[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue Mar 31 23:06:59 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f5b4b7de by Moritz Mühlenhoff at 2026-04-01T00:06:23+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -416,7 +416,11 @@ CVE-2026-XXXX [SVG Animate FUNCIRI Attribute Bypass]
 	NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/9d18d524f3cc211003fc99e2e54eed09a2f3da88
 CVE-2026-5119 (A flaw was found in libsoup. When establishing HTTPS tunnels through a ...)
 	- libsoup3 <unfixed> (bug #1132331)
+	[trixie] - libsoup3 <no-dsa> (Minor issue)
+	[bookworm] - libsoup3 <no-dsa> (Minor issue)
 	- libsoup2.4 <removed>
+	[trixie] - libsoup2.4 <no-dsa> (Minor issue)
+	[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2452932
 	NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/502
 CVE-2026-5107 (A vulnerability has been found in FRRouting FRR up to 10.5.1. This aff ...)
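Review bot: the four new `<no-dsa> (Minor issue)` lines for libsoup3 and libsoup2.4 carry no NOTE explaining why a flaw in HTTPS tunnel establishment is considered minor, whereas the ettercap entry later in this commit records its rationale ("Crash in CLI tool, no security impact"). Suggest adding a one-line NOTE with the reasoning so the no-dsa decision can be re-checked once the truncated description is complete.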
@@ -619,7 +623,7 @@ CVE-2018-25220 (Bochs 2.6-5 contains a stack-based buffer overflow vulnerability
 	NOTE: Bogus CVE for bochs, this crosses no security boundary
 	NOTE: https://www.exploit-db.com/exploits/43979
 CVE-2017-20229 (MAWK 1.3.3-17 and prior contains a stack-based buffer overflow vulnera ...)
-	- mawk <undetermined>
+	NOTE: Bogus CVE assignment for mawk
 	NOTE: https://www.exploit-db.com/exploits/42357
 CVE-2017-20228 (Flat Assembler 1.71.21 contains a stack-based buffer overflow vulnerab ...)
 	NOT-FOR-US: Flat Assembler
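Review bot: replacing `- mawk <undetermined>` with `NOTE: Bogus CVE assignment for mawk` drops the package status line without saying why the CVE is bogus, while the bochs entry two lines above gives a reason ("this crosses no security boundary"). Suggest the same for mawk, e.g. `NOTE: Bogus CVE assignment for mawk, <reason>`, so the exploit-db URL left in the entry is not read as confirmation of a real issue. The same applies to the iselect change in the next hunk.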
@@ -634,7 +638,7 @@ CVE-2017-20225 (TiEmu 2.08 and prior contains a stack-based buffer overflow vuln
 CVE-2016-20049 (JAD 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vul ...)
 	- jad <removed>
 CVE-2016-20048 (iSelect 1.4.0-2+b1 contains a local buffer overflow vulnerability that ...)
-	- iselect <undetermined>
+	NOTE: Bogus CVE assignment for iselect
 	NOTE: https://www.exploit-db.com/exploits/41076
 CVE-2016-20047 (EKG Gadu 1.9~pre+r2855-3+b1 contains a local buffer overflow vulnerabi ...)
 	NOT-FOR-US: EKG Gadu
@@ -4835,9 +4839,13 @@ CVE-2026-0898 (An arbitrary file-write vulnerability in Pega Browser Extension (
 	NOT-FOR-US: Pega
 CVE-2025-59490
 	- znuny 6.5.19-1
+	[trixie] - znuny <no-dsa> (Non-free not supported)
+	[bookworm] - znuny <no-dsa> (Non-free not supported)
 	NOTE: https://www.znuny.org/en/releases/znuny-lts-6-5-19
 CVE-2025-52204 (A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x ...)
 	- znuny 6.5.19-1
+	[trixie] - znuny <no-dsa> (Non-free not supported)
+	[bookworm] - znuny <no-dsa> (Non-free not supported)
 	NOTE: https://www.znuny.org/en/releases/znuny-lts-6-5-19
 CVE-2025-41008 (SQL injection vulnerability in Sinturno. This vulnerability allows an  ...)
 	NOT-FOR-US: Sinturno
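Review bot: CVE-2025-59490 has no description in parentheses, unlike the neighbouring entries, so the new trixie/bookworm `<no-dsa> (Non-free not supported)` lines cannot be checked against what the issue actually is; suggest adding the short description (the znuny 6.5.19 release notes URL already in the entry should provide it).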
@@ -8171,17 +8179,23 @@ CVE-2026-4171 (A security vulnerability has been detected in CodeGenieApp server
 	NOT-FOR-US: CodeGenieApp serverless-express
 CVE-2026-32778 (libexpat before 2.7.5 allows a NULL pointer dereference in the functio ...)
 	- expat 2.7.5-1 (bug #1131119)
+	[trixie] - expat <no-dsa> (Minor issue)
+	[bookworm] - expat <no-dsa> (Minor issue)
 	NOTE: https://github.com/libexpat/libexpat/pull/1163
 	NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/576b61e42feeea704253cb7c7bedb2eeb3754387
 	NOTE: Test: https://github.com/libexpat/libexpat/commit/d5fa769b7a7290a7e2c4a0b2287106dec9b3c030
 CVE-2026-32777 (libexpat before 2.7.5 allows an infinite loop while parsing DTD conten ...)
 	- expat 2.7.5-1 (bug #1131118)
+	[trixie] - expat <no-dsa> (Minor issue)
+	[bookworm] - expat <no-dsa> (Minor issue)
 	NOTE: https://github.com/libexpat/libexpat/issues/1161
 	NOTE: https://github.com/libexpat/libexpat/pull/1162
 	NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/55cda8c7125986e17d7e1825cba413bd94a35d02
 	NOTE: Test: https://github.com/libexpat/libexpat/commit/a7805c1a8a48d2ce83ef289cf55bdc8b45de76a8
 CVE-2026-32776 (libexpat before 2.7.5 allows a NULL pointer dereference with empty ext ...)
 	- expat 2.7.5-1 (bug #1131117)
+	[trixie] - expat <no-dsa> (Minor issue)
+	[bookworm] - expat <no-dsa> (Minor issue)
 	NOTE: https://github.com/libexpat/libexpat/pull/1158
 	NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/5be25657583ea91b09025c858b4785834c20f59c
 CVE-2026-32775 (libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exif_ ...)
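Review bot: all three expat entries now read `<no-dsa> (Minor issue)` while each carries an isolated upstream Fixed-by commit plus a test commit; suggest recording in the reason whether a fix via a stable point release is intended, since small self-contained patches like these are the usual candidates for that route, and the bare "Minor issue" leaves that open.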
@@ -12305,9 +12319,10 @@ CVE-2026-3612 (A vulnerability was determined in Wavlink WL-NU516U1 V240425. Thi
 CVE-2026-3610 (A vulnerability was found in HSC Cybersecurity Mailinspector up to 5.3 ...)
 	NOT-FOR-US: HSC Cybersecurity Mailinspector
 CVE-2026-3606 (A vulnerability has been found in Ettercap 0.8.4-Garofalo. Affected by ...)
-	- ettercap <unfixed> (bug #1130273)
+	- ettercap <unfixed> (bug #1130273; unimportant)
 	NOTE: https://github.com/Ettercap/ettercap/issues/1297
 	NOTE: Fixed by: https://github.com/Ettercap/ettercap/commit/41c312d4be6f6067968a275bf66b2abd2a0ba385
+	NOTE: Crash in CLI tool, no security impact
 CVE-2026-2830 (The WP All Import \u2013 Drag & Drop Import for CSV, XML, Excel & Goog ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-2593 (The Greenshift \u2013 animation and page builder blocks plugin for Wor ...)
@@ -12812,6 +12827,8 @@ CVE-2025-69534 (Python-Markdown version 3.8 contain a vulnerability where malfor
 	- python3.11 <removed>
 	- python3.9 <removed>
 	- pypy3 <unfixed>
+	[trixie] - pypy3 <no-dsa> (Minor issue)
+	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
 	NOTE: While reported against python-markdown, the actual issue in in Python itself
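Review bot: the unchanged NOTE at the end of this hunk has a doubled word ("the actual issue in in Python itself"); since this entry is being touched anyway, correcting it to "is in" would be cheap.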
@@ -14332,6 +14349,8 @@ CVE-2026-28286 (ZimaOS is a fork of CasaOS, an operating system for Zima devices
 	NOT-FOR-US: ZimaOS
 CVE-2026-27631 (Exiv2 is a C++ library and a command-line utility to read, write, dele ...)
 	- exiv2 0.28.8+dfsg-1
+	[trixie] - exiv2 <no-dsa> (Minor issue)
+	[bookworm] - exiv2 <no-dsa> (Minor issue)
 	[bullseye] - exiv2 <postponed> (Minor issue, OOB read / DoS)
 	NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-p2pw-7935-c73j
 	NOTE: https://github.com/Exiv2/exiv2/issues/3513
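Review bot: for the same CVE, bullseye stays `<postponed> (Minor issue, OOB read / DoS)` while trixie and bookworm become `<no-dsa> (Minor issue)`; differing states are plausible (bullseye is handled by LTS), but the new lines drop the impact detail. Suggest carrying "OOB read / DoS" into the trixie/bookworm reasons so the three lines read consistently, and likewise for the two following exiv2 hunks.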
@@ -14340,6 +14359,8 @@ CVE-2026-27631 (Exiv2 is a C++ library and a command-line utility to read, write
 	NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/21d129c842212c198dd887dbaafc5ce734e9dfad (v0.28.8)
 CVE-2026-27596 (Exiv2 is a C++ library and a command-line utility to read, write, dele ...)
 	- exiv2 0.28.8+dfsg-1
+	[trixie] - exiv2 <no-dsa> (Minor issue)
+	[bookworm] - exiv2 <no-dsa> (Minor issue)
 	[bullseye] - exiv2 <postponed> (Minor issue, OOB read / DoS)
 	NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-3wgv-fg4w-75x7
 	NOTE: https://github.com/Exiv2/exiv2/issues/3511
@@ -14390,6 +14411,8 @@ CVE-2026-26694 (code-projects Simple Student Alumni System v1.0 is vulnerale to
 	NOT-FOR-US: code-projects
 CVE-2026-25884 (Exiv2 is a C++ library and a command-line utility to read, write, dele ...)
 	- exiv2 0.28.8+dfsg-1
+	[trixie] - exiv2 <no-dsa> (Minor issue)
+	[bookworm] - exiv2 <no-dsa> (Minor issue)
 	[bullseye] - exiv2 <postponed> (Minor issue, OOB read)
 	NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp
 	NOTE: https://github.com/Exiv2/exiv2/pull/3462


=====================================
data/dsa-needed.txt
=====================================
@@ -21,6 +21,8 @@ ceph
 cpp-httplib (jmm)
   Maintainer preparing updates, waiting for feedback on bookworm status
 --
+dovecot
+--
 frr
 --
 gh/oldstable
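Review bot: `dovecot` is added to dsa-needed.txt without a claimant in parentheses or an indented status line, while the neighbouring `cpp-httplib (jmm)` records both; suggest adding the claimant once someone takes it, or a short status note on what needs preparing, so the entry is not mistaken for a stale one.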



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5b4b7def1c0c07f259da4ee60e6338581798f94
