[Git][security-tracker-team/security-tracker][master] trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Jun 19 10:01:04 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
19d10d90 by Moritz Muehlenhoff at 2026-06-19T11:00:43+02:00
trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -215,9 +215,10 @@ CVE-2026-55742 (Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to
CVE-2026-55741 (Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross- ...)
NOT-FOR-US: Cotonti
CVE-2026-55392 (NILFS utilities through 2.3.0, fixed in commit 26efb5d, nilfs_sb_is_va ...)
- - nilfs-tools <unfixed> (bug #1140362)
+ - nilfs-tools <unfixed> (bug #1140362; unimportant)
NOTE: https://github.com/nilfs-dev/nilfs-utils/issues/26
NOTE: Fixed by: https://github.com/nilfs-dev/nilfs-utils/commit/26efb5daff0757365101035145331b0a5a85d9d9
+ NOTE: Crash in CLI tool, no security impact
CVE-2026-55237 (AutoGPT is a workflow automation platform for creating, deploying, and ...)
NOT-FOR-US: AutoGPT
CVE-2026-55205 (Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerabil ...)
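Review bot: The added NOTE `Crash in CLI tool, no security impact` does not say which nilfs-tools binary crashes or on what input, which makes the `unimportant` tag on the `nilfs-tools <unfixed> (bug #1140362; unimportant)` line hard to re-check later. Consider naming the tool and the trigger in the NOTE and, if the crafted input is an on-disk structure, stating that none of the tools parse it unattended.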
@@ -358,10 +359,12 @@ CVE-2026-9692 (Mojolicious::Sessions::Storable versions through 0.05 for Perl ge
NOT-FOR-US: Mojolicious::Sessions::Storable Perl module
CVE-2026-XXXX [RUSTSEC-2026-0183]
- rust-git2 <unfixed>
+ [trixie] - rust-git2 <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0183.html
NOTE: https://github.com/rust-lang/git2-rs/pull/1250
CVE-2026-XXXX [RUSTSEC-2026-0184]
- rust-git2 <unfixed>
+ [trixie] - rust-git2 <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0184.html
NOTE: https://github.com/rust-lang/git2-rs/pull/1254
CVE-2026-50190
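Review bot: Both added `[trixie] - rust-git2 <no-dsa> (Minor issue)` lines use the generic reason, while the entries are still `CVE-2026-XXXX` placeholders identified only by RUSTSEC-2026-0183 and RUSTSEC-2026-0184, so the tracker records no per-advisory rationale. A short NOTE under each entry saying why it is minor for trixie would help. The `- rust-git2 <unfixed>` lines also carry no bug reference, unlike the other `<unfixed>` entries touched in this commit.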
@@ -442,6 +445,7 @@ CVE-2026-48989 (Windows-MCP is an open-source project that integrates AI agents
NOT-FOR-US: Windows-MCP
CVE-2026-48988 (markdown-it is a Markdown parser. Versions 14.1.1 and below contain a ...)
- node-markdown-it <unfixed> (bug #1140349)
+ [trixie] - node-markdown-it <no-dsa> (Minor issue)
NOTE: https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6v5v-wf23-fmfq
NOTE: https://github.com/markdown-it/markdown-it/commit/9ce2087562c45d1e5ddd9f76b990f4b3fbe040e5 (14.2.0)
CVE-2026-48979 (PHP Standard Library (PSL) is set of APIs covering async, collections, ...)
@@ -12766,6 +12770,7 @@ CVE-2026-41440
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/4139cf452f546b95172b3bad93714d380cd0f4ef (v11.0.1)
CVE-2026-35563 (It was identified that the LDAP client implementation in version 2.1.7 ...)
- apache-directory-api <unfixed> (bug #1139171)
+ [trixie] - apache-directory-api <no-dsa> (Minor issue)
[bullseye] - apache-directory-api <postponed> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2026/06/01/2
CVE-2026-48827 (Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack ...)
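Review bot: After this change the entry has `[trixie] ... <no-dsa>` and `[bullseye] ... <postponed>`, but no `[bookworm]` line is visible between them, so bookworm is covered only by the `<unfixed>` line. If bookworm ships apache-directory-api, consider triaging it in the same entry or in a follow-up so the per-release states stay consistent.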
=====================================
data/dsa-needed.txt
=====================================
@@ -28,6 +28,9 @@ expat (aron)
--
fastnetmon (jmm)
--
+ffmpeg
+ for 7.1.5
+--
firebird3.0
--
firebird4.0
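Review bot: The note `for 7.1.5` under the new `ffmpeg` entry gives a target version but not which CVE ids the update is meant to cover, and the entry has no assignee, unlike `expat (aron)` and `fastnetmon (jmm)` above it. Listing the CVE ids, or pointing at the tracker page for the package, would let whoever picks this up confirm that 7.1.5 addresses all of them.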
@@ -65,6 +68,8 @@ netty
--
nginx
--
+nodejs
+--
node-dompurify
--
pacemaker
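Review bot: The new `nodejs` entry is inserted before `node-dompurify`, but the surrounding entries (`netty`, `nginx`, `pacemaker`) are in alphabetical order and `node-dompurify` sorts before `nodejs`. Consider moving it below `node-dompurify`, and adding a short note on what the update is for, as was done for `ffmpeg` in the previous hunk.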
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19d10d90557769b8c682f801313cd1566f2aa351