[Git][security-tracker-team/security-tracker][master] 2 commits: trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jun 1 14:16:43 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b668b4ce by Moritz Muehlenhoff at 2026-06-01T15:02:19+02:00
trixie/bookworm triage

- - - - -
98fd0238 by Moritz Muehlenhoff at 2026-06-01T15:02:21+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -67,6 +67,8 @@ CVE-2026-44825
 	NOTE: https://issues.apache.org/jira/browse/SOLR-18233
 CVE-2026-8796
 	- libsereal-decoder-perl <unfixed>
+	[trixie] - libsereal-decoder-perl <no-dsa> (Minor issue)
+	[bookworm] - libsereal-decoder-perl <no-dsa> (Minor issue)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/40571630/
 	NOTE: Fixed by: https://github.com/Sereal/Sereal/commit/303a2c69cdba80bf37a3ff43461e0aa78198a7a3 (Sereal-5.005)
 CVE-2026-8382 (The Advanced Custom Fields (ACF\xae) plugin for WordPress is vulnerabl ...)
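Review bot: the unstable entry for libsereal-decoder-perl stays <unfixed> with no Debian bug reference, although the Fixed by note already identifies the upstream commit and the fixed release (Sereal-5.005); the rpm and bzip2 entries in this same commit carry a (bug #...) next to <unfixed>, so recording one here too would give the two new no-dsa markings a tracked path to the fix.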
@@ -389,15 +391,21 @@ CVE-2026-44640 (NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Plat
 	NOT-FOR-US: NanoMQ MQTT Broker (NanoMQ)
 CVE-2026-44422 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
 	- freerdp3 3.26.0+dfsg-1
+	[trixie] - freerdp3 <no-dsa> (Minor issue)
 	- freerdp2 <removed>
+	[bookworm] - freerdp2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j9q5-7g8m-jc9v
 CVE-2026-44421 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
 	- freerdp3 3.26.0+dfsg-1
+	[trixie] - freerdp3 <no-dsa> (Minor issue)
 	- freerdp2 <removed>
+	[bookworm] - freerdp2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff
 CVE-2026-44420 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
 	- freerdp3 3.26.0+dfsg-1
+	[trixie] - freerdp3 <no-dsa> (Minor issue)
 	- freerdp2 <removed>
+	[bookworm] - freerdp2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvpx-xj7r-3p3r
 CVE-2026-44287 (FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the J ...)
 	NOT-FOR-US: FastGPT
@@ -1598,6 +1606,8 @@ CVE-2026-42305
 	NOTE: https://github.com/jelmer/dulwich/security/advisories/GHSA-897w-fcg9-f6xj
 CVE-2026-9828 (Deserialization of untrusted data vulnerability in QOS.CH Sarl logback ...)
 	- logback <unfixed>
+	[trixie] - logback <no-dsa> (Minor issue)
+	[bookworm] - logback <no-dsa> (Minor issue)
 	NOTE: https://logback.qos.ch/news.html#1.5.33
 CVE-2026-9818
 	REJECTED
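Review bot: the two new no-dsa lines give only "(Minor issue)" as rationale for an entry described as deserialization of untrusted data, and the only reference is the upstream news page; a NOTE stating why it is minor for the Debian package (which component or configuration has to be in use, for example) would let a later triager verify the downgrade, in the way other entries in this commit carry "Fixed by" and bug references.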
@@ -1747,29 +1757,29 @@ CVE-2026-47674 (Hono is a Web application framework that provides support for an
 CVE-2026-47673 (Hono is a Web application framework that provides support for any Java ...)
 	NOT-FOR-US: Hono
 CVE-2026-47337 (Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible N ...)
-	TODO: check
+	- linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47336 (Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an unin ...)
-	TODO: check
+	- linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47335 (Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer d ...)
-	TODO: check
+	- linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47334 (Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which in ...)
-	TODO: check
+	- linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47333 (Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which ca ...)
-	TODO: check
+	- linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47332 (Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which in ...)
-	TODO: check
+	- linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47331 (Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire ...)
-	TODO: check
+	- linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47330 (Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which ca ...)
-	TODO: check
+	- linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47329 (Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to val ...)
-	TODO: check
+	- linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47328 (Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which in ...)
-	TODO: check
+	- linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47327 (Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible N ...)
-	TODO: check
+	- linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47326 (Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory lea ...)
-	TODO: check
+	- linux <not-affected> (Ubuntu-specific Apparmor patches/backports)
 CVE-2026-47136 (RustFS is a distributed object storage system built in Rust. Prior to  ...)
 	NOT-FOR-US: RustFS
 CVE-2026-47074 (Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (Ex ...)
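Review bot: the rationale "Ubuntu-specific Apparmor patches/backports" is applied uniformly to all twelve entries, but the visible descriptions of CVE-2026-47337, -47336, -47335, -47329, -47327 and -47326 say only "SAUCE patches" without naming AppArmor, while the other six say "AppArmor SAUCE patches"; either confirm that each of those six is AppArmor-related or use the broader wording "Ubuntu-specific SAUCE patches" so the not-affected reasoning matches what the descriptions state. Minor: the CVE text spells it AppArmor, the rationale Apparmor.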
@@ -1846,6 +1856,8 @@ CVE-2026-44672 (mapfish-print is a component of MapFish for printing templated c
 	NOT-FOR-US: mapfish-print
 CVE-2026-44604 (A command injection vulnerability was discovered in the `rpmuncompress ...)
 	- rpm <unfixed> (bug #1138234)
+	[trixie] - rpm <no-dsa> (Minor issue)
+	[bookworm] - rpm <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2460967
 CVE-2026-44594 (esm.sh is a no-build content delivery network (CDN) for web developmen ...)
 	NOT-FOR-US: esm.sh
@@ -1889,6 +1901,8 @@ CVE-2026-42998 (An issue was discovered in OpenStack Keystone before 29.0.2. The
 	NOTE: https://security.openstack.org/ossa/OSSA-2026-015.html
 CVE-2026-42250 (bzip2 contains an off\u2011by\u2011one error in the bzip2recover utili ...)
 	- bzip2 <unfixed> (bug #1138255)
+	[trixie] - bzip2 <no-dsa> (Minor issue)
+	[bookworm] - bzip2 <no-dsa> (Minor issue)
 	NOTE: https://inbox.sourceware.org/bzip2-devel/20260528145407.293768-1-mark@klomp.org/
 	NOTE: Fixed by: https://sourceware.org/cgit/bzip2/commit/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67
 CVE-2026-41565 (CryptX versions before 0.088_001 for Perl have a stack buffer overflow ...)
@@ -5115,6 +5129,8 @@ CVE-2026-49017 (In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware en
 	NOTE: https://bugs.launchpad.net/swift/+bug/2152205
 CVE-2026-49014 (In GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the netCDF  ...)
 	- gdal <unfixed>
+	[trixie] - gdal <no-dsa> (Minor issue)
+	[bookworm] - gdal <no-dsa> (Minor issue)
 	NOTE: https://github.com/OSGeo/gdal/issues/14594
 	NOTE: https://github.com/OSGeo/gdal/pull/14598
 	NOTE: https://github.com/OSGeo/gdal/commit/c49254dc6380af2f02ff43ca79e3cf7c1bc82f01
@@ -5614,7 +5630,9 @@ CVE-2026-40034 (gix-submodule before 0.29.0 (gitoxide before 0.5.21, gix before
 	TODO: check
 CVE-2026-40033 (FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in ...)
 	- freerdp3 3.26.0+dfsg-1
+	[trixie] - freerdp3 <no-dsa> (Minor issue)
 	- freerdp2 <removed>
+	[bookworm] - freerdp2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6r2-4hgm-m6ff
 	TODO: unclear fixing commit references, incorrect reference in CVE entry?
 CVE-2026-3660 (IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could all ...)
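Review bot: the advisory reference GHSA-p6r2-4hgm-m6ff under CVE-2026-40033 is the same one recorded for CVE-2026-44421 earlier in this commit, which is probably what the existing TODO about unclear fixing commit references is picking up; stating that cross-reference in the TODO would prompt the next triager to check whether one of the two CVEs points at the wrong advisory before the new no-dsa markings are relied on.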
@@ -15925,7 +15943,9 @@ CVE-2026-33811 (When using LookupCNAME with the cgo DNS resolver, a very long CN
 	- golang-1.25 1.25.10-1
 	- golang-1.26 1.26.3-1
 	- golang-1.24 <removed>
+	[trixie] - golang-1.24 <no-dsa> (Minor issue)
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm DSAs/point-releases)
 	NOTE: https://go-review.googlesource.com/c/go/+/767860
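Review bot: the existing bullseye line still says "follow bookworm DSAs/point-releases", but with bookworm now marked <no-dsa> (Minor issue) there will be no bookworm DSA to follow, only a point release if one is ever prepared; adjusting the bullseye rationale for golang-1.15 accordingly would keep the three suites' entries from contradicting each other.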


=====================================
data/dsa-needed.txt
=====================================
@@ -53,6 +53,8 @@ jetty12/stable
 --
 kamailio
 --
+keystone
+--
 kitty/oldstable
   No update yet or bookworm, might be too intrusive
 --
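Review bot: the new keystone entry carries no status note, unlike the neighbouring kitty/oldstable entry; since the CVE list in this same commit ties the Keystone issue CVE-2026-42998 to https://security.openstack.org/ossa/OSSA-2026-015.html, adding that reference (and the /stable or /oldstable suffix used by jetty12/stable if only one suite needs the DSA) would tell whoever prepares the update where to start.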



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/12e4791584e488ab4f225164dee04db23ada58a7...98fd02388f5802fb77e2cd848dc15482948988a9
