[Git][security-tracker-team/security-tracker][master] trixie triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue Jun 23 21:25:23 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c4b6f9ff by Moritz Muehlenhoff at 2026-06-23T22:25:09+02:00
trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3780,6 +3780,7 @@ CVE-2026-53612 [Local Privilege Escalation via TOCTOU in mount(8) hook_owner.c c
 	NOTE: Fixed by: https://github.com/util-linux/util-linux/commit/d0c5adaeb3a3d823aba1377794de8f009b8152cc (v2.42.2)
 CVE-2026-36849 [Denial of Service via large SamplesPerPixel tag]
 	- tiff 4.7.1-3 (bug #1140300)
+	[trixie] - tiff <ignored> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/06/17/1
 	NOTE: https://gitlab.com/libtiff/libtiff/-/work_items/781
 	NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/-/commit/eedba405d3695b52faae65994c5904f228eca0bf
@@ -5159,6 +5160,7 @@ CVE-2026-XXXX [SSLMate go-pkcs12: Authentication bypass in Decode functions]
 	NOTE: Fixed by: https://github.com/SSLMate/go-pkcs12/commit/03c441f6b0267f695ca02464133c0b373bf4dd55 (v0.7.2)
 CVE-2026-49452
 	- weasyprint 69.0-1
+	[trixie] - weasyprint <no-dsa> (Minor issue)
 	NOTE: https://www.courtbouillon.org/blog/00067-weasyprint-69/
 	NOTE: https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-jhhc-3hcp-qhm5
 CVE-2026-54413 (driftregion iso14229 through 0.9.0 contains an integer underflow and d ...)
@@ -9219,6 +9221,7 @@ CVE-2026-43972 (Origin Validation Error vulnerability in ninenines gun (gun_http
 	NOT-FOR-US: gun
 CVE-2026-43966 (Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Reque ...)
 	- rabbitmq-server <unfixed>
+	[trixie] - rabbitmq-server <no-dsa> (Minor issue)
 	NOTE: Appears to be bundled in rabbitmq-server
 	NOTE: https://cna.erlef.org/cves/CVE-2026-43966.html
 	NOTE: https://github.com/ninenines/cowboy/commit/f77cb9b5e730e300fffb551db1ba5d1c4ed878ef
@@ -17792,6 +17795,7 @@ CVE-2026-44902 (opentelemetry-js is the OpenTelemetry JavaScript Client. Prior t
 	NOT-FOR-US: opentelemetry-js
 CVE-2026-44839 (RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1 ...)
 	- rabbitmq-server 4.3.0-2
+	[trixie] - rabbitmq-server <no-dsa> (Minor issue)
 	NOTE: https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-fh5r-jpm3-fjwp
 CVE-2026-44838 (RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2 ...)
 	- rabbitmq-server <not-affected> (Vulnerable code never in Debian released version)
@@ -83780,6 +83784,7 @@ CVE-2026-24055 (Langfuse is an open source large language model engineering plat
 	NOT-FOR-US: Langfuse
 CVE-2026-24049 (wheel is a command line tool for manipulating Python wheel files, as d ...)
 	- wheel 0.46.3-1 (bug #1126274)
+	[trixie] - wheel <no-dsa> (Minor issue)
 	[bookworm] - wheel <not-affected> (Vulnerable code introduced later)
 	[bullseye] - wheel <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx


=====================================
data/dsa-needed.txt
=====================================
@@ -44,6 +44,7 @@ kitty
   Maintainer proposed debdiff for review in https://bugs.debian.org/1139898#15
 --
 libheif
+  possibly best to move to 1.23.0
 --
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4b6f9ff1b2f7e46c15bab71ec5d0317bc99eb7e

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4b6f9ff1b2f7e46c15bab71ec5d0317bc99eb7e
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260623/c1f568cf/attachment-0001.htm>


More information about the debian-security-tracker-commits mailing list