[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon May 4 13:04:20 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0d8e7816 by Moritz Muehlenhoff at 2026-05-04T14:03:44+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -84,21 +84,33 @@ CVE-2026-5335 (The Magic Export & Import WordPress plugin before 1.2.0 stores ex
NOT-FOR-US: WordPress plugin
CVE-2026-43864 (mutt before 2.3.2 has a show_sig_summary NULL pointer dereference.)
- mutt <unfixed>
+ [trixie] - mutt <no-dsa> (Minor issue)
+ [bookworm] - mutt <no-dsa> (Minor issue)
NOTE: Fixed by: https://gitlab.com/muttmua/mutt/-/commit/ebfa2969042d89303d15334193fcc32866c8a8df (mutt-2-3-2-rel)
CVE-2026-43863 (mutt before 2.3.2 has an infinite loop in data_object_to_stream in cry ...)
- mutt <unfixed>
+ [trixie] - mutt <no-dsa> (Minor issue)
+ [bookworm] - mutt <no-dsa> (Minor issue)
NOTE: Fixed by: https://gitlab.com/muttmua/mutt/-/commit/fdc04a171777327218a1e78db504926c388b48c4 (mutt-2-3-2-rel)
CVE-2026-43862 (In mutt before 2.3.2, the imap_auth_gss security level is mishandled.)
- mutt <unfixed>
+ [trixie] - mutt <no-dsa> (Minor issue)
+ [bookworm] - mutt <no-dsa> (Minor issue)
NOTE: Fixed by: https://gitlab.com/muttmua/mutt/-/commit/f547a849cdacb512800a5f477c27de217e1c8151 (mutt-2-3-2-rel)
CVE-2026-43861 (mutt before 2.3.2 does not check for '\0' in url_pct_decode.)
- mutt <unfixed>
+ [trixie] - mutt <no-dsa> (Minor issue)
+ [bookworm] - mutt <no-dsa> (Minor issue)
NOTE: Fixed by: https://gitlab.com/muttmua/mutt/-/commit/12f54fe3b61f761c096fe95e95d5e3072af00ed2 (mutt-2-3-2-rel)
CVE-2026-43860 (mutt before 2.3.2 sometimes truncates the hash_passwd by one byte for ...)
- mutt <unfixed>
+ [trixie] - mutt <no-dsa> (Minor issue)
+ [bookworm] - mutt <no-dsa> (Minor issue)
NOTE: Fixed by: https://gitlab.com/muttmua/mutt/-/commit/834c5a2ed0479e51e8662a31caed129f136f4805 (mutt-2-3-2-rel)
CVE-2026-43859 (mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMA ...)
- mutt <unfixed>
+ [trixie] - mutt <no-dsa> (Minor issue)
+ [bookworm] - mutt <no-dsa> (Minor issue)
NOTE: Fixed by: https://gitlab.com/muttmua/mutt/-/commit/834c5a2ed0479e51e8662a31caed129f136f4805 (mutt-2-3-2-rel)
CVE-2026-42370 (A stack overflow vulnerability exists in the WebCam Server Login funct ...)
NOT-FOR-US: GeoVision
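Review bot: CVE-2026-43860 and CVE-2026-43859 both point at the same fix commit (834c5a2ed0479e51e8662a31caed129f136f4805) in their "Fixed by" NOTE lines; if one upstream commit really fixes both the hash_passwd truncation and the strfcpy/memcpy issue that is fine, but it reads like a copy-paste and the second NOTE should be double-checked against the mutt-2-3-2-rel history. The trixie/bookworm <no-dsa> (Minor issue) annotations themselves are consistent with the <unfixed> sid state on all six entries.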
@@ -1599,6 +1611,8 @@ CVE-2026-5174 (Improper input validation vulnerability in Progress Software MOVE
NOT-FOR-US: Progress Software
CVE-2026-5080 (Dancer::Session::Abstract versions through 1.3522 for Perl generates s ...)
- libdancer-perl <unfixed> (bug #1135322)
+ [trixie] - libdancer-perl <no-dsa> (Minor issue)
+ [bookworm] - libdancer-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/39488574/
CVE-2026-4670 (Authentication bypass by primary weakness vulnerability in Progress So ...)
NOT-FOR-US: Progress Software
@@ -2869,6 +2883,8 @@ CVE-2026-41526 (In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to
NOTE: Fixed by: https://invent.kde.org/frameworks/kcoreaddons/-/commit/447250fb061d6a866eeef9ae3c21b627244b198a (v6.25.0)
CVE-2026-41525 (KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with A ...)
- dolphin 4:26.04.0-1
+ [trixie] - dolphin <no-dsa> (Minor issue)
+ [bookworm] - dolphin <no-dsa> (Minor issue)
NOTE: https://kde.org/info/security/advisory-20260427-2.txt
NOTE: Fixed by: https://invent.kde.org/system/dolphin/-/commit/4a4da5f73899cdd2a1ef111194e79a620eed7716 (v26.03.80)
CVE-2026-40980 (In Spring AI, a malicious PDF file can be crafted that triggers the al ...)
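Review bot: the CVE text says Dolphin before 25.12.3 is affected, while the "Fixed by" NOTE cites a commit tagged v26.03.80 and the unstable fix is 4:26.04.0-1; the two do not agree on which upstream release first carries the fix. Worth confirming against the linked KDE advisory before the trixie and bookworm <no-dsa> lines stand, since the answer decides whether a point-release backport of that single commit is enough.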
@@ -3295,6 +3311,8 @@ CVE-2026-42379 (Insertion of Sensitive Information Into Sent Data vulnerability
NOT-FOR-US: WordPress plugin or theme
CVE-2026-41635 (Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, o ...)
- mina2 <unfixed> (bug #1135167)
+ [trixie] - mina2 <no-dsa> (Minor issue)
+ [bookworm] - mina2 <no-dsa> (Minor issue)
- mina <removed>
NOTE: https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm
CVE-2026-41467 (ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scri ...)
@@ -3311,7 +3329,8 @@ CVE-2026-41462 (ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated
NOT-FOR-US: ProjeQtor
CVE-2026-41409 (The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() ...)
- mina2 <unfixed> (bug #1135347)
- [bookworm] - mina2 <not-affected> (Incomplete fix for CVE-2024-52046 not applied)
+ [trixie] - mina2 <no-dsa> (Minor issue)
+ [bookworm] - mina2 <no-dsa> (Minor issue)
- mina <not-affected> (Incomplete fix for CVE-2024-52046 not applied)
NOTE: https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9
NOTE: Issue exists because of an incomplete fix for CVE-2024-52046
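Review bot: the bookworm line flips from <not-affected> (Incomplete fix for CVE-2024-52046 not applied) to <no-dsa> (Minor issue), but the retained mina line and the trailing NOTE still state that this issue only exists where the incomplete CVE-2024-52046 fix was applied. If bookworm's mina2 never received that fix, the previous <not-affected> was correct and this change should be reverted; if it did receive it, keep the <no-dsa> and say so in a NOTE so the rationale matches. As written, the hunk leaves the two statements contradicting each other.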
@@ -13933,6 +13952,7 @@ CVE-2026-32289 (Context was not properly tracked across template branches for JS
- golang-1.26 1.26.2-1
- golang-1.25 1.25.9-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
@@ -13945,6 +13965,7 @@ CVE-2026-32288 (tar.Reader can allocate an unbounded amount of memory when readi
- golang-1.26 1.26.2-1
- golang-1.25 1.25.9-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
@@ -13957,6 +13978,7 @@ CVE-2026-32283 (If one side of the TLS connection sends multiple key update mess
- golang-1.26 1.26.2-1
- golang-1.25 1.25.9-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
@@ -13969,6 +13991,7 @@ CVE-2026-32282 (On Linux, if the target of Root.Chmod is replaced with a symlink
- golang-1.26 1.26.2-1
- golang-1.25 1.25.9-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
@@ -13981,6 +14004,7 @@ CVE-2026-32281 (Validating certificate chains which use policies is unexpectedly
- golang-1.26 1.26.2-1
- golang-1.25 1.25.9-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
@@ -13994,6 +14018,7 @@ CVE-2026-32280 (During chain building, the amount of work that is done is not co
- golang-1.26 1.26.2-1
- golang-1.25 1.25.9-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
@@ -14021,6 +14046,7 @@ CVE-2026-27144 (The compiler is meant to unwrap pointers which are the operands
- golang-1.26 1.26.2-1
- golang-1.25 1.25.9-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
@@ -14034,6 +14060,7 @@ CVE-2026-27143 (Arithmetic over induction variables in loops were not correctly
- golang-1.26 1.26.2-1
- golang-1.25 1.25.9-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
@@ -14047,6 +14074,7 @@ CVE-2026-27140 (SWIG file names containing 'cgo' and well-crafted payloads could
- golang-1.26 1.26.2-1
- golang-1.25 1.25.9-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
@@ -31126,6 +31154,7 @@ CVE-2026-27139 (On Unix platforms, when listing the contents of a directory usin
- golang-1.26 1.26.1-1
- golang-1.25 1.25.8-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
@@ -31150,6 +31179,7 @@ CVE-2026-27142 (Actions which insert URLs into the content attribute of HTML met
- golang-1.26 1.26.1-1
- golang-1.25 1.25.8-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
=====================================
data/dsa-needed.txt
=====================================
@@ -37,6 +37,8 @@ git-lfs/oldstable
--
gnutls28 (carnil)
--
+haproxy
+--
isc-kea/oldstable
--
jackson-core (apo)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d8e7816c441ee47991bf99200e34f0d30519cdd