[Git][security-tracker-team/security-tracker][master] 2 commits: Merge changes for updates with CVEs via trixie 13.4
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Mar 14 09:55:52 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7c324134 by Salvatore Bonaccorso at 2026-03-13T20:32:38+01:00
Merge changes for updates with CVEs via trixie 13.4
- - - - -
4533111f by Salvatore Bonaccorso at 2026-03-14T10:55:39+01:00
Merge branch 'trixie-13.4' into 'master'
Merge changes accepted for trixie 13.4 release
See merge request security-tracker-team/security-tracker!272
- - - - -
2 changed files:
- data/CVE/list
- data/next-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3544,6 +3544,7 @@ CVE-2026-24696 (The WebSocket Application Programming Interface lacks restrictio
NOT-FOR-US: Everon OCPP Backends
CVE-2026-23925 (An authenticated Zabbix user (User role) with template/host write perm ...)
- zabbix 1:7.0.22+dfsg-1
+ [trixie] - zabbix 1:7.0.22+dfsg-1~deb13u1
[bookworm] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-27567
CVE-2026-20882 (The WebSocket Application Programming Interface lacks restrictions on ...)
@@ -4942,7 +4943,7 @@ CVE-2025-41257 (Suprema\u2019s BioStar 2 in version 2.9.11.6 allows users to set
NOT-FOR-US: Suprema BioStar
CVE-2026-2219 (It was discovered that dpkg-deb (a component of dpkg, the Debian packa ...)
- dpkg 1.23.6 (bug #1129722)
- [trixie] - dpkg <no-dsa> (Minor issue; can be fixed in point release)
+ [trixie] - dpkg 1.22.22
[bookworm] - dpkg <no-dsa> (Minor issue; can be fixed in point release)
[bullseye] - dpkg <not-affected> (Vulnerable code introduced later)
NOTE: Introduced with: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=2c2f7066bd8c3209762762fa6905fa567b08ca5a (1.21.18)
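Review bot: the added `+ [trixie] - dpkg 1.22.22` line is the only trixie fixed version in this patch without a `+deb13uN`/`~deb13uN` suffix. That is the expected form if dpkg is uploaded as a native package with a plain version bump for the point release, but since the removed line only said "can be fixed in point release", it is worth double-checking that 1.22.22 is the version actually accepted for 13.4 and not an unstable-style version pasted in by mistake.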
@@ -7187,7 +7188,7 @@ CVE-2026-3206 (Improper Resource Shutdown or Release vulnerability in KrakenD, S
NOT-FOR-US: KrakenD
CVE-2026-3203 (RF4CE Profile protocol dissector crash in Wireshark 4.6.0 to 4.6.3 and ...)
- wireshark 4.6.4-1
- [trixie] - wireshark <no-dsa> (Minor issue)
+ [trixie] - wireshark 4.4.14-0+deb13u1
[bookworm] - wireshark <no-dsa> (Minor issue)
[bullseye] - wireshark <postponed> (Minor issue, no PoC or any known exploit so far)
NOTE: https://www.wireshark.org/security/wnpa-sec-2026-07.html
@@ -7206,7 +7207,7 @@ CVE-2026-3202 (NTS-KE protocol dissector crash in Wireshark 4.6.0 to 4.6.3 allow
NOTE: Fixed by: https://gitlab.com/wireshark/wireshark/-/commit/73d4e7eaff4b3b4323cf7e273c691ad4e19e9a40 (v4.6.4)
CVE-2026-3201 (USB HID protocol dissector memory exhaustion in Wireshark 4.6.0 to 4.6 ...)
- wireshark 4.6.4-1
- [trixie] - wireshark <no-dsa> (Minor issue)
+ [trixie] - wireshark 4.4.14-0+deb13u1
[bookworm] - wireshark <no-dsa> (Minor issue)
[bullseye] - wireshark <not-affected> (bullseye has MAX_REPORT_DESCRIPTOR_COUNT limit check)
NOTE: https://www.wireshark.org/security/wnpa-sec-2026-05.html
@@ -7300,7 +7301,7 @@ CVE-2026-27700 (Hono is a Web application framework that provides support for an
NOT-FOR-US: Hono
CVE-2026-27699 (The `basic-ftp` FTP client library for Node.js contains a path travers ...)
- node-proxy-agents 0~2025070717+~cs15.2.7-1 (bug #1129093)
- [trixie] - node-proxy-agents <no-dsa> (Minor issue, can be fixed via point release)
+ [trixie] - node-proxy-agents 0~2024040606-6+deb13u1
NOTE: https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c
NOTE: https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9 (v5.2.0)
CVE-2026-27695 (zae-limiter is a rate limiting library using the token bucket algorith ...)
@@ -12919,7 +12920,7 @@ CVE-2026-26185 (Directus is a real-time API and App dashboard for managing SQL d
NOT-FOR-US: Directus
CVE-2026-26076 (ntpd-rs is a full-featured implementation of the Network Time Protocol ...)
- rust-ntp-proto 1.7.1-1 (bug #1127929)
- [trixie] - rust-ntp-proto <no-dsa> (Minor issue; will be fixed via point release)
+ [trixie] - rust-ntp-proto 1.4.0-4+deb13u1
NOTE: https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv
NOTE: Fixed by: https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba22c18a841d24 (v1.7.1)
CVE-2026-26075 (FastGPT is an AI Agent building platform. Due to the fact that FastGPT ...)
@@ -13998,7 +13999,7 @@ CVE-2026-26013 (LangChain is a framework for building agents and LLM-powered app
NOT-FOR-US: LangChain
CVE-2026-26007 (cryptography is a package designed to expose cryptographic primitives ...)
- python-cryptography 46.0.5-1 (bug #1127926)
- [trixie] - python-cryptography <no-dsa> (Minor issue; only affects binary elliptic curves, which are rarely used in real-world applications)
+ [trixie] - python-cryptography 43.0.0-3+deb13u1
[bookworm] - python-cryptography <no-dsa> (Minor issue; only affects binary elliptic curves, which are rarely used in real-world applications)
[bullseye] - python-cryptography <postponed> (Minor issue; only affects binary elliptic curves, which are rarely used in real-world applications)
NOTE: https://github.com/pyca/cryptography/security/advisories/GHSA-r6ph-v2qm-q3c2
@@ -19147,7 +19148,7 @@ CVE-2026-24770 (RAGFlow is an open-source RAG (Retrieval-Augmented Generation) e
CVE-2026-24765 (PHPUnit is a testing framework for PHP. A vulnerability has been disco ...)
{DLA-4470-1}
- phpunit 12.5.8-1
- [trixie] - phpunit <no-dsa> (Minor issue; can be fixed via point release)
+ [trixie] - phpunit 11.5.19-1+deb13u1
[bookworm] - phpunit <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p
NOTE: Fixed by: https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda (12.5.8, 11.5.50, 10.5.62, 9.6.33, 8.5.52)
@@ -19750,7 +19751,7 @@ CVE-2026-24489 (Gakido is a Python HTTP client focused on browser impersonation
NOT-FOR-US: Gakido
CVE-2026-24486 (Python-Multipart is a streaming multipart parser for Python. Prior to ...)
- python-multipart 0.0.20-1.1 (bug #1126557)
- [trixie] - python-multipart <no-dsa> (Minor issue; will be fixed via point release)
+ [trixie] - python-multipart 0.0.20-1.1~deb13u1
[bookworm] - python-multipart <no-dsa> (Minor issue)
[bullseye] - python-multipart <postponed> (Minor issue)
NOTE: https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg
@@ -22273,7 +22274,7 @@ CVE-2026-21969 (Vulnerability in the Oracle Agile Product Lifecycle Management f
CVE-2026-21968 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- mysql-8.0 8.0.45-1 (bug #1126115)
- mariadb 1:11.8.5-1
- [trixie] - mariadb <no-dsa> (Minor issue)
+ [trixie] - mariadb 11.8.6-0+deb13u1
[bookworm] - mariadb <no-dsa> (Minor issue)
CVE-2026-21967 (Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hosp ...)
NOT-FOR-US: Oracle
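Review bot: the added `+ [trixie] - mariadb 11.8.6-0+deb13u1` line drops the `1:` epoch that the unstable entry two lines above (`- mariadb 1:11.8.5-1`) carries. In Debian version ordering an epoch-less `11.8.6-0+deb13u1` sorts below every `1:`-prefixed version, so the tracker would treat any epoch-1 mariadb in trixie as already past the fix and mark the suite fixed regardless of the actual package version. Suggest `1:11.8.6-0+deb13u1`, consistent with the epoch used on the unstable line.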
@@ -22818,7 +22819,7 @@ CVE-2026-23950 (node-tar,a Tar for Node.js, has a race condition vulnerability i
NOTE: Only an issue on case-insensitive filesystems, which are a very poor choice for a Nodejs deployment to begin with
CVE-2026-23949 (jaraco.context, an open-source software package that provides some use ...)
- jaraco.context 6.0.1-2 (bug #1126078)
- [trixie] - jaraco.context <no-dsa> (Minor issue)
+ [trixie] - jaraco.context 6.0.1-1+deb13u1
[bookworm] - jaraco.context <not-affected> (Vulnerable code not present)
- setuptools <unfixed> (bug #1126729)
[trixie] - setuptools <no-dsa> (Minor issue)
@@ -24451,7 +24452,7 @@ CVE-2025-63644 (A stored cross-site scripting (XSS) vulnerability exists in pH7S
NOT-FOR-US: pH7Software pH7-Social-Dating-CMS
CVE-2025-56226 (Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3 ...)
- libsndfile 1.2.2-4 (bug #1125674)
- [trixie] - libsndfile <no-dsa> (Minor issue)
+ [trixie] - libsndfile 1.2.2-2+deb13u1
[bookworm] - libsndfile <no-dsa> (Minor issue)
[bullseye] - libsndfile <not-affected> (MPEG encoder introduced later)
NOTE: https://github.com/libsndfile/libsndfile/issues/1089
@@ -26167,7 +26168,7 @@ CVE-2026-22695 (LIBPNG is a reference library for use in applications that read,
NOTE: https://github.com/pnggroup/libpng/issues/778
CVE-2026-0665 (An off-by-one error was found in QEMU's KVM Xen guest support. A malic ...)
- qemu 1:10.2.0+ds-2 (bug #1125423)
- [trixie] - qemu <no-dsa> (Minor issue)
+ [trixie] - qemu 1:10.0.8+ds-0+deb13u1
[bookworm] - qemu <not-affected> (Vulnerable code introduced later)
[bullseye] - qemu <not-affected> (Vulnerable code introduced later)
NOTE: https://lore.kernel.org/qemu-devel/13FE03BE60EA78D6+20260109023548.4047-1-vr@darknavy.com/
@@ -26665,7 +26666,7 @@ CVE-2025-64090 (This vulnerability allows authenticated attackers to execute com
NOT-FOR-US: Zenitel
CVE-2025-56225 (fluidsynth-2.4.6 and earlier versions is vulnerable to Null pointer de ...)
- fluidsynth 2.4.7+dfsg-1
- [trixie] - fluidsynth <no-dsa> (Minor issue)
+ [trixie] - fluidsynth 2.4.4+dfsg-1+deb13u2
[bookworm] - fluidsynth <no-dsa> (Minor issue)
[bullseye] - fluidsynth <postponed> (Minor issue)
NOTE: https://github.com/FluidSynth/fluidsynth/issues/1602
@@ -28722,14 +28723,14 @@ CVE-2025-69284 (Plane is an an open-source project management tool. In plane.io,
CVE-2025-67269 (An integer underflow vulnerability exists in the `nextstate()` functio ...)
{DLA-4441-1}
- gpsd 3.27.5-0.1 (bug #1124799)
- [trixie] - gpsd <no-dsa> (Minor issue)
+ [trixie] - gpsd 3.25-5+deb13u1
[bookworm] - gpsd <no-dsa> (Minor issue)
NOTE: https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67269/README.md
NOTE: Fixed by: https://gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7 (release-3.27.1)
CVE-2025-67268 (gpsd before commit dc966aa contains a heap-based out-of-bounds write v ...)
{DLA-4441-1}
- gpsd 3.27.5-0.1 (bug #1124800)
- [trixie] - gpsd <no-dsa> (Minor issue)
+ [trixie] - gpsd 3.25-5+deb13u1
[bookworm] - gpsd <no-dsa> (Minor issue)
NOTE: https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67268/README.md
NOTE: Fixed by: https://gitlab.com/gpsd/gpsd/-/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4 (release-3.27.1)
@@ -30794,14 +30795,14 @@ CVE-2022-50691 (MiniDVBLinux 5.4 contains a remote command execution vulnerabili
NOT-FOR-US: MiniDVBLinux
CVE-2025-69195 (A flaw was found in GNU Wget2. This vulnerability, a stack-based buffe ...)
- wget2 2.2.0+ds-3 (bug #1124377)
- [trixie] - wget2 <no-dsa> (Minor issue)
+ [trixie] - wget2 2.2.0+ds-1+deb13u1
[bookworm] - wget2 <not-affected> (Vulnerable code introduced later)
[bullseye] - wget2 <not-affected> (Vulnerable code introduced later)
NOTE: Introduced with: https://gitlab.com/gnuwget/wget2/-/commit/3dc30f5f0c6f8feae97f866c537324f821ea05d6 (v2.1.0)
NOTE: Fixed by: https://gitlab.com/gnuwget/wget2/-/commit/fc7fcbc00e0a2c8606d44ab216195afb3f08cc98 (v2.2.1)
CVE-2025-69194 (A security issue was discovered in GNU Wget2 when handling Metalink do ...)
- wget2 2.2.0+ds-3 (bug #1124378)
- [trixie] - wget2 <no-dsa> (Minor issue)
+ [trixie] - wget2 2.2.0+ds-1+deb13u1
[bookworm] - wget2 <no-dsa> (Minor issue)
[bullseye] - wget2 <postponed> (Minor issue)
NOTE: Fixed by: https://gitlab.com/gnuwget/wget2/-/commit/684be4785280fbe6b8666080bbdd87e7e5299ac5 (v2.2.1)
@@ -35156,7 +35157,7 @@ CVE-2025-34458 (wb2osz/direwolf (Dire Wolf) versions up to and including 1.8, pr
NOTE: Crash in CLI tool, no security impact
CVE-2025-34457 (wb2osz/direwolf (Dire Wolf) versions up to and including 1.8, prior to ...)
- direwolf 1.8.1+dfsg-2 (bug #1123925)
- [trixie] - direwolf <no-dsa> (Minor issue)
+ [trixie] - direwolf 1.7+dfsg-2+deb13u1
[bookworm] - direwolf <no-dsa> (Minor issue)
[bullseye] - direwolf <postponed> (Minor issue)
NOTE: https://github.com/wb2osz/direwolf/issues/617
@@ -35911,7 +35912,7 @@ CVE-2025-11774 (Improper Neutralization of Special Elements used in an OS Comman
NOT-FOR-US: Mitsubishi
CVE-2025-14876 (A flaw was found in the virtio-crypto device of QEMU. A malicious gues ...)
- qemu 1:10.2.1+ds-1 (bug #1123670)
- [trixie] - qemu <no-dsa> (Minor issue)
+ [trixie] - qemu 1:10.0.8+ds-0+deb13u1
[bookworm] - qemu <no-dsa> (Minor issue)
[bullseye] - qemu <not-affected> (The vulnerable code was introduced later)
NOTE: https://lore.kernel.org/qemu-devel/20251214090939.408436-1-zhenwei.pi@linux.dev/T/#u
@@ -36236,7 +36237,7 @@ CVE-2025-68118 (FreeRDP is a free implementation of the Remote Desktop Protocol.
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h78c-5cjx-jw6x
CVE-2025-68114 (Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prio ...)
- capstone 5.0.7-1 (bug #1123739)
- [trixie] - capstone <no-dsa> (Minor issue)
+ [trixie] - capstone 5.0.7-1~deb13u1
[bookworm] - capstone <no-dsa> (Minor issue)
[bullseye] - capstone <postponed> (Minor issue)
NOTE: https://github.com/capstone-engine/capstone/security/advisories/GHSA-85f5-6xr3-q76r
@@ -36258,7 +36259,7 @@ CVE-2025-67875 (ChurchCRM is an open-source church management system. A privileg
NOT-FOR-US: ChurchCRM
CVE-2025-67873 (Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prio ...)
- capstone 5.0.7-1 (bug #1123740)
- [trixie] - capstone <no-dsa> (Minor issue)
+ [trixie] - capstone 5.0.7-1~deb13u1
[bookworm] - capstone <no-dsa> (Minor issue)
[bullseye] - capstone <postponed> (Minor issue)
NOTE: https://github.com/capstone-engine/capstone/security/advisories/GHSA-hj6g-v545-v7jg
@@ -37997,7 +37998,7 @@ CVE-2025-68150 (Parse Server is an open source backend that can be deployed to a
NOT-FOR-US: Parse Server
CVE-2025-68146 (filelock is a platform-independent file lock for Python. In versions p ...)
- python-filelock 3.20.2-1 (bug #1123510)
- [trixie] - python-filelock <no-dsa> (Minor issue)
+ [trixie] - python-filelock 3.18.0-1+deb13u1
[bookworm] - python-filelock <no-dsa> (Minor issue)
[bullseye] - python-filelock <postponed> (Minor issue)
NOTE: https://github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f
@@ -45461,7 +45462,7 @@ CVE-2025-51682 (mJobtime 15.7.2 handles authorization on the client side, which
NOT-FOR-US: mJobtime
CVE-2025-49643 (An authenticated Zabbix user (including Guest) is able to cause dispro ...)
- zabbix 1:7.0.22+dfsg-1 (bug #1121841)
- [trixie] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
+ [trixie] - zabbix 1:7.0.22+dfsg-1~deb13u1
[bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
[bullseye] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-27284
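Review bot: now that trixie gets a fixed version here, the unchanged `[bookworm]` and `[bullseye]` lines still justify `<ignored>` with "The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558", a rationale that the trixie point update in this very hunk no longer follows. Either revisit the bookworm/bullseye status for consistency or amend the rationale to say why the older suites are handled differently. The same applies to the other zabbix entries in this patch that move from `<ignored>` to a fixed version (CVE-2025-49641, CVE-2025-27236, CVE-2025-27231).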
@@ -45670,7 +45671,7 @@ CVE-2025-6666 (A vulnerability was determined in motogadget mo.lock Ignition Loc
NOT-FOR-US: motogadget mo.lock
CVE-2025-13699 (MariaDB mariadb-dump Utility Directory Traversal Remote Code Execution ...)
- mariadb 1:11.8.5-1
- [trixie] - mariadb <no-dsa> (Minor issue; requires attacker to already have access to the database)
+ [trixie] - mariadb 11.8.6-0+deb13u1
[bookworm] - mariadb <no-dsa> (Minor issue; requires attacker to already have access to the database)
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 <postponed> (Minor issue; requires attacker to already have access to the database)
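Review bot: same epoch problem as the other mariadb entry in this patch: `+ [trixie] - mariadb 11.8.6-0+deb13u1` lacks the `1:` epoch present on the unstable line `- mariadb 1:11.8.5-1` just above it, so version comparison against the epoch-1 package in trixie will be wrong. Suggest `1:11.8.6-0+deb13u1`.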
@@ -45706,7 +45707,7 @@ CVE-2025-66036 (Retro is an online platform providing items of vintage collectio
NOT-FOR-US: Retro
CVE-2025-66034 (fontTools is a library for manipulating fonts, written in Python. In v ...)
- fonttools 4.61.1-1 (bug #1121605)
- [trixie] - fonttools <no-dsa> (Minor issue)
+ [trixie] - fonttools 4.57.0-1+deb13u1
[bookworm] - fonttools <no-dsa> (Minor issue)
[bullseye] - fonttools <postponed> (Minor issue)
NOTE: https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv
@@ -54264,7 +54265,7 @@ CVE-2023-7320 (The WooCommerce plugin for WordPress is vulnerable to Sensitive I
NOT-FOR-US: WordPress plugin
CVE-2025-62727 (Starlette is a lightweight ASGI framework/toolkit. Starting in version ...)
- starlette 0.50.0-1 (bug #1119662)
- [trixie] - starlette <no-dsa> (Minor issue)
+ [trixie] - starlette 0.46.1-3+deb13u1
[bookworm] - starlette <no-dsa> (Minor issue)
[bullseye] - starlette <postponed> (minor issue; DoS)
NOTE: https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8
@@ -62114,14 +62115,14 @@ CVE-2025-6985 (The HTMLSectionSplitter class in langchain-text-splitters version
NOT-FOR-US: langchain-text-splitters
CVE-2025-61985 (ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, ...)
- openssh 1:10.1p1-1 (bug #1117530)
- [trixie] - openssh <no-dsa> (Minor issue)
+ [trixie] - openssh 1:10.0p1-7+deb13u1
[bookworm] - openssh <no-dsa> (Minor issue)
[bullseye] - openssh <postponed> (Minor issue; can be fixed in next update)
NOTE: https://www.openwall.com/lists/oss-security/2025/10/06/1
NOTE: https://github.com/openssh/openssh-portable/commit/43b3bff47bb029f2299bacb6a36057981b39fdb0 (V_10_1_P1)
CVE-2025-61984 (ssh in OpenSSH before 10.1 allows control characters in usernames that ...)
- openssh 1:10.1p1-1 (bug #1117529)
- [trixie] - openssh <no-dsa> (Minor issue)
+ [trixie] - openssh 1:10.0p1-7+deb13u1
[bookworm] - openssh <no-dsa> (Minor issue)
[bullseye] - openssh <postponed> (Minor issue; can be fixed in next update)
NOTE: https://www.openwall.com/lists/oss-security/2025/10/06/1
@@ -63389,7 +63390,7 @@ CVE-2025-49844 (Redis is an open source, in-memory database that persists on dis
NOTE: https://github.com/valkey-io/valkey/commit/6dd003e88feace83e55491f32376f6927896e31e
CVE-2025-49641 (A regular Zabbix user with no permission to the Monitoring -> Problems ...)
- zabbix 1:7.0.22+dfsg-1 (bug #1117448)
- [trixie] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
+ [trixie] - zabbix 1:7.0.22+dfsg-1~deb13u1
[bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
[bullseye] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-27063
@@ -63477,7 +63478,7 @@ CVE-2025-27237 (In Zabbix Agent and Agent 2 on Windows, the OpenSSL configuratio
NOTE: https://support.zabbix.com/browse/ZBX-27061
CVE-2025-27236 (A regular Zabbix user can search other users in their user group via Z ...)
- zabbix 1:7.0.22+dfsg-1 (bug #1117448)
- [trixie] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
+ [trixie] - zabbix 1:7.0.22+dfsg-1~deb13u1
[bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
[bullseye] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-27060
@@ -63489,7 +63490,7 @@ CVE-2025-27236 (A regular Zabbix user can search other users in their user group
NOTE: Fixed in: 6.0.41, 7.0.17, 7.2.11, 7.4.1
CVE-2025-27231 (The LDAP 'Bind password' value cannot be read after saving, but a Supe ...)
- zabbix 1:7.0.22+dfsg-1 (bug #1117448)
- [trixie] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
+ [trixie] - zabbix 1:7.0.22+dfsg-1~deb13u1
[bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
[bullseye] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
NOTE: https://support.zabbix.com/browse/ZBX-27062
@@ -65395,7 +65396,7 @@ CVE-2024-58040 (Crypt::RandomEncryption for Perl version 0.01 uses insecure rand
NOT-FOR-US: Crypt::RandomEncryption Perl module
CVE-2025-9648 (A vulnerability in the CivetWeb library's function mg_handle_form_requ ...)
- civetweb 1.16+dfsg-4 (bug #1118285)
- [trixie] - civetweb <no-dsa> (Minor issue)
+ [trixie] - civetweb 1.16+dfsg-2+deb13u1
[bookworm] - civetweb <no-dsa> (Minor issue)
[bullseye] - civetweb <postponed> (minor issue; DoS)
NOTE: https://github.com/civetweb/civetweb/issues/1348
@@ -72494,7 +72495,7 @@ CVE-2025-27240 (A Zabbix adminitrator can inject arbitrary SQL during the autore
NOTE: Fixed in 6.0.34, 6.4.19, 7.0.4
CVE-2025-27238 (Due to a bug in Zabbix API, the hostprototype.get method lists all hos ...)
- zabbix 1:7.0.22+dfsg-1 (bug #1117448)
- [trixie] - zabbix <no-dsa> (Minor issue)
+ [trixie] - zabbix 1:7.0.22+dfsg-1~deb13u1
[bookworm] - zabbix <not-affected> (Vulnerable code not present)
[bullseye] - zabbix <not-affected> (Vulnerable code not present)
NOTE: https://support.zabbix.com/browse/ZBX-26988
@@ -72521,7 +72522,7 @@ CVE-2025-27234 (Zabbix Agent 2 smartctl plugin does not properly sanitize smart.
NOTE: Fixed by [8/8]: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/d18935be5fadca6c85ce0a715ce85e757d1dc80b (5.0.47rc1)
CVE-2025-27233 (Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.g ...)
- zabbix 1:7.0.22+dfsg-1 (bug #1117448)
- [trixie] - zabbix <no-dsa> (Minor issue)
+ [trixie] - zabbix 1:7.0.22+dfsg-1~deb13u1
[bookworm] - zabbix <no-dsa> (Minor issue)
[bullseye] - zabbix <not-affected> (Vulnerable code not present, CVE-2025-27234 specific for the 5.0.x codebase)
NOTE: https://support.zabbix.com/browse/ZBX-26987
@@ -72712,7 +72713,7 @@ CVE-2025-56556 (An issue was discovered in Subrion CMS 4.2.1, allowing authentic
CVE-2025-48041 (Allocation of Resources Without Limits or Throttling vulnerability in ...)
{DLA-4376-1}
- erlang 1:27.3.4.3+dfsg-1 (bug #1115090)
- [trixie] - erlang <no-dsa> (Minor issue)
+ [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u1
[bookworm] - erlang <no-dsa> (Minor issue)
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-79c4-cvv7-4qm3
NOTE: https://github.com/erlang/otp/pull/10157
@@ -72720,7 +72721,7 @@ CVE-2025-48041 (Allocation of Resources Without Limits or Throttling vulnerabili
NOTE: https://github.com/erlang/otp/commit/d49efa2d4fa9e6f7ee658719cd76ffe7a33c2401 (OTP-26.2.5.15)
CVE-2025-48040 (Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh ...)
- erlang 1:27.3.4.3+dfsg-1 (bug #1115091)
- [trixie] - erlang <no-dsa> (Minor issue)
+ [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u1
[bookworm] - erlang <no-dsa> (Minor issue)
[bullseye] - erlang <postponed> (Minor issue)
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-h7rg-6rjg-4cph
@@ -72730,7 +72731,7 @@ CVE-2025-48040 (Uncontrolled Resource Consumption vulnerability in Erlang OTP ss
CVE-2025-48039 (Allocation of Resources Without Limits or Throttling vulnerability in ...)
{DLA-4376-1}
- erlang 1:27.3.4.3+dfsg-1 (bug #1115092)
- [trixie] - erlang <no-dsa> (Minor issue)
+ [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u1
[bookworm] - erlang <no-dsa> (Minor issue)
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-rr5p-6856-j7h8
NOTE: https://github.com/erlang/otp/pull/10155
@@ -72739,7 +72740,7 @@ CVE-2025-48039 (Allocation of Resources Without Limits or Throttling vulnerabili
CVE-2025-48038 (Allocation of Resources Without Limits or Throttling vulnerability in ...)
{DLA-4376-1}
- erlang 1:27.3.4.3+dfsg-1 (bug #1115093)
- [trixie] - erlang <no-dsa> (Minor issue)
+ [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u1
[bookworm] - erlang <no-dsa> (Minor issue)
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-pvj7-9652-7h9r
NOTE: https://github.com/erlang/otp/pull/10156
@@ -74539,7 +74540,7 @@ CVE-2025-57807 (ImageMagick is free and open-source software used for editing an
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/ab1bb3d8ed06d0ed6aa5038b6a74aebf53af9ccf (6.9.13-29)
CVE-2025-7709 (An integer overflow exists in the FTS5 https://sqlite.org/fts5.html e ...)
- sqlite3 3.46.1-8 (bug #1114609)
- [trixie] - sqlite3 <no-dsa> (Minor issue)
+ [trixie] - sqlite3 3.46.1-7+deb13u1
[bookworm] - sqlite3 <no-dsa> (Minor issue)
[bullseye] - sqlite3 <not-affected> (The vulnerable code was introduced later)
NOTE: https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g
@@ -77067,7 +77068,7 @@ CVE-2025-56577 (An issue in Evope Core v.1.1.3.20 allows a local attacker to obt
NOT-FOR-US: Evope Core
CVE-2025-55763 (Buffer Overflow in the URI parser of CivetWeb 1.14 through 1.16 (lates ...)
- civetweb 1.16+dfsg-3 (bug #1112507)
- [trixie] - civetweb <no-dsa> (Minor issue)
+ [trixie] - civetweb 1.16+dfsg-2+deb13u1
[bookworm] - civetweb <no-dsa> (Minor issue)
[bullseye] - civetweb <postponed> (Minor issue)
NOTE: https://github.com/krispybyte/CVE-2025-55763
@@ -94276,7 +94277,7 @@ CVE-2024-9453 (A vulnerability was found in Red Hat OpenShift Jenkins. The beare
NOT-FOR-US: Red Hat OpenShift Jenkins
CVE-2026-23553 (In the context switch logic Xen attempts to skip an IBPB in the case o ...)
- xen 4.20.2+37-g61ff35323e-1
- [trixie] - xen <postponed> (Minor issue, fix along with next Xen update)
+ [trixie] - xen 4.20.2+37-g61ff35323e-0+deb13u1
[bookworm] - xen <postponed> (Minor issue, fix along with next Xen update)
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
NOTE: https://xenbits.xen.org/xsa/advisory-479.html
@@ -94285,7 +94286,7 @@ CVE-2025-58151 [varstored: TOCTOU issues with mapped guest memory]
NOTE: https://xenbits.xen.org/xsa/advisory-478.html
CVE-2025-58150 (Shadow mode tracing code uses a set of per-CPU variables to avoid cumb ...)
- xen 4.20.2+37-g61ff35323e-1
- [trixie] - xen <postponed> (Minor issue, fix along with next Xen update)
+ [trixie] - xen 4.20.2+37-g61ff35323e-0+deb13u1
[bookworm] - xen <postponed> (Minor issue, fix along with next Xen update)
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
NOTE: https://xenbits.xen.org/xsa/advisory-477.html
@@ -100942,7 +100943,7 @@ CVE-2025-4227 (An improper access control vulnerability in the Endpoint Traffic
NOT-FOR-US: Palo Alto Networks
CVE-2025-49589 (PCSX2 is a free and open-source PlayStation 2 (PS2) emulator. A stack- ...)
- pcsx2 2.4.0+dfsg-1 (bug #1107756)
- [trixie] - pcsx2 <no-dsa> (Minor issue)
+ [trixie] - pcsx2 1.6.0+dfsg-3+deb13u1
[bookworm] - pcsx2 <no-dsa> (Minor issue)
[bullseye] - pcsx2 <postponed> (Minor issue)
NOTE: https://github.com/PCSX2/pcsx2/security/advisories/GHSA-f494-4xf7-xj35
@@ -104352,7 +104353,7 @@ CVE-2024-12718 (Allows modifying some file metadata (e.g. last modified) with fi
NOTE: Fixed by: https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da (v3.12.11)
CVE-2024-47081 (Requests is a HTTP library. Due to a URL parsing issue, Requests relea ...)
- requests 2.32.4+dfsg-1 (bug #1107368)
- [trixie] - requests <postponed> (Minor issue; revisit when fixed upstream)
+ [trixie] - requests 2.32.3+dfsg-5+deb13u1
[bookworm] - requests <postponed> (Minor issue; revisit when fixed upstream)
[bullseye] - requests <postponed> (Minor issue; revisit when fixed upstream)
NOTE: https://www.openwall.com/lists/oss-security/2025/06/03/9
@@ -128628,7 +128629,7 @@ CVE-2025-2589 (A vulnerability was found in code-projects Human Resource Managem
NOT-FOR-US: code-projects
CVE-2025-2588 (A vulnerability has been found in Hercules Augeas 1.14.1 and classifie ...)
- augeas 1.14.1-1.1 (bug #1101714)
- [trixie] - augeas <no-dsa> (Minor issue)
+ [trixie] - augeas 1.14.1-1.1~deb13u1
[bookworm] - augeas <no-dsa> (Minor issue)
[bullseye] - augeas <postponed> (Minor issue)
NOTE: https://github.com/hercules-team/augeas/issues/852
@@ -729470,6 +729471,7 @@ CVE-2016-1000109 (HHVM does not attempt to address RFC 3875 section 4.1.18 names
- hhvm 3.12.11+dfsg-1 (unimportant)
CVE-2016-1000107 (inets in Erlang possibly 22.1 and earlier follows RFC 3875 section 4.1 ...)
- erlang 1:27.3.4.3+dfsg-1 (unimportant; bug #1115086)
+ [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u1
NOTE: https://bugs.erlang.org/browse/ERL-198
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-wrj5-4mmp-gvr8
NOTE: Fixed by (merge): https://github.com/erlang/otp/commit/13b092a06ab9fad685890d0e963ad8095d0f31ec (OTP-28.0.4)
=====================================
data/next-point-update.txt
=====================================
@@ -1,99 +1,3 @@
-CVE-2025-68146
- [trixie] - python-filelock 3.18.0-1+deb13u1
-CVE-2025-61984
- [trixie] - openssh 1:10.0p1-7+deb13u1
-CVE-2025-61985
- [trixie] - openssh 1:10.0p1-7+deb13u1
-CVE-2025-34457
- [trixie] - direwolf 1.7+dfsg-2+deb13u1
-CVE-2025-69195
- [trixie] - wget2 2.2.0+ds-1+deb13u1
-CVE-2025-69194
- [trixie] - wget2 2.2.0+ds-1+deb13u1
-CVE-2025-49589
- [trixie] - pcsx2 1.6.0+dfsg-3+deb13u1
-CVE-2025-67268
- [trixie] - gpsd 3.25-5+deb13u1
-CVE-2025-67269
- [trixie] - gpsd 3.25-5+deb13u1
-CVE-2026-23949
- [trixie] - jaraco.context 6.0.1-1+deb13u1
-CVE-2025-7709
- [trixie] - sqlite3 3.46.1-7+deb13u1
-CVE-2026-24765
- [trixie] - phpunit 11.5.19-1+deb13u1
-CVE-2025-66034
- [trixie] - fonttools 4.57.0-1+deb13u1
-CVE-2025-62727
- [trixie] - starlette 0.46.1-3+deb13u1
-CVE-2026-26076
- [trixie] - rust-ntp-proto 1.4.0-4+deb13u1
-CVE-2025-48038
- [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u1
-CVE-2025-48039
- [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u1
-CVE-2025-48040
- [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u1
-CVE-2025-48041
- [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u1
-CVE-2016-1000107
- [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u1
-CVE-2026-27699
- [trixie] - node-proxy-agents 0~2024040606-6+deb13u1
-CVE-2026-3201
- [trixie] - wireshark 4.4.14-0+deb13u1
-CVE-2026-3203
- [trixie] - wireshark 4.4.14-0+deb13u1
-CVE-2025-14876
- [trixie] - qemu 1:10.0.8+ds-0+deb13u1
-CVE-2026-0665
- [trixie] - qemu 1:10.0.8+ds-0+deb13u1
-(CVE-2025-69209
- [trixie] - arduino-core-avr 1.8.7+dfsg-1~deb13u1
-CVE-2025-67873
- [trixie] - capstone 5.0.7-1~deb13u1
-CVE-2025-68114
- [trixie] - capstone 5.0.7-1~deb13u1
-CVE-2025-27231
- [trixie] - zabbix 1:7.0.22+dfsg-1~deb13u1
-CVE-2025-27233
- [trixie] - zabbix 1:7.0.22+dfsg-1~deb13u1
-CVE-2025-27236
- [trixie] - zabbix 1:7.0.22+dfsg-1~deb13u1
-CVE-2025-27238
- [trixie] - zabbix 1:7.0.22+dfsg-1~deb13u1
-CVE-2025-49641
- [trixie] - zabbix 1:7.0.22+dfsg-1~deb13u1
-CVE-2025-49643
- [trixie] - zabbix 1:7.0.22+dfsg-1~deb13u1
-CVE-2026-23925
- [trixie] - zabbix 1:7.0.22+dfsg-1~deb13u1
-CVE-2025-58150
- [trixie] - xen 4.20.2+37-g61ff35323e-0+deb13u1
-CVE-2026-23553
- [trixie] - xen 4.20.2+37-g61ff35323e-0+deb13u1
-CVE-2026-26007
- [trixie] - python-cryptography 43.0.0-3+deb13u1
-CVE-2026-2219
- [trixie] - dpkg 1.22.22
-CVE-2025-56226
- [trixie] - libsndfile 1.2.2-2+deb13u1
-CVE-2025-56225
- [trixie] - fluidsynth 2.4.4+dfsg-1+deb13u2
-CVE-2025-2588
- [trixie] - augeas 1.14.1-1.1~deb13u1
-CVE-2025-9648
- [trixie] - civetweb 1.16+dfsg-2+deb13u1
-CVE-2025-55763
- [trixie] - civetweb 1.16+dfsg-2+deb13u1
-CVE-2024-47081
- [trixie] - requests 2.32.3+dfsg-5+deb13u1
-CVE-2025-13699
- [trixie] - mariadb 11.8.6-0+deb13u1
-CVE-2026-21968
- [trixie] - mariadb 11.8.6-0+deb13u1
-CVE-2026-24486
- [trixie] - python-multipart 0.0.20-1.1~deb13u1
CVE-2026-25635
[trixie] - calibre 8.5.0+ds-1+deb13u2
CVE-2026-25636
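Review bot: the removed pair `-(CVE-2025-69209` / `- [trixie] - arduino-core-avr 1.8.7+dfsg-1~deb13u1` has no counterpart in the data/CVE/list hunks of this patch (only two files changed, and no arduino-core-avr entry gains a `[trixie]` fixed-version line there), so that CVE's trixie status appears to have been dropped from the queue rather than recorded; please check whether it was part of the accepted 13.4 set. Note also the stray leading `(` before the CVE id on that line, which may be how it escaped whatever tooling consumed this file. Every other entry removed from this file maps to a `+ [trixie]` line in data/CVE/list.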
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3dc427d19fc4f1c27885df9f3be6fb3e9faa3c45...4533111f64cba717324dd5999a2348d09ed1e49e