[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Mar 30 09:28:19 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
1ddd3fe2 by Moritz Muehlenhoff at 2026-03-30T10:28:03+02:00
trixie/bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -4617,6 +4617,8 @@ CVE-2026-4540 (A vulnerability was detected in projectworlds Online Notes Sharin
NOT-FOR-US: Project Worlds
CVE-2026-4539 (A security flaw has been discovered in pygments up to 2.19.2. The impa ...)
- pygments <unfixed> (bug #1132233)
+ [trixie] - pygments <no-dsa> (Minor issue)
+ [bookworm] - pygments <no-dsa> (Minor issue)
NOTE: https://github.com/pygments/pygments/issues/3058
NOTE: https://github.com/pygments/pygments/pull/3064
NOTE: Fixed by: https://github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2ccc (2.20.0)
@@ -4757,7 +4759,7 @@ CVE-2019-25546 (NetAware 1.20 contains a buffer overflow vulnerability in the Sh
CVE-2019-25545 (Terminal Services Manager 3.2.1 contains a local buffer overflow vulne ...)
NOT-FOR-US: Terminal Services Manager
CVE-2019-25544 (Pidgin 2.13.0 contains a denial of service vulnerability that allows l ...)
- TODO: check
+ NOTE: Bogus CVE assignment for Pidgin, no security impact
CVE-2026-33250 (Freeciv21 is a free open source, turn-based, empire-building strategy ...)
{DSA-6173-1}
- freeciv 3.2.4+ds-1 (bug #1131524)
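Review bot: for CVE-2019-25544 the `TODO: check` line is replaced by a bare NOTE, so the entry now records the reasoning ("Bogus CVE assignment for Pidgin, no security impact") but still carries no package or state line for the pidgin source package; if the CVE is being dismissed, consider pairing the note with an explicit disposition such as `- pidgin <not-affected> (Bogus CVE assignment)` so the entry reads as closed rather than as an open item without a package line. A reference to where the assignment was judged bogus (upstream or CNA discussion) would also make the note verifiable later.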
@@ -5186,10 +5188,9 @@ CVE-2026-0609 (The Logo Slider \u2013 Logo Carousel, Logo Showcase & Client Logo
NOT-FOR-US: WordPress plugin
CVE-2025-63261 (AWStats 8.0 is vulnerable to Command Injection via the open function)
{DLA-4509-1}
- - awstats <unfixed> (bug #1131878)
- [trixie] - awstats <no-dsa> (Minor issue; requires an attacker to modify awstats.conf)
- [bookworm] - awstats <no-dsa> (Minor issue; requires an attacker to modify awstats.conf)
+ - awstats <unfixed> (bug #1131878; unimportant)
NOTE: https://pentest-tools.com/PTT-2025-021-Code-Execution-in-AWStats.pdf
+ NOTE: Crosses no reasonable security boundary, requires an attacker to modify awstats.conf
CVE-2025-55988 (An issue in the component /Controllers/RestController.php of DreamFact ...)
NOT-FOR-US: DreamFactory Core
CVE-2025-14037 (The Invelity Product Feeds plugin for WordPress is vulnerable to arbit ...)
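Review bot: the downgrade of CVE-2025-63261 to `unimportant` sits directly under the unchanged `{DLA-4509-1}` reference, so the entry now states both that bullseye shipped an advisory for this issue and that it "crosses no reasonable security boundary"; the new NOTE would be clearer with a short clause saying why the earlier DLA assessment is superseded (the vector requiring an attacker who can already edit awstats.conf, as the removed `<no-dsa>` lines also said), so the two statements do not read as contradictory.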
@@ -6414,6 +6415,8 @@ CVE-2026-3479 (pkgutil.get_data() did not validate the resource argument as docu
- python2.7 <removed>
[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
- pypy3 <unfixed>
+ [trixie] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/
NOTE: https://github.com/python/cpython/issues/146121
NOTE: https://github.com/python/cpython/pull/146133 (3.14)
@@ -12312,6 +12315,8 @@ CVE-2026-2297 (The import hook in CPython that handles legacy *.pyc files (Sourc
- python3.11 <removed>
- python3.9 <removed>
- pypy3 <unfixed>
+ [trixie] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 <no-dsa> (Minor issue)
- python2.7 <not-affected> (PEP 578 not introduced yet)
NOTE: https://github.com/python/cpython/issues/145506
NOTE: https://github.com/python/cpython/pull/145507
@@ -34985,6 +34990,8 @@ CVE-2025-14574 (The weDocs plugin for WordPress is vulnerable to Sensitive Infor
NOT-FOR-US: WordPress plugin
CVE-2025-14505 (The ECDSA implementation of the Elliptic package generates incorrect s ...)
- node-elliptic <unfixed> (bug #1125180)
+ [trixie] - node-elliptic <postponed> (Revisit when fixed upstream)
+ [bookworm] - node-elliptic <postponed> (Revisit when fixed upstream)
[bullseye] - node-elliptic <postponed> (Revisit when fixed upstream)
NOTE: https://github.com/indutny/elliptic/issues/321
NOTE: https://github.com/indutny/elliptic/pull/345
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ddd3fe2ae5bd6572c625de5b0104e396d16328a