[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon May 4 16:53:06 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b29a400d by Moritz Muehlenhoff at 2026-05-04T17:51:55+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -424,6 +424,8 @@ CVE-2026-7583 (A flaw has been found in Open5GS up to 2.7.7. This issue affects
- open5gs <itp> (bug #1094791)
CVE-2026-7582 (A vulnerability was detected in AcademySoftwareFoundation OpenImageIO ...)
- openimageio <unfixed> (bug #1135382)
+ [trixie] - openimageio <no-dsa> (Minor issue)
+ [bookworm] - openimageio <no-dsa> (Minor issue)
NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/5131
NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/94ec2deec3e3bf2f2e2ff84d008e27425d626fe2
CVE-2026-7581 (A security vulnerability has been detected in alexta69 MeTube up to 20 ...)
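Review bot: the `(Minor issue)` reason on the two new no-dsa lines for openimageio says nothing about what the flaw is, while unstable is still `<unfixed>` against bug #1135382 and the only pointers are the PR and commit links in the NOTE lines. Since the fixing commit is already identified, a one-phrase reason (what the bug does and why it does not warrant a DSA) would let whoever prepares the sid upload or a point-release update decide without re-reading the upstream PR.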
@@ -3449,6 +3451,7 @@ CVE-2026-25710
NOT-FOR-US: plasma-login-manager
CVE-2026-41682
- pupnp 1:1.14.31-1
+ [trixie] - pupnp <no-dsa> (Minor issue)
NOTE: https://github.com/pupnp/pupnp/security/advisories/GHSA-q522-6w45-4j58
NOTE: https://github.com/pupnp/pupnp/commit/58021a7600876c77403e2e06eb19d21efc196d21 (release-1.14.31)
CVE-2026-7106 (The Highland Software Custom Role Manager plugin for WordPress is vuln ...)
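Review bot: only a `[trixie]` no-dsa line is added for CVE-2026-41682, with no `[bookworm]` counterpart, unlike every other triage entry in this commit. If bookworm's pupnp is not affected, record that explicitly with a `[bookworm] - pupnp <not-affected> (reason)` line; if it is affected, it needs the same no-dsa annotation, otherwise the tracker keeps listing bookworm as open for this CVE while trixie shows as triaged.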
@@ -3529,6 +3532,8 @@ CVE-2026-7058 (A vulnerability has been found in 666ghj MiroFish up to 0.1.2. Th
NOT-FOR-US: 666ghj MiroFish
CVE-2026-42371 (uriparser before 1.0.1 has numeric truncation in text range comparison ...)
- uriparser <unfixed> (bug #1135109)
+ [trixie] - uriparser <no-dsa> (Minor issue)
+ [bookworm] - uriparser <no-dsa> (Minor issue)
NOTE: https://github.com/uriparser/uriparser/pull/298
NOTE: Fixed by: https://github.com/uriparser/uriparser/commit/2b014fad9ee69b0676a0a891ea21c7c3e8902f25 (uriparser-1.0.1)
NOTE: Fixed by: https://github.com/uriparser/uriparser/commit/47bab9f00c4b6ad93bbe7f8571a4aff16476dfd2 (uriparser-1.0.1)
@@ -3887,39 +3892,63 @@ CVE-2026-42095 (bookserver in KDE Arianna before 26.04.1 allows attackers to rea
NOTE: https://invent.kde.org/graphics/arianna/-/commit/3cd56fce103ab62887c5592827d78a1197cd926a
CVE-2026-42044 (Axios is a promise based HTTP client for the browser and Node.js. From ...)
- node-axios 1.15.2-1 (bug #1134878)
+ [trixie] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23
CVE-2026-42043 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
- node-axios 1.15.2-1 (bug #1134878)
+ [trixie] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7
CVE-2026-42042 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
- node-axios 1.15.2-1 (bug #1134878)
+ [trixie] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-xx6v-rp6x-q39c
CVE-2026-42041 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
- node-axios 1.15.2-1 (bug #1134878)
+ [trixie] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63
CVE-2026-42040 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
- node-axios 1.15.2-1 (bug #1134878)
+ [trixie] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw
CVE-2026-42039 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
- node-axios 1.15.2-1 (bug #1134878)
+ [trixie] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9
CVE-2026-42038 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
- node-axios 1.15.2-1 (bug #1134878)
+ [trixie] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-m7pr-hjqh-92cm
CVE-2026-42037 (Axios is a promise based HTTP client for the browser and Node.js. From ...)
- node-axios 1.15.2-1 (bug #1134878)
+ [trixie] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-445q-vr5w-6q77
CVE-2026-42036 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
- node-axios 1.15.2-1 (bug #1134878)
+ [trixie] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-vf2m-468p-8v99
CVE-2026-42035 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
- node-axios 1.15.2-1 (bug #1134878)
+ [trixie] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9
CVE-2026-42034 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
- node-axios 1.15.2-1 (bug #1134878)
+ [trixie] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-5c9x-8gcm-mpgx
CVE-2026-42033 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
- node-axios 1.15.2-1 (bug #1134878)
+ [trixie] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf
CVE-2026-41907 (uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to ...)
- node-uuid 14.0.0+~11.0.0-1
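Review bot: all twelve node-axios CVEs receive identical `<no-dsa> (Minor issue)` lines for trixie and bookworm, but the truncated descriptions are not uniform: CVE-2026-42044 and CVE-2026-42037 read `From ...`, i.e. an affected range with a lower bound, while the others read `Prior to ...`. Where an affected range starts after the version shipped in bookworm or trixie, the precise entry is `<not-affected> (Vulnerable code introduced in ...)` rather than no-dsa, and the linked GHSA pages give those ranges. It is also worth confirming that the single bug #1134878 shared by all twelve entries actually names all twelve CVE ids.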
@@ -3992,6 +4021,7 @@ CVE-2026-41321 (@astrojs/cloudflare is an SSR adapter for use with Cloudflare Wo
CVE-2026-41140 (Poetry is a dependency manager for Python. Prior to 2.3.4, the extract ...)
- poetry <unfixed>
[trixie] - poetry <not-affected> (Trixie ships Python 3.13)
+ [bookworm] - poetry <no-dsa> (Minor issue)
NOTE: https://github.com/python-poetry/poetry/security/advisories/GHSA-73h3-mf4w-8647
NOTE: Fixed by: https://github.com/python-poetry/poetry/commit/47e97340cae50d3698aac858732788861ba8dd1f (main)
NOTE: Fixed by: https://github.com/python-poetry/poetry/commit/e512e7fc5557251c7c9c59d0029506e77db1ea18 (2.3.4)
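Review bot: the existing `[trixie]` line rules trixie out because it ships Python 3.13, so the verdict for CVE-2026-41140 evidently depends on the interpreter version, yet the new `[bookworm]` line says only `(Minor issue)` and does not record which Python version makes bookworm affected. Putting that version in the reason makes the two lines explain each other. Note also that poetry stays `<unfixed>` in sid although a 2.3.4 fixing commit is listed.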
@@ -12354,38 +12384,56 @@ CVE-2026-5959 (A security flaw has been discovered in GL.iNet GL-RM1, GL-RM10, G
NOT-FOR-US: GL.iNet
CVE-2026-5445 (An out-of-bounds read vulnerability exists in the `DecodeLookupTable` ...)
- orthanc 1.12.10+dfsg-4 (bug #1133182)
+ [trixie] - orthanc <no-dsa> (Minor issue)
+ [bookworm] - orthanc <no-dsa> (Minor issue)
NOTE: https://kb.cert.org/vuls/id/536588
NOTE: https://orthanc.uclouvain.be/hg/orthanc/rev/5ce108190752
CVE-2026-5444 (A heap buffer overflow vulnerability exists in the PAM image parsing l ...)
- orthanc 1.12.10+dfsg-4 (bug #1133182)
+ [trixie] - orthanc <no-dsa> (Minor issue)
+ [bookworm] - orthanc <no-dsa> (Minor issue)
NOTE: https://kb.cert.org/vuls/id/536588
NOTE: https://orthanc.uclouvain.be/hg/orthanc/rev/5ce108190752
CVE-2026-5443 (A heap buffer overflow vulnerability exists during the decoding of `PA ...)
- orthanc 1.12.10+dfsg-4 (bug #1133182)
+ [trixie] - orthanc <no-dsa> (Minor issue)
+ [bookworm] - orthanc <no-dsa> (Minor issue)
NOTE: https://kb.cert.org/vuls/id/536588
NOTE: https://orthanc.uclouvain.be/hg/orthanc/rev/5ce108190752
CVE-2026-5442 (A heap buffer overflow vulnerability exists in the DICOM image decoder ...)
- orthanc 1.12.10+dfsg-4 (bug #1133182)
+ [trixie] - orthanc <no-dsa> (Minor issue)
+ [bookworm] - orthanc <no-dsa> (Minor issue)
NOTE: https://kb.cert.org/vuls/id/536588
NOTE: https://orthanc.uclouvain.be/hg/orthanc/rev/5ce108190752
CVE-2026-5441 (An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` fu ...)
- orthanc 1.12.10+dfsg-4 (bug #1133182)
+ [trixie] - orthanc <no-dsa> (Minor issue)
+ [bookworm] - orthanc <no-dsa> (Minor issue)
NOTE: https://kb.cert.org/vuls/id/536588
NOTE: https://orthanc.uclouvain.be/hg/orthanc/rev/5ce108190752
CVE-2026-5440 (A memory exhaustion vulnerability exists in the HTTP server due to unb ...)
- orthanc 1.12.10+dfsg-4 (bug #1133182)
+ [trixie] - orthanc <no-dsa> (Minor issue)
+ [bookworm] - orthanc <no-dsa> (Minor issue)
NOTE: https://kb.cert.org/vuls/id/536588
NOTE: https://orthanc.uclouvain.be/hg/orthanc/rev/5ce108190752
CVE-2026-5439 (A memory exhaustion vulnerability exists in ZIP archive processing. Or ...)
- orthanc 1.12.10+dfsg-4 (bug #1133182)
+ [trixie] - orthanc <no-dsa> (Minor issue)
+ [bookworm] - orthanc <no-dsa> (Minor issue)
NOTE: https://kb.cert.org/vuls/id/536588
NOTE: https://orthanc.uclouvain.be/hg/orthanc/rev/5ce108190752
CVE-2026-5438 (A gzip decompression bomb vulnerability exists when Orthanc processes ...)
- orthanc 1.12.10+dfsg-4 (bug #1133182)
+ [trixie] - orthanc <no-dsa> (Minor issue)
+ [bookworm] - orthanc <no-dsa> (Minor issue)
NOTE: https://kb.cert.org/vuls/id/536588
NOTE: https://orthanc.uclouvain.be/hg/orthanc/rev/5ce108190752
CVE-2026-5437 (An out-of-bounds read vulnerability exists in `DicomStreamReader` duri ...)
- orthanc 1.12.10+dfsg-4 (bug #1133182)
+ [trixie] - orthanc <no-dsa> (Minor issue)
+ [bookworm] - orthanc <no-dsa> (Minor issue)
NOTE: https://kb.cert.org/vuls/id/536588
NOTE: https://orthanc.uclouvain.be/hg/orthanc/rev/5ce108190752
CVE-2026-5329 (Rapid7 Velociraptor versions prior to 0.76.2contain an improper input ...)
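Review bot: three of these nine orthanc CVEs are heap buffer overflows in image decoding (CVE-2026-5444, CVE-2026-5443, CVE-2026-5442) and two more are out-of-bounds reads (CVE-2026-5445, CVE-2026-5441, CVE-2026-5437), yet all nine carry the bare `(Minor issue)` reason. For memory-corruption bugs in a DICOM server the no-dsa decision should say why it holds (for instance which inputs reach the decoder and whether they require authentication), otherwise a later reader of the same VU#536588 entries cannot tell whether severity was assessed per CVE or copied. The single hg revision 5ce108190752 cited for all nine also deserves a word: if it is one umbrella commit, a point-release update for 1.12.10+dfsg is one patch, which makes the no-dsa cheap to revisit.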
@@ -16880,6 +16928,8 @@ CVE-2026-34593 (Ash Framework is a declarative, extensible framework for buildin
NOT-FOR-US: Ash Framework
CVE-2026-34591 (Poetry is a dependency manager for Python. From version 1.4.0 to befor ...)
- poetry <unfixed> (bug #1132609)
+ [trixie] - poetry <no-dsa> (Minor issue)
+ [bookworm] - poetry <no-dsa> (Minor issue)
NOTE: https://github.com/python-poetry/poetry/security/advisories/GHSA-2599-h6xx-hpxp
NOTE: https://github.com/python-poetry/poetry/pull/10792
NOTE: Fixed by: https://github.com/python-poetry/poetry/commit/e068177d1bfef65de4c55cf71c36de27057f10e7 (2.3.3)
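Review bot: poetry is `<unfixed>` in unstable here (bug #1132609) just as it is for CVE-2026-41140 earlier in this commit, and both entries list upstream fixing commits (2.3.3 here, 2.3.4 there). One upload of poetry at or above 2.3.4 to sid closes both bugs, so it is worth raising them with the maintainer together rather than per CVE.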
@@ -17337,6 +17387,8 @@ CVE-2026-34514 (AIOHTTP is an asynchronous HTTP client/server framework for asyn
NOTE: Fixed by: https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06 (v3.13.4)
CVE-2026-34513 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
- python-aiohttp 3.13.5-1 (bug #1132582)
+ [trixie] - python-aiohttp <no-dsa> (Minor issue)
+ [bookworm] - python-aiohttp <no-dsa> (Minor issue)
NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hcc4-c3v8-rx92
NOTE: Fixed by: https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98 (v3.13.4)
CVE-2026-34456 (Reviactyl is an open-source game server management panel built using L ...)
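Review bot: CVE-2026-34514 in the leading context is fixed upstream in the same v3.13.4 release of the same package, python-aiohttp, but is not touched by this hunk, so it is not visible whether it carries matching `[trixie]` and `[bookworm]` annotations. If it does not, the tracker will show one of two issues fixed by the same upstream release as open for bookworm and trixie and the other as no-dsa; check the entry above and align the two.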
@@ -38443,6 +38495,8 @@ CVE-2025-15585 (Fileflows versions before 25.05.2 are affected by an authenticat
CVE-2025-15581 (Orthanc versions before 1.12.10 are affected by an authorisation logic ...)
{DLA-4494-1}
- orthanc 1.12.10+dfsg-1
+ [trixie] - orthanc <no-dsa> (Minor issue)
+ [bookworm] - orthanc <no-dsa> (Minor issue)
NOTE: https://projectblack.io/blog/orthanc-1-12-9-user-impersonation/#exploitation
NOTE: https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=252
CVE-2025-15041 (The BackWPup \u2013 WordPress Backup & Restore Plugin plugin for WordP ...)
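Review bot: `{DLA-4494-1}` on this entry means an LTS update was already issued for CVE-2025-15581, and the first NOTE links a write-up with an explicit `#exploitation` section on user impersonation, so a bare `(Minor issue)` for bookworm and trixie sits oddly next to it. Either record why no DSA is needed for those two releases (for example that 1.12.10+dfsg-1 or the fix is reachable through a point release, or that the affected authorisation path is not exposed by default) or reconsider the no-dsa.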
@@ -169522,6 +169576,8 @@ CVE-2025-1058 (CWE-494: Download of Code Without Integrity Check vulnerability e
NOT-FOR-US: Schneider Electric
CVE-2025-0896 (Orthanc server prior to version 1.5.8 does not enable basic authentica ...)
- orthanc 1.5.8+dfsg-1
+ [trixie] - orthanc <no-dsa> (Minor issue)
+ [bookworm] - orthanc <no-dsa> (Minor issue)
NOTE: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-037-02
NOTE: Exact fixing commit is unknown so far
CVE-2025-0837 (The Puzzles theme for WordPress is vulnerable to Stored Cross-Site Scr ...)
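Review bot: CVE-2025-0896 is recorded as fixed in orthanc 1.5.8+dfsg-1, many releases before the 1.12.10+dfsg versions the other orthanc entries in this commit are fixed in, so bookworm and trixie almost certainly ship a version at or above that fix already. A `<no-dsa>` annotation on a release whose version already satisfies the fixed-version line is redundant and can mask a real regression later. If the intent is that the 1.5.8 fix is incomplete (the second NOTE says the exact fixing commit is still unknown), then the fixed-version line is what needs changing, not the per-release annotations.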
=====================================
data/dsa-needed.txt
=====================================
@@ -58,6 +58,8 @@ linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more 6.1.y versions
--
+lxd/oldstable (jmm)
+--
mbedtls/oldstable
--
mimetex/oldstable
@@ -71,6 +73,8 @@ nodejs/oldstable (jmm)
opennds/oldstable
pinged maintainer, but no reply yet. should most probably be bumped to 10.x
--
+openvpn
+--
openvswitch
Maintainer proposed updates via security, but issue affects only FTP algo and
needs to be explicitly enabled, check for assessment DSA/no-dsa first
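Review bot: `openvpn` is added without a `/oldstable` suffix and without a status line, so by this file's convention it is a stable-only entry. If the issue also affects bookworm it needs a separate `openvpn/oldstable` entry, as was done for `lxd/oldstable` in the hunk above; a one-line note naming the CVE or the state of the fix, as the neighbouring opennds and openvswitch entries have, would also help whoever picks it up.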
@@ -80,6 +84,8 @@ pdfminer (carnil)
--
php-laravel-framework/oldstable
--
+prosody
+--
pyjwt (jmm)
Jochen Sprickerhof posted debdiffs for review
--
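Review bot: `prosody` is added with no `/oldstable` suffix, no claimant and no note, so it reads as a trixie-only item nobody has picked up yet. Confirm that bookworm's prosody is unaffected or already covered, otherwise add a `prosody/oldstable` entry as well, and consider a short status line like the pyjwt entry below so the next person does not have to re-derive the state of the fix.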
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b29a400dc2ceec067da3e11d29f7b48abb23893e