[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue May 12 14:29:27 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5548084e by Moritz Muehlenhoff at 2026-05-12T15:29:01+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -9970,9 +9970,13 @@ CVE-2026-6987 (A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is
 CVE-2026-6986 (A security vulnerability has been detected in Cesanta Mongoose up to 7 ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2025.12+dfsg-10
+	[trixie] - swupdate <no-dsa> (Minor issue)
+	[bookworm] - swupdate <no-dsa> (Minor issue)
 CVE-2026-6985 (A weakness has been identified in Cesanta Mongoose up to 7.20. This vu ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2025.12+dfsg-10
+	[trixie] - swupdate <no-dsa> (Minor issue)
+	[bookworm] - swupdate <no-dsa> (Minor issue)
 CVE-2026-6984 (A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22. ...)
 	NOT-FOR-US: AstrBotDevs AstrBot
 CVE-2026-6983 (A vulnerability was identified in pagekit up to 1.0.18. Affected by th ...)
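Review bot: On the swupdate additions under CVE-2026-6986 and CVE-2026-6985, the <no-dsa> tags treat the trixie and bookworm packages as affected, but neither entry carries a NOTE recording which Mongoose version the swupdate packages in those releases contain. The only reference point is the unstable fix in 2025.12+dfsg-10. A NOTE with the upstream Mongoose commit or a Debian bug number would let a later reader confirm that <no-dsa>, rather than <not-affected> (Vulnerable code not present), is the right state for the older releases.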
@@ -22956,12 +22960,18 @@ CVE-2026-5326 (A vulnerability was identified in SourceCodester Leave Applicatio
 CVE-2026-5246 (A vulnerability was determined in Cesanta Mongoose up to 7.20. Affecte ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2025.12+dfsg-10
+	[trixie] - swupdate <no-dsa> (Minor issue)
+	[bookworm] - swupdate <no-dsa> (Minor issue)
 CVE-2026-5245 (A vulnerability was found in Cesanta Mongoose up to 7.20. This impacts ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2025.12+dfsg-10
+	[trixie] - swupdate <no-dsa> (Minor issue)
+	[bookworm] - swupdate <no-dsa> (Minor issue)
 CVE-2026-5244 (A vulnerability has been found in Cesanta Mongoose up to 7.20. This af ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2025.12+dfsg-10
+	[trixie] - swupdate <no-dsa> (Minor issue)
+	[bookworm] - swupdate <no-dsa> (Minor issue)
 CVE-2026-5032 (The W3 Total Cache plugin for WordPress is vulnerable to information e ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-4636 (A flaw was found in Keycloak. An authenticated user with the uma_prote ...)
@@ -30439,6 +30449,8 @@ CVE-2026-33251 (Discourse is an open-source discussion platform. Prior to versio
 CVE-2026-33243 (barebox is a bootloader. In barebox from version 2016.03.0 to before v ...)
 	- barebox <itp> (bug #900958)
 	- u-boot <unfixed>
+	[trixie] - u-boot <no-dsa> (Minor issue)
+	[bookworm] - u-boot <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/u-boot/u-boot/commit/2092322b31cc8b1f8c9e2e238d1043ae0637b241 (v2026.04-rc4)
 CVE-2026-33238 (WWBN AVideo is an open source video platform. Prior to version 26.0, t ...)
 	NOT-FOR-US: WWBN AVideo
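Review bot: In the CVE-2026-33243 entry, the "- u-boot <unfixed>" line has no bug reference, while the barebox line above it does (bug #900958). With trixie and bookworm now both marked <no-dsa>, nothing in the entry tracks getting the v2026.04-rc4 commit into the package. Suggest filing a bug against u-boot and recording its number on the <unfixed> line.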
@@ -30494,6 +30506,8 @@ CVE-2026-33194 (SiYuan is a personal knowledge management system. Prior to versi
 	NOT-FOR-US: SiYuan
 CVE-2026-33186 (gRPC-Go is the Go language implementation of gRPC. Versions prior to 1 ...)
 	- golang-google-grpc 1.79.3-1 (bug #1132228)
+	[trixie] - golang-google-grpc <no-dsa> (Minor issue)
+	[bookworm] - golang-google-grpc <no-dsa> (Minor issue)
 	[bullseye] - golang-google-grpc <postponed> (Limited support, follow bookworm security updates)
 	NOTE: https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3
 	NOTE: Fixed by: https://github.com/grpc/grpc-go/commit/72186f163e75a065c39e6f7df9b6dea07fbdeff5 (v1.79.3)
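Review bot: In the CVE-2026-33186 entry, the new "[bookworm] - golang-google-grpc <no-dsa> (Minor issue)" line sits directly above a bullseye line whose reason is "Limited support, follow bookworm security updates". Once bookworm is <no-dsa>, no DSA is planned for bullseye to follow, so the two lines no longer agree. Suggest rewording the bullseye reason in the same change, or noting how the bookworm fix is expected to land.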
@@ -42787,12 +42801,18 @@ CVE-2026-2969 (A flaw has been found in datapizza-labs datapizza-ai 0.0.2. Affec
 CVE-2026-2968 (A vulnerability was detected in Cesanta Mongoose up to 7.20. This impa ...)
 	- mongoose <not-affected> (Fixed before or with initial upload, also see bug #1135115)
 	- swupdate 2025.12+dfsg-10
+	[trixie] - swupdate <no-dsa> (Minor issue)
+	[bookworm] - swupdate <no-dsa> (Minor issue)
 CVE-2026-2967 (A security vulnerability has been detected in Cesanta Mongoose up to 7 ...)
 	- mongoose <not-affected> (Fixed before or with initial upload, also see bug #1135115)
 	- swupdate 2025.12+dfsg-10
+	[trixie] - swupdate <no-dsa> (Minor issue)
+	[bookworm] - swupdate <no-dsa> (Minor issue)
 CVE-2026-2966 (A weakness has been identified in Cesanta Mongoose up to 7.20. The imp ...)
 	- mongoose <not-affected> (Fixed before or with initial upload, also see bug #1135115)
 	- swupdate 2025.12+dfsg-10
+	[trixie] - swupdate <no-dsa> (Minor issue)
+	[bookworm] - swupdate <no-dsa> (Minor issue)
 CVE-2026-2965 (A security flaw has been discovered in 07FLYCMS, 07FLY-CMS and 07FlyCR ...)
 	NOT-FOR-US: 07FLYCMS, 07FLY-CMS and 07FlyCRM
 CVE-2026-2964 (A vulnerability was identified in higuma web-audio-recorder-js 0.1/0.1 ...)
@@ -50221,6 +50241,8 @@ CVE-2026-25575 (NavigaTUM is a website and API to search for rooms, buildings an
 	NOT-FOR-US: NavigaTUM
 CVE-2026-25547 (@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-e ...)
 	- node-brace-expansion 2.0.3+~1.1.2-2 (bug #1127313)
+	[trixie] - node-brace-expansion <no-dsa> (Minor issue)
+	[bookworm] - node-brace-expansion <no-dsa> (Minor issue)
 	[bullseye] - node-brace-expansion <postponed> (minor issue; DoS)
 	NOTE: https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2
 	NOTE: Fixed by: https://github.com/isaacs/brace-expansion/commit/59d12f1e23accdec8c395ca824cf942c1fdea860 (v5.0.1)
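Review bot: Style point on the CVE-2026-25547 entry: the existing bullseye line records the impact class in its reason ("minor issue; DoS"), while the two new trixie and bookworm lines say only "Minor issue". Carrying the same wording over, for example "(Minor issue; DoS)", keeps the three release lines consistent and tells a reader why the issue was judged minor without opening the advisory.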
@@ -80871,6 +80893,8 @@ CVE-2025-65503 (Use after free in endpoint destructors in Redboltz async_mqtt 10
 CVE-2025-65502 (Null pointer dereference in add_ca_certs() in Cesanta Mongoose before  ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2025.12+dfsg-1
+	[trixie] - swupdate <no-dsa> (Minor issue)
+	[bookworm] - swupdate <no-dsa> (Minor issue)
 	NOTE: https://github.com/cesanta/mongoose/issues/3306
 	NOTE: https://github.com/cesanta/mongoose/commit/64abf061bf018fd78f31c200a57a3fb04f9f3ef2 (7.20)
 CVE-2025-65501 (Null pointer dereference in coap_dtls_info_callback() in OISM libcoap  ...)
@@ -99735,6 +99759,8 @@ CVE-2025-55795 (The openml/openml.org web application version v2.0.20241110 uses
 CVE-2025-51495 (An integer overflow vulnerability exists in the WebSocket component of ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2025.12+dfsg-1
+	[trixie] - swupdate <no-dsa> (Minor issue)
+	[bookworm] - swupdate <no-dsa> (Minor issue)
 	NOTE: https://github.com/cesanta/mongoose/pull/3131
 	NOTE: https://github.com/cesanta/mongoose/commit/cdc439bc38570048541b2ac6b9c326da87bf4a0a (7.18)
 CVE-2025-43400 (An out-of-bounds write issue was addressed with improved bounds checki ...)
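Review bot: For CVE-2025-51495 the description is an integer overflow in the WebSocket component, yet the new trixie and bookworm lines give only "Minor issue" as the reason. A short justification in the parentheses, or a NOTE stating how swupdate uses the affected WebSocket code, would document why an integer overflow does not warrant a DSA here.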


=====================================
data/dsa-needed.txt
=====================================
@@ -66,6 +66,8 @@ nghttp2
 --
 nodejs/oldstable (jmm)
 --
+openjpeg2 (jmm)
+--
 opennds/oldstable
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
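Review bot: The new "openjpeg2 (jmm)" entry in data/dsa-needed.txt has no suite suffix and no note line, and none of the data/CVE/list hunks in this commit touch openjpeg2. Suggest adding an indented note naming the pending CVE ids or bug, in the way the opennds entry records its status, so the reason for the update is visible from this file. If only one release needs the update, use the /oldstable form seen on the neighbouring entries.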



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5548084e9c7b9d4500700b75f8fd36c8a816a575
