[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon May 11 18:26:12 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f3a896b1 by Moritz Muehlenhoff at 2026-05-11T19:25:01+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -671,6 +671,8 @@ CVE-2026-41496 (PraisonAI is a multi-agent teams system. Prior to praisonai vers
 	NOT-FOR-US: PraisonAI
 CVE-2026-41493 (YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path tra ...)
 	- yard <unfixed> (bug #1136076)
+	[trixie] - yard <no-dsa> (Minor issue)
+	[bookworm] - yard <no-dsa> (Minor issue)
 	NOTE: https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
 CVE-2026-41491 (Dapr is a portable, event-driven, runtime for building distributed app ...)
 	NOT-FOR-US: Dapr
@@ -1944,10 +1946,14 @@ CVE-2026-8097 (A security flaw has been discovered in CodeAstro Online Classroom
 	NOT-FOR-US: CodeAstro
 CVE-2026-8088 (A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The af ...)
 	- gdal <unfixed> (bug #1135997)
+	[trixie] - gdal <no-dsa> (Minor issue)
+	[bookworm] - gdal <no-dsa> (Minor issue)
 	NOTE: https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c (v3.13.0RC1)
 	NOTE: https://github.com/OSGeo/gdal/issues/14379
 CVE-2026-8087 (A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. I ...)
 	- gdal <unfixed> (bug #1135997)
+	[trixie] - gdal <no-dsa> (Minor issue)
+	[bookworm] - gdal <no-dsa> (Minor issue)
 	NOTE: https://github.com/OSGeo/gdal/issues/14363
 	NOTE: https://github.com/OSGeo/gdal/commit/184f77dbcc74118c062c05e464c88161d3c37b9b (v3.13.0RC1)
 CVE-2026-8069 (PredatorSense version 3.00.3136 to 3.00.3196 contain Local Privilege E ...)
@@ -1994,6 +2000,7 @@ CVE-2026-42501 (A malicious module proxy can exploit a flaw in the go command's
 	- golang-1.25 1.25.10-1
 	- golang-1.26 1.26.3-1
 	- golang-1.24 <removed>
+	[trixie] - golang-1.24 <no-dsa> (Minor issue)
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
 	NOTE: https://go-review.googlesource.com/c/go/+/775321
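Review bot: the new [trixie] line annotates golang-1.24 only, while golang-1.19 and golang-1.15 in the same entry stay at a bare <removed> with no per-suite line; if either of those still ships in a supported suite (bookworm or bullseye), the triage is incomplete without a matching [bookworm]/[bullseye] annotation, so please confirm or add one.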
@@ -2003,6 +2010,7 @@ CVE-2026-42499 (Pathological inputs could cause DoS through consumePhrase when p
 	- golang-1.25 1.25.10-1
 	- golang-1.26 1.26.3-1
 	- golang-1.24 <removed>
+	[trixie] - golang-1.24 <no-dsa> (Minor issue)
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
 	NOTE: https://go-review.googlesource.com/c/go/+/771520
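Review bot: same shape as the preceding entry: golang-1.19 and golang-1.15 carry only <removed> next to the new [trixie] golang-1.24 no-dsa line; check whether golang-1.19 in bookworm needs its own annotation so both consumePhrase entries are triaged consistently.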
@@ -2162,6 +2170,8 @@ CVE-2026-33823 (Improper authorization in Microsoft Teams allows an authorized a
 	NOT-FOR-US: Microsoft
 CVE-2026-33814 (When processing HTTP/2 SETTINGS frames, transport will enter an infini ...)
 	- golang-golang-x-net <unfixed> (bug #1136030)
+	[trixie] - golang-golang-x-net <no-dsa> (Minor issue)
+	[bookworm] - golang-golang-x-net <no-dsa> (Minor issue)
 	NOTE: https://go-review.googlesource.com/c/go/+/761581
 	NOTE: https://go-review.googlesource.com/c/net/+/761640
 	NOTE: https://github.com/golang/go/issues/78476
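Review bot: the description says the HTTP/2 transport enters an infinite loop on crafted SETTINGS frames, which is a denial of service, but the two new no-dsa lines only say "(Minor issue)"; the CVE-2026-34043 entry further down uses "(minor issue; DoS)", and recording the impact class here the same way would make the rationale self-explanatory. Also, none of the three NOTE references carries a fixed-version tag (other entries in this patch use the "(vX.Y.Z)" suffix), so the <unfixed> state cannot be resolved from the NOTEs alone; adding the x/net release that contains the fix would help whoever picks this up.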
@@ -2267,11 +2277,15 @@ CVE-2026-8090 (Use-after-free in the DOM: Networking component. This vulnerabili
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-44/#CVE-2026-8090
 CVE-2026-8086 (A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This i ...)
 	- gdal <unfixed> (bug #1135997)
+	[trixie] - gdal <no-dsa> (Minor issue)
+	[bookworm] - gdal <no-dsa> (Minor issue)
 	NOTE: https://github.com/OSGeo/gdal/issues/14356
 	NOTE: https://github.com/OSGeo/gdal/pull/14361
 	NOTE: https://github.com/OSGeo/gdal/commit/9491e794f1757f08063ea2f7a274ad2994afa636 (v3.12.4RC1)
 CVE-2026-8084 (A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This v ...)
 	- gdal <unfixed> (bug #1135997)
+	[trixie] - gdal <no-dsa> (Minor issue)
+	[bookworm] - gdal <no-dsa> (Minor issue)
 	NOTE: https://github.com/OSGeo/gdal/issues/14378
 	NOTE: https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c (v3.13.0RC1)
 CVE-2026-8083 (A vulnerability was found in SourceCodester Pharmacy Sales and Invento ...)
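Review bot: the fix commit a791f70f8eaec540974ec989ca6fb00266b7646c (v3.13.0RC1) is cited both here for CVE-2026-8084 (issue #14378) and in the earlier hunk for CVE-2026-8088 (issue #14379); that is plausible for a single upstream change covering two reports, but please confirm it was not copied from one entry to the other, since the four gdal CVEs in this patch all share bug #1135997 and the per-CVE fix references are the only thing that distinguishes them.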
@@ -4682,6 +4696,8 @@ CVE-2026-6918 (In Eclipse Open9J versions 0.21 to 0.58, a pre-authentication rem
 	NOT-FOR-US: Eclipse
 CVE-2026-6322 (fast-uri normalize() decoded percent-encoded authority delimiters insi ...)
 	- node-ajv 8.20.0~ds+~cs6.1.3-1 (bug #1135998)
+	[trixie] - node-ajv <no-dsa> (Minor issue)
+	[bookworm] - node-ajv <no-dsa> (Minor issue)
 	NOTE: https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc
 	NOTE: https://github.com/fastify/fast-uri/commit/6c86c17c3d76fb93aa3700ec6c0fa00faeb97293 (v3.1.2)
 	NOTE: Embedded fast-uri used and provided as node-fast-uri
@@ -5027,6 +5043,8 @@ CVE-2026-6418 (An issue was discovered in the Shared Account Synchronization com
 	NOT-FOR-US: PaperCut
 CVE-2026-6321 (fast-uri decoded percent-encoded path separators and dot segments befo ...)
 	- node-ajv 8.20.0~ds+~cs6.1.3-1 (bug #1135998)
+	[trixie] - node-ajv <no-dsa> (Minor issue)
+	[bookworm] - node-ajv <no-dsa> (Minor issue)
 	NOTE: https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6
 	NOTE: Fixed by: https://github.com/fastify/fast-uri/commit/876ce79b662c3e5015e4e7dffe6f37752ad34f35 (v3.1.1)
 	NOTE: Embedded fast-uri used and provided as node-fast-uri
@@ -5199,6 +5217,8 @@ CVE-2026-42075 (Evolver is a GEP-powered self-evolving engine for AI agents. Pri
 	NOT-FOR-US: Evolver
 CVE-2026-42052 (Beets is the media library management system. Prior to version 2.10.0, ...)
 	- beets <unfixed> (bug #1135779)
+	[trixie] - beets <no-dsa> (Minor issue)
+	[bookworm] - beets <no-dsa> (Minor issue)
 	NOTE: https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847
 CVE-2026-42027 (Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP Ext ...)
 	- apache-opennlp 2.5.9-1 (bug #1135782)
@@ -8542,6 +8562,8 @@ CVE-2026-7183 (A vulnerability has been found in aligungr UERANSIM up to 3.2.7.
 	NOT-FOR-US: aligungr UERANSIM
 CVE-2026-7179 (A security vulnerability has been detected in OSPG binwalk up to 2.4.3 ...)
 	- binwalk <unfixed> (bug #1136010)
+	[trixie] - binwalk <no-dsa> (Minor issue)
+	[bookworm] - binwalk <no-dsa> (Minor issue)
 	NOTE: https://github.com/dhabaleshwar/Open-Source-Vulnerabilities/blob/main/binwalk_path_traversal.md
 CVE-2026-7178 (A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1 ...)
 	NOT-FOR-US: ChatGPTNextWeb NextChat
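Review bot: the only NOTE for the binwalk entry points at a third-party write-up repository rather than an upstream issue or fix commit, so the <unfixed> state has no upstream anchor; when an upstream reference becomes available it should be added, otherwise a maintainer looking at this later has nothing to check the fix against.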
@@ -8774,6 +8796,8 @@ CVE-2026-6970 (authd prior to version 0.6.4 contains a logic error in primary gr
 	NOT-FOR-US: Canonical authd
 CVE-2026-6357 (pip prior to version 26.1 would run self-update check functionality af ...)
 	- python-pip <unfixed> (bug #1135110)
+	[trixie] - python-pip <no-dsa> (Minor issue)
+	[bookworm] - python-pip <no-dsa> (Minor issue)
 	NOTE: https://github.com/pypa/pip/pull/13923
 CVE-2026-6337
 	REJECTED
@@ -14437,6 +14461,7 @@ CVE-2026-40962 (FFmpeg before 8.1 has an integer overflow and resultant out-of-b
 	[bullseye] - ffmpeg <postponed> (minor issue)
 	NOTE: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22348
 	NOTE: Fixed by: https://code.ffmpeg.org/FFmpeg/FFmpeg/commit/e392fb8c9c3949d975531d2b23c645d2465a7ebc (n8.1)
+	NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/78c944bdb170d8dcece166115d92b45379b040f4 (n7.1.4)
 	NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/b07fdedf940ded686ffe4e9fb221170a11ff0478 (n5.1.9)
 CVE-2026-40947 (Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey- ...)
 	- libfido2 <not-affected> (Only affects libfido2 on Windows)
@@ -24060,6 +24085,8 @@ CVE-2026-34054 (vcpkg is a free and open-source C/C++ package manager. Prior to
 	NOT-FOR-US: vcpkg
 CVE-2026-34043 (Serialize JavaScript to a superset of JSON that includes regular expre ...)
 	- node-serialize-javascript 7.0.5+~5.0.4-1 (bug #1132605)
+	[trixie] - node-serialize-javascript <no-dsa> (Minor issue)
+	[bookworm] - node-serialize-javascript <no-dsa> (Minor issue)
 	[bullseye] - node-serialize-javascript <postponed> (minor issue; DoS)
 	NOTE: https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v
 	NOTE: https://github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b (v7.0.5)
@@ -216317,6 +216344,8 @@ CVE-2024-45613 (CKEditor 5 is a JavaScript rich-text editor. Starting in version
 	- ckeditor3 <not-affected> (Specific to ckeditor 5)
 CVE-2024-44825 (Directory Traversal vulnerability in Centro de Tecnologia da Informaco ...)
 	- invesalius <unfixed> (bug #1136204)
+	[trixie] - invesalius <no-dsa> (Minor issue)
+	[bookworm] - invesalius <no-dsa> (Minor issue)
 	NOTE: https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-44825
 	NOTE: https://www.partywave.site/show/research/cve-2024-44825-invesalius-arbitrary-file-write-and-directory-traversal
 	NOTE: https://github.com/invesalius/invesalius3/commit/8b966260b3d9510e3ddc473aac4cc6578bab3aab
@@ -278097,8 +278126,14 @@ CVE-2024-27354 (An issue was discovered in phpseclib 1.x before 1.0.23, 2.x befo
 	NOTE: https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
 CVE-2026-XXXX [Bypass of CVE-2024-27355 mitigations]
 	- phpseclib 1.0.29-1
+	[trixie] - phpseclib <no-dsa> (Minor issue, will be fixed via point update)
+	[bookworm] - phpseclib <no-dsa> (Minor issue, will be fixed via point update)
 	- php-phpseclib 2.0.54-1
+	[trixie] - php-phpseclib <no-dsa> (Minor issue, will be fixed via point update)
+	[bookworm] - php-phpseclib <no-dsa> (Minor issue, will be fixed via point update)
 	- php-phpseclib3 3.0.52-1
+	[trixie] - php-phpseclib3 <no-dsa> (Minor issue, will be fixed via point update)
+	[bookworm] - php-phpseclib3 <no-dsa> (Minor issue, will be fixed via point update)
 	NOTE: https://github.com/phpseclib/phpseclib/security/advisories/GHSA-3qpq-r242-jqj7
 	NOTE: Fixed by: https://github.com/phpseclib/phpseclib/commit/d53d2021bcb9f6a04d5d44ec99e6bbef219a71bc (3.0.52, 2.0.54, 1.0.29)
 CVE-2024-27355 (An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0 ...)
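Review bot: this entry uses the placeholder id CVE-2026-XXXX, so the three pairs of [trixie]/[bookworm] lines added here will need to move along with the entry once the real id is assigned; the "(Minor issue, will be fixed via point update)" rationale differs from the plain "(Minor issue)" used elsewhere in the patch, which is fine, but it means these three source packages (phpseclib, php-phpseclib, php-phpseclib3, all fixed by the same upstream commit) should also be tracked for the point release so the promise in the annotation is not lost.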


=====================================
data/dsa-needed.txt
=====================================
@@ -22,6 +22,9 @@ ceph (carnil)
 --
 cups
 --
+ffmpeg (jmm)
+  for 5.1.9 and 7.1.4
+--
 firebird3.0
 --
 firebird4.0/stable
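Review bot: the new ffmpeg dsa-needed entry gives the target upstream versions (5.1.9 and 7.1.4) but not the CVE it is for; naming CVE-2026-40962, whose NOTE lines in this same patch reference the n5.1.9 and n7.1.4 fix commits, would let readers of dsa-needed.txt find the tracking entry without searching data/CVE/list.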



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3a896b1c052b6a4933b8829788f0f22c251b86a
