[Git][security-tracker-team/security-tracker][master] 6 commits: CVE-2026-23528/dask.distributed: bullseye postponed

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Sat Jan 31 14:18:34 GMT 2026 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ca63f92e by Sylvain Beucler at 2026-01-31T15:18:13+01:00
CVE-2026-23528/dask.distributed: bullseye postponed

follow bookworm triage

- - - - -
08024649 by Sylvain Beucler at 2026-01-31T15:18:13+01:00
dla: add node-lodash

- - - - -
fe97f822 by Sylvain Beucler at 2026-01-31T15:18:16+01:00
CVE-2025-15536/opencc: bullseye postponed

follow bookworm triage

- - - - -
20fe8501 by Sylvain Beucler at 2026-01-31T15:18:18+01:00
CVE-2026-24747/pytorch: bullseye postponed

follow bookworm triage

- - - - -
4fb15b00 by Sylvain Beucler at 2026-01-31T15:18:18+01:00
dla: add tcpflow

- - - - -
a40eaefa by Sylvain Beucler at 2026-01-31T15:18:21+01:00
CVE-2025-45160/cacti: bullseye postponed

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -615,6 +615,7 @@ CVE-2025-45160 (A HTML injection vulnerability exists in the file upload functio
 	- cacti <unfixed>
 	[trixie] - cacti <no-dsa> (Minor issue)
 	[bookworm] - cacti <no-dsa> (Minor issue)
+	[bullseye] - cacti <postponed> (Minor issue, reflected XSS, no JavaScript)
 	NOTE: https://gist.github.com/BEND0US/49d76897a5bb676d8c3f51425553cc32
 	TODO: check if reported upstream
 CVE-2025-15550 (birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vul ...)
@@ -1162,6 +1163,7 @@ CVE-2026-24747 (PyTorch is a Python package that provides tensor computation. Pr
 	- pytorch <unfixed>
 	[trixie] - pytorch <no-dsa> (Minor issue)
 	[bookworm] - pytorch <no-dsa> (Minor issue)
+	[bullseye] - pytorch <postponed> (Minor issue)
 	NOTE: https://github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p
 	NOTE: https://github.com/pytorch/pytorch/issues/163105
 	NOTE: Fixed by: https://github.com/pytorch/pytorch/commit/167ad09be5af5c52666759412a3804068c6955d1
@@ -5093,6 +5095,7 @@ CVE-2025-15536 (A weakness has been identified in BYVoid OpenCC up to 1.1.9. Thi
 	- opencc 1.1.9+ds1-4 (bug #1126286)
 	[trixie] - opencc <no-dsa> (Minor issue)
 	[bookworm] - opencc <no-dsa> (Minor issue)
+	[bullseye] - opencc <postponed> (Minor issue)
 	NOTE: https://github.com/BYVoid/OpenCC/issues/997
 	NOTE: https://github.com/BYVoid/OpenCC/pull/1005
 	NOTE: Fixed by: https://github.com/BYVoid/OpenCC/commit/345c9a50ab07018f1b4439776bad78a0d40778ec (ver.1.2.0)
@@ -5285,6 +5288,7 @@ CVE-2026-23528 (Dask distributed is a distributed task scheduler for Dask. Prior
 	- dask.distributed <unfixed>
 	[trixie] - dask.distributed <no-dsa> (Minor issue)
 	[bookworm] - dask.distributed <no-dsa> (Minor issue)
+	[bullseye] - dask.distributed <postponed> (Minor issue)
 	NOTE: https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2
 	NOTE: Fixed by: https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa (2026.1.1)
 CVE-2026-23523 (Dive is an open-source MCP Host Desktop Application that enables integ ...)


=====================================
data/dla-needed.txt
=====================================
@@ -270,6 +270,9 @@ netty (rouca)
   NOTE: 20251127: all CVEs fixed under sid (rouca)
   NOTE: 20260114: fix remaining CVE wait DSA (rouca)
 --
+node-lodash
+  NOTE: 20260131: Added by Front-Desk (Beuc)
+--
 node-tar
   NOTE: 20260121: Added by Front-Desk (pochu)
   NOTE: 20260121: also look at postponed issue (pochu)
@@ -390,6 +393,9 @@ suricata
   NOTE: 20250331: re added to fix next bunch of CVEs (ta)
   NOTE: 20250825: testing package (ta)
 --
+tcpflow
+  NOTE: 20260131: Added by Front-Desk (Beuc)
+--
 trafficserver
   NOTE: 20241120: Added by Front-Desk (Beuc)
   NOTE: 20241120: Upcoming DSA (Beuc/front-desk)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/622d7b47cb82e0fb864ff74e379734abdb457b02...a40eaefa2385edce367e78833f8bd9bf8ea11cb0

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/622d7b47cb82e0fb864ff74e379734abdb457b02...a40eaefa2385edce367e78833f8bd9bf8ea11cb0
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260131/dbff6eff/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list