[Git][security-tracker-team/security-tracker][master] bookworm/trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Mar 31 10:14:12 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ae9ae85a by Moritz Muehlenhoff at 2026-03-31T11:14:01+02:00
bookworm/trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1344,10 +1344,14 @@ CVE-2026-33945 (Incus is a system container and virtual machine manager. Incus i
NOTE: https://github.com/lxc/incus/security/advisories/GHSA-q4q8-7f2j-9h9f
CVE-2026-4926 (Impact: A bad regular expression is generated any time you have multi ...)
- node-path-to-regexp 8.4.0-1 (bug #1132020)
+ [trixie] - node-path-to-regexp <no-dsa> (Minor issue)
+ [bookworm] - node-path-to-regexp <no-dsa> (Minor issue)
NOTE: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f
NOTE: Fixed by: https://github.com/pillarjs/path-to-regexp/commit/22a967901afc8b2b42eefe456faa7b6773dcc415 (v8.4.0)
CVE-2026-4923 (Impact: When using multiple wildcards, combined with at least one par ...)
- node-path-to-regexp 8.4.0-1 (bug #1132020)
+ [trixie] - node-path-to-regexp <no-dsa> (Minor issue)
+ [bookworm] - node-path-to-regexp <no-dsa> (Minor issue)
NOTE: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7
NOTE: Fixed by: https://github.com/pillarjs/path-to-regexp/commit/48646547da685c1ccb76a95fe23373975a91e200 (v8.4.0)
CVE-2026-4897 (A flaw was found in polkit. A local user can exploit this by providing ...)
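Review bot: the two new `<no-dsa>` markers for node-path-to-regexp give only the generic reason "Minor issue"; the truncated descriptions show CVE-2026-4926 and CVE-2026-4923 both concern a bad regular expression being generated for specific route patterns (multiple parameters or wildcards), so a one-phrase rationale in the reason field, such as `(Minor issue; regex-complexity issue, only for routes with multiple params/wildcards)`, would let later re-triage see why they were deferred. The `Fixed by:` lines pointing at the v8.4.0 commits and the bug reference #1132020 are already present, which is what a future point update would need.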
@@ -5891,10 +5895,14 @@ CVE-2026-4428 (A logic error in CRL distribution point validation in AWS-LC befo
NOT-FOR-US: Amazon
CVE-2026-4395 (Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import ...)
- wolfssl 5.9.0-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
+ [bookworm] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/9988
NOTE: Fixed by: https://github.com/wolfSSL/wolfssl/commit/ddc177b669cff9d3c7e1b51751f9df73062b872a (v5.9.0-stable)
CVE-2026-4159 (1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length e ...)
- wolfssl 5.9.0-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
+ [bookworm] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/9945
NOTE: Fixed by: https://github.com/wolfSSL/wolfssl/commit/d37b51c3cef6897e117364ab8b1a257e52a634c0 (v5.9.0-stable)
CVE-2026-4136 (The Membership Plugin \u2013 Restrict Content plugin for WordPress is ...)
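Review bot: CVE-2026-4395 is a heap-based buffer overflow in the KCAPI ECC code path, yet the reason recorded for both suites is just "Minor issue". KCAPI support is a build-time option, so if the Debian wolfssl package is not built with it the entry should say so in the reason string (or use a `<not-affected>` marker once confirmed); if it is enabled, a heap overflow deserves a stronger stated rationale for deferral than "Minor issue". CVE-2026-4159 (1-byte OOB heap read) with its `Fixed by:` v5.9.0-stable commit looks consistent with no-dsa treatment.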
@@ -5905,21 +5913,31 @@ CVE-2026-3948
REJECTED
CVE-2026-3849 (Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Confi ...)
- wolfssl 5.9.0-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
+ [bookworm] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/9737
CVE-2026-3549 (Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ...)
- wolfssl 5.9.0-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
+ [bookworm] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/9817
CVE-2026-3547 (Out-of-bounds read in ALPN parsing due to incomplete validation. wolfS ...)
- wolfssl 5.9.0-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
+ [bookworm] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/9859
NOTE: https://github.com/wolfSSL/wolfssl/pull/9860
NOTE: Fixed by: https://github.com/wolfSSL/wolfssl/commit/9d3cc6e30c778b124002cc45b7974d718b6649fd (v5.9.0-stable)
CVE-2026-3230 (Missing required cryptographic step in the TLS 1.3 client HelloRetryRe ...)
- wolfssl 5.9.0-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
+ [bookworm] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/9754
NOTE: Fixed by: https://github.com/wolfSSL/wolfssl/commit/f810dc2a017b0e95f755740cb37c8884345c4de7 (v5.9.0-stable)
CVE-2026-3229 (An integer overflow vulnerability existed in the static function wolfs ...)
- wolfssl 5.9.0-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
+ [bookworm] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/9827
CVE-2026-33410 (Discourse is an open-source discussion platform. Versions prior to 202 ...)
NOT-FOR-US: Discourse
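Review bot: three of the five wolfssl entries in this hunk (CVE-2026-3849, CVE-2026-3549, CVE-2026-3229) reference only a pull request and lack the `NOTE: Fixed by:` commit line that CVE-2026-3547 and CVE-2026-3230 carry; adding the stable-branch commit for each would make a later bookworm/trixie backport self-contained. The two ECH entries (CVE-2026-3849, CVE-2026-3549) are TLS 1.3 ECH parsing bugs, so if ECH is not compiled into the Debian build, recording that as the no-dsa reason would be more precise than "Minor issue". CVE-2026-3230 (missing cryptographic step in the client HelloRetryRequest path) is a protocol-logic flaw rather than a memory-safety one, and the entry would benefit from a note on why it is considered minor.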
@@ -6499,20 +6517,28 @@ CVE-2026-3658 (The Appointment Booking Calendar \u2014 Simply Schedule Appointme
NOT-FOR-US: WordPress plugin
CVE-2026-3580 (In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_ ...)
- wolfssl 5.9.0-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
+ [bookworm] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/9855
NOTE: Fixed by: https://github.com/wolfSSL/wolfssl/commit/71226b68b69404206c74694715f11bb6630750dc (v5.9.0-stable)
CVE-2026-3579 (wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time soft ...)
- wolfssl 5.9.0-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
+ [bookworm] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/9855
NOTE: Fixed by: https://github.com/wolfSSL/wolfssl/commit/71226b68b69404206c74694715f11bb6630750dc (v5.9.0-stable)
CVE-2026-3548 (Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser ...)
- wolfssl 5.9.0-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
+ [bookworm] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/9628/
NOTE: https://github.com/wolfSSL/wolfssl/pull/9873/
CVE-2026-3511 (Improper Restriction of XML External Entity Reference vulnerability in ...)
NOT-FOR-US: Slovensko.Digital Autogram
CVE-2026-3503 (Protection mechanism failure in wolfCrypt post-quantum implementations ...)
- wolfssl 5.9.0-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
+ [bookworm] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/9734
NOTE: Fixed by: https://github.com/wolfSSL/wolfssl/commit/65a1a6887747949ed148d8be3350b86ecff24fbc (v5.9.0-stable)
CVE-2026-3029 (A path traversal and arbitrary file write vulnerability exist in the e ...)
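Review bot: CVE-2026-3579 is described as specific to RISC-V RV32I and CVE-2026-3580 as a constant-time masking flaw, so the no-dsa reason could state the architecture and side-channel scope explicitly instead of "Minor issue"; Debian's RISC-V port is riscv64, so if CVE-2026-3579 is confirmed to affect RV32I only, a `<not-affected>` marker would be the more accurate record. Both entries point at the same PR #9855 and the same commit, which is fine. CVE-2026-3548 (two buffer overflows in the CRL parser) carries two PR links with trailing slashes, unlike the other URLs, and no `Fixed by:` line; normalising the URLs and adding the commits would match the style of the CVE-2026-3503 entry directly below it.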
@@ -6547,10 +6573,14 @@ CVE-2026-30402 (An issue in wgcloud v.2.3.7 and before allows a remote attacker
NOT-FOR-US: wgcloud
CVE-2026-2646 (A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_S ...)
- wolfssl 5.9.0-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
+ [bookworm] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/9748
NOTE: https://github.com/wolfSSL/wolfssl/pull/9949
CVE-2026-2645 (In wolfSSL 5.8.2 and earlier, a logic flaw existed in the TLS 1.2 serv ...)
- wolfssl 5.9.0-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
+ [bookworm] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/9694
NOTE: Fixed by: https://github.com/wolfSSL/wolfssl/commit/8902afdcea1a277011f31788a9899c6c8e225eca (v5.9.0-stable)
CVE-2026-27070 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
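Review bot: CVE-2026-2646 (heap-buffer-overflow in wolfSSL_d2i_S...) lists two PRs (#9748 and #9949) but no `Fixed by:` commit; since two PRs are involved, a NOTE stating whether both are required for a complete fix would prevent a backport that picks only the first from being recorded as fixed. The "Minor issue" reason for a heap overflow in a DER decoding entry point also deserves a short justification of what limits exposure in the Debian package. CVE-2026-2645 has both the PR and the `Fixed by:` commit, which is the pattern the other entry should follow.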
@@ -6593,10 +6623,14 @@ CVE-2026-21788 (HCL Connections is vulnerable to a cross-site scripting attack w
NOT-FOR-US: HCL
CVE-2026-1005 (Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacke ...)
- wolfssl 5.9.0-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
+ [bookworm] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/9571
NOTE: Fixed by: https://github.com/wolfSSL/wolfssl/commit/ca7899429844e8bd3824fe92a709978b51f750c4 (v5.9.0-stable)
CVE-2026-0819 (A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 Signed ...)
- wolfssl 5.9.0-0.1
+ [trixie] - wolfssl <no-dsa> (Minor issue)
+ [bookworm] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/pull/9630
NOTE: Fixed by: https://github.com/wolfSSL/wolfssl/commit/9c7b58656541e8d31876d7ccd2cd38140b8ffb79 (v5.9.0-stable)
CVE-2025-71260 (BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a d ...)
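Review bot: CVE-2026-1005 is in the wolfSSL packet sniffer, a separately enabled build component; if the Debian package does not build the sniffer, the no-dsa reason should say so (or the entry should use a `<not-affected>` marker) rather than "Minor issue". CVE-2026-0819 is a stack buffer overflow in PKCS7 SignedData parsing with a `Fixed by:` commit; since PKCS7 parsing commonly processes externally supplied data, the same rationale question applies and a one-phrase reason would help anyone reassessing the deferral later.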
=====================================
data/dsa-needed.txt
=====================================
@@ -104,5 +104,8 @@ valkey
NMU proposed for review by Peter Wienemann, but should ideally get some commit from maintainers and
fix in unstable.
--
+vim
+ for CVE-2026-34714, rest is harmless
+--
webkit2gtk (berto)
--
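Review bot: the new vim entry reads `for CVE-2026-34714, rest is harmless` without naming the "rest"; listing the deferred CVE ids (or pointing at their `<no-dsa>` markers in data/CVE/list) would tell whoever prepares the DSA exactly which issues to include and which to leave out, and the corresponding data/CVE/list entries should carry matching markers so the two files agree. The `--` separator and indentation match the surrounding valkey and webkit2gtk entries.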
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae9ae85ab5df8d5e4b11f0dc6d0cdc2b91c636ef