[Git][security-tracker-team/security-tracker][master] lts: bullseye triage

Emilio Pozuelo Monfort (@pochu) pochu at debian.org
Thu Jun 4 10:39:23 BST 2026



Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
88cbb8fb by Emilio Pozuelo Monfort at 2026-06-04T11:39:02+02:00
lts: bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -229,6 +229,7 @@ CVE-2026-3276 (unicodedata.normalize() can take excessive CPU time when processi
 	- python3.11 <removed>
 	- python3.9 <removed>
 	- python2.7 <removed>
+	[bullseye] - python2.7 <end-of-life> (not supported in bullseye)
 	- pypy3 <unfixed>
 	NOTE: https://www.openwall.com/lists/oss-security/2026/06/03/15
 	NOTE: https://github.com/python/cpython/pull/149080
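Review bot: the bullseye triage for CVE-2026-3276 annotates only python2.7; python3.9 (the line just above it, marked <removed> in unstable) and pypy3 <unfixed> get no [bullseye] entry, so both still show as open for bullseye in the tracker. If that is intentional because python3.9 and pypy3 are still to be assessed, fine; otherwise add a [bullseye] line for each (e.g. `[bullseye] - python3.9 <no-dsa> (Minor issue)` if the excessive-CPU-time issue is judged minor, matching how the other packages in this commit are handled), so the entry is not left half-triaged.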
@@ -1775,21 +1776,27 @@ CVE-2026-0072 (In addInputMethodListener of com.android.server.inputmethod.Input
 	NOT-FOR-US: Android
 CVE-2025-60495 (A segmentation violation in the gf_media_get_color_info function (/med ...)
 	- gpac <removed>
+	[bullseye] - gpac <end-of-life> (EOLed in debian-security-support)
 	NOTE: https://github.com/gpac/gpac/issues/3335
 CVE-2025-60486 (A heap use-after-free in the dasher_process function (/filters/dasher. ...)
 	- gpac <removed>
+	[bullseye] - gpac <end-of-life> (EOLed in debian-security-support)
 	NOTE: https://github.com/gpac/gpac/issues/3314
 CVE-2025-60485 (A segmentation violation in the gf_isom_apple_set_tag_ex function (/is ...)
 	- gpac <removed>
+	[bullseye] - gpac <end-of-life> (EOLed in debian-security-support)
 	NOTE: https://github.com/gpac/gpac/issues/3323
 CVE-2025-60483 (A NULL pointer dereference in the gf_ac4_pres_b_4_back_channels_presen ...)
 	- gpac <removed>
+	[bullseye] - gpac <end-of-life> (EOLed in debian-security-support)
 	NOTE: https://github.com/gpac/gpac/issues/3302
 CVE-2025-60481 (A NULL pointer dereference in the gf_odf_ac4_cfg_dsi_v1 function (/odf ...)
 	- gpac <removed>
+	[bullseye] - gpac <end-of-life> (EOLed in debian-security-support)
 	NOTE: https://github.com/gpac/gpac/issues/3296
 CVE-2025-55664 (A heap buffer overflow in the m2tsdmx_send_packet function (filters/dm ...)
 	- gpac <removed>
+	[bullseye] - gpac <end-of-life> (EOLed in debian-security-support)
 	NOTE: https://github.com/gpac/gpac/issues/3310
 CVE-2024-52011 (launch-editor allows users to open files with line numbers in editor f ...)
 	NOT-FOR-US: Node launch-editor
@@ -1815,6 +1822,7 @@ CVE-2026-47191
 	- kas 5.3-1
 	[trixie] - kas <no-dsa> (Minor issue)
 	[bookworm] - kas <no-dsa> (Minor issue)
+	[bullseye] - kas <no-dsa> (Minor issue)
 	NOTE: https://github.com/siemens/kas/security/advisories/GHSA-qjwp-hrq6-r26r
 	NOTE: Fixed by: https://github.com/siemens/kas/commit/4cb4a3d01122ffaec9feaae768a5814092f6f9b5 (5.3)
 CVE-2026-8341
@@ -1873,8 +1881,10 @@ CVE-2026-48827 (Path traversal vulnerability in Apache MINA SSHD bundle sshd-git
 	- mina2 <unfixed> (bug #1138634)
 	[trixie] - mina2 <no-dsa> (Minor issue)
 	[bookworm] - mina2 <no-dsa> (Minor issue)
+	[bullseye] - mina2 <no-dsa> (Minor issue)
 	- mina <removed>
 	[bookworm] - mina <no-dsa> (Minor issue)
+	[bullseye] - mina <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/30/1
 CVE-2026-44825 (Hardcoded credentials in the Basic Authentication setup tool (bin/solr ...)
 	- lucene-solr <not-affected> (Only affects 9.4.0 and later)
@@ -2703,6 +2713,7 @@ CVE-2026-49214
 	- php-guzzlehttp-psr7 2.10.3-1 (bug #1138265)
 	[trixie] - php-guzzlehttp-psr7 <no-dsa> (Minor issue)
 	[bookworm] - php-guzzlehttp-psr7 <no-dsa> (Minor issue)
+	[bullseye] - php-guzzlehttp-psr7 <no-dsa> (Minor issue)
 	NOTE: https://github.com/guzzle/psr7/security/advisories/GHSA-hq7v-mx3g-29hw
 CVE-2026-48998
 	- php-guzzlehttp-psr7 2.10.3-1 (bug #1138265)
@@ -3284,24 +3295,28 @@ CVE-2026-49130 (Music Player Daemon (MPD) before version 0.24.11 contains a CRLF
 	- mpd 0.24.12-1 (bug #1138215)
 	[trixie] - mpd <no-dsa> (Minor issue)
 	[bookworm] - mpd <no-dsa> (Minor issue)
+	[bullseye] - mpd <no-dsa> (Minor issue)
 	NOTE: https://github.com/MusicPlayerDaemon/MPD/issues/2483
 	NOTE: Fixed by: https://github.com/MusicPlayerDaemon/MPD/commit/855085b35c67dddeef0652e2cb3ac8cdd4f457b7 (v0.24.11)
 CVE-2026-49129 (Music Player Daemon (MPD) before version 0.24.11 contains a server-sid ...)
 	- mpd 0.24.12-1 (bug #1138215)
 	[trixie] - mpd <no-dsa> (Minor issue)
 	[bookworm] - mpd <no-dsa> (Minor issue)
+	[bullseye] - mpd <no-dsa> (Minor issue)
 	NOTE: https://github.com/MusicPlayerDaemon/MPD/issues/2487
 	NOTE: Fixed by: https://github.com/MusicPlayerDaemon/MPD/commit/78341dd6c7b101c3feede233d4cc4f8f1fcc4bb3 (v0.24.11)
 CVE-2026-49128 (Music Player Daemon (MPD) before version 0.24.11 contains a path trave ...)
 	- mpd 0.24.12-1 (bug #1138215)
 	[trixie] - mpd <no-dsa> (Minor issue)
 	[bookworm] - mpd <no-dsa> (Minor issue)
+	[bullseye] - mpd <no-dsa> (Minor issue)
 	NOTE: https://github.com/MusicPlayerDaemon/MPD/issues/2484
 	NOTE: Fixed by: https://github.com/MusicPlayerDaemon/MPD/commit/0b5315b9e5a42cb0e88bf46a7579bb5641543f60 (v0.24.11)
 CVE-2026-49127 (Music Player Daemon (MPD) before version 0.24.11 contains a stack buff ...)
 	- mpd 0.24.12-1 (bug #1138215)
 	[trixie] - mpd <no-dsa> (Minor issue)
 	[bookworm] - mpd <no-dsa> (Minor issue)
+	[bullseye] - mpd <no-dsa> (Minor issue)
 	NOTE: https://github.com/MusicPlayerDaemon/MPD/issues/2485
 	NOTE: Fixed by: https://github.com/MusicPlayerDaemon/MPD/commit/59911028c020f84bc2e669da6a1ef88121301274 (v0.24.11)
 CVE-2026-49095 (Improper Input Validation (CWE-20) in the Kibana Fleet agent policy ma ...)
@@ -5416,6 +5431,7 @@ CVE-2026-1248 (IBM Business Automation Workflow containers and traditionalmay le
 	NOT-FOR-US: IBM
 CVE-2025-70116 (A NULL pointer dereference in GPAC MP4Box: when parsing certain trunca ...)
 	- gpac <removed>
+	[bullseye] - gpac <end-of-life> (EOLed in debian-security-support)
 	NOTE: https://github.com/gpac/gpac/issues/3345
 CVE-2025-70103 (Heap buffer overflow vulnerability in libjxl 0.12.0 via crafted PBM im ...)
 	- jpeg-xl <unfixed> (bug #1138575)
@@ -7178,21 +7194,25 @@ CVE-2026-44899 (Mistune is a Python Markdown parser with renderers and plugins.
 	- mistune <unfixed> (bug #1138260)
 	[trixie] - mistune <no-dsa> (Minor issue)
 	[bookworm] - mistune <no-dsa> (Minor issue)
+	[bullseye] - mistune <no-dsa> (Minor issue)
 	NOTE: https://github.com/lepture/mistune/security/advisories/GHSA-ccfx-mfmx-2fx9
 CVE-2026-44898 (Mistune is a Python Markdown parser with renderers and plugins. Prior  ...)
 	- mistune <unfixed> (bug #1138260)
 	[trixie] - mistune <no-dsa> (Minor issue)
 	[bookworm] - mistune <no-dsa> (Minor issue)
+	[bullseye] - mistune <no-dsa> (Minor issue)
 	NOTE: https://github.com/lepture/mistune/security/advisories/GHSA-6269-cqxg-mhhv
 CVE-2026-44897 (Mistune is a Python Markdown parser with renderers and plugins. Prior  ...)
 	- mistune <unfixed> (bug #1138260)
 	[trixie] - mistune <no-dsa> (Minor issue)
 	[bookworm] - mistune <no-dsa> (Minor issue)
+	[bullseye] - mistune <no-dsa> (Minor issue)
 	NOTE: https://github.com/lepture/mistune/security/advisories/GHSA-v87v-83h2-53w7
 CVE-2026-44896 (Mistune is a Python Markdown parser with renderers and plugins. In 3.2 ...)
 	- mistune <unfixed> (bug #1138260)
 	[trixie] - mistune <no-dsa> (Minor issue)
 	[bookworm] - mistune <no-dsa> (Minor issue)
+	[bullseye] - mistune <no-dsa> (Minor issue)
 	NOTE: https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v
 CVE-2026-44895 (GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0 ...)
 	NOT-FOR-US: GitLab MCP Server
@@ -7220,6 +7240,7 @@ CVE-2026-44708 (Mistune is a Python Markdown parser with renderers and plugins.
 	- mistune <unfixed> (bug #1138260)
 	[trixie] - mistune <no-dsa> (Minor issue)
 	[bookworm] - mistune <no-dsa> (Minor issue)
+	[bullseye] - mistune <no-dsa> (Minor issue)
 	NOTE: https://github.com/lepture/mistune/security/advisories/GHSA-8g87-j6q8-g93x
 CVE-2026-44451 (Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the  ...)
 	NOT-FOR-US: Lumiverse
@@ -7329,12 +7350,14 @@ CVE-2026-46740 (Mojolicious::Plugin::Statsd versions through 0.04 for Perl allow
 	NOT-FOR-US: Mojolicious::Plugin::Statsd Perl module
 CVE-2026-9572 (A security vulnerability has been detected in GPAC up to 2.4.0. Affect ...)
 	- gpac <removed>
+	[bullseye] - gpac <end-of-life> (EOLed in debian-security-support)
 	NOTE: https://github.com/gpac/gpac/issues/3557
 	NOTE: https://github.com/gpac/gpac/commit/e79c5cbe8b3fed27f4854ec229457d30c96206f1
 CVE-2026-9568 (A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected  ...)
 	NOT-FOR-US: ThingsBoard
 CVE-2026-9567 (A security flaw has been discovered in GPAC up to 2.4.0. Affected is t ...)
 	- gpac <removed>
+	[bullseye] - gpac <end-of-life> (EOLed in debian-security-support)
 	NOTE: https://github.com/gpac/gpac/issues/3549
 	NOTE: https://github.com/gpac/gpac/commit/525bf1af642c30af04e4df5345e6d798c0a4d8a1
 CVE-2026-9566 (A vulnerability was identified in teableio teable up to 1.9.x. This im ...)
@@ -7624,6 +7647,7 @@ CVE-2026-41917 (OpenKM 6.3.12 contains a local file inclusion vulnerability in t
 CVE-2026-41401 (libyang before 5.2.6 contains a heap use-after-free write vulnerabilit ...)
 	- libyang <unfixed>
 	[trixie] - libyang <no-dsa> (Minor issue)
+	[bullseye] - libyang <no-dsa> (Minor issue)
 	- libyang2 <removed>
 	[bookworm] - libyang2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/CESNET/libyang/security/advisories/GHSA-9f49-8x56-jmjc
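Review bot: the [bullseye] <no-dsa> line is attached to the `libyang` source entry, directly under the [trixie] line, while the [bookworm] annotation below sits on `libyang2`. Worth double-checking which source package name bullseye actually ships for this code before this lands: if bullseye's package is libyang2, as in bookworm, the annotation belongs under `- libyang2 <removed>`, and if bullseye ships both, both entries need a [bullseye] line. A bullseye annotation on the wrong source package will not suppress the issue for the package the tracker sees in bullseye.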
@@ -7953,11 +7977,13 @@ CVE-2026-43828 (Default configurations of Apache Shiro send sensitive cookies in
 	- shiro <unfixed>
 	[trixie] - shiro <no-dsa> (Minor issue)
 	[bookworm] - shiro <no-dsa> (Minor issue)
+	[bullseye] - shiro <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/25/7
 CVE-2026-43827 (Default configurations of Apache Shiro have a session fixation vulnera ...)
 	- shiro <unfixed>
 	[trixie] - shiro <no-dsa> (Minor issue)
 	[bookworm] - shiro <no-dsa> (Minor issue)
+	[bullseye] - shiro <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/25/6
 CVE-2026-9490 (A security vulnerability has been identified in Acer Care Center where ...)
 	NOT-FOR-US: Acer
@@ -8263,6 +8289,7 @@ CVE-2026-48831 (Wine ships a .desktop file that registers itself as a MIME handl
 	- wine <unfixed>
 	[trixie] - wine <no-dsa> (Minor issue)
 	[bookworm] - wine <no-dsa> (Minor issue)
+	[bullseye] - wine <no-dsa> (Minor issue)
 	NOTE: https://bugs.winehq.org/show_bug.cgi?id=59767
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/19/1
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/25/1
@@ -8334,6 +8361,7 @@ CVE-2026-9365 (A vulnerability has been found in Ettercap up to 0.8.3. The affec
 	- ettercap <unfixed>
 	[trixie] - ettercap <no-dsa> (Minor issue)
 	[bookworm] - ettercap <no-dsa> (Minor issue)
+	[bullseye] - ettercap <no-dsa> (Minor issue)
 	NOTE: https://github.com/Ettercap/ettercap/issues/1306
 	NOTE: https://github.com/Ettercap/ettercap/pull/1307
 	NOTE: https://github.com/Ettercap/ettercap/commit/feeae6fa366e01a3dd9f1857ec6aae847b2ae00c
@@ -8621,6 +8649,7 @@ CVE-2026-8997 (vifm is vulnerable to a heap buffer overflow during the history m
 	- vifm 0.14.3-3 (bug #1137528)
 	[trixie] - vifm <no-dsa> (Minor issue)
 	[bookworm] - vifm <no-dsa> (Minor issue)
+	[bullseye] - vifm <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/vifm/vifm/commit/23063c741f15a85621fd232dfc3ac5b779f6910d
 CVE-2026-8992 (An improper certificate validation vulnerability in Ivanti Secure Acce ...)
 	NOT-FOR-US: Ivanti
@@ -12980,6 +13009,7 @@ CVE-2026-43970 (Improper Handling of Highly Compressed Data (Data Amplification)
 	- erlang-cowlib <unfixed> (bug #1136649)
 	[trixie] - erlang-cowlib <no-dsa> (Minor issue)
 	[bookworm] - erlang-cowlib <no-dsa> (Minor issue)
+	[bullseye] - erlang-cowlib <no-dsa> (Minor issue)
 	NOTE: https://cna.erlef.org/cves/CVE-2026-43970.html
 	NOTE: https://osv.dev/vulnerability/EEF-CVE-2026-43970
 	NOTE: https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282 (2.16.1)
@@ -15272,6 +15302,7 @@ CVE-2026-7790 (Uncontrolled Resource Consumption vulnerability in ninenines cowl
 	- erlang-cowlib <unfixed> (bug #1136446)
 	[trixie] - erlang-cowlib <no-dsa> (Minor issue)
 	[bookworm] - erlang-cowlib <no-dsa> (Minor issue)
+	[bullseye] - erlang-cowlib <no-dsa> (Minor issue)
 	NOTE: https://cna.erlef.org/cves/CVE-2026-7790.html
 	NOTE: https://osv.dev/vulnerability/EEF-CVE-2026-7790
 	NOTE: https://github.com/ninenines/cowlib/commit/a4b8039ce8c93ab00867ef6b7e888822c09f4369
@@ -17849,6 +17880,7 @@ CVE-2026-42150 (wlc is a Weblate command-line client using Weblate's REST API. P
 	- wlc 2.0.0-1 (bug #1136000)
 	[trixie] - wlc <no-dsa> (Minor issue)
 	[bookworm] - wlc <no-dsa> (Minor issue)
+	[bullseye] - wlc <no-dsa> (Minor issue)
 	NOTE: https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3
 	NOTE: https://github.com/WeblateOrg/wlc/pull/1327
 	NOTE: https://github.com/WeblateOrg/wlc/commit/0f3e58f6d7457b05d48ef40f579a172c4c8b8469 (2.0.0)
@@ -21076,6 +21108,7 @@ CVE-2026-42440 (OOM Denial of Service via Unbounded Array Allocation in Apache O
 	- apache-opennlp 2.5.9-1 (bug #1135782)
 	[trixie] - apache-opennlp <no-dsa> (Minor issue)
 	[bookworm] - apache-opennlp <no-dsa> (Minor issue)
+	[bullseye] - apache-opennlp <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/01/21
 	NOTE: https://issues.apache.org/jira/browse/OPENNLP-1821
 	NOTE: https://github.com/apache/opennlp/pull/1022
@@ -21195,6 +21228,7 @@ CVE-2026-42027 (Arbitrary Class Instantiation via Model Manifest in Apache OpenN
 	- apache-opennlp 2.5.9-1 (bug #1135782)
 	[trixie] - apache-opennlp <no-dsa> (Minor issue)
 	[bookworm] - apache-opennlp <no-dsa> (Minor issue)
+	[bullseye] - apache-opennlp <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/01/20
 	NOTE: https://issues.apache.org/jira/browse/OPENNLP-1820
 	NOTE: https://github.com/apache/opennlp/pull/1021
@@ -21226,6 +21260,7 @@ CVE-2026-40682 (XML External Entity (XXE) via Unsanitized Dictionary Parsing in
 	- apache-opennlp 2.5.9-1 (bug #1135782)
 	[trixie] - apache-opennlp <no-dsa> (Minor issue)
 	[bookworm] - apache-opennlp <no-dsa> (Minor issue)
+	[bullseye] - apache-opennlp <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/01/19
 	NOTE: https://issues.apache.org/jira/browse/OPENNLP-1819
 	NOTE: https://github.com/apache/opennlp/pull/1019



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88cbb8fb3c3e2183db6a9ecc3de4193c19bcbe7c





More information about the debian-security-tracker-commits mailing list