[Git][security-tracker-team/security-tracker][master] trixie triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sat Jun 13 19:41:01 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
520609b4 by Moritz Muehlenhoff at 2026-06-13T20:36:51+02:00
trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -927,9 +927,10 @@ CVE-2026-52860 (Vim is an open source, command line text editor. Prior to versio
 	NOTE: https://github.com/vim/vim/security/advisories/GHSA-65p9-mwwx-7468
 	NOTE: Fixed by: https://github.com/vim/vim/commit/c8c63673bc4253212820626aeeb75999d9a539d2 (v9.2.0597)
 CVE-2026-52859 (Vim is an open source, command line text editor. Prior to version 9.2. ...)
-	- vim <unfixed> (bug #1139729)
+	- vim <unfixed> (bug #1139729; unimportant)
 	NOTE: https://github.com/vim/vim/security/advisories/GHSA-47gw-8gc3-mgcm
 	NOTE: Fixed by: https://github.com/vim/vim/commit/63680c6d3d52477817b49cd1a66e7aabe8a7aa19 (v9.2.0565)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2026-52858 (Vim is an open source, command line text editor. Prior to version 9.2. ...)
 	- vim <unfixed> (bug #1139728)
 	NOTE: https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c
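Review bot: the new `unimportant` tag and the "Crash in CLI tool, no security impact" NOTE are added only to CVE-2026-52859, while the adjacent CVE-2026-52858 entry from the same Vim advisory series still reads `- vim <unfixed> (bug #1139728)` with no severity. If the same assessment applies there, tag it the same way in this commit; if it does not, a one-line NOTE explaining the difference would stop the two entries from looking like an oversight.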
@@ -1319,6 +1320,7 @@ CVE-2026-53693 (A stored cross-site scripting vulnerability existed in MISPBSimV
 	NOT-FOR-US: MISP
 CVE-2026-53689 (libnfs through 6.0.2 before 55c18ea does not validate a string size, l ...)
 	- libnfs <unfixed> (bug #1139731)
+	[trixie] - libnfs <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/sahlberg/libnfs/commit/55c18ea33a83d667f79f0ef209c96895795c729f
 CVE-2026-53476 (A flaw was found in assisted-migration-agent. An unauthenticated attac ...)
 	NOT-FOR-US: kubev2v/assisted-migration-agent
@@ -3335,6 +3337,7 @@ CVE-2026-24315 (SAP Fiori Launchpad allows attackers to craft malicious URLs tha
 	NOT-FOR-US: SAP
 CVE-2026-11623 (A security vulnerability has been detected in tmux up to 3.6a. Affecte ...)
 	- tmux <unfixed>
+	[trixie] - tmux <no-dsa> (Minor issue)
 	[bullseye] - tmux <postponed> (minor issue; hard to exploit)
 	NOTE: https://github.com/tmux/tmux/commit/fc6d94a9f8a593bd8b7031650802084385d4ee03 (3.7-rc)
 CVE-2026-11621 (A weakness has been identified in Dcat-Admin up to 2.2.3-beta. This im ...)
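Review bot: the new `[trixie] - tmux <no-dsa> (Minor issue)` line sits directly above `[bullseye] - tmux <postponed> (minor issue; hard to exploit)` with no `[bookworm]` line in between, so bookworm appears untriaged for this CVE; if bookworm ships the affected tmux it should get its own line here. The bullseye rationale ("minor issue; hard to exploit") is also more informative than the bare "Minor issue" on the trixie line and could simply be reused.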
@@ -6555,6 +6558,7 @@ CVE-2026-50593 (Graphite before 1.3.15 has an integer underflow and resultant ou
 	NOTE: Fixed by: https://github.com/silnrsi/graphite/commit/ad78c6b7319909e1540c1b134e115ced03417866 (1.3.15)
 CVE-2026-49837
 	- gobgp 4.6.0-1
+	[trixie] - gobgp <no-dsa> (Minor issue)
 	[bullseye] - gobgp <postponed> (Limited support)
 	NOTE: https://github.com/osrg/gobgp/security/advisories/GHSA-gjrg-jjr3-56cm
 CVE-2026-8916 (Out-of-bounds write vulnerability in Samsung Open Source rlottie allow ...)
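Review bot: the added `[trixie] - gobgp <no-dsa> (Minor issue)` line leaves a gap between unstable (`gobgp 4.6.0-1`) and `[bullseye] - gobgp <postponed> (Limited support)`, with no `[bookworm]` entry; either add a bookworm line or record why bookworm is unaffected. The CVE itself also still has no description on its header line, which makes the "Minor issue" judgement hard to verify from the tracker alone.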
@@ -6633,6 +6637,7 @@ CVE-2026-49771 (Improper Neutralization of Special Elements used in an SQL Comma
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-49510 (Integer overflow or wraparound vulnerability in Samsung Open Source rl ...)
 	- rlottie <unfixed> (bug #1138921)
+	[trixie] - rlottie <no-dsa> (Minor issue)
 	NOTE: https://github.com/Samsung/rlottie/pull/592
 CVE-2026-49204 (Leftover debug modules contain fixed credentials for internal AWS Cogn ...)
 	NOT-FOR-US: Acer
@@ -7142,6 +7147,7 @@ CVE-2026-39107 (A Cross Site Scripting vulnerability exists in the Kimi AI v1.0
 	NOT-FOR-US: Kimi AI
 CVE-2026-37462 (An integer underflow in the BGPUpdate.DecodeFromBytes function (/bgp/b ...)
 	- gobgp 4.4.0-1
+	[trixie] - gobgp <no-dsa> (Minor issue)
 	[bullseye] - gobgp <postponed> (Limited support)
 	NOTE: https://github.com/osrg/gobgp/commit/9ce8936672ebc07df524da77fa4c6ae26d92be6d (v4.4.0)
 CVE-2026-37460 (Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) ...)
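Review bot: marking CVE-2026-37462 `<no-dsa> (Minor issue)` for trixie gives no rationale for a bug the description places in `BGPUpdate.DecodeFromBytes`, i.e. the parser for updates received from peers; a short NOTE stating why it is considered minor (for example that the fix is already in `gobgp 4.4.0-1` and the effect is limited) would help whoever revisits this, and the same bookworm gap as in the other gobgp entries applies here.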
@@ -29262,6 +29268,7 @@ CVE-2026-43504 (An issue was discovered in Prosody before 0.12.6 and 1.0.0 throu
 	NOTE: https://hg.prosody.im/trunk/rev/4bbb17445ed9
 CVE-2026-43003 (An issue was discovered in OpenStack ironic-python-agent 1.0.0 through ...)
 	- ironic-python-agent <unfixed> (bug #1135646)
+	[trixie] - ironic-python-agent <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/ironic-python-agent/+bug/2148310
 CVE-2026-43001 (An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/ ...)
 	{DSA-6331-1 DLA-4611-1}
@@ -55160,6 +55167,7 @@ CVE-2026-26945 (Dell Integrated Dell Remote Access Controller 9, 14G versions pr
 	NOT-FOR-US: Dell / EMC
 CVE-2026-26740 (Buffer Overflow vulnerability in giflib v.5.2.2 allows a remote attack ...)
 	- giflib 6.1.3-1 (bug #1131368)
+	[trixie] - giflib <no-dsa> (Minor issue)
 	NOTE: https://github.com/zakkanijia/POC/blob/main/giflib/giftool/giflib_giftool_gce_len_heap_oobwrite_disclosure.md
 	NOTE: https://sourceforge.net/p/giflib/bugs/199/
 	NOTE: https://sourceforge.net/p/giflib/bugs/201/
@@ -59055,6 +59063,7 @@ CVE-2026-23907 (This issue affects the  ExtractEmbeddedFiles example inApache PD
 	NOTE: https://lists.apache.org/thread/gyfq5tcrxfv7rx0z2yyx4hb3h53ndffw
 CVE-2026-23868 (Giflib contains a double-free vulnerability that is the result of a sh ...)
 	- giflib 6.1.3-1 (bug #1130495)
+	[trixie] - giflib <no-dsa> (Minor issue)
 	NOTE: https://www.facebook.com/security/advisories/cve-2026-23868
 	NOTE: https://sourceforge.net/p/giflib/code/ci/f5b7267aed3665ef025c13823e454170d031c106/tree/gifalloc.c?diff=5146815377b7395944cb683a08c43eee3f631eb7
 CVE-2026-23674 (Improper resolution of path equivalence in Windows MapUrlToZone allows ...)
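Review bot: both giflib entries touched in this commit (CVE-2026-26740 above and CVE-2026-23868 here) are already fixed in unstable via `giflib 6.1.3-1` and now get an identical `[trixie] - giflib <no-dsa> (Minor issue)` line, but neither carries a NOTE explaining why a heap out-of-bounds write and a double free in an image decoder are treated as minor. Recording the reasoning once (e.g. limited to the giftool example utilities, or requiring a crafted local file) would make the no-dsa decision reviewable later.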
@@ -63146,9 +63155,10 @@ CVE-2026-28420 (Vim is an open source, command line text editor. Prior to versio
 	NOTE: https://github.com/vim/vim/security/advisories/GHSA-rvj2-jrf9-2phg
 	NOTE: Fixed by: https://github.com/vim/vim/commit/bb6de2105b160e729c340631435cd62f3e69bd32 (v9.2.0076)
 CVE-2026-28419 (Vim is an open source, command line text editor. Prior to version 9.2. ...)
-	- vim 2:9.2.0119-1 (bug #1129429)
+	- vim 2:9.2.0119-1 (bug #1129429; unimportant)
 	NOTE: https://github.com/vim/vim/security/advisories/GHSA-xcc8-r6c5-hvwv
 	NOTE: Fixed by: https://github.com/vim/vim/commit/9b7dfa2948c9e1e5e32a5812812d580c7879f4a0 (v9.2.0075)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2026-28416 (Gradio is an open-source Python package designed for quick prototyping ...)
 	NOT-FOR-US: Gradio
 CVE-2026-28415 (Gradio is an open-source Python package designed for quick prototyping ...)
@@ -295516,8 +295526,8 @@ CVE-2024-28563 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0
 	NOTE: https://sourceforge.net/p/freeimage/bugs/364/
 CVE-2024-28562 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...)
 	- freeimage <unfixed> (bug #1068461)
-	[trixie] - freeimage <no-dsa> (Revisit when fixed upstream)
-	[bookworm] - freeimage <no-dsa> (Revisit when fixed upstream)
+	[trixie] - freeimage <postponed> (Revisit when fixed upstream)
+	[bookworm] - freeimage <postponed> (Revisit when fixed upstream)
 	[bullseye] - freeimage <no-dsa> (Revisit when fixed upstream)
 	NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909
 	NOTE: https://sourceforge.net/p/freeimage/bugs/363/
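Review bot: trixie and bookworm are moved from `<no-dsa>` to `<postponed>` while the bullseye line keeps `<no-dsa>` with the very same rationale "Revisit when fixed upstream"; if the intent is that all suites wait for an upstream fix, bullseye should either change too or get a short NOTE saying why it stays at no-dsa, otherwise the three lines read as contradictory.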


=====================================
data/dsa-needed.txt
=====================================
@@ -77,6 +77,11 @@ rust-wasmtime
 sogo
   Peter Wienemann proposed debdiff for review
 --
+squid
+--
+vim
+  some of the issues seem worth fixing
+--
 xrdp
 --
 xorg-server (carnil)
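Review bot: the new `squid` entry carries no note and no assignee, unlike the surrounding entries (`sogo` has a status line, `xorg-server` has `(carnil)`), so it is not clear which CVEs it refers to or whether anyone is working on it; likewise the `vim` note "some of the issues seem worth fixing" would be more useful if it named the CVE ids meant, since this same commit downgrades two Vim CVEs to `unimportant`.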



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/520609b4d1f2e8e6b0baff158d6ba462c19ebcb5
