[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jun 1 11:34:26 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
27ac3d32 by Moritz Muehlenhoff at 2026-06-01T12:31:27+02:00
trixie/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -36,7 +36,10 @@ CVE-2026-35563
 	NOTE: https://www.openwall.com/lists/oss-security/2026/06/01/2
 CVE-2026-48827
 	- mina2 <unfixed>
+	[trixie] - mina2 <no-dsa> (Minor issue)
+	[bookworm] - mina2 <no-dsa> (Minor issue)
 	- mina <removed>
+	[bookworm] - mina <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/30/1
 CVE-2026-44825
 	- lucene-solr <not-affected> (Only affects 9.4.0 and later)
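Review bot: The three added "<no-dsa> (Minor issue)" lines under CVE-2026-48827 record no rationale, and this entry has no description text, so the oss-security NOTE is the only context for the decision. A short NOTE naming the limiting factor would let later triagers verify it without rereading the thread. Separately, "mina <removed>" gets only a "[bookworm]" line; it is worth confirming that the mina source package is absent from trixie, otherwise a "[trixie]" line is missing.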
@@ -281,6 +284,8 @@ CVE-2026-46242 (In the Linux kernel, the following vulnerability has been resolv
 	NOTE: https://git.kernel.org/linus/a6dc643c69311677c574a0f17a3f4d66a5f3744b (7.1-rc1)
 CVE-2026-8594 (Text::LineFold versions through 2019.001 for Perl duplicate the output ...)
 	- libunicode-linebreak-perl <unfixed>
+	[trixie] - libunicode-linebreak-perl <no-dsa> (Minor issue)
+	[bookworm] - libunicode-linebreak-perl <no-dsa> (Minor issue)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/40542383/
 	NOTE: Patch: https://security.metacpan.org/patches/U/Unicode-LineBreak/2019.001/CVE-2026-8594-r1.patch
 CVE-2026-48711
@@ -1292,18 +1297,26 @@ CVE-2026-49299 (In OpenStack Neutron before 28.0.1, the tagging controller enfor
 	NOTE: https://security.openstack.org/ossa/OSSA-2026-016.html
 CVE-2026-49130 (Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injec ...)
 	- mpd <unfixed> (bug #1138215)
+	[trixie] - mpd <no-dsa> (Minor issue)
+	[bookworm] - mpd <no-dsa> (Minor issue)
 	NOTE: https://github.com/MusicPlayerDaemon/MPD/issues/2483
 	NOTE: Fixed by: https://github.com/MusicPlayerDaemon/MPD/commit/855085b35c67dddeef0652e2cb3ac8cdd4f457b7 (v0.24.11)
 CVE-2026-49129 (Music Player Daemon (MPD) before version 0.24.11 contains a server-sid ...)
 	- mpd <unfixed> (bug #1138215)
+	[trixie] - mpd <no-dsa> (Minor issue)
+	[bookworm] - mpd <no-dsa> (Minor issue)
 	NOTE: https://github.com/MusicPlayerDaemon/MPD/issues/2487
 	NOTE: Fixed by: https://github.com/MusicPlayerDaemon/MPD/commit/78341dd6c7b101c3feede233d4cc4f8f1fcc4bb3 (v0.24.11)
 CVE-2026-49128 (Music Player Daemon (MPD) before version 0.24.11 contains a path trave ...)
 	- mpd <unfixed> (bug #1138215)
+	[trixie] - mpd <no-dsa> (Minor issue)
+	[bookworm] - mpd <no-dsa> (Minor issue)
 	NOTE: https://github.com/MusicPlayerDaemon/MPD/issues/2484
 	NOTE: Fixed by: https://github.com/MusicPlayerDaemon/MPD/commit/0b5315b9e5a42cb0e88bf46a7579bb5641543f60 (v0.24.11)
 CVE-2026-49127 (Music Player Daemon (MPD) before version 0.24.11 contains a stack buff ...)
 	- mpd <unfixed> (bug #1138215)
+	[trixie] - mpd <no-dsa> (Minor issue)
+	[bookworm] - mpd <no-dsa> (Minor issue)
 	NOTE: https://github.com/MusicPlayerDaemon/MPD/issues/2485
 	NOTE: Fixed by: https://github.com/MusicPlayerDaemon/MPD/commit/59911028c020f84bc2e669da6a1ef88121301274 (v0.24.11)
 CVE-2026-49095 (Improper Input Validation (CWE-20) in the Kibana Fleet agent policy ma ...)
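Review bot: CVE-2026-49127 is described as a "stack buff ..." issue but receives the same generic "(Minor issue)" reason as the CRLF injection and path traversal entries above it. If the no-dsa decision rests on a precondition, a NOTE on that entry should say so, since memory-corruption entries are the ones most likely to be re-questioned later. All four entries share bug #1138215 and have upstream fix commits tagged v0.24.11, so a NOTE that they can be addressed together in a point release would also help.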
@@ -2774,6 +2787,8 @@ CVE-2026-48095
 	NOTE: https://securitylab.github.com/advisories/GHSL-2026-140_7-Zip/
 CVE-2026-48863
 	- libsolv 0.7.38-1
+	[trixie] - libsolv <no-dsa> (Minor issue)
+	[bookworm] - libsolv <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2460975
 	NOTE: Fixed by: https://github.com/openSUSE/libsolv/commit/44f8c085045b1f771641091bbb2b810d12cff9e8 (0.7.38)
 CVE-2026-9712 (When creating an export through the pretix API, API clients are  retur ...)
@@ -5117,15 +5132,23 @@ CVE-2026-44900 (epa4all-client is the Java Client for epa4all / ePA 3.0 in the T
 	NOT-FOR-US: epa4all-client
 CVE-2026-44899 (Mistune is a Python Markdown parser with renderers and plugins. Prior  ...)
 	- mistune <unfixed> (bug #1138260)
+	[trixie] - mistune <no-dsa> (Minor issue)
+	[bookworm] - mistune <no-dsa> (Minor issue)
 	NOTE: https://github.com/lepture/mistune/security/advisories/GHSA-ccfx-mfmx-2fx9
 CVE-2026-44898 (Mistune is a Python Markdown parser with renderers and plugins. Prior  ...)
 	- mistune <unfixed> (bug #1138260)
+	[trixie] - mistune <no-dsa> (Minor issue)
+	[bookworm] - mistune <no-dsa> (Minor issue)
 	NOTE: https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv
 CVE-2026-44897 (Mistune is a Python Markdown parser with renderers and plugins. Prior  ...)
 	- mistune <unfixed> (bug #1138260)
+	[trixie] - mistune <no-dsa> (Minor issue)
+	[bookworm] - mistune <no-dsa> (Minor issue)
 	NOTE: https://github.com/lepture/mistune/security/advisories/GHSA-v87v-83h2-53w7
 CVE-2026-44896 (Mistune is a Python Markdown parser with renderers and plugins. In 3.2 ...)
 	- mistune <unfixed> (bug #1138260)
+	[trixie] - mistune <no-dsa> (Minor issue)
+	[bookworm] - mistune <no-dsa> (Minor issue)
 	NOTE: https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v
 CVE-2026-44895 (GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0 ...)
 	NOT-FOR-US: GitLab MCP Server
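Review bot: The description of CVE-2026-44896 starts "In 3.2 ..." while the other three mistune entries start "Prior ...", which suggests a narrower affected range for that one. Before tagging trixie and bookworm as "<no-dsa>", check whether their mistune versions contain the affected code at all; if they predate it, "<not-affected>" with the version reason is the more accurate tag, in the style of the lucene-solr line earlier in this file ("Only affects 9.4.0 and later").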
@@ -5992,14 +6015,22 @@ CVE-2026-7766 (Kenik Camera management Panel is vulnerable to Path Traversal vul
 CVE-2026-5223 (Cargo incorrectly handled symlinks inside of crate tarballs downloaded ...)
 	- cargo <removed>
 	- rust-cargo 0.91.0-3
+	[trixie] - rust-cargo <no-dsa> (Minor issue)
+	[bookworm] - rust-cargo <no-dsa> (Minor issue)
 	- rustc 1.95.0+dfsg1-2
+	[trixie] - rustc <no-dsa> (Minor issue)
+	[bookworm] - rustc <no-dsa> (Minor issue)
 	NOTE: https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8
 	NOTE: https://blog.rust-lang.org/2026/05/25/cve-2026-5223/
 	NOTE: https://github.com/rust-lang/cargo/commit/285cebf58911eca5b7f177f5d0b1c53e1f646577
 CVE-2026-5222 (Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-p ...)
 	- cargo <removed>
 	- rust-cargo 0.91.0-3
+	[trixie] - rust-cargo <no-dsa> (Minor issue)
+	[bookworm] - rust-cargo <no-dsa> (Minor issue)
 	- rustc 1.95.0+dfsg1-2
+	[trixie] - rustc <no-dsa> (Minor issue)
+	[bookworm] - rustc <no-dsa> (Minor issue)
 	NOTE: https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s
 	NOTE: https://blog.rust-lang.org/2026/05/25/cve-2026-5222/
 	NOTE: https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997f
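Review bot: For CVE-2026-5222 the description limits the affected range to "Cargo between 1.68 and 1.96", but the bookworm lines for rust-cargo and rustc are tagged "<no-dsa>" without a version check being recorded. If the bookworm toolchain predates 1.68, those lines should read "<not-affected>" with the reason in parentheses rather than "<no-dsa> (Minor issue)". Also, "cargo <removed>" gets no per-release line in either entry, unlike "mina <removed>" in the first hunk; if the cargo source package still exists in bookworm or trixie it needs its own annotation.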



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27ac3d323de1d4ee263f1eee921411a105ff4f77
