[Git][security-tracker-team/security-tracker][master] trixie triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sun Jun 14 19:34:58 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
07af49bd by Moritz Muehlenhoff at 2026-06-14T20:34:49+02:00
trixie triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1325,6 +1325,7 @@ CVE-2026-10733 (GitLab has remediated an issue in GitLab CE/EE affecting all ver
 	NOT-FOR-US: GitLab (used to be packaged in the Debian archive as src:gitlab, but never in a stable release)
 CVE-2026-10142 (kafka-python prior to 2.3.2 contains a denial-of-service vulnerability ...)
 	- python-kafka 2.0.2-12 (bug #1139878)
+	[trixie] - python-kafka <no-dsa> (Minor issue)
 	NOTE: https://github.com/dpkp/kafka-python/pull/3019
 	NOTE: https://github.com/dpkp/kafka-python/pull/3026
 	NOTE: Fixed by: https://github.com/dpkp/kafka-python/commit/6e4831444f972d169cdd11f5c8d50333cea3f19b (3.0.0)
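Review bot: The new `[trixie] - python-kafka <no-dsa> (Minor issue)` line is consistent with the sid fix in 2.0.2-12, but the NOTE lines around it disagree on the upstream fixed release: the description says "prior to 2.3.2" while the "Fixed by:" line tags the commit as (3.0.0). Worth checking which release actually carries the fix and aligning the NOTE, so the backport target for a later trixie point release is unambiguous.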
@@ -1390,6 +1391,7 @@ CVE-2022-48575 (A person with access to a Mac may be able to bypass Login Window
 	NOT-FOR-US: Apple
 CVE-2026-10143 (kafka-python prior to 2.3.2 contains a denial-of-service vulnerability ...)
 	- python-kafka 2.0.2-12 (bug #1139822)
+	[trixie] - python-kafka <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2487722
 	NOTE: https://github.com/dpkp/kafka-python/pull/3019
 	NOTE: https://github.com/dpkp/kafka-python/pull/3026
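Review bot: Triage matches the sibling CVE-2026-10142 entry (same package, same <no-dsa> rationale), which is sensible since both are kafka-python denial-of-service issues fixed in 2.0.2-12. Unlike that entry, this one has no "Fixed by:" NOTE in the visible context, only the two PR links and the Red Hat bugzilla; recording the upstream commit here would make a combined trixie point-release update for both CVEs easier to prepare.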
@@ -7632,6 +7634,7 @@ CVE-2026-46244 (In the Linux kernel, the following vulnerability has been resolv
 	NOTE: https://git.kernel.org/linus/b6a91f68ebfed9c38e0e9150f58a9b85da07181c (7.1-rc5)
 CVE-2026-48019 [CRLF injection in default email rule]
 	- php-laravel-framework <unfixed> (bug #1139631)
+	[trixie] - php-laravel-framework <no-dsa> (Minor issue)
 	NOTE: https://github.com/laravel/framework/security/advisories/GHSA-5vg9-5847-vvmq
 CVE-2026-48587 (An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0 ...)
 	- python-django 3:5.2.15-1 (bug #1138775)
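Review bot: Marking trixie <no-dsa> while sid is still `<unfixed>` (bug #1139631) leaves the issue open in every suite until the sid upload lands, so a justification beyond "(Minor issue)" would help whoever later prepares the point-release update; the bracketed title "CRLF injection in default email rule" gives no hint why the impact is considered low. The entry also has no "Fixed by:" NOTE; once GHSA-5vg9-5847-vvmq names the fixed release, adding the commit and version tag here would be useful.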
@@ -9480,6 +9483,7 @@ CVE-2026-9334 (Cpanel::JSON::XS versions before 4.41 for Perl allow type confusi
 	NOTE: Fixed by: https://github.com/rurban/Cpanel-JSON-XS/commit/11a7c550a0d8fac2f84414f24d5df9b2bfe346e2 (4.41)
 CVE-2026-XXXX [Attacker-controlled heap out-of-bounds write in libvncclient Tight decoder]
 	- libvncserver <unfixed> (bug #1138253)
+	[trixie] - libvncserver <no-dsa> (Minor issue)
 	NOTE: https://github.com/LibVNC/libvncserver/security/advisories/GHSA-v9pm-47h4-jcq8
 CVE-2026-9831 (A race condition in the shared Extreme Platform ONE IAM Gateway API-ke ...)
 	NOT-FOR-US: Extreme Networks
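Review bot: "(Minor issue)" sits uneasily next to the entry's own title, "Attacker-controlled heap out-of-bounds write in libvncclient Tight decoder"; if the reasoning is that only the client library is affected, spell that out in the parenthesis so the severity call can be re-checked later without re-reading the advisory. The identifier is still the CVE-2026-XXXX placeholder, so this entry and its new trixie line will need to be re-keyed once GHSA-v9pm-47h4-jcq8 receives a real CVE id.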
@@ -12062,6 +12066,7 @@ CVE-2026-44886 (Pi.Alert is a WIFI / LAN intruder detector with web service moni
 CVE-2026-44724 (systeminformation is a System and OS information library for node.js.  ...)
 	- node-systeminformation <not-affected> (Fixed before initial upload to Debian)
 	- jupyterlab 4.0.11+ds5+~cs11.25.27-1
+	[trixie] - jupyterlab <no-dsa> (Minor issue)
 	NOTE: node-systeminformation split from jupyterlab
 CVE-2026-44720 (OpenLearnX is an open-source, decentralized learning and assessment pl ...)
 	NOT-FOR-US: OpenLearnX
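Review bot: The new `[trixie] - jupyterlab <no-dsa>` line only makes sense together with the NOTE that node-systeminformation was split from jupyterlab: node-systeminformation itself is `<not-affected>` (fixed before initial upload), so what the trixie annotation presumably covers is the copy still bundled in older jupyterlab (the fixed version 4.0.11+ds5+~cs11.25.27-1 carries the ~cs component suffix). Saying so in the rationale, e.g. "(Minor issue; bundled copy)", would stop a later reader from assuming the split package is the one needing a stable update. The jupyterlab line also lacks a bug reference, unlike the other entries touched in this commit.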
@@ -12407,6 +12412,7 @@ CVE-2026-45022 (go-git is an extensible git implementation library written in pu
 	NOTE: https://github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp
 CVE-2026-44988 (LibVNCClient is a library for easy implementation of a VNC client. In  ...)
 	- libvncserver 0.9.15+dfsg-5 (bug #1138174)
+	[trixie] - libvncserver <no-dsa> (Minor issue)
 	NOTE: https://github.com/LibVNC/libvncserver/security/advisories/GHSA-jcc5-8wj4-7c58
 	NOTE: https://github.com/LibVNC/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1
 CVE-2026-44972 (GuardDog is a CLI tool to identify malicious PyPI packages. From 2.6.0 ...)
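Review bot: This is the second libvncserver <no-dsa> line in the commit (the other is the CVE-2026-XXXX Tight decoder entry); both are LibVNCClient-side issues already fixed in sid, so a single trixie point-release upload covering both is the natural path, and a NOTE cross-referencing the two entries would keep them in step. The commit 5b270544b85233668b98161323297d418a8f5fd1 is listed without a version tag, unlike the "(4.41)"-style annotations elsewhere in the file; adding the upstream release it belongs to would clarify what 0.9.15+dfsg-5 backported.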
@@ -26585,6 +26591,7 @@ CVE-2026-42509 (Improper Neutralization of Input During Web Page Generation ('Cr
 	NOT-FOR-US: Apache software not packaged in Debian
 CVE-2026-42503 (gopls by default communicates via pipe. However, -port and -listen fla ...)
 	- gopls <unfixed> (bug #1138256)
+	[trixie] - gopls <no-dsa> (Minor issue)
 	NOTE: https://github.com/golang/go/issues/79211
 	NOTE: https://go-review.googlesource.com/c/tools/+/774381/
 	NOTE: Fixed by: https://github.com/golang/tools/commit/90abdab4cf0af205d3d2212c73526b58c97d0bf6 (gopls/v0.22.0-pre.2)
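Review bot: sid is still `<unfixed>` (bug #1138256) although the "Fixed by:" NOTE already points at the upstream commit in gopls/v0.22.0-pre.2, so the new trixie <no-dsa> line stays open alongside sid until that fix is packaged; if the change is small, a NOTE on whether it backports cleanly to the trixie version would let the no-dsa call be revisited at the next point release. The rationale "(Minor issue)" also does not record the actual reasoning, which from the description is that gopls communicates via pipe by default and the -port/-listen flags are opt-in; stating that in the parenthesis makes the triage self-explanatory.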
@@ -28718,6 +28725,7 @@ CVE-2026-38669 (wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when crea
 	NOT-FOR-US: cCMS
 CVE-2026-37461 (An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) o ...)
 	- gobgp 4.4.0-1
+	[trixie] - gobgp <no-dsa> (Minor issue)
 	[bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)
 	NOTE: https://github.com/osrg/gobgp/commit/362cce3e325f56e7a4f792ccb9689b3bdda9e682 (v4.4.0)
 	NOTE: https://github.com/osrg/gobgp/commit/9ce8936672ebc07df524da77fa4c6ae26d92be6d (v4.4.0)
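Review bot: The `[bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)` line tells readers to follow bookworm, but there is no `[bookworm]` annotation between the new trixie line and the bullseye line, so that reference currently points at nothing; either add a bookworm triage line (a matching <no-dsa> looks likely given the trixie call) or reword the bullseye note. The sid fix is recorded as 4.4.0-1 with both upstream commits tagged (v4.4.0), which supports the Minor-issue triage. Separately, the context line `NOT-FOR-US: cCMS` in the preceding CVE-2026-38669 entry looks like a typo for the wCMS named in that entry's description.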



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07af49bd4a1a084b0f0d0ba70b75d93f234efcaa
