[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Mar 18 15:04:20 GMT 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8c94d019 by Moritz Muehlenhoff at 2026-03-18T16:04:00+01:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -116,6 +116,8 @@ CVE-2026-28673 (xiaoheiFS is a self-hosted financial and operational system for
NOT-FOR-US: xiaoheiFS
CVE-2026-28500 (Open Neural Network Exchange (ONNX) is an open standard for machine le ...)
- onnx <unfixed>
+ [trixie] - onnx <no-dsa> (Minor issue)
+ [bookworm] - onnx <no-dsa> (Minor issue)
NOTE: https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m
CVE-2026-28499 (LeafKit is a templating language with Swift-inspired syntax. Prior to ...)
NOT-FOR-US: LeafKit
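Review bot: On the CVE-2026-28500 entry, the two added <no-dsa> lines carry only the generic reason "Minor issue" while onnx is still <unfixed> and the sole NOTE is the GHSA advisory link. A NOTE pointing at the upstream fix commit, once one is identified, would let a later point-release update pick up the patch without repeating the research.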
@@ -1817,6 +1819,8 @@ CVE-2026-32142 (Shopware is an open commerce platform. /api/_info/config route e
NOT-FOR-US: Shopware
CVE-2026-32141 (flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() f ...)
- node-flatted 3.4.1~ds-1
+ [trixie] - node-flatted <no-dsa> (Minor issue)
+ [bookworm] - node-flatted <no-dsa> (Minor issue)
NOTE: https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f
NOTE: https://github.com/WebReflection/flatted/pull/88
NOTE: Fixedby: https://github.com/WebReflection/flatted/commit/7774aae45d3775c842abe9d071fd009171a5fc0c (v3.4.0)
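Review bot: The last context line of the CVE-2026-32141 entry spells the tag "Fixedby:", while the other entries in this diff use "Fixed by:" (see the ImageMagick6 and ormar NOTE lines). Since this commit already touches the entry, normalising it to "NOTE: Fixed by: ..." would keep anything that greps for that tag from missing the flatted commit.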
@@ -2755,6 +2759,8 @@ CVE-2026-31815 (Unicorn adds modern reactive component functionality to your Dja
NOT-FOR-US: Django Unicorn
CVE-2026-31812 (Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC ...)
- rust-quinn-proto 0.11.14-1
+ [trixie] - rust-quinn-proto <no-dsa> (Minor issue)
+ [bookworm] - rust-quinn-proto <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0037.html
NOTE: https://github.com/quinn-rs/quinn/security/advisories/GHSA-6xvm-j4wr-6v98
NOTE: https://github.com/quinn-rs/quinn/pull/2558
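Review bot: For CVE-2026-31812 the fix is referenced only by pull request (quinn/pull/2558), with no "Fixed by:" commit or upstream version as given for flatted and ormar. With trixie and bookworm now tagged <no-dsa>, recording the merged commit in a NOTE would make a later backport to the stable releases easier to scope.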
@@ -9437,6 +9443,7 @@ CVE-2026-26283 (ImageMagick is free and open-source software used for editing an
NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/8b47529f22404853d22205583087add01ea9fae8 (6.9.13-39)
CVE-2026-26198 (Ormar is a async mini ORM for Python. In versions 0.9.9 through 0.22.0 ...)
- ormar 0.23.0-1 (bug #1129259)
+ [bookworm] - ormar <no-dsa> (Minor issue)
NOTE: https://github.com/collerek/ormar/security/advisories/GHSA-xxh2-68g9-8jqr
NOTE: Fixed by: https://github.com/collerek/ormar/commit/a03bae14fe01358d3eaf7e319fcd5db2e4956b16 (0.23.0)
CVE-2026-26066 (ImageMagick is free and open-source software used for editing and mani ...)
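Review bot: The CVE-2026-26198 entry gains only a [bookworm] line, whereas every other package triaged in this commit is tagged for both trixie and bookworm. The description gives the affected range as 0.9.9 through 0.22.0 and the fix is in 0.23.0-1, so it is worth confirming that trixie is either already at a fixed version or does not ship ormar, and adding a [trixie] line otherwise.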
@@ -123710,8 +123717,8 @@ CVE-2024-58036 (Net::Dropbox::API 1.9 and earlier for Perl uses the rand() funct
NOTE: https://lists.security.metacpan.org/cve-announce/msg/28504518/
CVE-2024-57868 (Web::API 2.8 and earlier for Perl uses the rand() function as the defa ...)
- libweb-api-perl <unfixed> (bug #1102148)
- [trixie] - libweb-api-perl <no-dsa> (Minor issue)
- [bookworm] - libweb-api-perl <no-dsa> (Minor issue)
+ [trixie] - libweb-api-perl <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - libweb-api-perl <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libweb-api-perl <postponed> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/28503730/
CVE-2025-30473 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
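Review bot: In the CVE-2024-57868 entry, [trixie] and [bookworm] move to <postponed> with the reason "Minor issue, revisit when fixed upstream", but the [bullseye] context line directly below keeps the shorter "(Minor issue)". If the same revisit condition applies there, aligning the wording would make the three lines consistent; if bullseye is intentionally left alone, no change is needed.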
=====================================
data/dsa-needed.txt
=====================================
@@ -30,6 +30,10 @@ gh/oldstable
--
git-lfs
--
+gst-plugins-bad1.0
+--
+gst-plugins-ugly1.0
+--
incus/stable
--
imagemagick
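Review bot: gst-plugins-bad1.0 and gst-plugins-ugly1.0 are added to dsa-needed.txt with no annotation, and none of the data/CVE/list hunks in this commit touch a gst-plugins entry, so the reason for the addition cannot be read from the change itself. A short comment line under each entry (as node-tar has in the next hunk) naming the CVEs or the upstream release would help whoever picks up the update.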
@@ -54,6 +58,8 @@ lxd
--
mbedtls/oldstable
--
+nodejs/oldstable
+--
node-tar
Daniel Leidert proposed to work on {bookworm,trixie}-security updates, but maintainers should be involved
--
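Review bot: nodejs/oldstable is inserted ahead of node-tar, although in plain ASCII order "node-tar" sorts before "nodejs". The list is only loosely alphabetical (incus/stable precedes imagemagick in the previous hunk), so this is cosmetic, but placing the new entry after the node-tar block would keep it where someone scanning the list expects it.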
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c94d019f961e8214cea569c0161abfc1c38a847