[Git][security-tracker-team/security-tracker][master] 5 commits: CVE-2026-32700/ruby-devise: bullseye ignored

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Wed Mar 25 09:00:36 GMT 2026



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c58ba900 by Sylvain Beucler at 2026-03-25T09:37:16+01:00
CVE-2026-32700/ruby-devise: bullseye ignored

- - - - -
83edc162 by Sylvain Beucler at 2026-03-25T09:39:02+01:00
CVE-2026-28500/onnx: follow bookworm triage

- - - - -
17c299b6 by Sylvain Beucler at 2026-03-25T09:40:35+01:00
CVE-2026-31899/cairosvg: bullseye postponed

- - - - -
0b896671 by Sylvain Beucler at 2026-03-25T09:53:56+01:00
CVE-2026-3884/libjs-spin.js: bullseye postponed

- - - - -
0da2fcbb by Sylvain Beucler at 2026-03-25T10:00:07+01:00
CVE-2026-32141,CVE-2026-33228/node-flatted: follow bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1838,6 +1838,7 @@ CVE-2026-33228 (flatted is a circular JSON parser. Prior to version 3.4.2, the p
 	- node-flatted 3.4.2~ds-1 (bug #1131462)
 	[trixie] - node-flatted <no-dsa> (Minor issue)
 	[bookworm] - node-flatted <no-dsa> (Minor issue)
+	[bullseye] - node-flatted <postponed> (Minor issue)
 	NOTE: https://github.com/WebReflection/flatted/security/advisories/GHSA-rf6f-7fwh-wjgh
 	NOTE: Fixed by: https://github.com/WebReflection/flatted/commit/885ddcc33cf9657caf38c57c7be45ae1c5272802 (v3.4.2)
 CVE-2026-33226 (Budibase is a low code platform for creating internal tools, workflows ...)
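
Review bot: the added `[bullseye]` line for CVE-2026-33228 gives only `(Minor issue)` as its reason, while most of the other bullseye lines in this push carry a qualifier (`DoS`, `hard to trigger`), including the sibling node-flatted entry CVE-2026-32141. A short impact qualifier here would record why this one is `<postponed>` and keep the two node-flatted entries consistent.
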
@@ -3197,6 +3198,7 @@ CVE-2026-32703 (OpenProject is an open-source, web-based project management soft
 CVE-2026-32700 (Devise is an authentication solution for Rails based on Warden. Prior  ...)
 	- ruby-devise <removed>
 	[bookworm] - ruby-devise <ignored> (Minor issue)
+	[bullseye] - ruby-devise <ignored> (Minor issue, ruby-devise* removed from Debian)
 	NOTE: https://github.com/heartcombo/devise/security/advisories/GHSA-57hq-95w6-v4fc
 	NOTE: https://github.com/heartcombo/devise/issues/5783
 	NOTE: https://github.com/heartcombo/devise/pull/5784
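
Review bot: on the added `[bullseye]` line, the reason `ruby-devise* removed from Debian` restates what `- ruby-devise <removed>` two lines above already records, and the `*` glob leaves open which packages are meant. Since `<ignored>` closes the issue for bullseye, consider naming the packages explicitly and stating the reason that applies to bullseye itself, which still has an entry here.
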
@@ -3785,6 +3787,7 @@ CVE-2026-28500 (Open Neural Network Exchange (ONNX) is an open standard for mach
 	- onnx <unfixed> (bug #1131209)
 	[trixie] - onnx <no-dsa> (Minor issue)
 	[bookworm] - onnx <no-dsa> (Minor issue)
+	[bullseye] - onnx <postponed> (Minor issue)
 	NOTE: https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m
 CVE-2026-28499 (LeafKit is a templating language with Swift-inspired syntax. Prior to  ...)
 	NOT-FOR-US: LeafKit
@@ -5121,6 +5124,7 @@ CVE-2026-31899 (CairoSVG is an SVG converter based on Cairo, a 2D graphics libra
 	- cairosvg <unfixed> (bug #1130748)
 	[trixie] - cairosvg <no-dsa> (Minor issue)
 	[bookworm] - cairosvg <no-dsa> (Minor issue)
+	[bullseye] - cairosvg <postponed> (Minor issue, DoS)
 	NOTE: https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c
 	NOTE: Fixed by: https://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf (2.9.0)
 CVE-2026-31897 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
@@ -5513,9 +5517,10 @@ CVE-2026-32141 (flatted is a circular JSON parser. Prior to 3.4.0, flatted's par
 	- node-flatted 3.4.1~ds-1
 	[trixie] - node-flatted <no-dsa> (Minor issue)
 	[bookworm] - node-flatted <no-dsa> (Minor issue)
+	[bullseye] - node-flatted <postponed> (Minor issue, DoS)
 	NOTE: https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f
 	NOTE: https://github.com/WebReflection/flatted/pull/88
-	NOTE: Fixedby: https://github.com/WebReflection/flatted/commit/7774aae45d3775c842abe9d071fd009171a5fc0c (v3.4.0)
+	NOTE: Fixed by: https://github.com/WebReflection/flatted/commit/7774aae45d3775c842abe9d071fd009171a5fc0c (v3.4.0)
 CVE-2026-32140 (Dataease is an open source data visualization analysis tool. Prior to  ...)
 	NOT-FOR-US: DataEase
 CVE-2026-32139 (Dataease is an open source data visualization analysis tool. In DataEa ...)
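
Review bot: the `Fixedby:` to `Fixed by:` correction at the end of this hunk is unrelated to the bullseye triage and is not mentioned in the commit message `CVE-2026-32141,CVE-2026-33228/node-flatted: follow bookworm triage`. Put it in its own commit or add a line to the message, so the NOTE fix can be found in the history.
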
@@ -6408,6 +6413,7 @@ CVE-2026-3884 (Versions of the package spin.js before 3.0.0 are vulnerable to Cr
 	- libjs-spin.js <unfixed> (bug #1131449)
 	[trixie] - libjs-spin.js <no-dsa> (Minor issue)
 	[bookworm] - libjs-spin.js <no-dsa> (Minor issue)
+	[bullseye] - libjs-spin.js <postponed> (Minor issue, hard to trigger)
 	NOTE: https://security.snyk.io/vuln/SNYK-JS-SPINJS-15445079
 	NOTE: Fixed by: https://github.com/fgnass/spin.js/commit/1f63d33b74e5919e7fe24bf97eca96a346535f6f
 CVE-2026-3826 (IFTOP developed by WellChoose has a Local File Inclusion vulnerability ...)
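
Review bot: `hard to trigger` on the added `[bullseye]` line is not backed by anything else in the entry; the NOTE lines only link the Snyk advisory and the fix commit. A short NOTE stating the precondition that makes it hard to trigger would let a later triager re-check the `<postponed>` decision.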



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5496473c9bce3309eb10db4612af6668e9f45d28...0da2fcbb4e6dfbd8383a0bd78514d96d9f1774d7
