[Git][security-tracker-team/security-tracker][master] trixie triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jun 22 22:09:19 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fc3929b2 by Moritz Muehlenhoff at 2026-06-22T23:08:07+02:00
trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -59,9 +59,10 @@ CVE-2026-56423 (MISP Core contained broken access-control checks in the bulk del
 CVE-2026-56422 (Multiple MISP core controllers and model capture paths accepted client ...)
 	NOT-FOR-US: MISP
 CVE-2026-56109 (The Advanced Linux Sound Architecture (ALSA) library before 1.2.16.1 c ...)
-	- alsa-lib <unfixed>
+	- alsa-lib <unfixed> (unimportant)
 	NOTE: https://lore.kernel.org/alsa-devel/CAGt8pqBU0p2voB+qHxWGcNJrKHAcBhAyHUUBPLBN-Yj_SiV6MQ@mail.gmail.com/
 	NOTE: Fixed by: https://github.com/alsa-project/alsa-lib/commit/536dd6f8affdf5197c12a63a71c92a70b2833cc0 (v1.2.16.1)
+	NOTE: Doesn't cross any meaningful security boundary
 CVE-2026-56104 (Chainlit before 2.10.1 contains a session hijacking vulnerability that ...)
 	NOT-FOR-US: Chainlit
 CVE-2026-55602 (http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 un ...)
@@ -601,6 +602,7 @@ CVE-2026-9375 (urllib3 version 2.6.3 is vulnerable to a decompression bomb bypas
 	NOTE: Relates to the fix for CVE-2025-66471.
 CVE-2026-9265 (Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OO ...)
 	- libcrypt-openssl-pkcs12-perl 1.96-1 (bug #1140426)
+	[trixie] - libcrypt-openssl-pkcs12-perl <no-dsa> (Minor issue)
 	NOTE: https://github.com/dsully/perl-crypt-openssl-pkcs12/issues/55
 	NOTE: Fixed by: https://github.com/dsully/perl-crypt-openssl-pkcs12/commit/a7bd2f319fa8aab8177b3d767ea06dd85ceb3173 (v1.96)
 CVE-2026-56216 (Capgo before 12.128.2 contains a scope escalation vulnerability in the ...)
@@ -9173,30 +9175,48 @@ CVE-2026-11447 (A security flaw has been discovered in GL.iNet GL-MT3000 up to 4
 CVE-2026-44173 (MariaDB server is a community developed fork of MySQL server. From ver ...)
 	- mariadb 1:11.8.8-1
 	NOTE: https://mariadb.com/docs/release-notes/community-server/11.8/11.8.7
+	NOTE: https://github.com/MariaDB/server/security/advisories/GHSA-667j-m53j-wpmc
+	NOTE: https://jira.mariadb.org/browse/MDEV-39493
 CVE-2026-44172 (MariaDB server is a community developed fork of MySQL server. In versi ...)
 	- mariadb 1:11.8.8-1
 	NOTE: https://mariadb.com/docs/release-notes/community-server/11.8/11.8.7
+	NOTE: https://github.com/MariaDB/server/security/advisories/GHSA-pv9p-5w55-55jm
+	NOTE: https://jira.mariadb.org/browse/CONC-819
 CVE-2026-44171 (MariaDB server is a community developed fork of MySQL server. From ver ...)
 	- mariadb 1:11.8.8-1
 	NOTE: https://mariadb.com/docs/release-notes/community-server/11.8/11.8.7
+	NOTE: https://github.com/MariaDB/server/security/advisories/GHSA-9pjh-5hhw-65v9
+	NOTE: https://jira.mariadb.org/browse/MDEV-39408
 CVE-2026-44170 (MariaDB server is a community developed fork of MySQL server. From ver ...)
-	- mariadb 1:11.8.8-1
+	- mariadb <not-affected> (Windows-specific)
 	NOTE: https://mariadb.com/docs/release-notes/community-server/11.8/11.8.7
+	NOTE: https://github.com/MariaDB/server/security/advisories/GHSA-f835-cfjq-wf73
+	NOTE: https://jira.mariadb.org/browse/MDEV-39289
 CVE-2026-44169 (MariaDB server is a community developed fork of MySQL server. From ver ...)
 	- mariadb 1:11.8.8-1
 	NOTE: https://mariadb.com/docs/release-notes/community-server/11.8/11.8.7
+	NOTE: https://github.com/MariaDB/server/security/advisories/GHSA-22xq-vq3f-87x2
+	NOTE: https://jira.mariadb.org/browse/MDEV-39288
 CVE-2026-44168 (MariaDB server is a community developed fork of MySQL server. From ver ...)
 	- mariadb 1:11.8.8-1
 	NOTE: https://mariadb.com/docs/release-notes/community-server/11.8/11.8.7
+	NOTE: https://github.com/MariaDB/server/security/advisories/GHSA-vwf7-w26c-9w5h
+	NOTE: https://jira.mariadb.org/browse/MDEV-39413
 CVE-2026-48165 (MariaDB server is a community developed fork of MySQL server. From ver ...)
 	- mariadb 1:11.8.8-1
 	NOTE: https://mariadb.com/docs/release-notes/community-server/11.8/11.8.8
+	NOTE: https://github.com/MariaDB/server/security/advisories/GHSA-7v3p-h23x-8hwv
+	NOTE: https://jira.mariadb.org/browse/MDEV-39676
 CVE-2026-48163 (MariaDB server is a community developed fork of MySQL server. From ver ...)
 	- mariadb 1:11.8.8-1
 	NOTE: https://mariadb.com/docs/release-notes/community-server/11.8/11.8.8
+	NOTE: https://github.com/MariaDB/server/security/advisories/GHSA-rpgv-q6gv-684r
+	NOTE: https://jira.mariadb.org/browse/MDEV-39648
 CVE-2026-49261 (MariaDB server is a community developed fork of MySQL server. Versions ...)
 	- mariadb 1:11.8.8-1
 	NOTE: https://mariadb.com/docs/release-notes/community-server/11.8/11.8.8
+	NOTE: https://github.com/MariaDB/server/security/advisories/GHSA-3p3m-4x7c-p4pw
+	NOTE: https://jira.mariadb.org/browse/MDEV-39721
 CVE-2025-15646
 	- libhtml-gumbo-perl 0.18-5 (bug #1104789)
 	[bookworm] - libhtml-gumbo-perl <no-dsa> (Minor issue; to be fixed in point release)
@@ -14301,6 +14321,7 @@ CVE-2026-44285 (FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1,
 	NOT-FOR-US: FastGPT
 CVE-2026-42500 (Decoding a paletted BMP file with an out-of-range palette index result ...)
 	- golang-golang-x-image 0.42.0-1 (bug #1138257)
+	[trixie] - golang-golang-x-image <no-dsa> (Minor issue)
 	[bullseye] - golang-golang-x-image <no-dsa> (Minor issue)
 	NOTE: https://github.com/golang/go/issues/79576
 	NOTE: https://go-review.googlesource.com/c/image/+/781500


=====================================
data/dsa-needed.txt
=====================================
@@ -51,6 +51,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more 6.1.y versions
 --
+mariadb
+--
 netty
 --
 nginx



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc3929b2e954718700289b5600b8926c51b30065

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc3929b2e954718700289b5600b8926c51b30065
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260622/aaa02e03/attachment-0001.htm>


More information about the debian-security-tracker-commits mailing list