[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Mar 31 11:18:25 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c08ce78a by Moritz Muehlenhoff at 2026-03-31T12:16:43+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -383,6 +383,8 @@ CVE-2025-15036 (A path traversal vulnerability exists in the `extract_archive_to
NOT-FOR-US: mlflow
CVE-2026-33691 [Whitespace padding in filenames bypasses file upload extension checks]
- modsecurity-crs 3.3.9-1
+ [trixie] - modsecurity-crs <no-dsa> (Minor issue)
+ [bookworm] - modsecurity-crs <no-dsa> (Minor issue)
NOTE: https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w
CVE-2026-XXXX [Incomplete validation of cookie attributes]
- python-tornado 6.5.5-1 (bug #1132367)
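Review bot: the new `[trixie]` and `[bookworm]` no-dsa lines for modsecurity-crs are backed only by the GHSA advisory link; unlike the node-anymatch, osslsigncode and pygments entries touched in this same change there is no `NOTE: Fixed by:` pointing at the upstream commit, so if the fix is later pulled into a point update the backport reference has to be re-researched. Suggest adding the upstream fix commit next to the advisory, in the form already used elsewhere in the file, e.g. `NOTE: Fixed by: <upstream commit URL>`.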
@@ -991,11 +993,15 @@ CVE-2026-33673 (PrestaShop is an open source e-commerce web application. Version
NOT-FOR-US: PrestaShop
CVE-2026-33672 (Picomatch is a glob matcher written JavaScript. Versions prior to 4.0. ...)
- node-anymatch 3.1.3+~cs8.0.6-1 (bug #1132160)
+ [trixie] - node-anymatch <no-dsa> (Minor issue)
+ [bookworm] - node-anymatch <no-dsa> (Minor issue)
NOTE: https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p
NOTE: Fixed by: https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903
NOTE: node-anymatch provides node-picomatch
CVE-2026-33671 (Picomatch is a glob matcher written JavaScript. Versions prior to 4.0. ...)
- node-anymatch 3.1.3+~cs8.0.6-1 (bug #1132160)
+ [trixie] - node-anymatch <no-dsa> (Minor issue)
+ [bookworm] - node-anymatch <no-dsa> (Minor issue)
NOTE: https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj
NOTE: Fixed by: https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d
NOTE: node-anymatch provides node-picomatch
@@ -2660,6 +2666,8 @@ CVE-2025-70952 (pf4j before 20c2f80 has a path traversal vulnerability in the ex
NOTE: Fixed by: https://github.com/pf4j/pf4j/commit/20c2f80089d1ea779e22c2de5f109a0bce4e1b14 (release-3.14.1)
CVE-2025-70888 (An issue in mtrojnar Osslsigncode affected at v2.10 and before allows ...)
- osslsigncode 2.11-1
+ [trixie] - osslsigncode <no-dsa> (Minor issue)
+ [bookworm] - osslsigncode <no-dsa> (Minor issue)
NOTE: https://github.com/mtrojnar/osslsigncode/issues/475
NOTE: https://github.com/mtrojnar/osslsigncode/pull/477
NOTE: Fixed by: https://github.com/mtrojnar/osslsigncode/commit/d787541107d4c7d43e411b18b209f125632718cd (2.11)
@@ -5015,6 +5023,8 @@ CVE-2026-4539 (A security flaw has been discovered in pygments up to 2.19.2. The
NOTE: Fixed by: https://github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2ccc (2.20.0)
CVE-2026-4538 (A vulnerability was identified in PyTorch 2.10.0. The affected element ...)
- pytorch <unfixed>
+ [trixie] - pytorch <no-dsa> (Minor issue)
+ [bookworm] - pytorch <no-dsa> (Minor issue)
NOTE: https://github.com/pytorch/pytorch/pull/176791
CVE-2026-4537 (A vulnerability was determined in Cudy TR1200 R46-2.4.15-20250721-1640 ...)
NOT-FOR-US: Cudy TR1200
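Review bot: the pytorch entry is marked `<unfixed>` in unstable and no-dsa in trixie and bookworm, but its only NOTE is a link to an open pull request (pytorch/pytorch#176791) rather than a merged fix, so the tracker currently records no concrete fix reference for this CVE. Once the PR lands, add a `NOTE: Fixed by: <commit URL> (<release>)` line in the style of the neighbouring pygments entry so the `<unfixed>` state can be resolved against a known commit.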
=====================================
data/dsa-needed.txt
=====================================
@@ -56,6 +56,10 @@ lxd (jmm)
--
mbedtls/oldstable
--
+netty
+--
+nghttp2
+--
nodejs/oldstable
--
opennds/oldstable
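Review bot: the new `netty` and `nghttp2` entries carry no suite suffix, whereas the surrounding `mbedtls/oldstable` and `nodejs/oldstable` entries are explicit about the suite, and neither new entry has an assignee or a status line. Please confirm the bare names are intended to mean the stable suite only, and add a matching `/oldstable` entry where bookworm also needs a DSA, so the open-work list does not silently under-report the oldstable side.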
@@ -76,6 +80,8 @@ python-aiohttp
python-tornado (jmm)
update is on seger, but autopkg regression needs to be sorted
--
+redis
+--
roundcube
Maintainer proposed debdiff in #1131182 for review
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c08ce78afad51ef8ba3df84e90028bcb2a086f2a