[Git][security-tracker-team/security-tracker][master] bookworm/trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Mar 18 13:30:49 GMT 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
751f39ec by Moritz Muehlenhoff at 2026-03-18T14:25:18+01:00
bookworm/trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -253,7 +253,11 @@ CVE-2026-4295 (Improper trust boundary enforcement in Kiro IDE before version 0.
NOT-FOR-US: Amazon
CVE-2026-4271 (A flaw was found in libsoup, a library for handling HTTP requests. Thi ...)
- libsoup3 <unfixed>
+ [trixie] - libsoup3 <no-dsa> (Minor issue)
+ [bookworm] - libsoup3 <no-dsa> (Minor issue)
- libsoup2.4 <removed>
+ [trixie] - libsoup2.4 <no-dsa> (Minor issue)
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/496
CVE-2026-4208 (The extension fails to properly reset the generated MFA code after suc ...)
NOT-FOR-US: TYPO3 (core or extensions)
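Review bot: the `libsoup3 <unfixed>` line for CVE-2026-4271 records no Debian bug reference, whereas the three other libsoup entries in this same commit (CVE-2026-3632, -3633, -3634) each carry one (`bug #1130499` and following); recording a bug here too lets the eventual unstable upload be tracked the same way. Keeping `libsoup2.4 <removed>` for unstable while tagging `[trixie]` and `[bookworm]` as `<no-dsa>` is the expected shape, since the release-specific lines are what the stable trackers read.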
@@ -1108,6 +1112,8 @@ CVE-2025-15060 (claude-hovercraft executeClaudeCode Command Injection Remote Cod
NOT-FOR-US: claude-hovercraft executeClaudeCode
CVE-2026-4111 (A flaw was identified in the RAR5 archive decompression logic of the l ...)
- libarchive <unfixed> (bug #1130753)
+ [trixie] - libarchive <no-dsa> (Minor issue)
+ [bookworm] - libarchive <no-dsa> (Minor issue)
NOTE: https://github.com/libarchive/libarchive/pull/2877
NOTE: Testcase: https://github.com/libarchive/libarchive/commit/ef53e2023d75a205cf7cbddb5d01c4cc592e9ce4
NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/7273d04803a1e5a482f26d8d0fbaf2b204a72168
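Review bot: this entry already has everything a point-release update needs (bug #1130753, the upstream PR, a testcase commit and the "Fixed by" commit), so the stock `(Minor issue)` text on both `<no-dsa>` tags is the weakest part of the hunk; a few words of rationale on why a DSA is not warranted would help the next triager decide whether the fix should ride along in the next point release rather than be re-triaged.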
@@ -1401,6 +1407,7 @@ CVE-2026-32328 (Cross-Site Request Forgery (CSRF) vulnerability in shufflehound
NOT-FOR-US: WordPress plugin or theme
CVE-2026-32314 (Yamux is a stream multiplexer over reliable, ordered connections such ...)
- rust-yamux 0.13.10+ds-1 (bug #1130752)
+ [trixie] - rust-yamux <no-dsa> (Minor issue)
NOTE: https://github.com/libp2p/rust-yamux/security/advisories/GHSA-vxx9-2994-q338
NOTE: Fixed by: https://github.com/libp2p/rust-yamux/commit/ac71745226b99191249bbbb0420aceba052c150c
CVE-2026-32313 (xmlseclibs is a library written in PHP for working with XML Encryption ...)
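Review bot: only a `[trixie]` tag is added for CVE-2026-32314 and no `[bookworm]` line appears in the hunk, so the entry reads as rust-yamux being absent from bookworm; if the package is shipped there at an affected version it needs a tag as well. The unstable line (`rust-yamux 0.13.10+ds-1 (bug #1130752)`) and the "Fixed by" commit note line up, which is good.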
@@ -1454,6 +1461,7 @@ CVE-2026-31864 (JumpServer is an open source bastion host and an operation and m
NOT-FOR-US: JumpServer
CVE-2026-31814 (Yamux is a stream multiplexer over reliable, ordered connections such ...)
- rust-yamux 0.13.9+ds-1
+ [trixie] - rust-yamux <no-dsa> (Minor issue)
NOTE: https://github.com/libp2p/rust-yamux/security/advisories/GHSA-4w32-2493-32g7
NOTE: Fixed by: https://github.com/libp2p/rust-yamux/commit/b1aae09d60c0bd6a5915a5448f4e8cbc5174db53 (yamux-v0.13.9)
CVE-2026-31806 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
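Review bot: the unstable line `rust-yamux 0.13.9+ds-1` carries no bug reference, unlike the sibling CVE-2026-32314 entry earlier in this commit (bug #1130752); if the 0.13.9 upload was the fix, recording the bug (or noting that none was filed) keeps the two yamux entries consistent. As with the sibling entry, only `[trixie]` is tagged, so the same bookworm question applies.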
@@ -1475,6 +1483,8 @@ CVE-2026-30914 (SFTPGo is an open source, event-driven file transfer solution. I
- sftpgo <itp> (bug #1050829)
CVE-2026-30853 (calibre is a cross-platform e-book manager for viewing, converting, ed ...)
- calibre 9.5.0+ds+~0.10.5-1
+ [trixie] - calibre <no-dsa> (Minor issue)
+ [bookworm] - calibre <no-dsa> (Minor issue)
NOTE: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-7mp7-rfrg-542x
CVE-2026-2888 (The Formidable Forms plugin for WordPress is vulnerable to an authoriz ...)
NOT-FOR-US: WordPress plugin
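Review bot: the calibre entry references only the GHSA advisory and has no "Fixed by" commit note, in contrast to the libarchive, yamux and spin.js entries in this commit; since the fixed unstable version (`9.5.0+ds+~0.10.5-1`) is already known, adding the upstream fix commit would make a later point-release backport easier to locate.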
@@ -2683,6 +2693,8 @@ CVE-2026-3903 (The Modular DS: Monitor, update, and backup multiple websites plu
NOT-FOR-US: WordPress plugin
CVE-2026-3884 (Versions of the package spin.js before 3.0.0 are vulnerable to Cross-s ...)
- libjs-spin.js <unfixed>
+ [trixie] - libjs-spin.js <no-dsa> (Minor issue)
+ [bookworm] - libjs-spin.js <no-dsa> (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-JS-SPINJS-15445079
NOTE: Fixed by: https://github.com/fgnass/spin.js/commit/1f63d33b74e5919e7fe24bf97eca96a346535f6f
CVE-2026-3826 (IFTOP developed by WellChoose has a Local File Inclusion vulnerability ...)
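Review bot: `libjs-spin.js <unfixed>` has no bug reference, while the other `<unfixed>` entries in this commit (libarchive, qemu, the libsoup CVE-2026-363x group) each record a Debian bug; the Snyk advisory and the upstream fix commit are noted, so filing a bug against the package would hand the maintainer the pointer needed for the unstable fix.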
@@ -4030,17 +4042,29 @@ CVE-2026-25604 (In AWS Auth manager, the origin of the SAML authentication has b
NOT-FOR-US: Apache Airflow AWS Auth Manager
CVE-2026-3632 (A flaw was found in libsoup, a library used by applications to send ne ...)
- libsoup3 <unfixed> (bug #1130499)
+ [trixie] - libsoup3 <no-dsa> (Minor issue)
+ [bookworm] - libsoup3 <no-dsa> (Minor issue)
- libsoup2.4 <removed>
+ [trixie] - libsoup2.4 <no-dsa> (Minor issue)
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2445127
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/483
CVE-2026-3633 (A flaw was found in libsoup. A remote attacker, by controlling the met ...)
- libsoup3 <unfixed> (bug #1130500)
+ [trixie] - libsoup3 <no-dsa> (Minor issue)
+ [bookworm] - libsoup3 <no-dsa> (Minor issue)
- libsoup2.4 <removed>
+ [trixie] - libsoup2.4 <no-dsa> (Minor issue)
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2445128
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/484
CVE-2026-3634 (A flaw was found in libsoup. An attacker controlling the value used to ...)
- libsoup3 <unfixed> (bug #1130501)
+ [trixie] - libsoup3 <no-dsa> (Minor issue)
+ [bookworm] - libsoup3 <no-dsa> (Minor issue)
- libsoup2.4 <removed>
+ [trixie] - libsoup2.4 <no-dsa> (Minor issue)
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2445129
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/485
NOTE: Duplicate/Overlapping issue: https://gitlab.gnome.org/GNOME/libsoup/-/issues/486
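Review bot: CVE-2026-3632, -3633 and -3634 here, together with CVE-2026-4271 earlier in the same file, are all tagged `<no-dsa> (Minor issue)` for libsoup3 in both trixie and bookworm, which makes the four issues natural candidates for a single point-release update; a NOTE saying so on one of them would save re-triage. The `libsoup2.4 <removed>` lines are retained for unstable while the stable suites are tagged, consistent with the package still being present there. The "Duplicate/Overlapping issue" note on CVE-2026-3634 (upstream issue 486) should be mirrored on whichever entry issue 486 ends up under, so the two stay cross-referenced.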
@@ -193603,6 +193627,8 @@ CVE-2024-20082 (In Modem, there is a possible memory corruption due to a missing
NOT-FOR-US: Mediatek
CVE-2026-3196
- qemu <unfixed> (bug #1129605)
+ [trixie] - qemu <no-dsa> (Minor issue)
+ [bookworm] - qemu <no-dsa> (Minor issue)
NOTE: https://lore.kernel.org/qemu-devel/20260220-virtio-snd-series-v1-0-207c4f7200a2@linaro.org/
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/61679d7dcfa2dffc8fb115aa19b09e0e7cf5ea5c
CVE-2026-3195
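Review bot: the `CVE-2026-3196` line is bare, with no parenthesised summary, while every other CVE line in this commit carries one; the NOTE links (the virtio-snd series on qemu-devel and the "Fixed by" commit) identify the issue, but a one-line description on the CVE line keeps the list greppable and lets the `<no-dsa> (Minor issue)` tags be checked against the description at a glance.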
=====================================
data/dsa-needed.txt
=====================================
@@ -30,9 +30,13 @@ gh/oldstable
--
git-lfs
--
+incus/stable
+--
imagemagick
Bastien working on another round of updates
--
+inetutils
+--
isc-kea/oldstable
--
jackson-core
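Review bot: `incus/stable` carries an explicit suite suffix while the new `inetutils` entry does not; in this file a bare name (`git-lfs`, `imagemagick`, `jackson-core` in the context) is the default form, so the suffix on incus reads as deliberately restricting it to stable only, and it is worth confirming that inetutils really needs the default scope. Neither new entry has a claimant or status line; a short note like the imagemagick one ("Bastien working on another round of updates") keeps the queue self-explanatory.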
@@ -40,10 +44,14 @@ jackson-core
libreswan/oldstable
Waiting on feedback from maintainer
--
+libyaml-syck-perl (carnil)
+--
linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more 6.1.y versions
--
+lxd
+--
mbedtls/oldstable
--
node-tar
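Review bot: the context line "try to regulary rebase for point" has a typo ("regularly"); it is not introduced by this change but is worth fixing while the file is being touched. The new `libyaml-syck-perl (carnil)` and `lxd` entries follow the existing format; lxd has no claimant or status, so it sits in the open queue alongside the other bare entries.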
@@ -52,6 +60,8 @@ node-tar
opennds/oldstable
pinged maintainer, but no reply yet. should most probably be bumped to 10.x
--
+openssh
+--
pdfminer (carnil)
Required followup for CVE-2025-64512 as original fix was incomplete.
--
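Review bot: `openssh` is added without a claimant or note; the pdfminer entry just below shows the useful pattern ("Required followup for CVE-2025-64512 as original fix was incomplete."), and a one-line pointer to the CVE(s) driving the DSA would help whoever picks the package up.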
@@ -76,6 +86,8 @@ runc
smb4k/oldstable
Inrusive to backport chnges to 3.1.7-1, queried maintainer for opinion on ignoring update
--
+snapd/stable (carnil)
+--
spip
David Prevot proposed followup update for last DSA to address issue introduced in 4.4.10
--
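Review bot: the context line "Inrusive to backport chnges to 3.1.7-1" has two typos ("Intrusive", "changes"); they predate this change but are worth fixing while the file is open. The new `snapd/stable (carnil)` entry follows the `incus/stable` convention of an explicit suite suffix plus a claimant.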
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/751f39ec9948161f778763ddf0300ffd5cde5cc0