[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu May 7 08:24:59 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
302fb74d by Moritz Muehlenhoff at 2026-05-07T09:24:46+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2696,6 +2696,8 @@ CVE-2026-43868 (Memory Allocation with Excessive Size Value vulnerability in Apa
 	NOTE: rust bindings not built in Debian package
 CVE-2026-43964 (Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 somet ...)
 	- postfix 3.11.2-1 (bug #1135718)
+	[trixie] - postfix <no-dsa> (Minor issue)
+	[bookworm] - postfix <no-dsa> (Minor issue)
 	NOTE: https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/04/25
 CVE-2026-7740 (A security vulnerability has been detected in justdan96 tsMuxer up to  ...)
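Review bot: only trixie and bookworm get annotations for postfix here and no `[bullseye]` line is added, although the description covers every Postfix release before 3.8.16; if bullseye's postfix falls in that range, the LTS annotation (e.g. a `<postponed>` line, as used for other packages in this patch) is still missing. A short reason beyond `Minor issue` would also help, since the two NOTE links are the only rationale recorded for the no-dsa decision.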
@@ -4339,6 +4341,7 @@ CVE-2026-42799 (Out-of-bounds read vulnerability in ASR Kestrel (nr_fw modules)
 	NOT-FOR-US: ASR Microelectronics
 CVE-2026-42798 (Little CMS (lcms2) 2.16 through 2.18 before 2.19 has an integer overfl ...)
 	- lcms2 <unfixed> (bug #1135320)
+	[bookworm] - lcms2 <not-affected> (Vulnerable code not present)
 	[bullseye] - lcms2 <not-affected> (Vulnerable code not present; added in 2.16)
 	NOTE: Fixed by: https://github.com/mm2/Little-CMS/commit/6a686019825a89b715d16671f18d049523354176 (lcms2.19rc1)
 CVE-2026-42512 (As dhclient is building an environment to pass to dhclient-script, it  ...)
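Review bot: the reason on the new bookworm line is less informative than the neighbouring bullseye one. `[bullseye] - lcms2 <not-affected> (Vulnerable code not present; added in 2.16)` explains why the code is absent and matches the description's `2.16 through 2.18 before 2.19` range, while the new `[bookworm]` line only says `Vulnerable code not present`; carrying the `added in 2.16` qualifier over would make the bookworm triage self-explanatory.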
@@ -11026,6 +11029,7 @@ CVE-2026-40491 (gdown is a Google Drive public file/folder downloader. Versions
 	NOTE: Fixed by: https://github.com/wkentaro/gdown/commit/af569fc6ed300b7974dee66dc51e9f01b57b4dff (v5.2.2)
 CVE-2026-40490 (The AsyncHttpClient (AHC) library allows Java applications to easily e ...)
 	- async-http-client <unfixed> (bug #1134337)
+	[bookworm] - async-http-client <no-dsa> (Minor issue)
 	[bullseye] - async-http-client <postponed> (minor issue)
 	NOTE: https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-cmxv-58fp-fm3g
 	NOTE: Fixed by: https://github.com/AsyncHttpClient/async-http-client/commit/6b2fbb7f88f322f1a90345d77d8a1ffe36dfa5f4 (async-http-client-project-3.0.9)
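Review bot: style point on the new bookworm line: its reason reads `(Minor issue)` while the adjacent bullseye line reads `(minor issue)`; both spellings occur across this patch, so picking one for adjacent lines keeps the entry consistent. The split of bookworm `<no-dsa>` beside bullseye `<postponed>` is otherwise a plausible triage for an issue still `<unfixed>` in unstable (bug #1134337).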
@@ -13499,7 +13503,9 @@ CVE-2026-6100 (Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`,
 	{DLA-4532-1}
 	- python3.14 3.14.5~rc1-1
 	- python3.13 <unfixed>
+	[bookworm] - python3.13 <no-dsa> (Minor issue)
 	- python3.11 <removed>
+	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (not supported in bullseye)
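Review bot: the new `[bookworm] - python3.13 <no-dsa> (Minor issue)` line looks like it should be a `[trixie]` entry. In the CVE-2026-4224 and CVE-2026-3644 hunks of this same patch the python3.13 annotation is `[trixie] - python3.13 <no-dsa> (Minor issue)` and only python3.11 gets a `[bookworm]` line, and the commit title is trixie/bookworm triage; as written, this entry leaves python3.13 `<unfixed>` without any trixie annotation while bookworm receives two.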
@@ -29467,6 +29473,7 @@ CVE-2026-4224 (When an Expat parser with a registered ElementDeclHandler parses
 	- python3.13 <unfixed>
 	[trixie] - python3.13 <no-dsa> (Minor issue)
 	- python3.11 <removed>
+	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
@@ -29486,6 +29493,7 @@ CVE-2026-3644 (The fix for CVE-2026-0672, which rejected control characters in h
 	- python3.13 <unfixed>
 	[trixie] - python3.13 <no-dsa> (Minor issue)
 	- python3.11 <removed>
+	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/
 	NOTE: https://github.com/python/cpython/issues/145599
@@ -37382,11 +37390,15 @@ CVE-2026-27933 (Manyfold is an open source, self-hosted web application for mana
 	NOT-FOR-US: Manyfold
 CVE-2026-27904 (minimatch is a minimal matching utility for converting glob expression ...)
 	- node-minimatch 9.0.7-1 (bug #1129095)
+	[trixie] - node-minimatch <no-dsa> (Minor issue)
+	[bookworm] - node-minimatch <no-dsa> (Minor issue)
 	[bullseye] - node-minimatch <postponed> (minor issue; DoS)
 	NOTE: https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74
 	NOTE: Fixed by: https://github.com/isaacs/minimatch/commit/0d4616de9193bf1d359271662e92657bb51b2f75 (v9.0.7)
 CVE-2026-27903 (minimatch is a minimal matching utility for converting glob expression ...)
 	- node-minimatch 9.0.7-1 (bug #1129095)
+	[trixie] - node-minimatch <no-dsa> (Minor issue)
+	[bookworm] - node-minimatch <no-dsa> (Minor issue)
 	[bullseye] - node-minimatch <postponed> (minor issue; DoS)
 	NOTE: https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj
 	NOTE: Fixed by: https://github.com/isaacs/minimatch/commit/0d4616de9193bf1d359271662e92657bb51b2f75 (v9.0.7)
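Review bot: the bullseye lines for both minimatch CVEs qualify the reason as `(minor issue; DoS)`, but the new trixie and bookworm lines say only `(Minor issue)`; adding the `DoS` qualifier to the new lines keeps the impact visible in the stable and oldstable annotations as well. Treating CVE-2026-27904 and CVE-2026-27903 identically is consistent, since both point at the same upstream fix commit and the same Debian fix version 9.0.7-1.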


=====================================
data/dsa-needed.txt
=====================================
@@ -57,6 +57,8 @@ lcms2 (jmm)
 libpng1.6
   Maintainer will work on updates
 --
+libreoffice (jmm)
+--
 libreswan/oldstable
 --
 linux (carnil)
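Review bot: the new `libreoffice (jmm)` entry carries no status line, unlike `libpng1.6` with `Maintainer will work on updates`, and no suite suffix like `libreswan/oldstable`; a one-line note on which suite(s) and which CVEs the DSA is being prepared for would help other team members pick up or avoid duplicating the work.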



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/302fb74df8e664d4a5a38c56b8942a5915b8d4a6


