[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Mar 19 16:29:22 GMT 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
254b7048 by Moritz Muehlenhoff at 2026-03-19T17:29:00+01:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -662,10 +662,14 @@ CVE-2026-27522 (OpenClaw versions prior to 2026.2.24 contain a local media root
 	NOT-FOR-US: OpenClaw
 CVE-2026-27459 (pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in  ...)
 	- pyopenssl <unfixed>
+	[trixie] - pyopenssl <no-dsa> (Minor issue)
+	[bookworm] - pyopenssl <no-dsa> (Minor issue)
 	NOTE: https://github.com/pyca/pyopenssl/security/advisories/GHSA-5pwr-322w-8jr4
 	NOTE: https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408 (26.0.0)
 CVE-2026-27448 (pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in  ...)
 	- pyopenssl <unfixed>
+	[trixie] - pyopenssl <no-dsa> (Minor issue)
+	[bookworm] - pyopenssl <no-dsa> (Minor issue)
 	NOTE: https://github.com/pyca/pyopenssl/security/advisories/GHSA-vp96-hxj8-p424
 	NOTE: https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0	(26.0.0)
 CVE-2026-26004 (Sentry is a developer-first error tracking and performance monitoring  ...)
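Review bot: The fix reference for CVE-2026-27448 (`commit/d41a814759a9...`) separates the `(26.0.0)` version annotation from the URL with a tab, while the sibling entry for CVE-2026-27459 uses a single space before `(26.0.0)`; make the spacing consistent so both NOTE lines read and parse the same way. The added `[trixie]`/`[bookworm] - pyopenssl <no-dsa> (Minor issue)` lines are consistent with each other and need no change.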
@@ -1028,6 +1032,8 @@ CVE-2026-4224 (When an Expat parser with a registered ElementDeclHandler parses
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
 	- pypy3 <unfixed>
+	[trixie] - pypy3 <no-dsa> (Minor issue)
+	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3TPZ6R/
 	NOTE: https://github.com/python/cpython/issues/145986
 	NOTE: https://github.com/python/cpython/pull/145987
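Review bot: The package being marked `<no-dsa>` for trixie and bookworm here is pypy3, but the only references under it are the CPython issue (`cpython/issues/145986`) and PR (`cpython/pull/145987`); if pypy3 upstream has its own tracking issue or fix commit, add it as a NOTE so a later point-release update has something to cherry-pick from, and otherwise consider a NOTE stating that the CPython PR is the intended backport source for pypy3.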
@@ -1948,6 +1954,8 @@ CVE-2026-31915 (Missing Authorization vulnerability in UX-themes Flatsome flatso
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-31899 (CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Pr ...)
 	- cairosvg <unfixed> (bug #1130748)
+	[trixie] - cairosvg <no-dsa> (Minor issue)
+	[bookworm] - cairosvg <no-dsa> (Minor issue)
 	NOTE: https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c
 	NOTE: Fixed by: https://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf (2.9.0)
 CVE-2026-31897 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
@@ -2294,12 +2302,13 @@ CVE-2026-32259 (ImageMagick is free and open-source software used for editing an
 CVE-2026-32251 (Tolgee is an open-source localization platform. Prior to 3.166.3, the  ...)
 	NOT-FOR-US: Tolgee
 CVE-2026-32249 (Vim is an open source, command line text editor. From 9.1.0011 to befo ...)
-	- vim <unfixed> (bug #1130658)
+	- vim <unfixed> (bug #1130658; unimportant)
 	[bookworm] - vim <not-affected> (Vulnerable code not present)
 	[bullseye] - vim <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r
 	NOTE: Introduced with: https://github.com/vim/vim/commit/d2cc51f9a1a5a30ef5d2e732f49d7f495cae24cf (v9.1.0011)
 	NOTE: Fixed by: https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec (v9.2.0137)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2026-32248 (Parse Server is an open source backend that can be deployed to any inf ...)
 	NOT-FOR-US: Parse Server
 CVE-2026-32247 (Graphiti is a framework for building and querying temporal context gra ...)
@@ -4782,9 +4791,11 @@ CVE-2026-3708 (A security flaw has been discovered in code-projects Simple Fligh
 CVE-2026-3707 (A vulnerability was identified in MrNanko webp4j up to 1.3.x. The affe ...)
 	NOT-FOR-US: MrNanko webp4j
 CVE-2026-3706 (A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted ...)
-	- dropbear <unfixed> (bug #1130870)
+	- dropbear <unfixed> (bug #1130870; unimportant)
 	NOTE: https://github.com/mkj/dropbear/issues/406
 	NOTE: https://github.com/mkj/dropbear/pull/407
+	NOTE: No security impact:
+	NOTE: https://github.com/mkj/dropbear/issues/406#issuecomment-4064502613
 CVE-2026-3705 (A vulnerability was found in code-projects Simple Flight Ticket Bookin ...)
 	NOT-FOR-US: code-projects
 CVE-2026-3704 (A vulnerability has been found in Wavlink NU516U1 251208. This vulnera ...)
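Review bot: The justification for downgrading dropbear to `unimportant` rests only on a link to an issue comment (`issues/406#issuecomment-4064502613`); issue comments can be edited or removed, so a short inline summary of why there is no security impact would keep the rationale in the tracker itself, for example `NOTE: No security impact: <one-line reason>` followed by the URL line as already added.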
@@ -194162,6 +194173,7 @@ CVE-2026-3196
 	NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/61679d7dcfa2dffc8fb115aa19b09e0e7cf5ea5c
 CVE-2026-3195
 	- qemu <unfixed> (bug #1129604)
+	[trixie] - qemu <no-dsa> (Minor issue)
 	[bookworm] - qemu <not-affected> (Incomplete fix for CVE-2024-7730 not applied)
 	[bullseye] - qemu <not-affected> (Incomplete fix for CVE-2024-7730 not applied)
 	NOTE: CVE exists for an incomplete fix for CVE-2024-7730


=====================================
data/dsa-needed.txt
=====================================
@@ -34,7 +34,7 @@ gst-plugins-ugly1.0
 --
 incus/stable
 --
-imagemagick
+imagemagick (jmm)
   Bastien working on another round of updates
 --
 inetutils
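Review bot: Claiming `imagemagick (jmm)` while the indented note below it still reads `Bastien working on another round of updates` attaches two people to the same dsa-needed entry; either extend the note to say who is doing what (for example jmm reviewing or coordinating Bastien's updates) or drop the now-stale line so the claim is unambiguous.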



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/254b7048a453e04cd64631d73de04a6f09fb3355




