[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Jan 16 13:28:56 GMT 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ab3f8247 by Moritz Muehlenhoff at 2026-01-16T14:28:30+01:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -611,10 +611,15 @@ CVE-2026-0962 (SOME/IP-SD protocol dissector crash in Wireshark 4.6.0 to 4.6.2 a
 	- wireshark <unfixed> (bug #1125690)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2026-03.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/20945
+	NOTE: Fixed by: https://gitlab.com/wireshark/wireshark/-/commit/55ec8b3db4968c97115f014fb5974206cdf57454
 CVE-2026-0961 (BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12  ...)
 	- wireshark <unfixed> (bug #1125690)
+	[bookworm] - wireshark <not-affected> (Vulnerable code not present)
+	[bullseye] - wireshark <not-affected> (Vulnerable code not present)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2026-01.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/20880
+	NOTE: Fixed by: https://gitlab.com/wireshark/wireshark/-/commit/516ba22c34bd62468c2967ac476146bc03482679
+	NOTE: Introduced by: https://gitlab.com/wireshark/wireshark/-/commit/4e8603b60438650fe3329d5a0a0e8ff0bc96b08c (v4.3.0)
 CVE-2026-0960 (HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 all ...)
 	- wireshark <unfixed> (bug #1125690; unimportant)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2026-04.html
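Review bot: CVE-2026-0962 in this hunk gets only a "Fixed by:" note, while its neighbour CVE-2026-0961 also gets "[bookworm]/[bullseye] - wireshark <not-affected> (Vulnerable code not present)" backed by an "Introduced by:" commit tagged v4.3.0. That leaves the older suites untriaged for CVE-2026-0962 even though all three Wireshark entries share bug #1125690; either add the corresponding suite lines (with the introducing commit, if one is known) or a NOTE saying the bookworm/bullseye status is still pending, so the entry is not read as already complete.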
@@ -622,8 +627,12 @@ CVE-2026-0960 (HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.
 	NOTE: Hang in CLI tool, no security impact
 CVE-2026-0959 (IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4 ...)
 	- wireshark <unfixed> (bug #1125690)
+	[bookworm] - wireshark <not-affected> (Vulnerable code not present)
+	[bullseye] - wireshark <not-affected> (Vulnerable code not present)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2026-02.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/20939
+	NOTE: Fixed by: https://gitlab.com/wireshark/wireshark/-/commit/4b48ee36f1829d6d3d009bf9871af523ce8e3ace
+	NOTE: Introduced by: https://gitlab.com/wireshark/wireshark/-/commit/23bc2d48bb8267eac471091d03b633cbab37c973 (v4.1.0)
 CVE-2026-0861 (Passing too large an alignment to the memalign suite of functions (mem ...)
 	- glibc <unfixed> (bug #1125678)
 	[trixie] - glibc <no-dsa> (Minor issue)
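Review bot: the "<not-affected> (Vulnerable code not present)" lines for CVE-2026-0959 are justified only by the "Introduced by:" note pointing at the commit first shipped in v4.1.0, so the check to record is that the wireshark source versions in bookworm and bullseye both predate that tag; adding the tag to the NOTE, as done here, is what makes the claim verifiable later, and the same form should be kept for future entries. Note also that trixie is left as <unfixed> with no no-dsa/postponed marker, which is consistent with the package being queued in dsa-needed.txt in this same commit.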
@@ -2623,6 +2632,7 @@ CVE-2026-22704 (HAX CMS helps manage microsite universe with PHP or NodeJs backe
 	NOT-FOR-US: HAX CMS
 CVE-2026-22703 (Cosign provides code signing and transparency for containers and binar ...)
 	- cosign <unfixed>
+	[trixie] - cosign <no-dsa> (Minor issue)
 	NOTE: https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m
 	NOTE: https://github.com/sigstore/cosign/pull/4623
 	NOTE: Fixed by: https://github.com/sigstore/cosign/commit/6832fba4928c1ad69400235bbc41212de5006176 (v3.0.4)
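Review bot: "[trixie] - cosign <no-dsa> (Minor issue)" gives no reason, while the GHSA advisory and PR #4623 linked just below are the only context a later reader has; a one-line NOTE stating why the impact is minor (as the tinyxml2 entry later in this commit does with "Negligible security impact") would make the no-dsa decision reviewable without re-reading the advisory. Also, if cosign ships in bookworm, that suite needs its own status line here as well.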
@@ -149883,11 +149893,10 @@ CVE-2024-50623 (In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and L
 CVE-2024-50616 (Ironman PowerShell Universal 5.x before 5.0.12 allows an authenticated ...)
 	NOT-FOR-US: Ironman PowerShell Universal
 CVE-2024-50615 (TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/digit,  ...)
-	- tinyxml2 10.1.0+dfsg-1 (bug #1088814)
-	[bookworm] - tinyxml2 <postponed> (Minor issue, revisit when fixed upstream)
-	[bullseye] - tinyxml2 <postponed> (Minor issue, revisit when fixed upstream)
+	- tinyxml2 10.1.0+dfsg-1 (bug #1088814; unimportant)
 	NOTE: https://github.com/leethomason/tinyxml2/issues/997
 	NOTE: Fixed by: https://github.com/leethomason/tinyxml2/pull/1009 (10.1.0)
+	NOTE: Negligible security impact
 CVE-2024-50614 (TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/16, tha ...)
 	- tinyxml2 <unfixed> (bug #1088813)
 	[trixie] - tinyxml2 <postponed> (Minor issue, revisit when fixed upstream)
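Review bot: CVE-2024-50615 is re-triaged to "unimportant" with "NOTE: Negligible security impact" and its bookworm/bullseye <postponed> lines dropped, but the adjacent CVE-2024-50614 (the same class of reachable assertion, UINT_MAX/16 instead of UINT_MAX/digit) keeps "[trixie] - tinyxml2 <postponed> (Minor issue, revisit when fixed upstream)". Either apply the same reasoning to CVE-2024-50614 or add a NOTE explaining why its impact differs, so the two sibling entries do not contradict each other.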


=====================================
data/dsa-needed.txt
=====================================
@@ -84,5 +84,7 @@ tomcat11/stable (apo)
 --
 usbmuxd (corsac)
 --
+wireshark
+--
 zabbix/oldstable
 --
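Review bot: the new "wireshark" entry has no suite suffix and no assignee, unlike the neighbouring "tomcat11/stable (apo)", "usbmuxd (corsac)" and "zabbix/oldstable". An unclaimed entry is normal, but if this file's convention is that a bare package name means stable, it is worth keeping that explicit given the mixed suites around it; otherwise append "/stable" so it is clear the update targets trixie, matching the CVE/list triage where only the older suites were marked not-affected.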



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab3f824743611ffec111972f6eb8c831a10408c6


