[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sat May 2 10:48:17 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d3022b42 by Moritz Muehlenhoff at 2026-05-02T11:47:43+02:00
trixie/bookworm triage

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -90,6 +90,8 @@ CVE-2025-12993
 	REJECTED
 CVE-2026-42050 [Stack buffer overflow in XTileImage]
 	- imagemagick 8:7.1.2.21+dfsg1-1
+	[trixie] - imagemagick <postponed> (Minor issue, fix along with future update)
+	[bookworm] - imagemagick <postponed> (Minor issue, fix along with future update)
 	NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7mxf-ff4f-jj7p
 	NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/25980041f145afc621233a1c050291231b627c48 (7.1.2-20)
 	NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/2b4a06cdb9b5b4b8e51247be8b38ea4cbfdfb07c (6.9.13-45)
@@ -157,14 +159,20 @@ CVE-2026-42485 (AGL agl-service-can-low-level contains a stack buffer overflow i
 	NOT-FOR-US: AGL agl-service-can-low-level
 CVE-2026-42484 (A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser ...)
 	- hashcat <unfixed>
+	[trixie] - hashcat <no-dsa> (Minor issue)
+	[bookworm] - hashcat <no-dsa> (Minor issue)
 	NOTE: https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f
 	TODO: check upstream details
 CVE-2026-42483 (A heap-based buffer overflow in the Kerberos hash parser in hashcat v7 ...)
 	- hashcat <unfixed>
+	[trixie] - hashcat <no-dsa> (Minor issue)
+	[bookworm] - hashcat <no-dsa> (Minor issue)
 	NOTE: https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f
 	TODO: check upstream details
 CVE-2026-42482 (A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_h ...)
 	- hashcat <unfixed>
+	[trixie] - hashcat <no-dsa> (Minor issue)
+	[bookworm] - hashcat <no-dsa> (Minor issue)
 	NOTE: https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f
 	TODO: check upstream details
 CVE-2026-42481 (Open CASCADE Technology (OCCT) V8_0_0_rc5 contains multiple vulnerabil ...)
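Review bot: all three hashcat entries (CVE-2026-42484, CVE-2026-42483, CVE-2026-42482) are tagged `<no-dsa> (Minor issue)` for trixie and bookworm while each still carries `TODO: check upstream details`; the severity rationale is being recorded before the TODO that would justify it is resolved. Consider either clearing the TODO lines in the same commit or noting in the no-dsa reason what was checked (e.g. that the parsers are only reached with attacker-supplied hash files), so a later triager does not re-open the question.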
@@ -2576,6 +2584,8 @@ CVE-2026-7234 (A weakness has been identified in BrowserOperator browser-operato
 	NOT-FOR-US: BrowserOperator browser-operator-core
 CVE-2026-7233 (A vulnerability was determined in Artifex MuPDF up to 1.28.0. The impa ...)
 	- mupdf <unfixed> (bug #1135372)
+	[trixie] - mupdf <no-dsa> (Minor issue)
+	[bookworm] - mupdf <no-dsa> (Minor issue)
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=709328
 CVE-2026-7230 (A vulnerability was found in SourceCodester Safety Anger Pad 1.0. The  ...)
 	NOT-FOR-US: SourceCodester
@@ -16866,6 +16876,8 @@ CVE-2026-34517 (AIOHTTP is an asynchronous HTTP client/server framework for asyn
 	NOTE: Fixed by: https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145 (v3.13.4)
 CVE-2026-34516 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
 	- python-aiohttp 3.13.5-1 (bug #1132582)
+	[trixie] - python-aiohttp <no-dsa> (Minor issue)
+	[bookworm] - python-aiohttp <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-m5qp-6w8w-w647
 	NOTE: Fixed by: https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f (v3.13.4)
 CVE-2026-34515 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
@@ -16874,6 +16886,8 @@ CVE-2026-34515 (AIOHTTP is an asynchronous HTTP client/server framework for asyn
 	NOTE: Fixed by: https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d (v3.13.4)
 CVE-2026-34514 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
 	- python-aiohttp 3.13.5-1 (bug #1132582)
+	[trixie] - python-aiohttp <no-dsa> (Minor issue)
+	[bookworm] - python-aiohttp <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-2vrm-gr82-f7m5
 	NOTE: Fixed by: https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06 (v3.13.4)
 CVE-2026-34513 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
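Review bot: CVE-2026-34515 sits between the two aiohttp hunks (the `CVE-2026-34515` header is the trailing context of the first hunk and its `NOTE: Fixed by:` line opens the second) but receives no `[trixie]`/`[bookworm]` lines in this commit, unlike CVE-2026-34516 and CVE-2026-34514 which are fixed in the same upstream release (v3.13.4) and the same Debian upload (3.13.5-1, bug #1132582). If that entry was already triaged elsewhere, fine; otherwise it looks like an omission and should get the same no-dsa treatment for consistency.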
@@ -19909,6 +19923,8 @@ CVE-2026-4835 (A security vulnerability has been detected in code-projects Accou
 	NOT-FOR-US: code-projects
 CVE-2026-4833 (A weakness has been identified in Orc discount up to 3.0.1.2. This iss ...)
 	- discount <unfixed> (bug #1133003)
+	[trixie] - discount <no-dsa> (Minor issue)
+	[bookworm] - discount <no-dsa> (Minor issue)
 	[bullseye] - discount <postponed> (minor issue; local DoS)
 	NOTE: https://github.com/Orc/discount/issues/305
 	TODO: check libtext-markdown-discount-perl, ruby-rdiscount, cantor, embedding discount; check if security impact present
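Review bot: the new `[trixie]`/`[bookworm]` lines use `<no-dsa> (Minor issue)` while the existing `[bullseye]` line for the same CVE says `<postponed> (minor issue; local DoS)`; the impact is the same across suites, so the rationale text should match (and `postponed` vs `no-dsa` is a meaningful difference for tooling that lists issues to fix in a future point update). Suggest `[trixie] - discount <no-dsa> (Minor issue; local DoS)` or aligning the bullseye line, and note that the `TODO: check libtext-markdown-discount-perl, ruby-rdiscount, cantor, embedding discount` is still open, so embedded copies may need the same tags once checked.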


=====================================
data/DSA/list
=====================================
@@ -31,7 +31,7 @@
 	{CVE-2026-0396 CVE-2026-0397 CVE-2026-24028 CVE-2026-24029 CVE-2026-24030 CVE-2026-27853 CVE-2026-27854 CVE-2026-33254 CVE-2026-33257 CVE-2026-33260 CVE-2026-33593 CVE-2026-33594 CVE-2026-33595 CVE-2026-33596 CVE-2026-33597 CVE-2026-33598 CVE-2026-33599 CVE-2026-33602}
 	[trixie] - dnsdist 1.9.14-0+deb13u1
 [28 Apr 2026] DSA-6234-1 pdns-recursor - security update
-	{CVE-2026-33257 CVE-2026-33258 CVE-2026-33259 CVE-2026-33260 CVE-2026-33261 CVE-2026-33600 CVE-2026-33601}
+	{CVE-2026-33257 CVE-2026-33258 CVE-2026-33259 CVE-2026-33260 CVE-2026-33261 CVE-2026-33600 CVE-2026-33601 CVE-2026-33256 CVE-2026-33262}
 	[trixie] - pdns-recursor 5.2.9-0+deb13u1
 [28 Apr 2026] DSA-6233-1 pdns - security update
 	{CVE-2026-33257 CVE-2026-33260 CVE-2026-33608 CVE-2026-33609 CVE-2026-33610 CVE-2026-33611}
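Review bot: CVE-2026-33256 and CVE-2026-33262 are appended to the end of the DSA-6234-1 CVE list rather than in numeric order with the other CVE-2026-3325x/3326x entries; not wrong, but the surrounding lists are sorted, so placing them inline keeps the file greppable. More importantly, since the DSA was published on 28 Apr 2026 and these IDs are added after the fact, please confirm that the matching `data/CVE/list` entries for both IDs record `[trixie] - pdns-recursor 5.2.9-0+deb13u1` (this commit does not touch them), otherwise the tracker will show the DSA and the CVE pages disagreeing about fixed status.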


=====================================
data/dsa-needed.txt
=====================================
@@ -15,6 +15,8 @@ If needed, specify the release by adding a slash after the name of the source pa
 amd64-microcode (carnil)
   Coordinating with maintainer DSA/bookworm-pu and sync with mitgations in src:linux
 --
+botan3/stable
+--
 ceph
  for CVE-2024-47866, rest harmless
 --
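Review bot: the new `botan3/stable` entry has no rationale or claimer line, whereas its neighbours (`amd64-microcode (carnil)` with a coordination note, `ceph` with `for CVE-2024-47866, rest harmless`) say which CVEs drive the update. Suggest adding an indented line naming the CVE(s) that need the stable DSA so whoever picks it up does not have to re-derive the scope from `data/CVE/list`.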



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3022b42265f75ea21d9c3e4833e49f5db277ab0




