a set of generic attack detection rul ...)
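Review bot: only a `[trixie]` annotation is added to the miniflux entry, and bookworm is not addressed in this hunk although the commit is a trixie/bookworm triage. If miniflux in bookworm is affected, add a matching `[bookworm] - miniflux <no-dsa> (Minor issue)` line; if it is not affected, an explicit `<not-affected>` annotation would make that visible instead of leaving it implicit.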
@@ -4270,9 +4273,13 @@ CVE-2025-62753 (Improper Control of Filename for Include/Require Statement in PH
NOT-FOR-US: WordPress plugin or theme
CVE-2025-61594 (URI is a module providing classes to handle Uniform Resource Identifie ...)
- ruby3.3 <unfixed> (bug #1124379)
+ [trixie] - ruby3.3 <no-dsa> (Minor issue)
- ruby3.1 <removed>
+ [bookworm] - ruby3.1 <no-dsa> (Minor issue)
- ruby2.7 <removed>
- rubygems <unfixed>
+ [trixie] - rubygems <no-dsa> (Minor issue)
+ [bookworm] - rubygems <no-dsa> (Minor issue)
NOTE: https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/
NOTE: Fixed by: https://github.com/ruby/uri/commit/5cec76b9e8777764344fd4aee140e309ad207b68 (v1.0.4)
NOTE: Fixed by: https://github.com/ruby/uri/commit/6c6449e15ffae7027bfe83134f0419f682e0b1ad (v1.0.4)
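Review bot: the `rubygems <unfixed>` line carries no bug reference, while the `ruby3.3 <unfixed>` line in the same hunk has `(bug #1124379)`; without a bug number nothing drives an upload of rubygems in unstable for CVE-2025-61594. File (or link) the corresponding bug on the rubygems line. A NOTE recording which uri version each of ruby3.3, ruby3.1 and rubygems bundles, relative to the v1.0.4 fix named in the `Fixed by:` lines, would also let a future reader re-check the `<no-dsa>` calls without redoing the triage.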
@@ -9821,6 +9828,8 @@ CVE-2025-68118 (FreeRDP is a free implementation of the Remote Desktop Protocol.
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h78c-5cjx-jw6x
CVE-2025-68114 (Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prio ...)
- capstone <unfixed> (bug #1123739)
+ [trixie] - capstone <no-dsa> (Minor issue)
+ [bookworm] - capstone <no-dsa> (Minor issue)
NOTE: https://github.com/capstone-engine/capstone/security/advisories/GHSA-85f5-6xr3-q76r
NOTE: Fixed by: https://github.com/capstone-engine/capstone/commit/2c7797182a1618be12017d7d41e0b6581d5d529e (next)
CVE-2025-68112 (ChurchCRM is an open-source church management system. In versions prio ...)
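Review bot: the `Fixed by:` note for CVE-2025-68114 points at a commit on the capstone `next` branch with no released version, so the sid line `capstone <unfixed> (bug #1123739)` cannot be closed by a version string until upstream tags a release containing 2c7797182a16. Consider adding a NOTE stating that no release contains the fix yet, so the `<no-dsa>` decisions for trixie and bookworm are understood to rest on a backport rather than on a version bump.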
@@ -9839,6 +9848,8 @@ CVE-2025-67875 (ChurchCRM is an open-source church management system. A privileg
NOT-FOR-US: ChurchCRM
CVE-2025-67873 (Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prio ...)
- capstone <unfixed> (bug #1123740)
+ [trixie] - capstone <no-dsa> (Minor issue)
+ [bookworm] - capstone <no-dsa> (Minor issue)
NOTE: https://github.com/capstone-engine/capstone/security/advisories/GHSA-hj6g-v545-v7jg
NOTE: Fixed by: https://github.com/capstone-engine/capstone/commit/cbef767ab33b82166d263895f24084b75b316df3 (next)
CVE-2025-67794 (An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 before ...)
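Review bot: CVE-2025-67873 is triaged identically to CVE-2025-68114 a few lines above (capstone, `<unfixed>` in sid, `<no-dsa>` for trixie and bookworm, fix only on the `next` branch) but is tracked under a separate bug, #1123740. A cross-reference NOTE between the two entries would keep them from being handled independently, since the same upstream branch carries both fixes.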
@@ -18356,6 +18367,8 @@ CVE-2025-66409 (ESF-IDF is the Espressif Internet of Things (IOT) Development Fr
NOT-FOR-US: ESF-IDF
CVE-2025-66399 (Cacti is an open source performance and fault management framework. Pr ...)
- cacti 1.2.30+ds1-1
+ [trixie] - cacti <no-dsa> (Minor issue)
+ [bookworm] - cacti <no-dsa> (Minor issue)
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf
CVE-2025-65896 (SQL injection vulnerability in long2ice assyncmy thru 0.2.10 allows at ...)
NOT-FOR-US: long2ice assyncmy
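Review bot: the cacti entry has only the GHSA advisory as a NOTE and no `Fixed by:` commit, unlike the other `<no-dsa>` entries in this patch; the sid fixed version `1.2.30+ds1-1` does not by itself identify the upstream change. Add the upstream fix commit so the `<no-dsa> (Minor issue)` call for trixie and bookworm can be re-checked and a point-release backport can be prepared from it.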
@@ -21038,6 +21051,8 @@ CVE-2025-5092 (Multiple plugins and/or themes for WordPress are vulnerable to St
NOT-FOR-US: WordPress plugin
CVE-2025-58181 (SSH servers parsing GSSAPI authentication requests do not validate the ...)
- golang-go.crypto 1:0.45.0-1 (bug #1121092)
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
+ [bookworm] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA?pli=1
NOTE: https://github.com/golang/go/issues/76363
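Review bot: the unchanged `[bullseye] - golang-go.crypto <postponed>` line tells the reader to follow bookworm DSAs/point-releases, but this hunk marks bookworm `<no-dsa>`, so for CVE-2025-58181 there will be no bookworm DSA to follow; the bullseye guidance now effectively means "wait for a bookworm point release" and should say so, or the bullseye annotation should be revisited together with this triage.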
@@ -21046,6 +21061,8 @@ CVE-2025-4042
REJECTED
CVE-2025-47914 (SSH Agent servers do not validate the size of messages when processing ...)
- golang-go.crypto 1:0.45.0-1 (bug #1121091)
+ [trixie] - golang-go.crypto <no-dsa> (Minor issue)
+ [bookworm] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA?pli=1
NOTE: https://github.com/golang/go/issues/76364
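Review bot: as with CVE-2025-58181 in the preceding entry, the retained `[bullseye] - golang-go.crypto <postponed>` line still refers to bookworm DSAs/point-releases while bookworm is now `<no-dsa>` for CVE-2025-47914. Both CVEs share the same golang-announce thread and the same sid fix `1:0.45.0-1`, so whatever wording is chosen for bullseye should be applied to both entries in the same commit.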
=====================================
data/dsa-needed.txt
=====================================
@@ -15,6 +15,9 @@ If needed, specify the release by adding a slash after the name of the source pa
amd64-microcode (carnil)
Coordinating with maintainer DSA/bookworm-pu and sync with mitgations in src:linux
--
+ceph
+ for CVE-2024-47866, rest harmless
+--
cpp-httplib
Maintainer preparing updates, waiting for feedback on bookworm status
--
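Review bot: the new `ceph` entry in dsa-needed.txt has no release suffix, although the context line at the top of the hunk says to specify the release with a slash after the source package name when needed and this commit is a trixie/bookworm triage; if the CVE-2024-47866 update is needed for only one of the two releases, write `ceph/bookworm` or `ceph/trixie` accordingly. The justification "rest harmless" also does not say which other CVEs it covers; listing them, or pointing at the ceph entries in data/CVE/list, would let whoever claims the entry see the full scope.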
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/438747e0785c5c9932e3cc4748dec26d4c32a842