[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sun Mar 29 14:03:28 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
51f23ebd by Moritz Muehlenhoff at 2026-03-29T14:46:32+02:00
trixie/bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -594,9 +594,13 @@ CVE-2026-33280 (Hidden functionality issue exists in BUFFALO Wi-Fi router produc
NOT-FOR-US: BUFFALO
CVE-2026-33206 (calibre is a cross-platform e-book manager for viewing, converting, ed ...)
- calibre 9.6.0+ds+~0.10.5-1
+ [trixie] - calibre <no-dsa> (Minor issue)
+ [bookworm] - calibre <no-dsa> (Minor issue)
NOTE: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-h3p4-m74f-43g6
CVE-2026-33205 (calibre is a cross-platform e-book manager for viewing, converting, ed ...)
- calibre 9.6.0+ds+~0.10.5-1
+ [trixie] - calibre <no-dsa> (Minor issue)
+ [bookworm] - calibre <no-dsa> (Minor issue)
NOTE: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-4926-v9px-wv7v
CVE-2026-33045 (Home Assistant is open source home automation software that puts local ...)
NOT-FOR-US: Home Assistant
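Review bot: both calibre entries get a "(Minor issue)" no-dsa tag for trixie and bookworm with no NOTE recording why the two GHSA advisories are considered minor, whereas the GIMP entry in this same commit adds an explicit rationale line. Consider adding a short NOTE under each (for example what the advisory's impact is limited to) so the severity call can be re-checked later without re-reading the upstream advisory.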
@@ -874,9 +878,10 @@ CVE-2026-4897 (A flaw was found in polkit. A local user can exploit this by prov
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2451739
TODO: check upstream details
CVE-2026-4887 (A flaw was found in GIMP. This issue is a heap buffer over-read in GIM ...)
- - gimp 3.2.0-1
+ - gimp 3.2.0-1 (unimportant)
NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/15960
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gimp/-/commit/aabce89271a9943a43bda9225aa43fc524f1c8a4 (GIMP_3_2_0)
+ NOTE: Crash in CLI tool, no security impact
CVE-2026-4877 (A security flaw has been discovered in itsourcecode Payroll Management ...)
NOT-FOR-US: itsourcecode System
CVE-2026-4876 (A vulnerability was identified in itsourcecode Free Hotel Reservation ...)
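Review bot: the new rationale NOTE "Crash in CLI tool, no security impact" does not name which CLI tool or which format parser is affected, while the CVE description refers to a heap buffer over-read; naming the binary would make the "(unimportant)" downgrade easier to audit and to match against the "Fixed by" commit already listed.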
@@ -5062,8 +5067,12 @@ CVE-2026-4519 (The webbrowser.open() API would accept leading dashes in the URL
- python2.7 <removed>
[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
- jython <unfixed>
+ [trixie] - jython <no-dsa> (Minor issue)
+ [bookworm] - jython <no-dsa> (Minor issue)
[bullseye] - jython <end-of-life> (EOL in bullseye LTS)
- pypy3 <unfixed>
+ [trixie] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/
NOTE: https://github.com/python/cpython/issues/143930
NOTE: https://github.com/python/cpython/pull/143931
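Review bot: jython and pypy3 stay "<unfixed>" in unstable while gaining "<no-dsa> (Minor issue)" for trixie and bookworm, but unlike the black and biosig entries in this commit no Debian bug number is recorded for either package, so the unfixed status has nothing tracking it; consider filing and recording bugs (e.g. "- jython <unfixed> (bug #NNNNNN)") and noting whether the cpython fix in PR 143931 applies to those implementations at all.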
@@ -8410,6 +8419,8 @@ CVE-2026-3059 (SGLang's multimodal generation module is vulnerable to unauthenti
NOT-FOR-US: sgl-project sglang
CVE-2026-32274 (Black is the uncompromising Python code formatter. Prior to 26.3.1, Bl ...)
- black 26.3.1-1 (bug #1130657)
+ [trixie] - black <no-dsa> (Minor issue)
+ [bookworm] - black <no-dsa> (Minor issue)
NOTE: https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m
NOTE: https://github.com/psf/black/pull/5038
NOTE: Fixed by: https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d (26.3.1)
@@ -13400,12 +13411,16 @@ CVE-2026-24103 (A buffer overflow vulnerability was discovered in goform/formSet
NOT-FOR-US: Tenda
CVE-2026-22891 (A heap-based buffer overflow vulnerability exists in the Intan CLP par ...)
- biosig <unfixed> (bug #1130889)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2026-2361
NOTE: Fixed by: https://sourceforge.net/p/biosig/code/ci/3002bdc6f46225a4e76caefdd2444276e6c5b0a7/ (v3.9.3)
CVE-2026-22886 (OpenMQ exposes a TCP-based management service (imqbrokerd) that by def ...)
NOT-FOR-US: OpenMQ
CVE-2026-20777 (A heap-based buffer overflow vulnerability exists in the Nicolet WFT p ...)
- biosig <unfixed> (bug #1130889)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2026-2362
NOTE: Fixed by: https://sourceforge.net/p/biosig/code/ci/abe197c3627256ef3615a2d2f808ded069e1df4b/ (v3.9.3)
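Review bot: the two biosig entries here (CVE-2026-22891 and CVE-2026-20777) and the one in the next hunk (CVE-2025-64736) all point at bug #1130889 and at upstream v3.9.3, so they are effectively one fix; a NOTE on one of them stating that v3.9.3 resolves all three would make it clear that uploading that version closes the whole set, and the "(Minor issue)" tags would then be easier to revisit together.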
CVE-2026-1265 (IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnera ...)
@@ -13429,6 +13444,8 @@ CVE-2025-66363 (An issue was discovered in LBS in Samsung Mobile Processor Exyno
NOT-FOR-US: Samsung
CVE-2025-64736 (An out-of-bounds read vulnerability exists in the ABF parsing function ...)
- biosig <unfixed> (bug #1130889)
+ [trixie] - biosig <no-dsa> (Minor issue)
+ [bookworm] - biosig <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2323
NOTE: Fixed by: https://sourceforge.net/p/biosig/code/ci/718741c09e0b065b8ad0ebf66128a44899554930/ (v3.9.3)
CVE-2025-63912 (Cohesity TranZman Migration Appliance Release 4.0 Build 14614 was disc ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51f23ebd89ada9881ab8a89a8d2d566e4690c77f