[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Jan 30 16:19:13 GMT 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
274df599 by Moritz Muehlenhoff at 2026-01-30T17:18:59+01:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -86,6 +86,8 @@ CVE-2026-25210 (In libexpat before 2.7.4, the doContent function does not proper
 	NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/9c2d990389e6abe2e44527eeaa8b39f16fe859c7
 CVE-2026-25068 (alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit  ...)
 	- alsa-lib <unfixed> (bug #1126629)
+	[trixie] - alsa-lib <no-dsa> (Minor issue)
+	[bookworm] - alsa-lib <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40
 CVE-2026-24780 (AutoGPT is a platform that allows users to create, deploy, and manage  ...)
 	NOT-FOR-US: AutoGPT
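
Review bot: The two added alsa-lib lines tag trixie and bookworm identically, but the entry's description limits the issue to versions 1.2.2 up to and including 1.2.15.2, and nothing in the entry records which version each suite ships. If either suite falls outside that range, "<not-affected>" with the reason would be more accurate than "<no-dsa> (Minor issue)"; otherwise a NOTE recording the affected-version check would make the triage reproducible.
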
@@ -730,6 +732,8 @@ CVE-2026-24748 (Kargo manages and automates the promotion of software artifacts.
 	NOT-FOR-US: Argo CD
 CVE-2026-24747 (PyTorch is a Python package that provides tensor computation. Prior to ...)
 	- pytorch <unfixed>
+	[trixie] - pytorch <no-dsa> (Minor issue)
+	[bookworm] - pytorch <no-dsa> (Minor issue)
 	NOTE: https://github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p
 	NOTE: https://github.com/pytorch/pytorch/issues/163105
 	NOTE: Fixed by: https://github.com/pytorch/pytorch/commit/167ad09be5af5c52666759412a3804068c6955d1
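
Review bot: The "- pytorch <unfixed>" line just above the added lines carries no bug reference, so once trixie and bookworm are marked "<no-dsa>" nothing in this entry tracks getting the fix into unstable. The NOTE already names the upstream fix commit; filing a bug against pytorch and adding the bug reference to the unfixed line, as the alsa-lib and avahi entries have, would close that gap.
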
@@ -817,6 +821,8 @@ CVE-2026-1504 (Inappropriate implementation in Background Fetch API in Google Ch
 	[bullseye] - chromium <end-of-life> (see #1061268)
 CVE-2026-XXXX [RUSTSEC-2025-0143]
 	- rust-capnp <unfixed>
+	[trixie] - rust-capnp <no-dsa> (Minor issue)
+	[bookworm] - rust-capnp <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2025-0143.html
 	NOTE: https://github.com/capnproto/capnproto-rust/issues/605
 CVE-2025-13881
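
Review bot: The rust-capnp entry is still a temporary "CVE-2026-XXXX" item with no description text, so after this change "Minor issue" on the two added lines is the only statement of impact a reader gets without opening the RUSTSEC advisory. A one-line NOTE saying why the issue is minor for the packaged crate would make the decision reviewable from the list itself. The "<unfixed>" line also has no bug reference.
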
@@ -1015,16 +1021,22 @@ CVE-2026-21417 (Dell CloudBoost Virtual Appliance, versions prior to 19.14.0.0,
 	NOT-FOR-US: Dell / EMC
 CVE-2026-1489 (A flaw was found in GLib. An integer overflow vulnerability in its Uni ...)
 	- glib2.0 2.86.3-5 (bug #1126549)
+	[trixie] - glib2.0 <no-dsa> (Minor issue)
+	[bookworm] - glib2.0 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/3872
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4983
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4984
 CVE-2026-1485 (A flaw was found in Glib's content type parsing logic. This buffer und ...)
 	- glib2.0 2.86.3-5 (bug #1126550)
+	[trixie] - glib2.0 <no-dsa> (Minor issue)
+	[bookworm] - glib2.0 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/3871
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4980
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4981
 CVE-2026-1484 (A flaw was found in the GLib Base64 encoding routine when processing v ...)
 	- glib2.0 2.86.3-5 (bug #1126551)
+	[trixie] - glib2.0 <no-dsa> (Minor issue)
+	[bookworm] - glib2.0 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/3870
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4978
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4979
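
Review bot: All three glib2.0 entries in this hunk receive the same "<no-dsa> (Minor issue)" pair, although their descriptions name different defects (CVE-2026-1489 an integer overflow, CVE-2026-1484 the Base64 encoding routine) and each is already fixed in unstable by 2.86.3-5 with upstream merge requests listed. Since one upload fixed all three, it would help to state whether a combined trixie/bookworm update through a point release is intended, and to use a reason that says so instead of the generic text.
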
@@ -1725,6 +1737,8 @@ CVE-2026-24402
 	REJECTED
 CVE-2026-24401 (Avahi is a system which facilitates service discovery on a local netwo ...)
 	- avahi <unfixed> (bug #1126342)
+	[trixie] - avahi <no-dsa> (Minor issue)
+	[bookworm] - avahi <no-dsa> (Minor issue)
 	NOTE: https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3
 	NOTE: https://github.com/avahi/avahi/issues/501
 	NOTE: Fixed by: https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524
@@ -2034,9 +2048,13 @@ CVE-2026-1299 (The  email module, specifically the "BytesGenerator" class, didn\
 	{DLA-4455-1}
 	- python3.14 <unfixed>
 	- python3.13 <unfixed>
+	[trixie] - python3.13 <no-dsa> (Minor issue)
 	- python3.11 <removed>
+	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
 	- pypy3 <unfixed>
+	[trixie] - pypy3 <no-dsa> (Minor issue)
+	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	NOTE: https://github.com/python/cpython/issues/144125
 	NOTE: https://github.com/python/cpython/pull/144126
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/
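
Review bot: The context line "{DLA-4455-1}" at the top of this entry shows the CVE is already covered by an LTS advisory, while the added lines leave python3.13 in trixie and python3.11 and pypy3 in trixie/bookworm at "<no-dsa>". If that difference is intended, a reason more specific than "Minor issue" would tell readers why the stable suites are treated differently from the release that received the DLA.
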
@@ -3520,6 +3538,8 @@ CVE-2025-13878 (Malformed BRID/HHIT records can cause `named` to terminate unexp
 	NOTE: Fixed by: https://gitlab.isc.org/isc-projects/bind9/-/commit/7bf83f69a80bdc6094c2adee3595e28b1b3e19ea (v9.21.17)
 CVE-2025-13465 (Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype poll ...)
 	- node-lodash <unfixed> (bug #1126265)
+	[trixie] - node-lodash <no-dsa> (Minor issue)
+	[bookworm] - node-lodash <no-dsa> (Minor issue)
 	NOTE: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
 CVE-2025-12781 (When passing data to the b64decode(), standard_b64decode(), and urlsaf ...)
 	- python3.14 <unfixed>
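
Review bot: The node-lodash entry has only the GHSA advisory link as a NOTE and no "Fixed by:" commit, unlike most other entries touched in this commit. With trixie and bookworm now set to "<no-dsa>", whoever later picks this up for a point release has to locate the patch again; adding the upstream fix commit as a NOTE once it is identified would avoid that.
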
@@ -5327,6 +5347,8 @@ CVE-2025-68438 (In Apache Airflow versions before 3.1.6, when rendered template
 CVE-2026-0988 (A flaw was found in glib. Missing validation of offset and count param ...)
 	[experimental] - glib2.0 2.87.1-1
 	- glib2.0 2.86.3-5 (bug #1125752)
+	[trixie] - glib2.0 <no-dsa> (Minor issue)
+	[bookworm] - glib2.0 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/3851
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/glib/-/commit/c5766cff61ffce0b8e787eae09908ac348338e5f (2.87.1)
 CVE-2026-0980


=====================================
data/dsa-needed.txt
=====================================
@@ -62,7 +62,7 @@ php-laravel-framework/oldstable
 --
 python-aiohttp
 --
-python-django
+python-django (jmm)
 --
 python-tornado
 --
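
Review bot: The "python-django (jmm)" change claims a package in data/dsa-needed.txt, which the commit message "trixie/bookworm triage" does not mention. Either note the claim in the message or push it as its own commit, so the history of who took python-django is easy to find.
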



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/274df59991b48123b57f3e59507d74a760ad3bc9
