[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sat May 2 23:11:25 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
6eb7004a by Moritz Muehlenhoff at 2026-05-03T00:11:03+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -20,6 +20,8 @@ CVE-2026-7599 (A vulnerability was detected in Dayoooun hwpx-mcp 0.2.0. This aff
NOT-FOR-US: Dayoooun hwpx-mcp
CVE-2026-7598 (A security vulnerability has been detected in libssh2 up to 1.11.1. Th ...)
- libssh2 <unfixed>
+ [trixie] - libssh2 <no-dsa> (Minor issue)
+ [bookworm] - libssh2 <no-dsa> (Minor issue)
NOTE: https://github.com/libssh2/libssh2/pull/1858
NOTE: https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1
CVE-2026-7597 (A vulnerability was found in mem0ai mem0 up to 1.0.11. This affects th ...)
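Review bot: The two new <no-dsa> lines for libssh2 give only "(Minor issue)" as the reason, and the truncated description above them does not show the impact. A short qualifier in the parenthetical would let a later reader see why no DSA is planned. If the commit in the second NOTE is the upstream fix, prefixing it with "Fixed by:", as the swupdate entry does, would make that explicit while unstable is still <unfixed>.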
@@ -1587,6 +1589,8 @@ CVE-2026-6526 (RTSP protocol dissector crash in Wireshark 4.6.0 to 4.6.4)
NOTE: https://gitlab.com/wireshark/wireshark/-/work_items/21173
CVE-2026-6525 [IEEE 802.11 protocol dissector crash]
- wireshark 4.6.5-1
+ [trixie] - wireshark <no-dsa> (Minor issue)
+ [bookworm] - wireshark <no-dsa> (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2026-36.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/21008
CVE-2026-6524 (MySQL protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 t ...)
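Review bot: The CVE-2026-6525 entry carries only a bracketed title with no affected version range, unlike the neighbouring CVE-2026-6526 entry, which names 4.6.0 to 4.6.4, so the new [trixie] and [bookworm] lines cannot be checked against the affected versions from this record. Please confirm that both suites ship the affected IEEE 802.11 dissector code. If one of them predates it, <not-affected> would be more accurate than <no-dsa> for that suite.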
@@ -1966,8 +1970,11 @@ CVE-2026-38991 (Cockpit 2.13.5 and earlier is affected by a misconfiguration wit
NOT-FOR-US: Cockpit-HQ/Cockpit
CVE-2026-37555 (An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF ...)
- libsndfile <unfixed> (bug #1135346)
+ [trixie] - libsndfile <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - libsndfile <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://www.openwall.com/lists/oss-security/2026/04/30/7
NOTE: CVE exists because of an incomplte fix for CVE-2022-33065.
+ NOTE: https://github.com/libsndfile/libsndfile/issues/1120
CVE-2026-36841 (TOTOLINK N200RE V5 was discovered to contain a command injection vulne ...)
NOT-FOR-US: TOTOLINK
CVE-2026-36837 (TOTOLINK A3002RU V3 <= V3.0.0-B20220304.1804 was discovered to contain ...)
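Review bot: The NOTE line directly above the added issue link reads "incomplte fix for CVE-2022-33065". Since this entry is being edited anyway, correct it to "incomplete" so that a text search for the phrase finds it. The added upstream issue link fits the <postponed> reason "revisit when fixed upstream", as it gives the place to check.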
@@ -4599,6 +4606,8 @@ CVE-2026-29050 (melange allows users to build apk packages using declarative pip
NOT-FOR-US: melange
CVE-2026-28525 (SWUpdate contains an integer underflow vulnerability in the multipart ...)
- swupdate 2025.12+dfsg-9
+ [trixie] - swupdate <no-dsa> (Minor issue)
+ [bookworm] - swupdate <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/sbabic/swupdate/commit/beee2dc0feef1cfe84f1aa6fc980e104b2e47a74
CVE-2026-27843 (A vulnerability exists inSenseLive X3050's web management interface th ...)
NOT-FOR-US: SenseLive
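Review bot: In the swupdate entry, "(Minor issue)" is the only justification for <no-dsa> on a bug described as an integer underflow in the multipart code, and the class of bug does not make the limited impact obvious. Please state in the parenthetical what bounds the impact. The fix commit is already referenced in the NOTE below, so the tag could also say whether a fix via point release is intended.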
@@ -19080,6 +19089,8 @@ CVE-2026-33755 (Group-Office is an enterprise customer relationship management a
NOT-FOR-US: Group-Office
CVE-2026-33750 (The brace-expansion library generates arbitrary strings containing a c ...)
- node-brace-expansion 2.0.3+~1.1.2-1 (bug #1132163)
+ [trixie] - node-brace-expansion <no-dsa> (Minor issue)
+ [bookworm] - node-brace-expansion <no-dsa> (Minor issue)
[bullseye] - node-brace-expansion <postponed> (Minor issue; DoS)
NOTE: https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
NOTE: Fixed by: https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5 (v2.0.3)
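Review bot: The new [trixie] and [bookworm] lines for node-brace-expansion say "(Minor issue)" while the existing [bullseye] line for the same CVE says "(Minor issue; DoS)". Use the same reason text on all three suites, for example "(Minor issue; DoS)", so that the entry reads consistently and the impact is visible on every line.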
=====================================
data/dsa-needed.txt
=====================================
@@ -47,8 +47,9 @@ krb5
--
lcms2 (jmm)
--
+libpng1.6
+--
libreswan/oldstable
- Waiting on feedback from maintainer
--
linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
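Review bot: libpng1.6 is added to dsa-needed.txt with no suite qualifier, no claimant and no status line, whereas the neighbouring entries show "libreswan/oldstable" and "lcms2 (jmm)". If the update is needed for one suite only, add the qualifier, and a one-line note on what is pending would help whoever picks it up. The same hunk drops "Waiting on feedback from maintainer" from libreswan/oldstable without a replacement, so that entry now has no status either. If the feedback has arrived, a short note on the next step would be useful.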
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6eb7004ad8acaf1b04e437523531b32fff498616