[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri May 1 15:00:20 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
76b3332c by Moritz Muehlenhoff at 2026-05-01T16:00:07+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -17781,6 +17781,8 @@ CVE-2026-33935 (MyTube is a self-hosted downloader and player for several video
NOT-FOR-US: MyTube
CVE-2026-33916 (Handlebars provides the power necessary to let users build semantic te ...)
- node-handlebars 3:4.7.9-1 (bug #1132141)
+ [trixie] - node-handlebars <no-dsa> (Minor issue)
+ [bookworm] - node-handlebars <no-dsa> (Minor issue)
[bullseye] - node-handlebars <ignored> (workarround exist and fix break old applications)
NOTE: https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9
NOTE: https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2 (v4.7.9)
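Review bot: the two new trixie/bookworm lines give only "(Minor issue)" as the rationale while the bullseye line directly below records a different reason, "workarround exist and fix break old applications" (which itself should read "workaround exists and fix breaks old applications"); if the compatibility cost of the upstream fix is also what drives the no-dsa decision for trixie and bookworm, say so in the tag, e.g. `[trixie] - node-handlebars <no-dsa> (Minor issue; fix breaks old applications)`, so the three releases tell one consistent story.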
@@ -29167,9 +29169,13 @@ CVE-2026-28678 (DSA Study Hub is an interactive educational web application. Pri
NOT-FOR-US: DSA Study Hub
CVE-2026-24308 (Improper handling of configuration values in ZKConfig in Apache ZooKee ...)
- zookeeper 3.9.5-1 (bug #1130497)
+ [trixie] - zookeeper <no-dsa> (Minor issue)
+ [bookworm] - zookeeper <no-dsa> (Minor issue)
NOTE: https://lists.apache.org/thread/qng3rtzv2pqkmko4rhv85jfplkyrgqdr
CVE-2026-24281 (Hostname verification in Apache ZooKeeper ZKTrustManager falls back to ...)
- zookeeper 3.9.5-1 (bug #1130496)
+ [trixie] - zookeeper <no-dsa> (Minor issue)
+ [bookworm] - zookeeper <no-dsa> (Minor issue)
NOTE: https://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2
CVE-2026-3352 (The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code I ...)
NOT-FOR-US: WordPress plugin
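Review bot: both ZooKeeper entries get `<no-dsa> (Minor issue)` with no further reasoning, which is thin for CVE-2026-24281, since a hostname-verification fallback in ZKTrustManager weakens the TLS peer-identity check; a short rationale (whether it only affects a non-default configuration, or that the fix is meant to land via a point release) would make the decision reviewable later, and if a stable update is actually planned `<postponed>` expresses that more accurately than `<no-dsa>`.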
@@ -42165,9 +42171,7 @@ CVE-2020-37124 (B64dec 1.1.2 contains a buffer overflow vulnerability that allow
CVE-2020-37123 (Pinger 1.0 contains a remote code execution vulnerability that allows ...)
NOT-FOR-US: Pinger
CVE-2020-37121 (CODE::BLOCKS 16.01 contains a buffer overflow vulnerability that allow ...)
- - codeblocks <undetermined>
- NOTE: https://www.exploit-db.com/exploits/48344
- NOTE: check, unclear upstream status and inpact
+ NOTE: Bogus CVE assignment for CVE-2020-37038
CVE-2020-37120 (Rubo DICOM Viewer 2.0 contains a buffer overflow vulnerability in the ...)
NOT-FOR-US: Rubo DICOM Viewer
CVE-2020-37119 (Nsauditor 3.0.28 and 3.2.1.0 contains a buffer overflow vulnerability ...)
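Review bot: CVE-2020-37121 is left with a NOTE line only, because the `- codeblocks <undetermined>` package line is removed rather than replaced; consider keeping a package line such as `- codeblocks <not-affected> (Bogus CVE assignment)` so the record stays attached to the codeblocks tracker page and the entry is not read as untriaged. The note text also says "for CVE-2020-37038" although this entry is CVE-2020-37121; if all three Code::Blocks CVEs are meant to be the same bogus report, "Bogus CVE assignment, see CVE-2020-37038" would be clearer.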
@@ -44288,15 +44292,11 @@ CVE-2020-37042 (Frigate Professional 3.36.0.9 contains a local buffer overflow v
CVE-2020-37041 (OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the st ...)
NOT-FOR-US: OpenCTI
CVE-2020-37040 (Code Blocks 17.12 contains a local buffer overflow vulnerability that ...)
- - codeblocks <undetermined>
- NOTE: https://www.exploit-db.com/exploits/48594
- TODO: check, might be Windows specific issue
+ NOTE: Bogus CVE assignment for CVE-2020-37038
CVE-2020-37039 (Frigate 2.02 contains a denial of service vulnerability that allows at ...)
NOT-FOR-US: Frigate
CVE-2020-37038 (Code Blocks 20.03 contains a denial of service vulnerability that allo ...)
- - codeblocks <undetermined>
- NOTE: https://www.exploit-db.com/exploits/48617
- TODO: check, possibly just DoS of application and unimportant
+ NOTE: Bogus CVE assignment for CVE-2020-37038
CVE-2020-37036 (RM Downloader 2.50.60 contains a local buffer overflow vulnerability i ...)
NOT-FOR-US: RM Downloader
CVE-2020-37035 (e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in ...)
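Review bot: the identical note "Bogus CVE assignment for CVE-2020-37038" is pasted into both CVE-2020-37040 and CVE-2020-37038 itself, where it is self-referential and gives no reason why the assignment is bogus; the removed lines held the actual observations (the exploit-db references, "might be Windows specific", "possibly just DoS of application") and nothing replaces them. Suggest one sentence of rationale per entry and a `<not-affected>` package line instead of dropping `- codeblocks <undetermined>` outright.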
@@ -44711,9 +44711,7 @@ CVE-2020-37013 (Audio Playback Recorder 3.2.2 contains a local buffer overflow v
CVE-2020-37012 (Tea LaTex 1.0 contains a remote code execution vulnerability that allo ...)
NOT-FOR-US: Tea LaTex
CVE-2020-37011 (Gnome Fonts Viewer 3.34.0 contains a heap corruption vulnerability tha ...)
- - gnome-font-viewer <undetermined>
- NOTE: https://www.exploit-db.com/exploits/48803
- TODO: check, unclear upstream status. Doesn't reproduce with the version in trixie
+ NOTE: Bogus CVE assignment for gnome-font-viewer, crash in CLI tool
CVE-2020-37010 (BearShare Lite 5.2.5 contains a buffer overflow vulnerability in the A ...)
NOT-FOR-US: BearShare Lite
CVE-2020-37009 (MedDream PACS Server 6.8.3.751 contains an authenticated remote code e ...)
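Review bot: the removed TODO recorded that the issue does not reproduce with the version in trixie, which is the evidence behind the new "Bogus CVE assignment" note and is now lost; keeping it on a package line, e.g. `- gnome-font-viewer <not-affected> (Crash in CLI tool only, does not reproduce with the version in trixie)`, preserves the reasoning and keeps the entry linked to the package. If the crash is real but has no security impact, `<unimportant>` is the state that says so, rather than calling the assignment bogus.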
=====================================
data/dsa-needed.txt
=====================================
@@ -40,6 +40,8 @@ gnutls28
--
imagemagick (jmm)
--
+incus/stable (jmm)
+--
isc-kea/oldstable
--
jackson-core (apo)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76b3332c3008fcdc6e8a9b7b07bc78ecb98deb2d