[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jun 8 12:26:14 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
eca927c9 by Moritz Muehlenhoff at 2026-06-08T13:25:45+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -280,6 +280,8 @@ CVE-2026-45758 (Guardrails AI is a Python framework that helps build AI applicat
 	NOT-FOR-US: Guardrails AI
 CVE-2026-45409 (Internationalized Domain Names in Applications (IDNA) for Python provi ...)
 	- python-idna <unfixed> (bug #1139164)
+	[trixie] - python-idna <no-dsa> (Minor issue)
+	[bookworm] - python-idna <no-dsa> (Minor issue)
 	NOTE: https://github.com/kjd/idna/security/advisories/GHSA-65pc-fj4g-8rjx
 	NOTE: Fixed by: https://github.com/kjd/idna/commit/628fef84d3eda59321c21127e73dcd873db23ead (v3.14)
 	NOTE: Fixed by: https://github.com/kjd/idna/commit/e1cb465b6376f33306a26f467d197edbcd01c4b9 (v3.15)
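Review bot: the new <no-dsa> lines for trixie and bookworm on python-idna say only "Minor issue", while the two Fixed-by notes directly below show the upstream fix split across two releases (one commit in v3.14, one in v3.15); a stable backport that picks only the first commit would be incomplete. Spell that out next to the marking, e.g. "(Minor issue; both upstream commits needed)" together with the usual point-release wording, so whoever prepares the bookworm/trixie update knows both commits are required.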
@@ -2633,7 +2635,10 @@ CVE-2026-10806 (A vulnerability was found in mjperpinosa stumasy. The affected e
 	NOT-FOR-US: mjperpinosa stumasy
 CVE-2026-10805 (A flaw was found in NetworkManager. This local privilege escalation vu ...)
 	- network-manager <unfixed> (bug #1139285)
+	[trixie] - network-manager <no-dsa> (Minor issue)
+	[bookworm] - network-manager <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2484613
+	NOTE: Network-manager defaults to the internal DHCP client
 CVE-2026-10804 (A vulnerability has been found in Streamlit up to 1.53.0. Impacted is  ...)
 	NOT-FOR-US: Streamlit
 CVE-2026-10803 (A flaw has been found in MLflow up to 3.10.0. This issue affects the f ...)
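Review bot: the added note "Network-manager defaults to the internal DHCP client" is evidently the rationale for the two <no-dsa> markings, but it does not say what it is a rationale for; a reader has to infer that the flaw lives in a non-default DHCP client path. State the dependency explicitly (which DHCP client backend is affected and that Debian does not use it by default), and write the package name as it appears on the source line (network-manager). The entry also carries only the Red Hat bugzilla reference; once an upstream fix commit is identified, add a "Fixed by:" note so the stable backports can be tracked against it.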
@@ -2854,9 +2859,13 @@ CVE-2026-45614 (OP-TEE is a Trusted Execution Environment (TEE) designed as comp
 	NOTE: https://github.com/OP-TEE/optee_os/security/advisories/GHSA-g6qf-hwf7-mg9h
 CVE-2026-44546 (daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's par ...)
 	- python-daphne <unfixed> (bug #1138864)
+	[trixie] - python-daphne <no-dsa> (Minor issue)
+	[bookworm] - python-daphne <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/django/daphne/commit/2628b7b2e6a196afff58defee3d77671a28de631 (4.2.2)
 CVE-2026-44545 (daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayl ...)
 	- python-daphne <unfixed> (bug #1138864)
+	[trixie] - python-daphne <no-dsa> (Minor issue)
+	[bookworm] - python-daphne <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/django/daphne/commit/32f8be0fb0bf2a441085cb45e0e8f45455f0793e (4.2.2)
 CVE-2026-44281 (GLPI is a free asset and IT management software package. Starting in v ...)
 	- glpi <removed>
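Review bot: CVE-2026-44546 and CVE-2026-44545 are triaged identically, share bug #1138864 and are both fixed by daphne 4.2.2, yet each pair of <no-dsa> lines gives only "Minor issue" and nothing that tells the maintainer whether a combined stable update is wanted. Since the two upstream commits land together from the same release, consider "(Minor issue; can be fixed via point release)" or equivalent on both entries so they are handled as one update.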
@@ -3406,6 +3415,8 @@ CVE-2026-10661 (A vulnerability has been found in ahujasid blender-mcp up to 763
 	NOT-FOR-US: ahujasid blender-mcp
 CVE-2026-10650 (A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue ...)
 	- libwebsockets 4.3.5-5 (bug #1139178)
+	[trixie] - libwebsockets <no-dsa> (Minor issue)
+	[bookworm] - libwebsockets <no-dsa> (Minor issue)
 	NOTE: https://github.com/biniamf/pocs/tree/main/libwebsockets_sshd-parse-ic-unbounded-alloc
 	NOTE: https://libwebsockets.org/git/libwebsockets/commit?id=3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498
 CVE-2026-10624 (A vulnerability has been found in SourceCodester Human Resource Manage ...)
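Review bot: the <no-dsa> lines for libwebsockets assume the affected code is part of the Debian build, but the PoC reference names the sshd parser (libwebsockets_sshd-parse-ic-unbounded-alloc), i.e. the ssh plugin; if that plugin is not enabled in the trixie and bookworm builds, <not-affected> (Vulnerable code not built) is the accurate marking rather than <no-dsa> (Minor issue). Check the build configuration of the stable packages before settling on no-dsa, and record the outcome in a NOTE either way.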
@@ -3486,6 +3497,8 @@ CVE-2026-42504 (Decoding a maliciously-crafted MIME header containing many inval
 	NOTE: https://github.com/golang/go/commit/b79e0339290e14b3b2de1dc4942b8a88701ddb02 (go1.25.11)
 CVE-2026-10725 (Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP ...)
 	- libprotocol-http2-perl 1.12-2
+	[trixie] - libprotocol-http2-perl <no-dsa> (Minor issue)
+	[bookworm] - libprotocol-http2-perl <no-dsa> (Minor issue)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/40751319/
 	NOTE: https://security.metacpan.org/patches/P/Protocol-HTTP2/1.12/CVE-2026-10725-r1.patch
 CVE-2026-47774
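Review bot: the libprotocol-http2-perl source line records the unstable fix as 1.12-2 but, unlike the other entries touched in this commit, carries no Debian bug reference, and the new <no-dsa> lines do not mention that the fix is a single metacpan patch (CVE-2026-10725-r1.patch) against the same 1.12 that stable ships; add the bug number if one exists and consider noting that a point-release fix is straightforward. The patch name carries a revision suffix (-r1), so if metacpan publishes a later revision the entry should be rechecked to confirm 1.12-2 carries the final version.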
@@ -39308,9 +39321,13 @@ CVE-2026-21413 (A heap-based buffer overflow vulnerability exists in the lossles
 	NOTE: https://github.com/LibRaw/LibRaw/commit/75ed2c12a35b765b3b6ad695cc1f044f19efe644 (0.22.1)
 CVE-2026-20911 (A heap-based buffer overflow vulnerability exists in the HuffTable::in ...)
 	- libraw 0.22.1-1 (bug #1133845)
+	[trixie] - libraw <not-affected> (Vulnerable code not present)
+	[bookworm] - libraw <not-affected> (Vulnerable code not present)
+	[bullseye] - libraw <not-affected> (Vulnerable code not present)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330
 	NOTE: https://github.com/LibRaw/LibRaw/commit/a6734e867b19d75367c05f872ac26322464e3995
 	NOTE: https://github.com/LibRaw/LibRaw/commit/5357bb5fc67ac616838fb84de67260d45987489b (0.22.1)
+	NOTE: Introduced by: https://github.com/LibRaw/LibRaw/commit/12b0e5d60c57bb795382fda8494fc45f683550b8 (0.22.0)
 CVE-2026-20889 (A heap-based buffer overflow vulnerability exists in the x3f_thumb_loa ...)
 	- libraw 0.22.1-1 (bug #1133845)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358
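Review bot: the three <not-affected> lines rest on the new "Introduced by:" note (commit 12b0e5d6, 0.22.0), which is the right evidence to cite, but the two fix commits on the preceding NOTE lines lack the "Fixed by:" prefix that the CVE-2026-5318 entry further down uses for the very same commits (a6734e86, 5357bb5f); prefix them the same way so the fixing commits and the introducing commit are distinguishable at a glance.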
@@ -41934,9 +41951,13 @@ CVE-2026-5319 (A security vulnerability has been detected in itsourcecode Payrol
 	NOT-FOR-US: itsourcecode System
 CVE-2026-5318 (A weakness has been identified in LibRaw up to 0.22.0. This impacts th ...)
 	- libraw 0.22.1-1 (bug #1132655)
+	[trixie] - libraw <not-affected> (Vulnerable code not present)
+	[bookworm] - libraw <not-affected> (Vulnerable code not present)
+	[bullseye] - libraw <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/LibRaw/LibRaw/issues/794
 	NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/a6734e867b19d75367c05f872ac26322464e3995
 	NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/5357bb5fc67ac616838fb84de67260d45987489b (0.22.1)
+	NOTE: Introduced by: https://github.com/LibRaw/LibRaw/commit/12b0e5d60c57bb795382fda8494fc45f683550b8 (0.22.0)
 CVE-2026-5317 (A security flaw has been discovered in Nothings stb up to 1.22. This a ...)
 	- libstb <unfixed> (bug #1134888)
 	[trixie] - libstb <no-dsa> (Minor issue)
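Review bot: CVE-2026-5318 now lists exactly the same fixing commits (a6734e86, 5357bb5f) and the same introducing commit (12b0e5d6) as CVE-2026-20911 above, and both resolve to libraw 0.22.1-1; that looks like one bug under two identifiers (GitHub issue #794 versus TALOS-2026-2330). Add a cross-reference NOTE in each entry, and if they are confirmed to be the same issue, say so, so the not-affected markings for bullseye/bookworm/trixie are maintained consistently in both places.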


=====================================
data/dsa-needed.txt
=====================================
@@ -93,6 +93,9 @@ prometheus
 python-aiohttp/oldstable
   Daniel Leidert is proposing to work on the update and provide debdiffs for bookworm and trixie
 --
+rsync
+  for regression fixes
+--
 rtpengine
   Victor Seva prepared a debdiff for trixie-security for review, bookworm-security debdiff missing
 --
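Review bot: the new rsync entry says only "for regression fixes", with no pointer to the DSA or bug whose update regressed, no affected suites and no owner, whereas the neighbouring entries record the suite (python-aiohttp/oldstable), who is working on the update and what is still missing; add the regression bug or DSA reference and state which of bookworm/trixie need the follow-up so the entry is actionable for whoever picks it up.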



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eca927c953ec30951de6464e106d1a61d32335a6


