[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Thu May 7 11:43:50 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5345aab3 by Moritz Muehlenhoff at 2026-05-07T12:43:41+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -235,6 +235,8 @@ CVE-2026-33441
REJECTED
CVE-2026-44353
- streamlink 8.4.0-1
+ [trixie] - streamlink <no-dsa> (Minor issue)
+ [bookworm] - streamlink <no-dsa> (Minor issue)
NOTE: https://github.com/streamlink/streamlink/security/advisories/GHSA-hgqw-6m45-hw5f
CVE-2026-8031 (A vulnerability was detected in PicoTronica e-Clinic Healthcare System ...)
NOT-FOR-US: PicoTronica e-Clinic Healthcare System
@@ -696,6 +698,7 @@ CVE-2026-34473 (Unauthenticated DoS in ZTE H8102E, H168N, H167A, H199A, H288A, H
NOT-FOR-US: ZTE
CVE-2026-33079 (In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regula ...)
- mistune <unfixed>
+ [trixie] - mistune <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - mistune <not-affected> (Vulnerable code not present)
[bullseye] - mistune <not-affected> (Vulnerable code not present)
NOTE: https://github.com/lepture/mistune/security/advisories/GHSA-8mp2-v27r-99xp
@@ -6111,8 +6114,9 @@ CVE-2026-42379 (Insertion of Sensitive Information Into Sent Data vulnerability
CVE-2026-41635 (Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, o ...)
- mina2 <unfixed> (bug #1135167)
[trixie] - mina2 <no-dsa> (Minor issue)
- [bookworm] - mina2 <no-dsa> (Minor issue)
+ [bookworm] - mina2 <ignored> (Minor issue)
- mina <removed>
+ [bookworm] - mina <ignored> (Minor issue)
NOTE: https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm
CVE-2026-41467 (ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scri ...)
NOT-FOR-US: ProjeQtor
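Review bot: The two bookworm `<ignored>` lines (mina2 and mina) carry the reason "Minor issue", the same text the trixie line uses for `<no-dsa>`, so the entry does not record why bookworm is now marked as will-not-fix while trixie stays at `<no-dsa>`. Suggest a reason that states the ground for ignoring the issue in bookworm. The commit message should also mention that mina2's existing bookworm state was changed rather than newly triaged.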
@@ -6640,6 +6644,7 @@ CVE-2026-41244 (Mojic is a CLI tool to transform readable C code into an unrecog
NOT-FOR-US: Mojic
CVE-2026-XXXX [RUSTSEC-2026-0104]
- rust-rustls-webpki 0.103.13+ds-1
+ [trixie] - rust-rustls-webpki <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0104.html
NOTE: https://github.com/advisories/GHSA-82j2-j2ch-gfr8
CVE-2026-42254 (Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zone pois ...)
@@ -13561,7 +13566,7 @@ CVE-2026-6100 (Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`,
{DLA-4532-1}
- python3.14 3.14.5~rc1-1
- python3.13 <unfixed>
- [bookworm] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 <no-dsa> (Minor issue)
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
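Review bot: On python3.13 the `[bookworm]` line is removed and a `[trixie]` line with the identical state is added, which is a suite correction rather than new triage, and the commit message "trixie/bookworm triage" does not record it. The python3.11 entry just below keeps its `[bookworm]` tag, so it is worth checking that no other python3.13 entry in the file carries the same wrong suite tag.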
@@ -15487,6 +15492,7 @@ CVE-2026-1403
- gitlab <unfixed>
CVE-2026-XXXX [RUSTSEC-2026-0049]
- rust-rustls-webpki 0.103.10+ds-1 (bug #1133085)
+ [trixie] - rust-rustls-webpki <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0049.html
CVE-2026-5919 (Insufficient validation of untrusted input in WebSockets in Google Chr ...)
{DSA-6205-1}
@@ -29429,6 +29435,7 @@ CVE-2025-71239 (In the Linux kernel, the following vulnerability has been resolv
NOTE: https://git.kernel.org/linus/4f493a6079b588cf1f04ce5ed6cdad45ab0d53dc (7.0-rc1)
CVE-2026-32829 (lz4_flex is a pure Rust implementation of LZ4 compression/decompressio ...)
- rust-lz4-flex 0.13.0-1
+ [trixie] - rust-lz4-flex <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0041.html
NOTE: https://github.com/advisories/GHSA-vvp9-7p8x-rfvv
CVE-2026-4312 (GCB/FCB Audit Software developed by DrangSoft has a Missing Authentica ...)
@@ -337538,10 +337545,12 @@ CVE-2023-26488 (OpenZeppelin Contracts is a library for secure smart contract de
NOT-FOR-US: OpenZeppelin
CVE-2023-26487 (Vega is a visualization grammar, a declarative format for creating, sa ...)
- vega.js 5.25.0+ds+~cs5.3.0-1
+ [bookworm] - vega.js <no-dsa> (Minor issue)
NOTE: https://github.com/vega/vega/security/advisories/GHSA-w5m3-xh75-mp55
NOTE: https://github.com/vega/vega/commit/01adb034f24727d3bb321bbbb6696a7f4cd91689 (v5.23.0)
CVE-2023-26486 (Vega is a visualization grammar, a declarative format for creating, sa ...)
- vega.js 5.25.0+ds+~cs5.3.0-1
+ [bookworm] - vega.js <no-dsa> (Minor issue)
NOTE: https://github.com/vega/vega/security/advisories/GHSA-4vq7-882g-wcg4
CVE-2023-26485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...)
- cmark-gfm 0.29.0.gfm.13-1 (bug #1034171)
=====================================
data/dsa-needed.txt
=====================================
@@ -122,5 +122,7 @@ tomcat10 (apo)
--
tomcat11/stable (apo)
--
+tor
+--
xrdp
--
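Review bot: The new `tor` entry has neither a suite qualifier nor a claimant, unlike `tomcat11/stable (apo)` just above it, and none of the data/CVE/list hunks shown in this commit touch a tor entry, so the reason for queueing it is not visible from the change. Suggest adding the suite if only one release needs the update, or naming the issue in the commit message.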
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5345aab3e474d102f67fb87041a0f423e58e27c7