[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Mar 30 22:44:06 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8938a7a5 by Moritz Muehlenhoff at 2026-03-30T23:29:10+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -392,6 +392,7 @@ CVE-2017-20226 (Mapscrn 2.0.3 contains a stack-based buffer overflow vulnerabili
NOT-FOR-US: Mapscrn
CVE-2017-20225 (TiEmu 2.08 and prior contains a stack-based buffer overflow vulnerabil ...)
- tiemu <removed>
+ [bookworm] - tiemu <ignored> (Minor issue)
NOTE: https://www.exploit-db.com/exploits/42087
CVE-2016-20049 (JAD 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vul ...)
- jad <removed>
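Review bot: the tiemu bookworm line uses <ignored> where every other triage line in this commit uses <no-dsa>, and "(Minor issue)" does not say why a stack-based buffer overflow with a public exploit-db PoC (the NOTE link directly below) can be ignored rather than deferred. State the rationale in the annotation, e.g. "(Minor issue; requires a crafted local input file)" if that is the case, so the call is auditable later.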
@@ -841,6 +842,8 @@ CVE-2026-33661 (Pay is an open-source payment SDK extension package for various
NOT-FOR-US: Pay
CVE-2026-33658 (Active Storage allows users to attach cloud and local files in Rails a ...)
- rails <unfixed> (bug #1132035)
+ [trixie] - rails <no-dsa> (Minor issue)
+ [bookworm] - rails <no-dsa> (Minor issue)
NOTE: https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
NOTE: Fixed by: https://github.com/rails/rails/commit/85ec5b1e00d3197d8c69a5e622e1b398a1b10b06 (v8.1.2.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/d7da4ef03f99035fba5add8828646f1e9173549c (v8.0.4.1)
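Review bot: the "Fixed by" notes for CVE-2026-33658 list only v8.1.2.1 and v8.0.4.1, while the neighbouring Rails advisories also carry a v7.2.3.1 commit, so it is unclear whether the 7.2 branch (and older branches shipped in the stable suites) is affected at all. If upstream did not release a 7.2 fix because the code is not present there, <not-affected> would be more precise than <no-dsa> for the suite(s) on that branch; otherwise the missing commit should be recorded.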
@@ -4185,48 +4188,64 @@ CVE-2026-33211 (Tekton Pipelines project provides k8s-style resources for declar
NOT-FOR-US: Tekton Pipelines project
CVE-2026-33202 (Active Storage allows users to attach cloud and local files in Rails a ...)
- rails <unfixed> (bug #1132035)
+ [trixie] - rails <no-dsa> (Minor issue)
+ [bookworm] - rails <no-dsa> (Minor issue)
NOTE: https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
NOTE: Fixed by: https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c (v8.1.2.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf (v8.0.4.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82 (v7.2.3.1)
CVE-2026-33195 (Active Storage allows users to attach cloud and local files in Rails a ...)
- rails <unfixed> (bug #1132035)
+ [trixie] - rails <no-dsa> (Minor issue)
+ [bookworm] - rails <no-dsa> (Minor issue)
NOTE: https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
NOTE: Fixed by: https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655 (v8.1.2.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348 (v8.0.4.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c (v7.2.3.1)
CVE-2026-33176 (Active Support is a toolkit of support libraries and Ruby core extensi ...)
- rails <unfixed> (bug #1132035)
+ [trixie] - rails <no-dsa> (Minor issue)
+ [bookworm] - rails <no-dsa> (Minor issue)
NOTE: https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
NOTE: Fixed by: https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb (v8.1.2.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856 (v8.0.4.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a (v7.2.3.1)
CVE-2026-33174 (Active Storage allows users to attach cloud and local files in Rails a ...)
- rails <unfixed> (bug #1132035)
+ [trixie] - rails <no-dsa> (Minor issue)
+ [bookworm] - rails <no-dsa> (Minor issue)
NOTE: https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
NOTE: Fixed by: https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a (v8.1.2.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5 (v8.0.4.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b (v7.2.3.1)
CVE-2026-33173 (Active Storage allows users to attach cloud and local files in Rails a ...)
- rails <unfixed> (bug #1132035)
+ [trixie] - rails <no-dsa> (Minor issue)
+ [bookworm] - rails <no-dsa> (Minor issue)
NOTE: https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
NOTE: Fixed by: https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0 (v8.1.2.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e (v8.0.4.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53 (v7.2.3.1)
CVE-2026-33170 (Active Support is a toolkit of support libraries and Ruby core extensi ...)
- rails <unfixed> (bug #1132035)
+ [trixie] - rails <no-dsa> (Minor issue)
+ [bookworm] - rails <no-dsa> (Minor issue)
NOTE: https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
NOTE: Fixed by: https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7 (v8.1.2.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db (v8.0.4.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb (v7.2.3.1)
CVE-2026-33169 (Active Support is a toolkit of support libraries and Ruby core extensi ...)
- rails <unfixed> (bug #1132035)
+ [trixie] - rails <no-dsa> (Minor issue)
+ [bookworm] - rails <no-dsa> (Minor issue)
NOTE: https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
NOTE: Fixed by: https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49 (v8.1.2.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11 (v8.0.4.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974 (v7.2.3.1)
CVE-2026-33168 (Action View provides conventions and helpers for building web pages wi ...)
- rails <unfixed> (bug #1132035)
+ [trixie] - rails <no-dsa> (Minor issue)
+ [bookworm] - rails <no-dsa> (Minor issue)
NOTE: https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
NOTE: Fixed by: https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d (v8.1.2.1)
NOTE: Fixed by: https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924 (v8.0.4.1)
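Review bot: CVE-2026-33168 at the end of this hunk is the other Rails entry with no v7.2.3.1 commit listed, unlike the six entries above it; as with CVE-2026-33658, the trixie/bookworm lines should reflect whether the older branch is affected (<not-affected>) rather than a blanket <no-dsa>. All eight entries also share bug #1132035 and an identical "(Minor issue)" justification; a one-line NOTE per CVE on the impact class (the Active Storage vs. Active Support vs. Action View split visible in the descriptions) would make the per-issue severity call reviewable without following every GHSA link.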
@@ -4597,7 +4616,10 @@ CVE-2026-33347 (league/commonmark is a PHP Markdown parser. From version 2.3.0 t
NOTE: Fixed by: https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b (2.8.2)
CVE-2026-33699 (pypdf is a free and open-source pure-python PDF library. Versions prio ...)
- pypdf 6.9.2-1
+ [trixie] - pypdf <no-dsa> (Minor issue)
+ [bookworm] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
+ [bookworm] - pypdf2 <no-dsa> (Minor issue)
NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3
NOTE: https://github.com/py-pdf/pypdf/pull/3693
NOTE: Fixed by: https://github.com/py-pdf/pypdf/commit/02b1345f77fdbc006faccc301507df4fb1855413 (6.9.2)
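Review bot: the pypdf2 source gets a bookworm <no-dsa> line here but no bullseye annotation, whereas the CVE-2026-27026/27025/27024 hunks later in this patch already carry "[bullseye] - pypdf2 <postponed> (minor issue; DoS)". Either bullseye is not affected by this one (then record <not-affected>) or it should get the same treatment as the other pypdf2 issues; leaving it unannotated makes it look untriaged. The same applies to the CVE-2026-33123, 31826, 28804, 27888 and 27628 hunks below.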
@@ -5502,7 +5524,10 @@ CVE-2026-33124 (Frigate is a network video recorder (NVR) with realtime local ob
NOT-FOR-US: Frigate
CVE-2026-33123 (pypdf is a free and open-source pure-python PDF library. Versions prio ...)
- pypdf 6.9.2-1 (bug #1131479)
+ [trixie] - pypdf <no-dsa> (Minor issue)
+ [bookworm] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
+ [bookworm] - pypdf2 <no-dsa> (Minor issue)
NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-qpxp-75px-xjcp
NOTE: https://github.com/py-pdf/pypdf/pull/3686
NOTE: Fixed by: https://github.com/py-pdf/pypdf/commit/0b5d05de59a055c132b435ee2375bc32ff04d48e (6.9.1)
@@ -6273,6 +6298,8 @@ CVE-2026-XXXX [OSSA-2026-004: Server-Side Request Forgery (SSRF) vulnerabilities
NOTE: https://www.openwall.com/lists/oss-security/2026/03/19/3
CVE-2026-3842
- qemu 1:10.2.2+ds-1
+ [trixie] - qemu <no-dsa> (Minor issue)
+ [bookworm] - qemu <no-dsa> (Minor issue)
[bullseye] - qemu <not-affected> (Synthetic Debugging introduced in v7.1.0)
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/85af4e937016ed2f20122eb116597d1abb30c5c0 (v10.2.2)
CVE-2026-4427
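Review bot: the CVE-2026-3842 line has no description text and the only NOTE is the fix commit, so the entry gives no hint what the issue is beyond the bullseye annotation's mention of Synthetic Debugging being introduced in v7.1.0. Adding a NOTE with the upstream issue or advisory reference would let the "(Minor issue)" classification for trixie and bookworm be checked against something other than the commit diff.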
@@ -9773,7 +9800,10 @@ CVE-2026-31827 (Alienbin is an anonymous code and text sharing web service. In 1
NOT-FOR-US: Alienbin
CVE-2026-31826 (pypdf is a free and open-source pure-python PDF library. Prior to 6.8. ...)
- pypdf 6.9.0-1 (bug #1130642)
+ [trixie] - pypdf <no-dsa> (Minor issue)
+ [bookworm] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
+ [bookworm] - pypdf2 <no-dsa> (Minor issue)
NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-hqmh-ppp3-xvm7
NOTE: https://github.com/py-pdf/pypdf/pull/3675
NOTE: Fixed by; https://github.com/py-pdf/pypdf/commit/3c550b3196adeba1506a26e57c09c09fac75e9aa (6.8.0)
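Review bot: the last context line reads "NOTE: Fixed by;" with a semicolon instead of a colon; it is pre-existing rather than introduced here, but since every other entry uses "Fixed by:" and tooling that greps for that prefix will miss this one, it is worth correcting in a follow-up commit.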
@@ -11777,10 +11807,12 @@ CVE-2025-70363 (Incorrect access control in the REST API of Ibexa & Ciril GROUP
NOT-FOR-US: Ibexa & Ciril GROUP eZ Platform / Ciril Platform
CVE-2025-69654 (A crafted JavaScript input executed with the QuickJS release 2025-09-1 ...)
- quickjs <unfixed>
+ [trixie] - quickjs <no-dsa> (Minor issue)
NOTE: https://github.com/bellard/quickjs/issues/468
NOTE: Fixed by: https://github.com/bellard/quickjs/commit/fcd33c1afa7b3028531f53cd1190a3877454f6b3
CVE-2025-69653 (A crafted JavaScript input can trigger an internal assertion failure i ...)
- quickjs <unfixed>
+ [trixie] - quickjs <no-dsa> (Minor issue)
NOTE: https://github.com/bellard/quickjs/issues/467
NOTE: Fixed by: https://github.com/bellard/quickjs/commit/1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6
CVE-2025-69652 (GNU Binutils thru 2.46 readelf contains a vulnerability that leads to ...)
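Review bot: both quickjs entries receive a [trixie] <no-dsa> line but nothing for bookworm, unlike the rest of this commit where trixie and bookworm are annotated together; if bookworm ships quickjs, it needs either a matching line or <not-affected>. The two "Fixed by" NOTEs also lack the release tag that the other entries in this file carry after the commit URL, which matters for a project that versions by date (the description itself refers to "the QuickJS release 2025-09-1...").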
@@ -12041,7 +12073,10 @@ CVE-2026-29038 (changedetection.io is a free open source web page change detecti
NOT-FOR-US: changedetection.io
CVE-2026-28804 (pypdf is a free and open-source pure-python PDF library. Prior to vers ...)
- pypdf 6.9.0-1 (bug #1130045)
+ [trixie] - pypdf <no-dsa> (Minor issue)
+ [bookworm] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
+ [bookworm] - pypdf2 <no-dsa> (Minor issue)
NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-9m86-7pmv-2852
NOTE: https://github.com/py-pdf/pypdf/pull/3666
NOTE: Fixed by: https://github.com/py-pdf/pypdf/commit/648c627d2657447dfb1773412af05a0a5103b98f (6.7.5)
@@ -15271,7 +15306,10 @@ CVE-2026-27896 (The Go MCP SDK used Go's standard encoding/json.Unmarshal for JS
NOT-FOR-US: Go MCP SDK
CVE-2026-27888 (pypdf is a free and open-source pure-python PDF library. Prior to 6.7. ...)
- pypdf 6.9.0-1 (bug #1129096)
+ [trixie] - pypdf <no-dsa> (Minor issue)
+ [bookworm] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
+ [bookworm] - pypdf2 <no-dsa> (Minor issue)
NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-x7hp-r3qg-r3cj
NOTE: https://github.com/py-pdf/pypdf/pull/3658
NOTE: Fixed by: https://github.com/py-pdf/pypdf/commit/7a4c8246ed48d9d328fb596942271da47b6d109c (6.7.3)
@@ -15851,7 +15889,10 @@ CVE-2026-27629 (InvenTree is an Open Source Inventory Management System. Prior t
NOT-FOR-US: InvenTree
CVE-2026-27628 (pypdf is a free and open-source pure-python PDF library. Prior to 6.7. ...)
- pypdf 6.9.0-1 (bug #1130042)
+ [trixie] - pypdf <no-dsa> (Minor issue)
+ [bookworm] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
+ [bookworm] - pypdf2 <no-dsa> (Minor issue)
NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-2rw7-x74f-jg35
NOTE: https://github.com/py-pdf/pypdf/issues/3654
NOTE: Fixed by: https://github.com/py-pdf/pypdf/commit/f0a462d36971cf077d74492a348d0d06fd60ea4d (6.7.2)
@@ -17437,7 +17478,10 @@ CVE-2026-27111 (Kargo manages and automates the promotion of software artifacts.
NOT-FOR-US: Kargo
CVE-2026-27026 (pypdf is a free and open-source pure-python PDF library. Prior to 6.7. ...)
- pypdf 6.9.0-1 (bug #1128690)
+ [trixie] - pypdf <no-dsa> (Minor issue)
+ [bookworm] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
+ [bookworm] - pypdf2 <no-dsa> (Minor issue)
[bullseye] - pypdf2 <postponed> (minor issue; DoS)
NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-9mvc-8737-8j8h
NOTE: https://github.com/py-pdf/pypdf/pull/3644
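Review bot: the new bookworm line for pypdf2 says only "(Minor issue)", while the existing bullseye line directly beneath it records "(minor issue; DoS)". Carrying the DoS classification into the bookworm annotation (and into the other pypdf2 bookworm lines in this patch) costs nothing and makes the minor-issue call self-explanatory, rather than requiring a reader to infer it from the bullseye entry.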
@@ -17445,14 +17489,20 @@ CVE-2026-27026 (pypdf is a free and open-source pure-python PDF library. Prior t
NOTE: Issue uncovered with the fix for CVE-2025-55197
CVE-2026-27025 (pypdf is a free and open-source pure-python PDF library. Prior to 6.7. ...)
- pypdf 6.9.0-1 (bug #1128656)
+ [trixie] - pypdf <no-dsa> (Minor issue)
+ [bookworm] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
+ [bookworm] - pypdf2 <no-dsa> (Minor issue)
[bullseye] - pypdf2 <postponed> (minor issue; DoS)
NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-wgvp-vg3v-2xq3
NOTE: https://github.com/py-pdf/pypdf/pull/3646
NOTE: Fixed by: https://github.com/py-pdf/pypdf/commit/77d7b8d7cfbe8dd179858dfa42666f73fc6e57a2 (6.7.1)
CVE-2026-27024 (pypdf is a free and open-source pure-python PDF library. Prior to 6.7. ...)
- pypdf 6.9.0-1 (bug #1128654)
+ [trixie] - pypdf <no-dsa> (Minor issue)
+ [bookworm] - pypdf <no-dsa> (Minor issue)
- pypdf2 <removed>
+ [bookworm] - pypdf2 <no-dsa> (Minor issue)
[bullseye] - pypdf2 <postponed> (minor issue; DoS)
NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-996q-pr4m-cvgq
NOTE: https://github.com/py-pdf/pypdf/pull/3645
=====================================
data/dsa-needed.txt
=====================================
@@ -28,9 +28,9 @@ gh/oldstable
--
git-lfs
--
-gst-plugins-bad1.0
+gst-plugins-bad1.0 (jmm)
--
-gst-plugins-ugly1.0
+gst-plugins-ugly1.0 (jmm)
--
imagemagick/oldstable
--
@@ -104,3 +104,5 @@ valkey
NMU proposed for review by Peter Wienemann, but should ideally get some commit from maintainers and
fix in unstable.
--
+webkit2gtk (berto)
+--
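Review bot: the new webkit2gtk entry is not scoped to a suite, whereas other entries in this file use a suffix such as "gh/oldstable" or "imagemagick/oldstable" when only one release needs the DSA. If both stable and oldstable are affected that is fine as is; if not, add the suffix so the assignee (berto) knows which suite to prepare.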
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8938a7a518f5e378a76f305a148b56632c4ec66a