[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Thu Jan 15 13:03:42 GMT 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ccffe5b3 by Moritz Muehlenhoff at 2026-01-15T14:02:31+01:00
trixie/bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -27,15 +27,18 @@ CVE-2026-0961 (BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.
NOTE: https://www.wireshark.org/security/wnpa-sec-2026-01.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/20880
CVE-2026-0960 (HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 all ...)
- - wireshark <unfixed>
+ - wireshark <unfixed> (unimportant)
NOTE: https://www.wireshark.org/security/wnpa-sec-2026-04.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/20944
+ NOTE: Hang in CLI tool, no security impact
CVE-2026-0959 (IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4 ...)
- wireshark <unfixed>
NOTE: https://www.wireshark.org/security/wnpa-sec-2026-02.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/20939
CVE-2026-0861 (Passing too large an alignment to the memalign suite of functions (mem ...)
- glibc <unfixed>
+ [trixie] - glibc <no-dsa> (Minor issue)
+ [bookworm] - glibc <no-dsa> (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=33796
CVE-2026-0601 (A reflected cross-site scripting vulnerability exists in Nexus Reposit ...)
NOT-FOR-US: Sonatype
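Review bot: CVE-2026-0959 (IEEE 802.11 dissector crash) is left as a bare "- wireshark <unfixed>" with no [trixie]/[bookworm] annotation, while its neighbours CVE-2026-0960 and CVE-2026-0861 in the same hunk were triaged; if it is also a crash-only dissector bug, a [trixie]/[bookworm] line with the same rationale would keep this trixie/bookworm triage complete. The new NOTE on CVE-2026-0960 gives "Hang in CLI tool" as the reason for (unimportant), but the entry itself locates the infinite loop in the HTTP3 protocol dissector, which is not specific to a CLI tool; a NOTE that states why the hang is not treated as a security issue, rather than where it was observed, would make the rating easier to revisit.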
@@ -73,39 +76,57 @@ CVE-2026-23477 (Rocket.Chat is an open-source, secure, fully customizable commun
NOT-FOR-US: Rocket.Chat
CVE-2026-22859 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
+ [bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-56f5-76qv-2r36
CVE-2026-22858 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
+ [bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmqf-m84q-x896
CVE-2026-22857 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
+ [bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gxq-jhq6-4cr8
CVE-2026-22856 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
+ [bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w842-c386-fxhv
CVE-2026-22855 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
+ [bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rwp3-g84r-6mx9
CVE-2026-22854 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
+ [bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47vj-g3c3-3rmf
CVE-2026-22853 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
+ [bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47v9-p4gp-w5ch
CVE-2026-22852 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
+ [bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4
CVE-2026-22851 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
+ [trixie] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
+ [bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8g87-6pvc-wh99
CVE-2026-22820 (Outray openSource ngrok alternative. Prior to 0.1.5, a TOCTOU race con ...)
NOT-FOR-US: Outray openSource ngrok alternative
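Review bot: none of the nine FreeRDP entries (CVE-2026-22851 through CVE-2026-22859) records the fixing upstream commit or release behind the GHSA advisories, whereas the wlc, avahi and harfbuzz entries later in this patch carry "NOTE: Fixed by:" lines; since every freerdp3/freerdp2 line here is tagged <no-dsa> (Minor issue) and freerdp2 is already <removed> from unstable, those pointers are exactly what a later bookworm point-release or LTS update would need. A short NOTE on why nine separate advisories in a Remote Desktop Protocol implementation are all rated minor (for instance, whether they are client-side crashes only) would also help, as the rationale is currently identical and unexplained for all of them.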
@@ -153,8 +174,10 @@ CVE-2025-71021 (Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflo
NOT-FOR-US: Tenda
CVE-2025-70968 (FreeImage 3.18.0 contains a Use After Free in PluginTARGA.cpp;loadRLE( ...)
- freeimage <unfixed>
+ [trixie] - freeimage <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - freeimage <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/MiracleWolf/FreeimageCrash/tree/main
- TODO: check details
+ NOTE: FreeImageRe fork is not affected, underlying code has reworked memory management
CVE-2025-70747 (Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in t ...)
NOT-FOR-US: Tenda
CVE-2025-67835 (Paessler PRTG Network Monitor before 25.4.114 allows Denial-of-Service ...)
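Review bot: the new <postponed> rationale "revisit when fixed upstream" on CVE-2025-70968 is ambiguous once the added NOTE says the FreeImageRe fork is not affected: it is not clear whether "upstream" means the FreeImage 3.18.0 project itself or the fork, and only one of them can be the source of a fix to backport for trixie/bookworm. The only reference kept is the MiracleWolf/FreeimageCrash reproducer repository; if the issue was reported to FreeImage, linking that report would give the postponed tag something concrete to be revisited against, and since the "TODO: check details" line was dropped, recording the outcome of that check (which PluginTARGA.cpp loadRLE path is affected and why it is minor) in the NOTE would preserve it.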
@@ -175,6 +198,8 @@ CVE-2025-63644 (A stored cross-site scripting (XSS) vulnerability exists in pH7S
NOT-FOR-US: pH7Software pH7-Social-Dating-CMS
CVE-2025-56226 (Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3 ...)
- libsndfile <unfixed>
+ [trixie] - libsndfile <no-dsa> (Minor issue)
+ [bookworm] - libsndfile <no-dsa> (Minor issue)
NOTE: https://github.com/libsndfile/libsndfile/issues/1089
NOTE: Fixed by: https://github.com/libsndfile/libsndfile/commit/d9a35ea0d5c64c19dd635ae578e0028df8f66d6a
CVE-2025-37185 (Vulnerabilities in the web-based management interface of EdgeConnect S ...)
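Review bot: the "Fixed by:" NOTE for CVE-2025-56226 gives the libsndfile commit but not the upstream release containing it, unlike the wlc entries in this patch, which append the release (1.17.0); with the description saying "<=1.2.2" is affected, the fix may still be unreleased, and recording that (or the release once it exists) makes the <no-dsa> (Minor issue) tags for trixie and bookworm easier to revisit. For a memory leak in the mpeg_l3 path the minor rating itself looks appropriate.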
@@ -1728,6 +1753,7 @@ CVE-2026-22695 (LIBPNG is a reference library for use in applications that read,
NOTE: https://github.com/pnggroup/libpng/issues/778
CVE-2026-0665 [qemu: Heap off-by-one in KVM Xen PHYSDEVOP_map_pirq]
- qemu 1:10.2.0+ds-2 (bug #1125423)
+ [trixie] - qemu <no-dsa> (Minor issue)
[bookworm] - qemu <not-affected> (Vulnerable code introduced later)
[bullseye] - qemu <not-affected> (Vulnerable code introduced later)
NOTE: https://lore.kernel.org/qemu-devel/13FE03BE60EA78D6+20260109023548.4047-1-vr@darknavy.com/
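Review bot: the new [trixie] <no-dsa> (Minor issue) line for CVE-2026-0665 has no NOTE explaining the rating, while the bookworm and bullseye lines at least state "Vulnerable code introduced later"; since the entry title describes a heap off-by-one in the KVM Xen PHYSDEVOP_map_pirq path, a one-line NOTE on why a heap memory-safety bug is minor here (for example, that it is confined to the Xen-emulation code path rather than reachable from default guests) would make the no-dsa decision reviewable later. The lore.kernel.org patch link is the only reference; once the fix is merged upstream, a "Fixed by:" commit NOTE would match the style of the other entries in this patch.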
@@ -1750,11 +1776,15 @@ CVE-2026-22252 (LibreChat is a ChatGPT clone with additional features. Prior to
NOT-FOR-US: LibreChat
CVE-2026-22251 (wlc is a Weblate command-line client using Weblate's REST API. Prior t ...)
- wlc <unfixed> (bug #1125441)
+ [trixie] - wlc <no-dsa> (Minor issue)
+ [bookworm] - wlc <no-dsa> (Minor issue)
NOTE: https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766
NOTE: https://github.com/WeblateOrg/wlc/pull/1098
NOTE: Fixed by: https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797 (1.17.0)
CVE-2026-22250 (wlc is a Weblate command-line client using Weblate's REST API. Prior t ...)
- wlc <unfixed> (bug #1125440)
+ [trixie] - wlc <no-dsa> (Minor issue)
+ [bookworm] - wlc <no-dsa> (Minor issue)
NOTE: https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh
NOTE: https://github.com/WeblateOrg/wlc/pull/1097
NOTE: Fixed by: https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3 (1.17.0)
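Review bot: both wlc entries (CVE-2026-22251, CVE-2026-22250) get [trixie]/[bookworm] <no-dsa> (Minor issue) with no NOTE stating the threat model, even though the fix is already known (1.17.0) and Debian bugs #1125441/#1125440 are filed; as wlc is a command-line client talking to a Weblate server's REST API, a short NOTE on whether exploitation requires a malicious or compromised server versus local access would justify "Minor issue" and tell a point-release reviewer what to look at. Unstable stays <unfixed> in both entries, which is consistent with the bugs being open, but the entries should be updated to the fixed version when the 1.17.0 upload lands.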
@@ -1779,16 +1809,22 @@ CVE-2025-68472 (MindsDB is a platform for building artificial intelligence from
NOT-FOR-US: MindsDB
CVE-2025-68471 (Avahi is a system which facilitates service discovery on a local netwo ...)
- avahi <unfixed> (bug #1125419)
+ [trixie] - avahi <no-dsa> (Minor issue)
+ [bookworm] - avahi <no-dsa> (Minor issue)
NOTE: https://github.com/avahi/avahi/security/advisories/GHSA-56rf-42xr-qmmg
NOTE: https://github.com/avahi/avahi/issues/678
NOTE: Fixed by: https://github.com/avahi/avahi/commit/9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1
CVE-2025-68468 (Avahi is a system which facilitates service discovery on a local netwo ...)
- avahi <unfixed> (bug #1125418)
+ [trixie] - avahi <no-dsa> (Minor issue)
+ [bookworm] - avahi <no-dsa> (Minor issue)
NOTE: https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52
NOTE: https://github.com/avahi/avahi/issues/683
NOTE: Fixed by: https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a
CVE-2025-68276 (Avahi is a system which facilitates service discovery on a local netwo ...)
- avahi <unfixed> (bug #1125417)
+ [trixie] - avahi <no-dsa> (Minor issue)
+ [bookworm] - avahi <no-dsa> (Minor issue)
NOTE: https://github.com/avahi/avahi/security/advisories/GHSA-mhf3-865v-g5rc
NOTE: https://github.com/avahi/avahi/pull/806
NOTE: Fixed by: https://github.com/avahi/avahi/commit/2d48e42d44a183f26a4d12d1f5d41abb9b7c6355
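Review bot: all three avahi entries (CVE-2025-68471, CVE-2025-68468, CVE-2025-68276) are tagged <no-dsa> (Minor issue) for trixie and bookworm with no NOTE giving the reason, and for a daemon that, per its own description, handles service discovery on the local network, the difference between a crash reachable from a crafted packet on the LAN and a local-only issue is exactly what decides whether no-dsa is right; one line per entry (crash only, local trigger, non-default configuration, etc.) would make the rating checkable. The entries do already carry advisory, issue/PR and "Fixed by:" commit NOTEs, so the material for a later stable update is in place.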
@@ -1986,6 +2022,8 @@ CVE-2026-22697 (CryptoLib provides a software-only solution using the CCSDS Spac
NOT-FOR-US: NASA CryptoLib
CVE-2026-22693 (HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null poi ...)
- harfbuzz 12.3.0-4 (bug #1125189)
+ [trixie] - harfbuzz <no-dsa> (Minor issue)
+ [bookworm] - harfbuzz <no-dsa> (Minor issue)
NOTE: https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww
NOTE: Fixed by: https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae
CVE-2026-22691 (pypdf is a free and open-source pure-python PDF library. Prior to vers ...)
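Review bot: the unstable fixed version for CVE-2026-22693 is recorded as harfbuzz 12.3.0-4, but the entry description says the bug exists "Prior to version 12.3.0", which implies upstream 12.3.0 already contains the fix; either the "Fixed by:" commit was cherry-picked into the -4 Debian revision and earlier 12.3.0 uploads were still vulnerable, or the fixed version should be the first 12.3.0 upload. Worth confirming before relying on the [trixie]/[bookworm] <no-dsa> tags, since the same question decides which version a backport would be based on; a null pointer dereference is a crash, so "Minor issue" itself looks right.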
@@ -20333,6 +20371,7 @@ CVE-2025-63872 (DeepSeek V3.2 has a Cross Site Scripting (XSS) vulnerability, wh
CVE-2025-61727 (An excluded subdomain constraint in a certificate chain does not restr ...)
- golang-1.25 <unfixed> (bug #1121847)
- golang-1.24 <unfixed> (bug #1121848)
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
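Review bot: the new [trixie] - golang-1.24 <no-dsa> (Minor issue) line for CVE-2025-61727 carries no reasoning, and the entry describes an excluded-subdomain name constraint in a certificate chain not being enforced, which is a certificate-verification correctness issue rather than a crash; a NOTE stating why it is minor (e.g. that it only matters for chains that actually carry excluded-subtree constraints) would make the no-dsa decision defensible if questioned, since it differs in kind from the DoS-style issues triaged elsewhere in this patch. Annotating golang-1.24 only is consistent with golang-1.25 being tracked <unfixed> in unstable and bookworm's golang-1.19 already being <no-dsa>.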
@@ -20344,6 +20383,7 @@ CVE-2025-61727 (An excluded subdomain constraint in a certificate chain does not
CVE-2025-61729 (Within HostnameError.Error(), when constructing an error string, there ...)
- golang-1.25 <unfixed> (bug #1121847)
- golang-1.24 <unfixed> (bug #1121848)
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccffe5b3b526b7290e42ae172108ffc7dd845ea9