[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed May 6 12:49:43 BST 2026 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3cb302cb by Moritz Muehlenhoff at 2026-05-06T13:47:39+02:00
trixie/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -815,11 +815,15 @@ CVE-2026-42151 (Prometheus is an open-source monitoring system and time series d
 	NOTE: https://github.com/prometheus/prometheus/pull/18590
 CVE-2026-42146 (CImg Library is a C++ library for image processing. Prior to commit c3 ...)
 	- cimg <unfixed> (bug #1135778)
+	[trixie] - cimg <no-dsa> (Minor issue)
+	[bookworm] - cimg <no-dsa> (Minor issue)
 	NOTE: https://github.com/GreycLab/CImg/security/advisories/GHSA-g54r-qmgx-c6fv
 	NOTE: https://github.com/GreycLab/CImg/issues/477
 	NOTE: Fixed by: https://github.com/GreycLab/CImg/commit/c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3 (v3.7.5)
 CVE-2026-42144 (CImg Library is a C++ library for image processing. Prior to commit 4c ...)
 	- cimg <unfixed> (bug #1135778)
+	[trixie] - cimg <no-dsa> (Minor issue)
+	[bookworm] - cimg <no-dsa> (Minor issue)
 	NOTE: https://github.com/GreycLab/CImg/security/advisories/GHSA-4663-63fm-44gc
 	NOTE: https://github.com/GreycLab/CImg/issues/478
 	NOTE: Fixed by: https://github.com/GreycLab/CImg/commit/4ca26bce4d8c61fcd1507d5f9401b9fb1222c27d (v3.7.5)
@@ -3913,6 +3917,8 @@ CVE-2026-6706 (Improper  access control in the vault documentation feature in De
 	NOT-FOR-US: Devolutions
 CVE-2026-6238 (The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the  ...)
 	- glibc <unfixed> (bug #1135231)
+	[trixie] - glibc <no-dsa> (Minor issue)
+	[bookworm] - glibc <no-dsa> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=34069
 	NOTE: https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0012
 CVE-2026-5944 (An improper access control vulnerability exists in the Cisco Intersigh ...)
@@ -3927,6 +3933,8 @@ CVE-2026-5779 (An insecure direct object reference (IDOR) vulnerability in MphRx
 	NOT-FOR-US: MphRx Minerva
 CVE-2026-5435 (The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the  ...)
 	- glibc <unfixed> (bug #1135230)
+	[trixie] - glibc <no-dsa> (Minor issue)
+	[bookworm] - glibc <no-dsa> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=34033
 	NOTE: https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0011
 CVE-2026-4911 (The Booking Package plugin for WordPress is vulnerable to Price Manipu ...)
@@ -20255,9 +20263,11 @@ CVE-2026-4988 (A security flaw has been discovered in Open5GS 2.7.6. This issue
 CVE-2026-4987 (The SureForms \u2013 Contact Form, Payment Form & Other Custom Form Bu ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-4985 (A vulnerability was identified in dloebl CGIF up to 0.5.2. This vulner ...)
-	- cgif 0.5.3-1 (bug #1132167)
+	- cgif 0.5.3-1 (bug #1132167; unimportant)
 	NOTE: https://github.com/dloebl/cgif/issues/110
 	NOTE: https://github.com/dloebl/cgif/pull/112
+	NOTE: https://github.com/dloebl/cgif/commit/a9ecd7a129f3f7177dfec3e0e7b48c87131ac410
+	NOTE: No security impact per upstream
 CVE-2026-4984 (The Twilio integration webhook handler accepts any POST request withou ...)
 	NOT-FOR-US: botpress
 CVE-2026-4982 (A user with permission "update world" in any Venueless world is able t ...)
@@ -27006,7 +27016,7 @@ CVE-2026-26945 (Dell Integrated Dell Remote Access Controller 9, 14G versions pr
 CVE-2026-26740 (Buffer Overflow vulnerability in giflib v.5.2.2 allows a remote attack ...)
 	- giflib <unfixed> (bug #1131368)
 	NOTE: https://github.com/zakkanijia/POC/blob/main/giflib/giftool/giflib_giftool_gce_len_heap_oobwrite_disclosure.md
-	TODO: check report upstream
+	NOTE: https://sourceforge.net/p/giflib/bugs/199/
 CVE-2026-25449 (Deserialization of Untrusted Data vulnerability in shinetheme Traveler ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-24063 (When a plugin is installed using the Arturia Software Center (MacOS),  ...)
@@ -28415,6 +28425,8 @@ CVE-2026-32628 (AnythingLLM is an application that turns pieces of content into
 CVE-2026-32627 (cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTT ...)
 	[experimental] - cpp-httplib 0.41.0+ds-1
 	- cpp-httplib 0.41.0+ds-3 (bug #1130876)
+	[trixie] - cpp-httplib <no-dsa> (Minor issue)
+	[bookworm] - cpp-httplib <no-dsa> (Minor issue)
 	NOTE: https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-c3h8-fqq4-xm4g
 CVE-2026-32626 (AnythingLLM is an application that turns pieces of content into contex ...)
 	NOT-FOR-US: AnythingLLM
@@ -31909,6 +31921,8 @@ CVE-2026-29184 (Backstage is an open framework for building developer portals. P
 CVE-2026-29076 (cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTT ...)
 	[experimental] - cpp-httplib 0.41.0+ds-1
 	- cpp-httplib 0.41.0+ds-3 (bug #1130235)
+	[trixie] - cpp-httplib <no-dsa> (Minor issue)
+	[bookworm] - cpp-httplib <no-dsa> (Minor issue)
 	NOTE: https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-qq6v-r583-3h69
 	NOTE: Fixed by: https://github.com/yhirose/cpp-httplib/commit/de296af3eb5b0d5c116470e033db900e4812c5e6 (v0.37.0)
 CVE-2026-29067 (ZITADEL is an open source identity management platform. From version 4 ...)
@@ -150920,13 +150934,11 @@ CVE-2025-31672 (Improper Input Validation vulnerability in Apache POI. The issue
 	NOTE: https://www.openwall.com/lists/oss-security/2025/04/08/2
 	NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=69620
 CVE-2025-31344 (Heap-based Buffer Overflow vulnerability in openEuler giflib on Linux. ...)
-	- giflib <unfixed> (bug #1102520)
-	[trixie] - giflib <no-dsa> (Minor issue)
-	[bookworm] - giflib <no-dsa> (Minor issue)
-	[bullseye] - giflib <postponed> (Minor issue, revisit when fixed upstream)
+	- giflib <unfixed> (bug #1102520; unimportant)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/04/07/3
 	NOTE: https://sourceforge.net/p/giflib/bugs/176/
 	NOTE: Fixed by: https://sourceforge.net/p/giflib/code/ci/7bbe8ea1a595bb7509ffa0a86b076e9b720e85af/ (6.1.1)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2025-22017 (In the Linux kernel, the following vulnerability has been resolved:  d ...)
 	- linux 6.12.21-1
 	[bookworm] - linux <not-affected> (Vulnerable code not present)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cb302cb300e2f32ede7ad3e2441077c8a42765f

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cb302cb300e2f32ede7ad3e2441077c8a42765f
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260506/330efeb7/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list