[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jun 8 10:30:16 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6e9ed035 by Moritz Muehlenhoff at 2026-06-08T11:27:26+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -542,6 +542,8 @@ CVE-2026-11333 (A security vulnerability has been detected in tittuvarghese Coll
 	NOT-FOR-US: tittuvarghese CollegeManagementSystem
 CVE-2026-11332 (A flaw was found in ansible-core. The ansible-galaxy role install comm ...)
 	- ansible-core <unfixed> (bug #1139175)
+	[trixie] - ansible-core <no-dsa> (Minor issue)
+	[bookworm] - ansible-core <no-dsa> (Minor issue)
 	- ansible 5.4.0-1
 	NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in experimental/5.4.0-1 in sid
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2485379
@@ -2352,11 +2354,15 @@ CVE-2026-8037 (OS Command Injection Remote Code Execution Vulnerability in API i
 CVE-2026-7774 (tarfile.data_filter could be bypassed using crafted link entries, incl ...)
 	- python3.14 <unfixed>
 	- python3.13 <unfixed>
+	[trixie] - python3.13 <no-dsa> (Minor issue)
 	- python3.11 <removed>
+	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (not supported in bullseye)
 	- pypy3 <unfixed>
+	[trixie] - pypy3 <no-dsa> (Minor issue)
+	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/06/04/9
 	NOTE: https://github.com/python/cpython/pull/149487
 	NOTE: https://github.com/python/cpython/commit/578411982c16f753f4893532510099ef665117da (main)
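Review bot: the bullseye status of python3.9 is left untriaged in this hunk, while the parallel CVE-2026-3276 entry in the same commit carries `[bullseye] - python3.9 <postponed> (Minor issue)`; either add a matching bullseye line here or leave a NOTE on why the two python3 issues are treated differently. The only fix reference is also the main-branch commit 578411982c16f753f4893532510099ef665117da; once the 3.13 and 3.11 backports exist, record them the way the `(3.13 branch)` commit is added for CVE-2026-1502 further down, so the no-dsa entries can be re-evaluated against a concrete backportable patch.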
@@ -2527,6 +2533,8 @@ CVE-2026-41010 (ReleaseJob#unpack builds job_dir = File.join(@release_dir, 'jobs
 	NOT-FOR-US: VMware
 CVE-2026-40898 (quic-go is an implementation of the QUIC protocol in Go. Prior to vers ...)
 	- golang-github-lucas-clemente-quic-go <unfixed> (bug #1139169)
+	[trixie] - golang-github-lucas-clemente-quic-go <no-dsa> (Minor issue)
+	[bookworm] - golang-github-lucas-clemente-quic-go <no-dsa> (Minor issue)
 	[bullseye] - golang-github-lucas-clemente-quic-go <postponed> (Limited support, minor issue)
 	NOTE: https://github.com/quic-go/quic-go/security/advisories/GHSA-vvgj-x9jq-8cj9
 CVE-2026-40605 (Tautulli is a Python based monitoring and tracking tool for Plex Media ...)
@@ -2749,6 +2757,8 @@ CVE-2026-50219 (libexpat before 2.8.2 lacks handler call depth tracking for call
 	NOTE: https://github.com/libexpat/libexpat/pull/1246
 CVE-2026-8829 (HTML::Entities versions before 3.84 for Perl read freed heap memory in ...)
 	- libhtml-parser-perl 3.83-2
+	[trixie] - libhtml-parser-perl <no-dsa> (Minor issue)
+	[bookworm] - libhtml-parser-perl <no-dsa> (Minor issue)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/40702610/
 	NOTE: https://github.com/libwww-perl/HTML-Parser/pull/56
 	NOTE: Fixed by: https://github.com/libwww-perl/HTML-Parser/commit/6922552b0778c90a9587a3894e248be4d3a25e1c (3.84)
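Review bot: the Debian fixed version 3.83-2 is below the upstream fix release 3.84 named in the `Fixed by:` NOTE, which is fine if 3.83-2 carries the backported commit 6922552b0778c90a9587a3894e248be4d3a25e1c, but a short NOTE saying so would spare the next reader a changelog lookup when deciding whether the same backport is what the trixie/bookworm no-dsa entries would need.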
@@ -2957,6 +2967,8 @@ CVE-2026-10729 (An HTML injection vulnerability in the notification email for "S
 	NOT-FOR-US: Thinkst Applied Research Canarytokens
 CVE-2026-10722 (A vulnerability has been found in cilium ebpf up to 0.21.0. This affec ...)
 	- golang-github-cilium-ebpf <unfixed> (bug #1139176)
+	[trixie] - golang-github-cilium-ebpf <no-dsa> (Minor issue)
+	[bookworm] - golang-github-cilium-ebpf <no-dsa> (Minor issue)
 	NOTE: https://github.com/cilium/ebpf/issues/2019
 	NOTE: https://github.com/cilium/ebpf/pull/2021
 	NOTE: Fixed by: https://github.com/cilium/ebpf/commit/533dfc82fd228bfadf42ea7180c39de7d9af47fa
@@ -2970,6 +2982,8 @@ CVE-2025-60477 (A NULL pointer dereference in the gf_filter_pid_resolve_file_tem
 	NOTE: https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695
 CVE-2025-41259 (SWUpdate before 2026.05 is affected by a time-of-check time-of-use (TO ...)
 	- swupdate 2026.05+dfsg-1
+	[trixie] - swupdate <no-dsa> (Minor issue)
+	[bookworm] - swupdate <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/sbabic/swupdate/commit/f4bd64260e233e207354d68d572b1cbc3e63689d (2026.05)
 CVE-2025-15656 (Incorrect Privilege Assignment vulnerability in Mojoomla School Manage ...)
 	NOT-FOR-US: WordPress plugin or theme
@@ -3000,12 +3014,16 @@ CVE-2019-25720 (Dr\xe4ger SC Monitoring devices (SC 6002XL, SC 6802XL, SC 7000,
 CVE-2026-3276 (unicodedata.normalize() can take excessive CPU time when processing sp ...)
 	- python3.14 <unfixed>
 	- python3.13 <unfixed>
+	[trixie] - python3.13 <no-dsa> (Minor issue)
 	- python3.11 <removed>
+	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
 	[bullseye] - python3.9 <postponed> (Minor issue)
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (not supported in bullseye)
 	- pypy3 <unfixed>
+	[trixie] - pypy3 <no-dsa> (Minor issue)
+	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/06/03/15
 	NOTE: https://github.com/python/cpython/pull/149080
 	NOTE: https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f (main)
@@ -3215,22 +3233,32 @@ CVE-2026-48019 [CRLF injection in default email rule]
 	NOTE: https://github.com/laravel/framework/security/advisories/GHSA-5vg9-5847-vvmq
 CVE-2026-48587 (An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0 ...)
 	- python-django 3:5.2.15-1 (bug #1138775)
+	[trixie] - python-django <no-dsa> (Minor issue)
+	[bookworm] - python-django <no-dsa> (Minor issue)
 	NOTE: https://www.djangoproject.com/weblog/2026/jun/03/security-releases/
 	NOTE: Fixed by: https://github.com/django/django/commit/9b62b0af71a14c657d19d95371630ba839e83d9a (5.2.15)
 CVE-2026-35193 (An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0 ...)
 	- python-django 3:5.2.15-1 (bug #1138775)
+	[trixie] - python-django <no-dsa> (Minor issue)
+	[bookworm] - python-django <no-dsa> (Minor issue)
 	NOTE: https://www.djangoproject.com/weblog/2026/jun/03/security-releases/
 	NOTE: Fixed by: https://github.com/django/django/commit/050a3dc276f9142067260e990e4d8d42d5e32863 (5.2.15)
 CVE-2026-8404 (An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0 ...)
 	- python-django 3:5.2.15-1 (bug #1138775)
+	[trixie] - python-django <no-dsa> (Minor issue)
+	[bookworm] - python-django <no-dsa> (Minor issue)
 	NOTE: https://www.djangoproject.com/weblog/2026/jun/03/security-releases/
 	NOTE: Fixed by: https://github.com/django/django/commit/366d9ae6e8d1469c04e9ebdc1bcd098fc14a3b1e (5.2.15)
 CVE-2026-7666 (An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2. ...)
 	- python-django 3:5.2.15-1 (bug #1138775)
+	[trixie] - python-django <no-dsa> (Minor issue)
+	[bookworm] - python-django <no-dsa> (Minor issue)
 	NOTE: https://www.djangoproject.com/weblog/2026/jun/03/security-releases/
 	NOTE: Fixed by: https://github.com/django/django/commit/4e47d2b800435bcbfd1301ef3250b9c7fb8fa670 (5.2.15)
 CVE-2026-6873 (An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2. ...)
 	- python-django 3:5.2.15-1 (bug #1138775)
+	[trixie] - python-django <no-dsa> (Minor issue)
+	[bookworm] - python-django <no-dsa> (Minor issue)
 	NOTE: https://www.djangoproject.com/weblog/2026/jun/03/security-releases/
 	NOTE: Fixed by: https://github.com/django/django/commit/594360cbf58be7f56eb6da96d58644297c99ef85 (5.2.15)
 CVE-2026-9732 (The EmergencyWP \u2013 Dead Man's switch & legacy deliverance plugin f ...)
@@ -3528,10 +3556,11 @@ CVE-2026-4080 (The Easy Cart plugin for WordPress is vulnerable to Stored Cross-
 CVE-2026-4071 (The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request  ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-49943 (CZ.NIC BIRD Internet Routing Daemon through 2.19.0 contains a stack-ba ...)
-	- bird3 <unfixed>
-	- bird2 <unfixed>
-	- bird <removed>
+	- bird3 <unfixed> (unimportant)
+	- bird2 <unfixed> (unimportant)
+	- bird <removed> (unimportant)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/06/02/2
+	NOTE: Negligible security impact
 CVE-2026-49782 (Missing Authorization vulnerability in Elementor Elementor Website Bui ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-49754 (Allocation of Resources Without Limits or Throttling vulnerability in  ...)
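Review bot: `NOTE: Negligible security impact` records the verdict but not the reasoning, and all three bird entries are downgraded to `(unimportant)` on that basis alone; a clause stating why the stack-based issue in the description is not reachable by an attacker, or a pointer to the specific message in the linked oss-security thread that establishes this, would let a later triager confirm the downgrade without re-reading the thread.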
@@ -3622,6 +3651,8 @@ CVE-2026-39550 (Deserialization of Untrusted Data vulnerability in Elated-Themes
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-38978 (transmission through 4.1.1 was found to have a clickjacking weakness i ...)
 	- transmission 4.1.2+dfsg-1
+	[trixie] - transmission <no-dsa> (Minor issue)
+	[bookworm] - transmission <no-dsa> (Minor issue)
 	NOTE: https://github.com/transmission/transmission/issues/8726
 	NOTE: https://github.com/transmission/transmission/pull/8747
 	NOTE: https://github.com/transmission/transmission/commit/6b24c1c214ec6a44fa5fdff0ce7da6b16d8ecaa8
@@ -7457,6 +7488,8 @@ CVE-2026-46107 (In the Linux kernel, the following vulnerability has been resolv
 	NOTE: https://git.kernel.org/linus/09a65adc7d8bbfce06392cb6d375468e2728ead5 (7.1-rc2)
 CVE-2026-8643 (pip would treat console_scripts and gui_scripts as paths instead of fi ...)
 	- python-pip 26.1.2+dfsg-1 (bug #1138220)
+	[trixie] - python-pip <no-dsa> (Minor issue)
+	[bookworm] - python-pip <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2460927
 	NOTE: Fixed by: https://github.com/pypa/pip/commit/8eb178480bd1a2b223f509fc430796b265158dfb
 	NOTE: Improvement to original fix: https://github.com/pypa/pip/pull/14001
@@ -11282,6 +11315,8 @@ CVE-2026-9359 (A vulnerability was identified in Edimax EW-7438RPn 1.28a. Affect
 	NOT-FOR-US: Edimax
 CVE-2026-9358 (A vulnerability was determined in postcss up to 7.1.1. Affected is the ...)
 	- node-css-loader <unfixed> (bug #1139161)
+	[trixie] - node-css-loader <no-dsa> (Minor issue)
+	[bookworm] - node-css-loader <no-dsa> (Minor issue)
 	NOTE: https://gist.github.com/bx33661/581e3a38134601c04e19b4dfc9b459b9
 	NOTE: postcss-selector-parser embedded in node-css-loader
 CVE-2026-9357 (A vulnerability was found in vBulletin 6.x. This impacts an unknown fu ...)
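Review bot: the CVE text names postcss up to 7.1.1, but the NOTE attributes the issue to postcss-selector-parser embedded in node-css-loader, and the only reference is a third-party gist rather than an upstream advisory or fix commit; please state which component actually carries the bug and whether any standalone postcss or postcss-selector-parser source in Debian is affected, otherwise the no-dsa markings on node-css-loader alone may leave another affected package untracked. A `Fixed by:` NOTE pointing at the upstream commit would also help, as done for the cilium/ebpf and HTML-Parser entries in this commit.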
@@ -18542,6 +18577,8 @@ CVE-2024-0391 (The check user account lock states feature within the email OTP f
 	NOT-FOR-US: WSO2
 CVE-2026-42304 (Twisted is an event-based framework for internet applications, support ...)
 	- twisted 26.4.0-1
+	[trixie] - twisted <no-dsa> (Minor issue)
+	[bookworm] - twisted <no-dsa> (Minor issue)
 	[bullseye] - twisted <postponed> (Minor issue, DoS)
 	NOTE: https://github.com/twisted/twisted/security/advisories/GHSA-grgv-6hw6-v9g4
 	NOTE: https://github.com/twisted/twisted/issues/12626
@@ -18873,10 +18910,14 @@ CVE-2026-8214 (A vulnerability was found in Industrial Application Software IAS
 	NOT-FOR-US: Industrial Application Software IAS Canias ERP
 CVE-2026-8213 (A vulnerability has been found in OSGeo gdal up to 3.13.0dev-4. Affect ...)
 	- gdal 3.13.0+dfsg-1
+	[trixie] - gdal <no-dsa> (Minor issue)
+	[bookworm] - gdal <no-dsa> (Minor issue)
 	NOTE: https://github.com/OSGeo/gdal/issues/14399
 	NOTE: https://github.com/OSGeo/gdal/commit/3e04c0385630e4d42517046d9a4967dfccfeb7fd (v3.13.0RC1)
 CVE-2026-8212 (A flaw has been found in OSGeo gdal up to 3.13.0dev-4. Affected by thi ...)
 	- gdal 3.13.0+dfsg-1
+	[trixie] - gdal <no-dsa> (Minor issue)
+	[bookworm] - gdal <no-dsa> (Minor issue)
 	NOTE: https://github.com/OSGeo/gdal/issues/14398
 	NOTE: https://github.com/OSGeo/gdal/commit/3e04c0385630e4d42517046d9a4967dfccfeb7fd (v3.13.0RC1)
 CVE-2026-8211 (A vulnerability was detected in codelibs Fess up to 15.5.1. Affected b ...)
@@ -36406,6 +36447,7 @@ CVE-2026-1502 (CR/LF bytes were not rejected by HTTP client proxy tunnel headers
 	NOTE: https://github.com/python/cpython/issues/146211
 	NOTE: https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69 (v3.15.0b1)
 	NOTE: https://github.com/python/cpython/commit/b1cf9016335cb637c5a425032e8274a224f4b2ed (v3.14.5rc1)
+	NOTE: https://github.com/python/cpython/commit/9e071c9b28c17f347f81b388a003d4eeb3c7a8dd (3.13 branch)
 CVE-2025-66447 (Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1 ...)
 	NOT-FOR-US: Chamilo LMS
 CVE-2025-5804 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
@@ -75739,6 +75781,8 @@ CVE-2025-69198 (Pterodactyl is a free, open-source game server management panel.
 	NOT-FOR-US: Pterodactyl
 CVE-2025-68616 (WeasyPrint helps web developers to create PDF documents. Prior to vers ...)
 	- weasyprint <unfixed> (bug #1139189)
+	[trixie] - weasyprint <no-dsa> (Minor issue)
+	[bookworm] - weasyprint <no-dsa> (Minor issue)
 	NOTE: https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv
 CVE-2025-61684 (Quicly, an IETF QUIC protocol implementation, is susceptible to a deni ...)
 	NOT-FOR-US: Quicly


=====================================
data/dsa-needed.txt
=====================================
@@ -28,7 +28,7 @@ erlang
 --
 expat (aron)
 --
-fastnetmon
+fastnetmon (jmm)
 --
 firebird3.0
 --
@@ -106,6 +106,8 @@ runc
 rust-wasmtime
   for CVE-2026-34987 CVE-2026-34971, rest would also be fine to ignore
 --
+sogo
+--
 sympa/oldstable
 --
 tomcat10 (apo)
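Review bot: the new `sogo` entry names no CVE identifiers and has no assignee, unlike the rust-wasmtime entry just above it, which lists the CVEs in scope (`for CVE-2026-34987 CVE-2026-34971, rest would also be fine to ignore`); adding the CVE(s) that triggered the DSA request would let whoever picks it up find the corresponding data/CVE/list entries directly.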



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e9ed035be9a79a9c37d9090b6af7adca9ac11d1




