[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jun 1 09:10:23 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c5f2efa6 by Moritz Muehlenhoff at 2026-06-01T10:10:12+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -264,9 +264,13 @@ CVE-2026-47187
 	NOTE: Fixed by: https://github.com/libfuse/sshfs/commit/bcd132f17ccf1b8592a229df797c9b08883fec26 (sshfs-3.7.6)
 CVE-2026-9516 [BOM-shift PV-corruption SIGABRT]
 	- libcpanel-json-xs-perl 4.41-1 (bug #1138273)
+	[trixie] - libcpanel-json-xs-perl <no-dsa> (Minor issue)
+	[bookworm] - libcpanel-json-xs-perl <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/rurban/Cpanel-JSON-XS/commit/dfe1b41a36caba51dc12a2917fe50285d1ffaa7b (4.41)
 CVE-2026-9334 [dupkeys_as_arrayref type confusion]
 	- libcpanel-json-xs-perl 4.41-1 (bug #1138273)
+	[trixie] - libcpanel-json-xs-perl <no-dsa> (Minor issue)
+	[bookworm] - libcpanel-json-xs-perl <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/rurban/Cpanel-JSON-XS/commit/11a7c550a0d8fac2f84414f24d5df9b2bfe346e2 (4.41)
 CVE-2026-XXXX [Attacker-controlled heap out-of-bounds write in libvncclient Tight decoder]
 	- libvncserver <unfixed> (bug #1138253)
@@ -1235,7 +1239,11 @@ CVE-2026-6816 (An access bypass vulnerability in Drupal TFA Basic Plugins allows
 	NOT-FOR-US: Drupal core and addons
 CVE-2026-6324 (A flaw was found in libsoup. A remote attacker could exploit an unsign ...)
 	- libsoup3 <unfixed> (bug #1138213)
+	[trixie] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 <no-dsa> (Minor issue)
 	- libsoup2.4 <removed>
+	[trixie] - libsoup2.4 <no-dsa> (Minor issue)
+	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/508
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/517
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/commit/96ac392b444d01bd5de1d1276b187c3ed49d048c (3.7.1)
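Review bot: libsoup2.4 is marked `<removed>` in unstable yet receives `[trixie]`/`[bookworm]` `<no-dsa>` tags, which is consistent only if the package is still shipped in those suites; the only fix reference in the entry is the libsoup 3.7.1 commit, so a NOTE stating whether the affected code exists in the 2.4 branch (and where the 2.4 fix lives, if any) would make the libsoup2.4 tags verifiable for whoever prepares a point-release update.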
@@ -1506,19 +1514,19 @@ CVE-2026-47753
 	[trixie] - incus <not-affected> (Vulnerable code not resent)
 	NOTE: https://github.com/lxc/incus/pull/3425
 	NOTE: https://github.com/lxc/incus/security/advisories/GHSA-8g7m-96c8-8wwc
-CVE-2026-47734
+CVE-2026-47734 [dulwich: Unbounded memory allocation in receive-pack from crafted thin packs]
 	- dulwich 1.2.5-1
 	NOTE: https://github.com/jelmer/dulwich/security/advisories/GHSA-xrvj-v92f-53gj
-CVE-2026-47712
+	NOTE: https://github.com/jelmer/dulwich/commit/f860ca489d63624ae6d7c7945fbbd19018b8125c (dulwich-1.2.5)
+CVE-2026-47712 [dulwich: Commit subjects not sanitized in porcelain.format_patch]
 	- dulwich 1.2.5-1
 	NOTE: https://github.com/jelmer/dulwich/security/advisories/GHSA-555p-6grf-mh7f
-CVE-2026-42563
+CVE-2026-42563 [dulwich: Command Injection via Merge Driver Path]
 	- dulwich 1.2.5-1
 	NOTE: https://github.com/jelmer/dulwich/security/advisories/GHSA-9277-mp7x-85jf
 CVE-2026-42305
-	- dulwich 1.2.5-1
+	- dulwich <not-affected> (Windows-specific)
 	NOTE: https://github.com/jelmer/dulwich/security/advisories/GHSA-897w-fcg9-f6xj
-	TODO: check, Windows only, or as well just NTFS filesystems?
 CVE-2026-9828 (Deserialization of untrusted data vulnerability in QOS.CH Sarl logback ...)
 	- logback <unfixed>
 	NOTE: https://logback.qos.ch/news.html#1.5.33
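Review bot: the TODO asking whether CVE-2026-42305 is Windows-only or also affects NTFS filesystems is dropped at the same time the entry changes to `<not-affected> (Windows-specific)`, but no NOTE records what settled the NTFS question; keeping a one-line NOTE with the basis for the conclusion would stop the next triager from reopening it. The fix-commit NOTE added for CVE-2026-47734 also has no counterpart for CVE-2026-47712 and CVE-2026-42563, which still list only their advisories.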
@@ -2909,6 +2917,8 @@ CVE-2026-47118 (Agent Zero before version 1.15 contains a path traversal vulnera
 	NOT-FOR-US: Agent Zero
 CVE-2026-47104 (libusb before version 1.0.30 contains a one-byte out-of-bounds read vu ...)
 	- libusb-1.0 2:1.0.30-1
+	[trixie] - libusb-1.0 <no-dsa> (Minor issue)
+	[bookworm] - libusb-1.0 <no-dsa> (Minor issue)
 	NOTE: https://github.com/libusb/libusb/issues/1813
 	NOTE: https://github.com/libusb/libusb/pull/1814
 	NOTE: https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231 (v1.0.30-rc2)
@@ -3307,6 +3317,8 @@ CVE-2026-2030 (The WPBakery Page Builder Addons by Livemesh plugin for WordPress
 	NOT-FOR-US: WordPress plugin
 CVE-2026-23679 (libusb before version 1.0.30 contains a NULL pointer dereference vulne ...)
 	- libusb-1.0 2:1.0.30-1
+	[trixie] - libusb-1.0 <no-dsa> (Minor issue)
+	[bookworm] - libusb-1.0 <no-dsa> (Minor issue)
 	NOTE: https://github.com/libusb/libusb/issues/1813
 	NOTE: https://github.com/libusb/libusb/pull/1814
 	NOTE: https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231 (v1.0.30-rc2)
@@ -6486,6 +6498,8 @@ CVE-2026-9011 (The Ditty \u2013 Responsive News Tickers, Sliders, and Lists plug
 	NOT-FOR-US: WordPress plugin
 CVE-2026-8997 (vifm is vulnerable to a heap buffer overflow during the history merge  ...)
 	- vifm 0.14.3-3 (bug #1137528)
+	[trixie] - vifm <no-dsa> (Minor issue)
+	[bookworm] - vifm <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/vifm/vifm/commit/23063c741f15a85621fd232dfc3ac5b779f6910d
 CVE-2026-8992 (An improper certificate validation vulnerability in Ivanti Secure Acce ...)
 	NOT-FOR-US: Ivanti
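Review bot: the `Fixed by:` NOTE for CVE-2026-8997 carries no upstream release in parentheses, unlike the other fix references in this file (e.g. `(3.7.1)`, `(v1.0.30-rc2)`); appending the vifm release that contains commit 23063c7 would make it clear which upstream version the 0.14.3-3 package corresponds to when the `<no-dsa>` tags are revisited.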


=====================================
data/dsa-needed.txt
=====================================
@@ -24,6 +24,8 @@ ceph (carnil)
 --
 cups
 --
+erlang
+--
 expat
 --
 fastnetmon
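Review bot: `erlang` is added to dsa-needed.txt without an assignee, whereas claimed entries in this file carry one in parentheses (see `ceph (carnil)` in the hunk header); that is fine for an unclaimed item, but none of the data/CVE/list hunks in this commit touch erlang, so the CVE that motivates the DSA is not visible here and a short comment line naming it would help whoever picks it up.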



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5f2efa6749649919494cd690a21d6005313aeb4


