[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sun Mar 29 20:44:01 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f76b5994 by Moritz Muehlenhoff at 2026-03-29T21:40:41+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -154,7 +154,7 @@ CVE-2018-25222 (SC v7.16 contains a stack-based buffer overflow vulnerability th
 CVE-2018-25221 (EChat Server 3.1 contains a buffer overflow vulnerability in the chat. ...)
 	NOT-FOR-US: EChat Server
 CVE-2018-25220 (Bochs 2.6-5 contains a stack-based buffer overflow vulnerability that  ...)
-	- bochs <undetermined>
+	NOTE: Bogus CVE for bochs, this crosses no security boundary
 	NOTE: https://www.exploit-db.com/exploits/43979
 CVE-2017-20229 (MAWK 1.3.3-17 and prior contains a stack-based buffer overflow vulnera ...)
 	- mawk <undetermined>
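Review bot: With the `- bochs <undetermined>` line removed, the CVE-2018-25220 entry is left with NOTE lines only, so nothing structured ties it to the bochs source package or records a status the way the neighbouring entries do (`NOT-FOR-US: EChat Server`, `- mawk <undetermined>`). If the assessment is that the bug crosses no security boundary, consider keeping a package line for bochs that carries that verdict and leaving the NOTE as the explanation. That way the decision stays visible per package and is not re-triaged later.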
@@ -5716,6 +5716,8 @@ CVE-2026-32747 (SiYuan is a personal knowledge management system. In versions 3.
 	NOT-FOR-US: SiYuan
 CVE-2026-32711 (pydicom is a pure Python package for working with DICOM files. Version ...)
 	- pydicom <unfixed> (bug #1131492)
+	[trixie] - pydicom <no-dsa> (Minor issue)
+	[bookworm] - pydicom <no-dsa> (Minor issue)
 	NOTE: https://github.com/pydicom/pydicom/security/advisories/GHSA-v856-2rf8-9f28
 	NOTE: Fixed by: https://github.com/pydicom/pydicom/commit/6414f01a053dff925578799f5a7208d2ae585e82 (v3.0.2)
 CVE-2026-32697 (SuiteCRM is an open-source, enterprise-ready Customer Relationship Man ...)
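Review bot: The reason on the two added pydicom lines is the generic "(Minor issue)", while the entry is still `<unfixed>` in unstable (bug #1131492) and a single upstream fix commit is already identified. A short NOTE saying why the impact is minor for trixie and bookworm, and whether that commit would suit a point release, would let the next reader follow the decision without re-reading the GHSA advisory.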
@@ -11468,6 +11470,8 @@ CVE-2026-29064 (Zarf is an Airgap Native Packager Manager for Kubernetes. From v
 	NOT-FOR-US: Zarf
 CVE-2026-29063 (Immutable.js provides many Persistent Immutable data structures. Prior ...)
 	- node-immutable 4.3.8-1
+	[trixie] - node-immutable <no-dsa> (Minor issue)
+	[bookworm] - node-immutable <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/immutable-js/immutable-js/commit/faeb58b0cc71ed351dc51f672a95ae21bc859ef5 (v4.3.8)
 	NOTE: Fixed by: https://github.com/immutable-js/immutable-js/commit/94bcd3c79972db4afffd8d1e5aab415880098b05 (v4.3.8)
 	NOTE: Fixed by: https://github.com/immutable-js/immutable-js/commit/6e2cf1cfe6137e72dfa48fc2cfa8f4d399d113f9 (v3.8.3)
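Review bot: The added `[trixie]` and `[bookworm]` no-dsa lines for node-immutable sit above three "Fixed by" commits that span two upstream branches (v4.3.8 and v3.8.3), and the entry does not say which branch each stable suite ships. A NOTE mapping each suite to the relevant fix commit would make a later point-release backport easier to pick up.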
@@ -17908,6 +17912,8 @@ CVE-2026-26995
 	REJECTED
 CVE-2026-26994 (uTLS is a fork of crypto/tls, created to customize ClientHello for fin ...)
 	- golang-refraction-networking-utls <unfixed> (bug #1129011)
+	[trixie] - golang-refraction-networking-utls <no-dsa> (Minor issue)
+	[bookworm] - golang-refraction-networking-utls <no-dsa> (Minor issue)
 	[bullseye] - golang-refraction-networking-utls <ignored> (Limited support, no binaries built with it)
 	NOTE: https://github.com/refraction-networking/utls/security/advisories/GHSA-pmc3-p9hx-jq96
 	NOTE: Fixed by: https://github.com/refraction-networking/utls/commit/f8892761e2a4d29054264651d3a86fda83bc83f9 (v1.7.0)
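Review bot: The new trixie and bookworm lines for golang-refraction-networking-utls use "(Minor issue)", whereas the existing bullseye line directly below gives a concrete reason, "Limited support, no binaries built with it". If the same rationale holds in the newer suites, say so in the reason. If it does not, and binaries there are built against the library, the entry should record why the issue is still considered minor.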


=====================================
data/dsa-needed.txt
=====================================
@@ -69,6 +69,8 @@ pdfminer (carnil)
 --
 php-laravel-framework/oldstable
 --
+pyasn1 (carnil)
+--
 python-aiohttp
 --
 python-tornado (jmm)
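Review bot: The added `pyasn1 (carnil)` entry has no suite suffix and no accompanying note, and this commit touches no pyasn1 entry in data/CVE/list, so the diff does not show which issue or which suites the DSA is meant to cover. Compare `php-laravel-framework/oldstable` a few lines up, which scopes the work to one suite. Adding the suite, if only one is affected, or an indented note naming the CVE would make the queue entry self-explanatory.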



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f76b5994cfd015d2652495c18a716f1241e63da4
