[Git][security-tracker-team/security-tracker][master] Re-associate old rust-russh issues which were marked NFU

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Jun 11 22:00:48 BST 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b498644e by Salvatore Bonaccorso at 2026-06-11T23:00:36+02:00
Re-associate old rust-russh issues which were marked NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -22648,7 +22648,9 @@ CVE-2026-42192 (Plunk is an open-source email platform built on top of AWS SES.
 CVE-2026-42190 (RedwoodSDK is a server-first React framework. From version 1.0.0-beta. ...)
 	NOT-FOR-US: RedwoodSDK
 CVE-2026-42189 (Russh is a Rust SSH client & server library. Prior to version 0.60.1,  ...)
-	NOT-FOR-US: Russh
+	- rust-russh <unfixed>
+	NOTE: https://github.com/Eugeny/russh/security/advisories/GHSA-f5v4-2wr6-hqmg
+	NOTE: Fixed by: https://github.com/Eugeny/russh/commit/6c3c80a9b6d60763d6227d60fa8310e57172a4d1 (v0.60.1)
 CVE-2026-42185 (People is an application to handle users and teams, and distribute per ...)
 	NOT-FOR-US: People (suitenumerique/people)
 CVE-2026-42183 (Argo Workflows is an open source container-native workflow engine for  ...)
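Review bot: The new `- rust-russh <unfixed>` line for CVE-2026-42189 carries no bug reference, so nothing in the entry ties the open issue to a report against the package. If a Debian bug has been filed for it, append the reference in the form this file already uses, as on the ckeditor entry further down (`<removed> (bug #1083192)`). The two NOTE lines already record the upstream advisory and the fix commit for v0.60.1, so the bug reference is the only missing piece.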
@@ -141516,7 +141518,9 @@ CVE-2025-54868 (LibreChat is a ChatGPT clone with additional features. In versio
 CVE-2025-54865 (Tilesheets MediaWiki Extension adds a table lookup parser function for ...)
 	NOT-FOR-US: MediaWiki Extension
 CVE-2025-54804 (Russh is a Rust SSH client & server library. In versions 0.54.0 and be ...)
-	NOT-FOR-US: russh
+	- rust-russh <not-affected> (Fixed before initial upload to Debian)
+	NOTE: https://github.com/Eugeny/russh/security/advisories/GHSA-h5rc-j5f5-3gcm
+	NOTE: Fixed by: https://github.com/Eugeny/russh/commit/0eb5e406780890e21ff71dd25d731b30676478e5 (v0.54.1)
 CVE-2025-54803 (js-toml is a TOML parser for JavaScript, fully compliant with the TOML ...)
 	NOT-FOR-US: js-toml
 CVE-2025-54802 (pyLoad is the free and open-source Download Manager written in pure Py ...)
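Review bot: On the `- rust-russh <not-affected> (Fixed before initial upload to Debian)` line for CVE-2025-54804, the justification cannot be checked from the entry itself, because the version of the first Debian upload is not recorded. The fix is noted as v0.54.1, so consider stating the initial upload version in the parenthetical or in an extra NOTE line, so the claim can be verified later without going back to the package history. The same wording is used for CVE-2024-43410 and CVE-2023-28113 in this commit.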
@@ -246435,7 +246439,9 @@ CVE-2024-43411 (CKEditor4 is an open source what-you-see-is-what-you-get HTML ed
 	NOTE: Fixed by: https://github.com/ckeditor/ckeditor4/commit/e35bbadc15e2ae76e39b3fc963b851ecc0da4b28 (4.25.0-lts)
 	NOTE: Negligible security impact; feature disabled by default.
 CVE-2024-43410 (Russh is a Rust SSH client & server library. Allocating an untrusted a ...)
-	NOT-FOR-US: Russh
+	- rust-russh <not-affected> (Fixed before initial upload to Debian)
+	NOTE: https://github.com/Eugeny/russh/security/advisories/GHSA-vgvv-x7xg-6cqg
+	NOTE: Fixed by: https://github.com/Eugeny/russh/commit/f660ea3f64b86d11d19e33076012069f02431e55 (v0.44.1)
 CVE-2024-43407 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor.  ...)
 	- ckeditor <removed> (bug #1083192)
 	[bookworm] - ckeditor <no-dsa> (Minor issue)
@@ -358612,7 +358618,9 @@ CVE-2023-28115 (Snappy is a PHP library allowing thumbnail, snapshot or PDF gene
 CVE-2023-28114 (`cilium-cli` is the command line interface to install, manage, and tro ...)
 	NOT-FOR-US: cilium-cli
 CVE-2023-28113 (russh is a Rust SSH client and server library. Starting in version 0.3 ...)
-	NOT-FOR-US: russh
+	- rust-russh <not-affected> (Fixed before initial upload to Debian)
+	NOTE: https://github.com/Eugeny/russh/security/advisories/GHSA-cqvm-j2r2-hwpg
+	NOTE: Fixed by: https://github.com/Eugeny/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e (v0.36.2)
 CVE-2023-28112 (Discourse is an open-source discussion platform. Prior to version 3.1. ...)
 	NOT-FOR-US: Discourse
 CVE-2023-28111 (Discourse is an open-source discussion platform. Prior to version 3.1. ...)
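Review bot: The removed line in this hunk reads `NOT-FOR-US: russh`, while the lines removed for CVE-2026-42189 and CVE-2024-43410 read `NOT-FOR-US: Russh`, so the old markers were not spelled consistently. When confirming that no other Russh CVE is still marked NOT-FOR-US, search data/CVE/list case-insensitively; a case-sensitive match on one spelling would miss entries written with the other.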



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b498644e67dca7edacf4bfbe41fe38835527e78b
