[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Jan 21 12:04:18 GMT 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
56d98c90 by Moritz Muehlenhoff at 2026-01-21T13:03:56+01:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -392,15 +392,23 @@ CVE-2025-33233 (NVIDIA Merlin Transformers4Rec for all platforms contains a vuln
 	NOT-FOR-US: NVIDIA
 CVE-2025-33231 (NVIDIA Nsight Systems for Windows contains a vulnerability in the appl ...)
 	- nvidia-cuda-toolkit <unfixed>
+	[trixie] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
+	[bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
 	NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5755
 CVE-2025-33230 (NVIDIA Nsight Systems for Linux contains a vulnerability in the .run i ...)
 	- nvidia-cuda-toolkit <unfixed>
+	[trixie] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
+	[bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
 	NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5755
 CVE-2025-33229 (NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Ns ...)
 	- nvidia-cuda-toolkit <unfixed>
+	[trixie] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
+	[bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
 	NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5755
 CVE-2025-33228 (NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot reci ...)
 	- nvidia-cuda-toolkit <unfixed>
+	[trixie] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
+	[bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
 	NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5755
 CVE-2025-33015 (IBM Concert 1.0.0 through 2.1.0 is vulnerable to malicious file upload ...)
 	NOT-FOR-US: IBM
@@ -436,6 +444,8 @@ CVE-2025-11743 (A denial-of-service security issue in the affected product. The
 	NOT-FOR-US: Rockwell Automation
 CVE-2025-15281 (Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the ...)
 	- glibc <unfixed>
+	[trixie] - glibc <no-dsa> (Minor issue)
+	[bookworm] - glibc <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/01/20/3
 	NOTE: Inroduced with: https://sourceware.org/git/?p=glibc.git;a=commit;h=8f2ece695d8822e9ecc63ecd157e90bf17a6fe65
 	NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=80cc58ea2de214f85b0a1d902a3b668ad2ecb302
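Review bot: the unchanged context line `NOTE: Inroduced with: ...` under CVE-2025-15281 carries a typo ("Inroduced" for "Introduced"); since this hunk already touches the entry, it would be a good moment to correct it so the note is greppable alongside the other "Introduced by:" annotations in the file.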
@@ -498,6 +508,7 @@ CVE-2026-23874 (ImageMagick is free and open-source software used for editing an
 	- imagemagick <unfixed>
 	NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844
 	NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/2a09644b10a5b146e0a7c63b778bd74a112ebec3 (7.1.2-13)
+	NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/fe2970bbbe02c6fe875cc2b269390a3165d57706 (6.9.13-38)
 CVE-2026-23849 (File Browser provides a file managing interface within a specified dir ...)
 	NOT-FOR-US: filebrowser
 CVE-2026-23848 (MyTube is a self-hosted downloader and player for several video websit ...)
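Review bot: the new line records a fix in the ImageMagick6 tree (6.9.13-38) for CVE-2026-23874, but no `[bookworm]`/`[bullseye]` triage line accompanies it, whereas the neighbouring CVE-2026-22770 entry marks those IM6-based suites explicitly; if the IM6 fix implies those suites are affected, a `[bookworm] - imagemagick <no-dsa> (...)` or `<not-affected>` line would keep the entry consistent with the rest of this commit.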
@@ -508,6 +519,8 @@ CVE-2026-23837 (MyTube is a self-hosted downloader and player for several video
 	NOT-FOR-US: MyTube
 CVE-2026-22770 (ImageMagick is free and open-source software used for editing and mani ...)
 	- imagemagick <unfixed>
+	[bookworm] - imagemagick <not-affected> (Vulnerable code not present, specific to IM7)
+	[bullseye] - imagemagick <not-affected> (Vulnerable code not present, specific to IM7)
 	NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-39h3-g67r-7g3c
 	NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/3e0330721020e0c5bb52e4b77c347527dd71658e (7.1.2-13)
 CVE-2026-22219 (Chainlit versions prior to 2.9.4 contain a server-side request forgery ...)
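Review bot: bookworm and bullseye are marked `<not-affected>` with the rationale "specific to IM7", but no `[trixie]` line is added for CVE-2026-22770; since that rationale implies trixie (shipping IM7) is affected, the trixie decision (DSA, `<no-dsa>` or `<postponed>`) is still outstanding and should be recorded so the entry does not read as half-triaged.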
@@ -670,6 +683,8 @@ CVE-2026-1146 (A vulnerability has been found in SourceCodester/Patrick Mvuma Pa
 	NOT-FOR-US: SourceCodester
 CVE-2026-1145 (A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by  ...)
 	- quickjs <unfixed>
+	[trixie] - quickjs <no-dsa> (Minor issue)
+	[bookworm] - quickjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/quickjs-ng/quickjs/issues/1305
 	NOTE: https://github.com/quickjs-ng/quickjs/pull/1306
 	NOTE: https://github.com/paralin/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4
@@ -755,11 +770,12 @@ CVE-2026-23525 (1Panel is an open-source, web-based control panel for Linux serv
 	NOT-FOR-US: 1Panel
 CVE-2026-1144 (A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affec ...)
 	- quickjs <unfixed>
+	[trixie] - quickjs <no-dsa> (Minor issue)
+	[bookworm] - quickjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/quickjs-ng/quickjs/issues/1301
 	NOTE: https://github.com/quickjs-ng/quickjs/issues/1302
 	NOTE: https://github.com/quickjs-ng/quickjs/pull/1303
 	NOTE: https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141
-	TODO: check, if inpacts quickjs actually or only the itp'ed quickjs-ng, #1120722
 CVE-2026-1143 (A weakness has been identified in TOTOLINK A3700R 9.1.2u.5822_B2020051 ...)
 	NOT-FOR-US: TOTOLINK
 CVE-2026-1142 (A security flaw has been discovered in PHPGurukul News Portal 1.0. The ...)
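Review bot: the removed `TODO: check, if inpacts quickjs actually or only the itp'ed quickjs-ng, #1120722` is dropped without a NOTE capturing the answer; adding `<no-dsa>` for trixie and bookworm implies src:quickjs is affected, so a one-line `NOTE:` stating that (and keeping the #1120722 reference) would preserve the reasoning for anyone revisiting CVE-2026-1144 and the sibling CVE-2026-1145 entry above.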
@@ -824,6 +840,8 @@ CVE-2026-0863 (Using string formatting and exception handling, an attacker may b
 	NOT-FOR-US: n8n
 CVE-2025-15537 (A security vulnerability has been detected in Mapnik up to 4.2.0. This ...)
 	- mapnik <unfixed>
+	[trixie] - mapnik <postponed> (Minor issue, revisit when fixed upstream)
+	[bookworm] - mapnik <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/mapnik/mapnik/issues/4543
 CVE-2025-15536 (A weakness has been identified in BYVoid OpenCC up to 1.1.9. This vuln ...)
 	- opencc <unfixed> (unimportant)
@@ -1612,10 +1630,14 @@ CVE-2026-0992 (A flaw was found in the libxml2 library. This uncontrolled resour
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/f75abfcaa419a740a3191e56c60400f3ff18988d
 CVE-2026-0990 (A flaw was found in libxml2, an XML parsing library. This uncontrolled ...)
 	- libxml2 <unfixed> (bug #1125695)
+	[trixie] - libxml2 <no-dsa> (Minor issue)
+	[bookworm] - libxml2 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/1018
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1961208e958ca22f80a0b4e4c9d71cfa050aa982
 CVE-2026-0989 (A flaw was identified in the RelaxNG parser of libxml2 related to how  ...)
 	- libxml2 <unfixed> (bug #1125691)
+	[trixie] - libxml2 <no-dsa> (Minor issue)
+	[bookworm] - libxml2 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/998
 	NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374
 CVE-2026-0976 (A flaw was found in Keycloak. This improper input validation vulnerabi ...)
@@ -3594,6 +3616,8 @@ CVE-2026-22801 (LIBPNG is a reference library for use in applications that read,
 	NOTE: Fixed by: https://github.com/pnggroup/libpng/commit/cf155de014fc6c5cb199dd681dd5c8fb70429072
 CVE-2026-22695 (LIBPNG is a reference library for use in applications that read, creat ...)
 	- libpng1.6 <unfixed> (bug #1125443)
+	[trixie] - libpng1.6 <no-dsa> (Minor issue)
+	[bookworm] - libpng1.6 <no-dsa> (Minor issue)
 	NOTE: https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp
 	NOTE: Introduced by: https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea (v1.6.51)
 	NOTE: Fixed by: https://github.com/pnggroup/libpng/commit/e4f7ad4ea2a471776c81dda4846b7691925d9786
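Review bot: the context NOTE records CVE-2026-22695 as introduced by a commit tagged v1.6.51, so if the libpng1.6 versions shipped in trixie and bookworm predate 1.6.51, `<not-affected> (Vulnerable code introduced in 1.6.51)` would be the accurate triage rather than `<no-dsa> (Minor issue)`; worth verifying the suite versions before marking both as affected.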


=====================================
data/dsa-needed.txt
=====================================
@@ -53,6 +53,8 @@ openjdk-17 (jmm)
 --
 openjdk-21/stable (jmm)
 --
+openjdk-25/stable (jmm)
+--
 opennds/oldstable
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56d98c90c234e64330935d4eb4d1524cf604ed70
