[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sun Mar 29 20:13:20 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
dcec973b by security tracker role at 2026-03-29T19:13:14+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,4 +1,66 @@
-CVE-2026-23400 [rust_binder: call set_notification_done() without proc lock]
+CVE-2026-5046 (A flaw has been found in Tenda FH1201 1.2.0.14(408). Affected is the f ...)
+ TODO: check
+CVE-2026-5045 (A vulnerability was detected in Tenda FH1201 1.2.0.14(408). This impac ...)
+ TODO: check
+CVE-2026-5044 (A security vulnerability has been detected in Belkin F9K1122 1.00.33. ...)
+ TODO: check
+CVE-2026-5043 (A weakness has been identified in Belkin F9K1122 1.00.33. The impacted ...)
+ TODO: check
+CVE-2026-5042 (A security flaw has been discovered in Belkin F9K1122 1.00.33. The aff ...)
+ TODO: check
+CVE-2026-5041 (A vulnerability was identified in code-projects Chamber of Commerce Me ...)
+ TODO: check
+CVE-2026-5037 (A vulnerability was determined in mxml up to 4.0.4. This issue affects ...)
+ TODO: check
+CVE-2026-5036 (A vulnerability was found in Tenda 4G06 04.06.01.29. This vulnerabilit ...)
+ TODO: check
+CVE-2026-34005 (In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 ...)
+ TODO: check
+CVE-2026-33575 (OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials ...)
+ TODO: check
+CVE-2026-33574 (OpenClaw before 2026.3.8 contains a path traversal vulnerability in th ...)
+ TODO: check
+CVE-2026-33573 (OpenClaw before 2026.3.11 contains an authorization bypass vulnerabili ...)
+ TODO: check
+CVE-2026-33572 (OpenClaw before 2026.2.17 creates session transcript JSONL files with ...)
+ TODO: check
+CVE-2026-32987 (OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed ...)
+ TODO: check
+CVE-2026-32980 (OpenClaw before 2026.3.13 reads and buffers Telegram webhook request b ...)
+ TODO: check
+CVE-2026-32979 (OpenClaw before 2026.3.11 contains an approval integrity vulnerability ...)
+ TODO: check
+CVE-2026-32978 (OpenClaw before 2026.3.11 contains an approval integrity vulnerability ...)
+ TODO: check
+CVE-2026-32975 (OpenClaw before 2026.3.12 contains a weak authorization vulnerability ...)
+ TODO: check
+CVE-2026-32974 (OpenClaw before 2026.3.12 contains an authentication bypass vulnerabil ...)
+ TODO: check
+CVE-2026-32973 (OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerabil ...)
+ TODO: check
+CVE-2026-32972 (OpenClaw before 2026.3.11 contains an authorization bypass vulnerabili ...)
+ TODO: check
+CVE-2026-32924 (OpenClaw before 2026.3.12 contains an authorization bypass vulnerabili ...)
+ TODO: check
+CVE-2026-32923 (OpenClaw before 2026.3.11 contains an authorization bypass vulnerabili ...)
+ TODO: check
+CVE-2026-32922 (OpenClaw before 2026.3.11 contains a privilege escalation vulnerabilit ...)
+ TODO: check
+CVE-2026-32919 (OpenClaw before 2026.3.11 contains an authorization bypass vulnerabili ...)
+ TODO: check
+CVE-2026-32918 (OpenClaw before 2026.3.11 contains a session sandbox escape vulnerabil ...)
+ TODO: check
+CVE-2026-32915 (OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerabi ...)
+ TODO: check
+CVE-2026-32914 (OpenClaw before 2026.3.12 contains an insufficient access control vuln ...)
+ TODO: check
+CVE-2026-0562 (A critical security vulnerability in parisneo/lollms versions up to 2. ...)
+ TODO: check
+CVE-2026-0560 (A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/ ...)
+ TODO: check
+CVE-2026-0558 (A vulnerability in parisneo/lollms, up to and including version 2.2.0, ...)
+ TODO: check
+CVE-2026-23400 (In the Linux kernel, the following vulnerability has been resolved: r ...)
- linux 6.19.10-1
[trixie] - linux <not-affected> (Vulnerable code not present)
[bookworm] - linux <not-affected> (Vulnerable code not present)
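Review bot: all of the newly added entries in this hunk (CVE-2026-5046 down to CVE-2026-0558) are left at `TODO: check`, so the hunk records descriptions but no triage; each still needs to be resolved into the list's usual form, either a source-package line with a fixed version (as CVE-2026-23400 has at the end of the hunk) or a `NOT-FOR-US:` marker for software not in the archive, which is what the vendor-firmware entries (Tenda FH1201/4G06, Belkin F9K1122, Xiongmai DVR/NVR) will most likely become, while CVE-2026-5037 (mxml up to 4.0.4) should be checked against a packaged source. The replacement of the bracketed `[rust_binder: call set_notification_done() without proc lock]` placeholder for CVE-2026-23400 by the published upstream description is the expected automatic rewrite once the CVE text is available; the existing `linux 6.19.10-1` fix line and the `[trixie]`/`[bookworm]` not-affected annotations are carried over unchanged.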
@@ -843,6 +905,7 @@ CVE-2026-3650 (A memory leak exists in the Grassroots DICOM library (GDCM). The
CVE-2026-1556 (Information disclosure in the file URI processing of File (Field) Path ...)
- drupal7 <removed>
CVE-2026-33542 (Incus is a system container and virtual machine manager. Prior to vers ...)
+ {DSA-6184-1}
- incus 6.0.6-2
- lxd <removed>
NOTE: https://github.com/lxc/incus/pull/3092
@@ -854,11 +917,13 @@ CVE-2026-33711 (Incus is a system container and virtual machine manager. Incus p
NOTE: Kernel hardening with fs.protected_symlinks protects against exploiting
NOTE: the issue.
CVE-2026-33743 (Incus is a system container and virtual machine manager. Prior to vers ...)
+ {DSA-6184-1}
- incus 6.0.6-2
- lxd <not-affected> (Vulnerable code not present)
NOTE: https://github.com/lxc/incus/pull/3092
NOTE: https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3
CVE-2026-33897 (Incus is a system container and virtual machine manager. Prior to vers ...)
+ {DSA-6184-1}
- incus 6.0.6-2
- lxd <not-affected> (Vulnerable code not present)
NOTE: https://github.com/lxc/incus/pull/3092
@@ -3085,22 +3150,27 @@ CVE-2026-3836
- dnf5 <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2445770
CVE-2026-21717
+ {DSA-6183-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#hashdos-in-v8-cve-2026-21717---medium
NOTE: Fixed by: https://github.com/nodejs/node/commit/af5c144ebcf9814ef5dc74555bbdcd2a4cb20a12 (v20.20.2)
CVE-2026-21716
+ {DSA-6183-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#cve-2024-36137-patch-bypass---filehandlechmodchown-cve-2026-21716---low
NOTE: Fixed by: https://github.com/nodejs/node/commit/012330956669e06864a674917de352d2d69ff51c (v20.20.2)
CVE-2026-21715
+ {DSA-6183-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#permission-model-bypass-in-realpathsyncnative-allows-file-existence-disclosure-cve-2026-21715---low
NOTE: Fixed by: https://github.com/nodejs/node/commit/00830712bc623ba04b08856462a56b79e29f5cc3 (v20.20.2)
CVE-2026-21714
+ {DSA-6183-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#memory-leak-in-nodejs-http2-server-via-window_update-on-stream-0-leads-to-resource-exhaustion-cve-2026-21714---medium
NOTE: Fixed by: https://github.com/nodejs/node/commit/a0c73425da4c95fbcf6c13b7fe8921301290b8e6 (v20.20.2)
CVE-2026-21713
+ {DSA-6183-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#timing-side-channel-in-hmac-verification-via-memcmp-in-crypto_hmaccc-leads-to-potential-mac-forgery-cve-2026-21713---medium
NOTE: Fixed by: https://github.com/nodejs/node/commit/cfb51fa9ce1da2a8c810ec35bcc7c000f8c94faf (v20.20.2)
@@ -3111,6 +3181,7 @@ CVE-2026-21711
- nodejs <not-affected> (Vulnerable code not present)
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#nodejs-permission-model-bypass-uds-server-bindlisten-works-without---allow-net-cve-2026-21711---medium
CVE-2026-21710
+ {DSA-6183-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#denial-of-service-via-__proto__-header-name-in-reqheadersdistinct-uncaught-typeerror-crashes-nodejs-process-cve-2026-21710---high
NOTE: Fixed by: https://github.com/nodejs/node/commit/00ad47a28eb2e3dc0ff5610d58c53341acf3cf8d (v20.20.2)
@@ -5545,6 +5616,7 @@ CVE-2026-32938 (SiYuan is a personal knowledge management system. In versions 3.
CVE-2026-32937 (free5GC is an open source 5G core network. free5GC CHF prior to versio ...)
NOT-FOR-US: Free5GC
CVE-2026-32935 (phpseclib is a PHP secure communications library. Projects using versi ...)
+ {DSA-6187-1 DSA-6186-1 DSA-6185-1}
- php-phpseclib3 3.0.50-1 (bug #1131482)
- php-phpseclib 2.0.52-1 (bug #1131483)
- phpseclib 1.0.27-1 (bug #1131484)
@@ -8547,6 +8619,7 @@ CVE-2026-28792 (Tina is a headless content management system. Prior to 2.1.8 , t
CVE-2026-28791 (Tina is a headless content management system. Prior to 2.1.7, a path t ...)
NOT-FOR-US: Tina CMS (different from src:tina)
CVE-2026-28384 (An improper sanitization of the compression_algorithm parameter in Can ...)
+ {DSA-6184-1}
- incus 6.0.6-1
- lxd <removed>
NOTE: https://github.com/canonical/lxd/security/advisories/GHSA-4rmf-rcp8-2r9g
@@ -10370,7 +10443,7 @@ CVE-2026-2922 (GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execu
NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/d88688c8ae0c58e39d3c6757353f338afe615f7e (1.24 branch)
NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/18519ccebb07b9e88c2c2ec2f0b747bfe7d7fe2f (1.24 branch)
CVE-2026-2921 (GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerab ...)
- {DSA-6167-1}
+ {DSA-6167-1 DLA-4514-1}
- gst-plugins-base1.0 1.28.1-1
NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0004.html
NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/66d1f79c78b573db714434cf08e7531bed4f4473 (main)
@@ -23628,17 +23701,21 @@ CVE-2026-24050 (Zulip is an open-source team collaboration tool. From 5.0 to bef
CVE-2026-23989 (REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bu ...)
NOT-FOR-US: REVA
CVE-2026-23741 (Asterisk is an open source private branch exchange and telephony toolk ...)
+ {DLA-4515-1}
- asterisk 1:22.8.2+dfsg+~cs6.15.60671435-1 (bug #1127438)
NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3
CVE-2026-23740 (Asterisk is an open source private branch exchange and telephony toolk ...)
+ {DLA-4515-1}
- asterisk 1:22.8.2+dfsg+~cs6.15.60671435-1 (bug #1127438)
NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c
CVE-2026-23739 (Asterisk is an open source private branch exchange and telephony toolk ...)
+ {DLA-4515-1}
- asterisk 1:22.8.2+dfsg+~cs6.15.60671435-1 (unimportant; bug #1127438)
NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42
NOTE: Asterisk does ot allow untrusted or user-supplied XML to be used but upstream
NOTE: fixed the issue as a future hardening measure.
CVE-2026-23738 (Asterisk is an open source private branch exchange and telephony toolk ...)
+ {DLA-4515-1}
- asterisk 1:22.8.2+dfsg+~cs6.15.60671435-1 (bug #1127438)
NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh
CVE-2026-23633 (Gogs is an open source self-hosted Git service. In version 0.13.3 and ...)
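Review bot: the NOTE under CVE-2026-23739 has a typo in a context line, `Asterisk does ot allow untrusted or user-supplied XML`, which should read `does not allow`; since this hunk already touches that entry to add `{DLA-4515-1}`, a follow-up commit can correct it. The `(unimportant; bug #1127438)` severity on that entry alongside the new DLA cross-reference is consistent, given the NOTE explains the fix was taken as a hardening measure rather than for an exploitable issue.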
@@ -33014,7 +33091,7 @@ CVE-2025-55132 (A flaw in Node.js's permission model allows a file's access and
NOTE: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases#fsfutimes-bypasses-read-only-permission-model-cve-2025-55132---low
NOTE: Fixed by: https://github.com/nodejs/node/commit/14fbbb510c6d62b4510e3f48ee801807d9a5fbab (v20.20.0)
CVE-2026-21637 (A flaw in Node.js TLS error handling allows remote attackers to crash ...)
- {DSA-6166-1}
+ {DSA-6183-1 DSA-6166-1}
- nodejs 22.22.2+dfsg+~cs22.19.15-1
NOTE: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases#tls-pskalpn-callback-exceptions-bypass-error-handlers-causing-dos-and-fd-leak-cve-2026-21637---medium
NOTE: Fixed by: https://github.com/nodejs/node/commit/85f73e7057e9badf6e7713f7440769375cdb5df5 (v20.20.0)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcec973b6ebe1b52176c23d1ecdfb904e3f0dddf