[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed May 6 16:20:36 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0e7e4405 by Moritz Muehlenhoff at 2026-05-06T17:20:25+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1480,19 +1480,26 @@ CVE-2026-43060 (In the Linux kernel, the following vulnerability has been resolv
NOTE: https://git.kernel.org/linus/36eae0956f659e48d5366d9b083d9417f3263ddc (7.0-rc5)
CVE-2026-6502
- qemu 1:11.0.0+ds-2
+ [trixie] - qemu <no-dsa> (Minor issue)
[bookworm] - qemu <not-affected> (Vulnerable code not present)
NOTE: Introduced with: https://gitlab.com/qemu-project/qemu/-/commit/7c092f17cceef10258ed23006b40e19b14996471 (v9.2.0-rc0)
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/30fad722ce68316d22b926ba0e6017f0440465df
CVE-2026-6907 (An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `dj ...)
- python-django 3:5.2.14-1 (bug #1135755)
+ [trixie] - python-django <no-dsa> (Minor issue)
+ [bookworm] - python-django <no-dsa> (Minor issue)
NOTE: https://www.djangoproject.com/weblog/2026/may/05/security-releases/
NOTE: Fixed by: https://github.com/django/django/commit/2115d4eaee15107f5cd290d7cfcc5ffe3ad43661 (5.2.14)
CVE-2026-35192 (An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Res ...)
- python-django 3:5.2.14-1 (bug #1135755)
+ [trixie] - python-django <no-dsa> (Minor issue)
+ [bookworm] - python-django <no-dsa> (Minor issue)
NOTE: https://www.djangoproject.com/weblog/2026/may/05/security-releases/
NOTE: Fixed by: https://github.com/django/django/commit/47cf968c125e3fab317e10fe150ec479e745f995 (5.2.14)
CVE-2026-5766 (An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASG ...)
- python-django 3:5.2.14-1 (bug #1135755)
+ [trixie] - python-django <no-dsa> (Minor issue)
+ [bookworm] - python-django <no-dsa> (Minor issue)
NOTE: https://www.djangoproject.com/weblog/2026/may/05/security-releases/
NOTE: Fixed by: https://github.com/django/django/commit/2ec27eda3ba6c14f0856e6e3eb1df07c41fd95e6 (5.2.14)
CVE-2026-43869 (Improper Validation of Certificate with Host Mismatch vulnerability in ...)
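Review bot: the CVE-2026-6502 "Fixed by" NOTE line has no parenthesised upstream release after the commit URL, unlike the other Fixed by lines in this hunk (e.g. `(5.2.14)` on the three django entries); recording the qemu release that contains 30fad722 would make the new trixie `<no-dsa>` tag easy to revisit at point-update time, given that the bookworm line already pins the introducing commit to v9.2.0-rc0. The three python-django entries consistently point at bug #1135755 and 3:5.2.14-1, so those look fine.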
@@ -2257,6 +2264,8 @@ CVE-2026-0703 (The NextMove Lite \u2013 Thank You Page for WooCommerce plugin fo
NOT-FOR-US: WordPress plugin
CVE-2026-40561 (Starlet versions through 0.31 for Perl allows HTTP Request Smuggling v ...)
- starlet 0.31-3 (bug #1135584)
+ [trixie] - starlet <no-dsa> (Minor issue)
+ [bookworm] - starlet <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/39593408/
NOTE: Fixed by: https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0
CVE-2026-7647 (The Profile Builder Pro plugin for WordPress is vulnerable to PHP Obje ...)
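Review bot: the `<no-dsa> (Minor issue)` tags for CVE-2026-40561 carry no rationale for what the description calls HTTP Request Smuggling in a server, and the parentheses elsewhere in this commit do hold free-text reasons (`Vulnerable code not present`); a short reason here would make the triage auditable later. The Fixed by line also lacks the upstream release after the Starlet commit URL.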
@@ -4336,6 +4345,8 @@ CVE-2026-XXXX [RUSTSEC-2026-0113]
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0113.html
CVE-2026-7111 (Text::CSV_XS versions before 1.62 for Perl have a use-after-free when ...)
- libtext-csv-xs-perl 1.62-1 (bug #1135232)
+ [trixie] - libtext-csv-xs-perl <no-dsa> (Minor issue)
+ [bookworm] - libtext-csv-xs-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/39453344/
NOTE: https://github.com/cpan-authors/Text-CSV_XS/issues/65
NOTE: Requisite for test case: https://github.com/cpan-authors/Text-CSV_XS/commit/b69bd94c2847cf3a28442af6286a345435955bcd
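Review bot: within the visible context CVE-2026-7111 records a "Requisite for test case" commit but no "Fixed by" line for the use-after-free itself, although the entry already names 1.62 as the fixed upstream release; adding the actual fix commit beside the test-case prerequisite would help anyone preparing a backport for the two `<no-dsa>`-tagged suites.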
@@ -11352,6 +11363,8 @@ CVE-2026-6383 (A flaw was found in KubeVirt's Role-Based Access Control (RBAC) e
NOT-FOR-US: KubeVirt
CVE-2026-6245 (A flaw was found in the System Security Services Daemon (SSSD). The pa ...)
- sssd <unfixed> (bug #1134269)
+ [trixie] - sssd <no-dsa> (Minor issue)
+ [bookworm] - sssd <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2457954
NOTE: https://github.com/SSSD/sssd/pull/8622
NOTE: Fixed by: https://github.com/SSSD/sssd/commit/550b08cabe4dd5508c7ea74f634869374204d63f (2.13.0)
@@ -57949,9 +57962,13 @@ CVE-2025-67732 (Dify is an open-source LLM app development platform. Prior to ve
NOT-FOR-US: Dify
CVE-2025-66648 (vega-functions provides function implementations for the Vega expressi ...)
- vega.js 5.33.1+ds+~cs5.3.0-2 (bug #1125185)
+ [trixie] - vega.js <no-dsa> (Minor issue)
+ [bookworm] - vega.js <no-dsa> (Minor issue)
NOTE: https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm
CVE-2025-65110 (Vega is a visualization grammar, a declarative format for creating, sa ...)
- vega.js 5.33.1+ds+~cs5.3.0-4 (bug #1125184)
+ [trixie] - vega.js <no-dsa> (Minor issue)
+ [bookworm] - vega.js <no-dsa> (Minor issue)
NOTE: https://github.com/vega/vega/security/advisories/GHSA-829q-m3qg-ph8r
CVE-2025-64425 (Coolify is an open-source and self-hostable tool for managing servers, ...)
NOT-FOR-US: Coolify
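Review bot: CVE-2025-66648 and CVE-2025-65110 (and CVE-2025-59840 in the next hunk) are tagged `<no-dsa>` with only a GHSA advisory as reference and no Fixed by commit, whereas the later vega.js entries in this same commit (CVE-2025-27793, CVE-2025-26619) record both the fixing commit and the upstream release; adding the same for these three would make a future point-update backport straightforward.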
@@ -79058,6 +79075,8 @@ CVE-2025-60671 (A command injection vulnerability exists in the D-Link DIR-823G
NOT-FOR-US: D-Link
CVE-2025-59840 (Vega is a visualization grammar, a declarative format for creating, sa ...)
- vega.js 5.33.1+ds+~cs5.3.0-4 (bug #1125183)
+ [trixie] - vega.js <no-dsa> (Minor issue)
+ [bookworm] - vega.js <no-dsa> (Minor issue)
NOTE: https://github.com/vega/vega/security/advisories/GHSA-7f2v-3qq3-vvjf
CVE-2025-59480 (Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redir ...)
NOT-FOR-US: Mattermost Mobile Apps
@@ -156689,6 +156708,8 @@ CVE-2025-28135 (TOTOLINK A810R V4.1.2cu.5182_B20201026 was found to contain a bu
NOT-FOR-US: TOTOLINK
CVE-2025-27793 (Vega is a visualization grammar, a declarative format for creating, sa ...)
- vega.js 5.33.1+ds+~cs5.3.0-1 (bug #1125182)
+ [trixie] - vega.js <no-dsa> (Minor issue)
+ [bookworm] - vega.js <no-dsa> (Minor issue)
NOTE: https://github.com/vega/vega/security/advisories/GHSA-963h-3v39-3pqf
NOTE: Fixed by: https://github.com/vega/vega/commit/694560c0aa576df8b6c5f0f7d202ac82233e6966 (v5.32.0)
CVE-2025-26909 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
@@ -156709,6 +156730,8 @@ CVE-2025-26731 (Improper Neutralization of Input During Web Page Generation ('Cr
NOT-FOR-US: WordPress plugin or theme
CVE-2025-26619 (Vega is a visualization grammar, a declarative format for creating, sa ...)
- vega.js 5.33.1+ds+~cs5.3.0-1 (bug #1125181)
+ [trixie] - vega.js <no-dsa> (Minor issue)
+ [bookworm] - vega.js <no-dsa> (Minor issue)
NOTE: https://github.com/vega/vega/security/advisories/GHSA-rcw3-wmx7-cphr
NOTE: https://github.com/vega/vega/issues/3984
NOTE: Fixed by: https://github.com/vega/vega/commit/8fc129a6f8a11e96449c4ac0f63de0e5bfc7254c (v5.31.0)
@@ -171069,6 +171092,7 @@ CVE-2025-25740 (D-Link DIR-853 A1 FW1.20B07 was discovered to contain a stack-ba
NOT-FOR-US: D-Link
CVE-2025-25304 (Vega is a visualization grammar, a declarative format for creating, sa ...)
- vega.js 5.28.0+ds+~cs5.3.0-1
+ [bookworm] - vega.js <no-dsa> (Minor issue)
NOTE: https://github.com/vega/vega/security/advisories/GHSA-mp7w-mhcv-673j
NOTE: Fixed by: https://github.com/vega/vega/commit/9fb9ea07e27984394e463d286eb73944fa61411e (v5.26.0)
CVE-2025-25297 (Label Studio is an open source data labeling tool. Prior to version 1. ...)
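Review bot: unlike the other vega.js entries in this commit, CVE-2025-25304 gets only a bookworm `<no-dsa>` tag and no trixie line; that is presumably because the unstable fix in 5.28.0+ds+~cs5.3.0-1 (upstream v5.26.0) predates what trixie ships, while the other entries are fixed only in 5.33.1+ds+~cs5.3.0-1 or later, but it is worth confirming the trixie version so the entry is not read as an oversight.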
=====================================
data/dsa-needed.txt
=====================================
@@ -44,6 +44,8 @@ isc-kea/oldstable
--
jackson-core (apo)
--
+jetty12/stable
+--
kamailio
--
krb5
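Review bot: `jetty12/stable` is added to dsa-needed.txt without a claimant or a note line, and this commit changes no jetty12 entry in data/CVE/list; that is fine if the CVE entries already carry the status, but a short note between the separators (which CVE(s) the DSA is for, and why only stable) would help whoever picks it up, as entries like `jackson-core (apo)` at least record ownership.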
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e7e4405cfaee5a0f70e7b9d8f5a1616dbe17d69