[Git][security-tracker-team/security-tracker][master] trixie triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Jun 12 23:18:44 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
84c9a8dd by Moritz Muehlenhoff at 2026-06-13T00:18:26+02:00
trixie triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -7324,6 +7324,7 @@ CVE-2026-48594 (Improper Handling of Highly Compressed Data (Data Amplification)
 	- elixir-tesla <itp> (bug #960541)
 CVE-2026-47265 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
 	- python-aiohttp 3.14.0-1 (bug #1138780)
+	[trixie] - python-aiohttp <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hg6j-4rv6-33pg
 	NOTE: https://github.com/aio-libs/aiohttp/commit/f54c40851b0d6c4bbdab97ba518a223adda32478 (v3.14.0)
 CVE-2026-47201 (authentik is an open-source identity provider. Prior to versions 2025. ...)
@@ -7365,6 +7366,7 @@ CVE-2026-35049 (wire-ios is an iOS client for the Wire secure messaging applicat
 	NOT-FOR-US: wire-ios
 CVE-2026-34993 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
 	- python-aiohttp 3.14.0-1 (bug #1138781)
+	[trixie] - python-aiohttp <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jg22-mg44-37j8
 	NOTE: https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00 (v3.14.0)
 CVE-2026-34077 (React Router is a router for React. In versions 7.7.0 through 7.13.1,  ...)
@@ -9291,7 +9293,9 @@ CVE-2026-48527 (HAX CMS helps manage microsite universe with PHP or NodeJs backe
 	NOT-FOR-US: HAX CMS
 CVE-2026-48501 (GitHub CLI (gh) is GitHub\u2019s official command line tool. Prior to  ...)
 	- golang-github-cli-go-gh-v2 <unfixed>
+	[trixie] - golang-github-cli-go-gh-v2 <no-dsa> (Minor issue)
 	- golang-github-cli-go-gh <unfixed>
+	[trixie] - golang-github-cli-go-gh <no-dsa> (Minor issue)
 	NOTE: https://github.com/cli/cli/security/advisories/GHSA-8xvp-7hj6-mcj9
 CVE-2026-47745 (Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admi ...)
 	NOT-FOR-US: Shopper
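Review bot: the two added [trixie] lines under CVE-2026-48501 mark golang-github-cli-go-gh-v2 and golang-github-cli-go-gh as <no-dsa> while both packages remain <unfixed> with no bug number, so nothing in the entry tracks a fix for unstable. The only NOTE is the cli/cli advisory (GHSA-8xvp-7hj6-mcj9), which belongs to the gh tool rather than the go-gh library packages listed here. A NOTE naming the fixing go-gh commit or release, plus a bug reference on the <unfixed> lines, would let a reader check the "Minor issue" call against the actual library change.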
@@ -17372,7 +17376,7 @@ CVE-2026-31379 (Improper Neutralization of Input During Web Page Generation ('Cr
 CVE-2026-31378 (Improper Input Validation vulnerability in Apache OFBiz.  This issue a ...)
 	NOT-FOR-US: Apache software not packaged in Debian
 CVE-2026-31072 (The JSONSerializer and CBORSerializer in APScheduler (all versions inc ...)
-	- apscheduler <unfixed>
+	- apscheduler <not-affected> (Affected serialisers introduced in 4.0)
 	NOTE: https://gist.github.com/nedlir/11fb77f35a59cbba73392a086b02a9c6
 CVE-2026-31071 (API endpoints in LalanaChami Pharmacy Management System (commit 5c3d02 ...)
 	NOT-FOR-US: LalanaChami Pharmacy Management System
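Review bot: the new <not-affected> reason on the apscheduler line ("Affected serialisers introduced in 4.0") has no supporting reference. The entry's only NOTE is a gist, and the visible CVE summary reads "all versions inc ...". Add a NOTE pointing at the upstream commit or release that introduced JSONSerializer and CBORSerializer, so the not-affected determination can be verified against the packaged version.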
@@ -46158,6 +46162,7 @@ CVE-2026-34520 (AIOHTTP is an asynchronous HTTP client/server framework for asyn
 CVE-2026-34519 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
 	{DLA-4613-1}
 	- python-aiohttp 3.13.5-1 (bug #1132582)
+	[trixie] - python-aiohttp <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mwh4-6h8g-pg8w
 	NOTE: Fixed by: https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b (v3.13.4)
 CVE-2026-34518 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
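Review bot: the added [trixie] line for CVE-2026-34519 gives only the generic "Minor issue" reason, yet the entry carries {DLA-4613-1} and a single upstream fix commit (v3.13.4), so a fix has already been shipped through a DLA. State in the reason or in a NOTE why trixie is handled differently, or whether a fix via point release is intended. The same question applies to the other {DLA-4613-1} entries this commit touches (CVE-2026-34517, CVE-2026-22815).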
@@ -46170,6 +46175,7 @@ CVE-2026-34518 (AIOHTTP is an asynchronous HTTP client/server framework for asyn
 CVE-2026-34517 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
 	{DLA-4613-1}
 	- python-aiohttp 3.13.5-1 (bug #1132582)
+	[trixie] - python-aiohttp <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-3wq7-rqq7-wx6j
 	NOTE: Fixed by: https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145 (v3.13.4)
 CVE-2026-34516 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
@@ -46218,6 +46224,7 @@ CVE-2026-2475 (IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM
 CVE-2026-22815 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
 	{DLA-4613-1}
 	- python-aiohttp 3.13.5-1 (bug #1132582)
+	[trixie] - python-aiohttp <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-w2fm-2cpv-w7v5
 	NOTE: Fixed by: https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36 (v3.13.4)
 CVE-2026-21767 (HCL BigFix Platform is affected byinsufficient authentication. The app ...)
@@ -55466,6 +55473,7 @@ CVE-2026-32837 (miniaudio version 0.11.25 and earlier (fixed in commits 1df46ae
 	NOTE: https://github.com/mackron/miniaudio/issues/1101
 CVE-2026-32836 (dr_libsdr_flac.h version 0.13.3 and earlier (fixed in commits fefced4, ...)
 	- libchdr <unfixed>
+	[trixie] - libchdr <no-dsa> (Minor issue)
 	NOTE: qtads, dosbox-x and love bundle a copy, but these are standalone end user apps, so no security impact
 	NOTE: https://github.com/mackron/dr_libs/issues/298
 	NOTE: https://github.com/mackron/dr_libs/commit/663239a3d0460c33bd5b6e5166edcb404e3df676
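Review bot: on the added libchdr line, "Minor issue" is not backed by anything in the entry. The existing NOTE explains only why the copies bundled in qtads, dosbox-x and love have no security impact, and libchdr itself is <unfixed> with no bug number. Give the reason the issue is minor for libchdr specifically, and add a bug reference so the unfixed state is tracked.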



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/84c9a8dd07c43552159b15bcaa0d30e5e6d3a66f
