[Git][security-tracker-team/security-tracker][master] 2 commits: Merge changes for updates with CVEs via trixie 13.5
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat May 16 09:51:16 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8f97691a by Salvatore Bonaccorso at 2026-05-15T17:52:57+02:00
Merge changes for updates with CVEs via trixie 13.5
- - - - -
0ee8bf87 by Salvatore Bonaccorso at 2026-05-16T10:51:10+02:00
Merge branch 'trixie-13.5' into 'master'
Merge changes accepted for trixie 13.5 release
See merge request security-tracker-team/security-tracker!293
- - - - -
2 changed files:
- data/CVE/list
- data/next-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -4582,22 +4582,22 @@ CVE-2026-7652 (The LatePoint plugin for WordPress is vulnerable to Account Takeo
NOT-FOR-US: WordPress plugin
CVE-2026-6667 (PgBouncer before 1.25.2 did not perform an appropriate authorization c ...)
- pgbouncer 1.25.2-1 (bug #1136075)
- [trixie] - pgbouncer <no-dsa> (Minor issue)
+ [trixie] - pgbouncer 1.24.1-1+deb13u2
[bookworm] - pgbouncer <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/pgbouncer/pgbouncer/commit/97b5634be55d167a602b0bc0f09a8675997248a6 (pgbouncer_1_25_2)
CVE-2026-6666 (A possible null pointer reference in PgBouncer before 1.25.2 could lea ...)
- pgbouncer 1.25.2-1 (bug #1136075)
- [trixie] - pgbouncer <no-dsa> (Minor issue)
+ [trixie] - pgbouncer 1.24.1-1+deb13u2
[bookworm] - pgbouncer <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/pgbouncer/pgbouncer/commit/0564f937c0fd81378d67ddcb57b0c00abc0b0f8f (pgbouncer_1_25_2)
CVE-2026-6665 (The SCRAM code in PgBouncer before 1.25.2 did not check the return val ...)
- pgbouncer 1.25.2-1 (bug #1136075)
- [trixie] - pgbouncer <no-dsa> (Minor issue)
+ [trixie] - pgbouncer 1.24.1-1+deb13u2
[bookworm] - pgbouncer <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/pgbouncer/pgbouncer/commit/ab8dbb3b1a73b4a195062546e5e4f964b79f5b45 (pgbouncer_1_25_2)
CVE-2026-6664 (An integer overflow in network packet parsing code in PgBouncer before ...)
- pgbouncer 1.25.2-1 (bug #1136075)
- [trixie] - pgbouncer <no-dsa> (Minor issue)
+ [trixie] - pgbouncer 1.24.1-1+deb13u2
[bookworm] - pgbouncer <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/pgbouncer/pgbouncer/commit/ddc63c2175825bca9ef3c0a528280acaad76dbaa (pgbouncer_1_25_2)
CVE-2026-45130 (Vim is an open source, command line text editor. Prior to version 9.2. ...)
@@ -9430,14 +9430,14 @@ CVE-2026-42151 (Prometheus is an open-source monitoring system and time series d
NOTE: https://github.com/prometheus/prometheus/pull/18590
CVE-2026-42146 (CImg Library is a C++ library for image processing. Prior to commit c3 ...)
- cimg 3.5.2+dfsg-2 (bug #1135778)
- [trixie] - cimg <no-dsa> (Minor issue)
+ [trixie] - cimg 3.5.2+dfsg-1+deb13u1
[bookworm] - cimg <no-dsa> (Minor issue)
NOTE: https://github.com/GreycLab/CImg/security/advisories/GHSA-g54r-qmgx-c6fv
NOTE: https://github.com/GreycLab/CImg/issues/477
NOTE: Fixed by: https://github.com/GreycLab/CImg/commit/c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3 (v3.7.5)
CVE-2026-42144 (CImg Library is a C++ library for image processing. Prior to commit 4c ...)
- cimg 3.5.2+dfsg-2 (bug #1135778)
- [trixie] - cimg <no-dsa> (Minor issue)
+ [trixie] - cimg 3.5.2+dfsg-1+deb13u1
[bookworm] - cimg <no-dsa> (Minor issue)
NOTE: https://github.com/GreycLab/CImg/security/advisories/GHSA-4663-63fm-44gc
NOTE: https://github.com/GreycLab/CImg/issues/478
@@ -10013,7 +10013,7 @@ CVE-2026-0703 (The NextMove Lite \u2013 Thank You Page for WooCommerce plugin fo
NOT-FOR-US: WordPress plugin
CVE-2026-40561 (Starlet versions through 0.31 for Perl allows HTTP Request Smuggling v ...)
- starlet 0.31-3 (bug #1135584)
- [trixie] - starlet <no-dsa> (Minor issue)
+ [trixie] - starlet 0.31-2+deb13u1
[bookworm] - starlet <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/39593408/
NOTE: Fixed by: https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0
@@ -11475,7 +11475,7 @@ CVE-2022-50992 (Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an
NOT-FOR-US: Weaver (Fanwei) E-cology
CVE-2026-39402 (lxc is a Linux container runtime. In the setuid helper lxc-user-nic, t ...)
- lxc 1:7.0.0-1
- [trixie] - lxc <no-dsa> (Minor issue)
+ [trixie] - lxc 1:6.0.4-4+deb13u3
[bookworm] - lxc <no-dsa> (Minor issue)
[bullseye] - lxc <postponed> (Minor issue; can be fixed in next update)
NOTE: https://github.com/lxc/lxc/security/advisories/GHSA-3m9j-g9gc-vcvq
@@ -12113,7 +12113,7 @@ CVE-2026-XXXX [RUSTSEC-2026-0113]
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0113.html
CVE-2026-7111 (Text::CSV_XS versions before 1.62 for Perl have a use-after-free when ...)
- libtext-csv-xs-perl 1.62-1 (bug #1135232)
- [trixie] - libtext-csv-xs-perl <no-dsa> (Minor issue)
+ [trixie] - libtext-csv-xs-perl 1.60-1+deb13u1
[bookworm] - libtext-csv-xs-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/39453344/
NOTE: https://github.com/cpan-authors/Text-CSV_XS/issues/65
@@ -12704,7 +12704,7 @@ CVE-2024-54011 (Penetration Testing engineers at Amazon have discovered a flaw w
NOT-FOR-US: Hanwha Vision
CVE-2026-6691 (The MongoDB C Driver's Cyrus SASL integration performs unsafe string c ...)
- mongo-c-driver 2.2.0-1
- [trixie] - mongo-c-driver <no-dsa> (Minor issue)
+ [trixie] - mongo-c-driver 1.30.4-1+deb13u2
[bookworm] - mongo-c-driver <no-dsa> (Minor issue)
[bullseye] - mongo-c-driver <postponed> (Minor issue; can be fixed in next update)
NOTE: https://jira.mongodb.org/browse/CDRIVER-6134
@@ -12949,7 +12949,7 @@ CVE-2024-46636 (NASA Earth Observing System Data and Information System (EOSDIS)
NOT-FOR-US: NASA Earth Observing System Data and Information System (EOSDIS) MODAPS
CVE-2026-42167 (mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute ar ...)
- proftpd-dfsg 1.3.9~dfsg-5 (bug #1135119)
- [trixie] - proftpd-dfsg <no-dsa> (Minor issue, will be fixed via spu)
+ [trixie] - proftpd-dfsg 1.3.8.c+dfsg-4+deb13u2
[bookworm] - proftpd-dfsg <no-dsa> (Minor issue, will be fixed via ospu)
NOTE: https://github.com/proftpd/proftpd/issues/2052
CVE-2026-7148 (A flaw has been found in CodeAstro Online Classroom 1.0. This affects ...)
@@ -14711,7 +14711,7 @@ CVE-2026-40431 (A vulnerability exists inSenseLiveX3050\u2019s web management in
NOT-FOR-US: SenseLive
CVE-2026-40254 (FreeRDP is a free implementation of the Remote Desktop Protocol. Versi ...)
- freerdp3 3.25.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u3
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmx
@@ -14779,7 +14779,7 @@ CVE-2026-29050 (melange allows users to build apk packages using declarative pip
NOT-FOR-US: melange
CVE-2026-28525 (SWUpdate contains an integer underflow vulnerability in the multipart ...)
- swupdate 2025.12+dfsg-9
- [trixie] - swupdate <no-dsa> (Minor issue)
+ [trixie] - swupdate 2024.12.1+dfsg-3+deb13u2
[bookworm] - swupdate <no-dsa> (Minor issue)
[bullseye] - swupdate <postponed> (Minor issue; can be fixed in next update)
NOTE: Fixed by: https://github.com/sbabic/swupdate/commit/beee2dc0feef1cfe84f1aa6fc980e104b2e47a74
@@ -14976,13 +14976,13 @@ CVE-2026-22020 [updated libpng in Oracle Java]
- openjdk-25 <not-affected> (Specific to Oracle binary distribution, Debian uses system libpng)
CVE-2026-41163 (bubblewrap is a low-level unprivileged sandboxing tool. From version 0 ...)
- bubblewrap 0.11.2-1 (bug #1134704)
- [trixie] - bubblewrap <no-dsa> (Minor issue)
+ [trixie] - bubblewrap 0.11.0-2+deb13u1
[bookworm] - bubblewrap <not-affected> (Vulnerable code not present)
[bullseye] - bubblewrap <not-affected> (Vulnerable code not present)
NOTE: Bookworm/Bullseye don't have the --overlay feature, so there's no security impact
CVE-2026-41564 (CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG ...)
- libcryptx-perl 0.087-2
- [trixie] - libcryptx-perl <no-dsa> (Minor issue)
+ [trixie] - libcryptx-perl 0.085-1+deb13u1
[bookworm] - libcryptx-perl <no-dsa> (Minor issue)
[bullseye] - libcryptx-perl <postponed> (Minor issue; can be fixed in next update)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/39209500/
@@ -14995,7 +14995,7 @@ CVE-2026-6874 (A vulnerability was determined in ericc-ch copilot-api up to 0.7.
CVE-2026-6019 (http.cookies.Morsel.js_output() returns an inline <script> snippet and ...)
- python3.14 3.14.5~rc1-1
- python3.13 <unfixed>
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u2
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -15272,7 +15272,7 @@ CVE-2026-6844 (A flaw was found in the `readelf` utility of the binutils package
NOTE: binutils not covered by security support
CVE-2026-6843 (A flaw was found in nano. A local user could exploit a format string v ...)
- nano 9.0-1
- [trixie] - nano <no-dsa> (Minor issue)
+ [trixie] - nano 8.4-1+deb13u1
[bookworm] - nano <no-dsa> (Minor issue)
[bullseye] - nano <postponed> (Minor issue; can be fixed in next update)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2460017
@@ -15280,7 +15280,7 @@ CVE-2026-6843 (A flaw was found in nano. A local user could exploit a format str
NOTE: Fixed by: https://cgit.git.savannah.gnu.org/cgit/nano.git/commit/?id=0b7328bce452bf1b0bbff81276425d4809a9b6fd (v9.0)
CVE-2026-6842 (A flaw was found in nano. In environments with permissive umask settin ...)
- nano 9.0-1
- [trixie] - nano <no-dsa> (Minor issue)
+ [trixie] - nano 8.4-1+deb13u1
[bookworm] - nano <no-dsa> (Minor issue)
[bullseye] - nano <postponed> (Minor issue; can be fixed in next update)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2460018
@@ -17722,7 +17722,7 @@ CVE-2026-5963 (EasyFlow .NET developed by Digiwin has a SQL Injection vulnerabil
NOT-FOR-US: Digiwin
CVE-2026-5958 (When sed is invoked with both -i (in-place edit) and --follow-symlinks ...)
- sed 4.9-3 (bug #1134495)
- [trixie] - sed <no-dsa> (Minor issue)
+ [trixie] - sed 4.9-2+deb13u1
[bookworm] - sed <no-dsa> (Minor issue)
[bullseye] - sed <postponed> (Minor issue; can be fixed in next update)
NOTE: https://gitweb.git.savannah.gnu.org/gitweb/?p=sed.git;a=commit;h=6b9b43c55ccd3beadbc0094b983c82bdb389f33b
@@ -17733,7 +17733,7 @@ CVE-2026-4048 (OS Command Injection Remote Code Execution Vulnerability in UI in
NOT-FOR-US: Progress Software
CVE-2026-41445 (KissFFT before commit8a8e66e contains an integer overflow vulnerabilit ...)
- kissfft 131.1.0-4.1 (bug #1134493)
- [trixie] - kissfft <no-dsa> (Minor issue)
+ [trixie] - kissfft 131.1.0-4.1~deb13u1
[bookworm] - kissfft <no-dsa> (Minor issue)
[bullseye] - kissfft <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/mborgerding/kissfft/commit/8a8e66e33d692bad1376fe7904d87d767730537f
@@ -18302,7 +18302,7 @@ CVE-2026-2262 (The Easy Appointments plugin for WordPress is vulnerable to Sensi
NOT-FOR-US: WordPress plugin
CVE-2026-29013 (libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix ...)
- libcoap3 4.3.5-3 (bug #1134340)
- [trixie] - libcoap3 <no-dsa> (Minor issue)
+ [trixie] - libcoap3 4.3.4-1.1+deb13u3
[bookworm] - libcoap3 <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/obgm/libcoap/commit/b7847c4dbb0dbee7c90b09a673d4cae256f03718 (v4.3.5b)
CVE-2026-23500 (Dolibarr is an enterprise resource planning (ERP) and customer relatio ...)
@@ -19140,6 +19140,7 @@ CVE-2023-3634 (In products of the MSE6 product-family by Festo a remote authenti
NOT-FOR-US: Festo
CVE-2026-41035 (In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted len ...)
- rsync 3.4.2+ds1-1 (bug #1134617; unimportant)
+ [trixie] - rsync 3.4.1+ds1-5+deb13u2
NOTE: https://www.openwall.com/lists/oss-security/2026/04/16/2
NOTE: https://github.com/RsyncProject/rsync/issues/871
NOTE: https://github.com/RsyncProject/rsync/pull/875
@@ -19344,12 +19345,12 @@ CVE-2026-6296 (Heap buffer overflow in ANGLE in Google Chrome prior to 147.0.772
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-40176 (Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 ...)
- composer 2.9.7-1
- [trixie] - composer <no-dsa> (Minor issue; can be fixed via point release)
+ [trixie] - composer 2.8.8-1+deb13u2
[bookworm] - composer <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p
CVE-2026-40261 (Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 ...)
- composer 2.9.7-1
- [trixie] - composer <no-dsa> (Minor issue; can be fixed via point release)
+ [trixie] - composer 2.8.8-1+deb13u2
[bookworm] - composer <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q
CVE-2026-40959 (Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox esca ...)
@@ -20166,7 +20167,7 @@ CVE-2024-23104 (An exposure of sensitive information to an unauthorized actor vu
NOT-FOR-US: Fortinet
CVE-2026-34003 (A flaw was found in the X.Org X server's XKB key types request validat ...)
- xorg-server 2:21.1.22-1
- [trixie] - xorg-server <no-dsa> (Minor issue, will be fixed via point release)
+ [trixie] - xorg-server 2:21.1.16-1.3+deb13u2
[bookworm] - xorg-server <no-dsa> (Minor issue, will be fixed via point release)
[bullseye] - xorg-server <postponed> (Minor issue)
- xwayland 2:24.1.10-1
@@ -20177,7 +20178,7 @@ CVE-2026-34003 (A flaw was found in the X.Org X server's XKB key types request v
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/d38c563fab5c4a554e0939da39e4d1dadef7cbae
CVE-2026-34002 (A flaw was found in the X.Org X server. This vulnerability, an out-of- ...)
- xorg-server 2:21.1.22-1
- [trixie] - xorg-server <no-dsa> (Minor issue, will be fixed via point release)
+ [trixie] - xorg-server 2:21.1.16-1.3+deb13u2
[bookworm] - xorg-server <no-dsa> (Minor issue, will be fixed via point release)
[bullseye] - xorg-server <postponed> (Minor issue)
- xwayland 2:24.1.10-1
@@ -20187,7 +20188,7 @@ CVE-2026-34002 (A flaw was found in the X.Org X server. This vulnerability, an o
NOTE: fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f056ce1cc96ed9261052c31524162c78e458f98c
CVE-2026-34001 (A flaw was found in the X.Org X server. This use-after-free vulnerabil ...)
- xorg-server 2:21.1.22-1
- [trixie] - xorg-server <no-dsa> (Minor issue, will be fixed via point release)
+ [trixie] - xorg-server 2:21.1.16-1.3+deb13u2
[bookworm] - xorg-server <no-dsa> (Minor issue, will be fixed via point release)
[bullseye] - xorg-server <postponed> (Minor issue)
- xwayland 2:24.1.10-1
@@ -20197,7 +20198,7 @@ CVE-2026-34001 (A flaw was found in the X.Org X server. This use-after-free vuln
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/f19ab94ba9c891d801231654267556dc7f32b5e0
CVE-2026-34000 (A flaw was found in the X.Org X server. This out-of-bounds read vulner ...)
- xorg-server 2:21.1.22-1
- [trixie] - xorg-server <no-dsa> (Minor issue, will be fixed via point release)
+ [trixie] - xorg-server 2:21.1.16-1.3+deb13u2
[bookworm] - xorg-server <no-dsa> (Minor issue, will be fixed via point release)
[bullseye] - xorg-server <postponed> (Minor issue)
- xwayland 2:24.1.10-1
@@ -20207,7 +20208,7 @@ CVE-2026-34000 (A flaw was found in the X.Org X server. This out-of-bounds read
NOTE: Fixed by: ttps://gitlab.freedesktop.org/xorg/xserver/-/commit/81b6a34f90b28c32ad499a78a4f391b7c06daea2
CVE-2026-33999 (A flaw was found in the X.Org X server. This integer underflow vulnera ...)
- xorg-server 2:21.1.22-1
- [trixie] - xorg-server <no-dsa> (Minor issue, will be fixed via point release)
+ [trixie] - xorg-server 2:21.1.16-1.3+deb13u2
[bookworm] - xorg-server <no-dsa> (Minor issue, will be fixed via point release)
[bullseye] - xorg-server <postponed> (Minor issue)
- xwayland 2:24.1.10-1
@@ -20311,7 +20312,7 @@ CVE-2026-40169 (ImageMagick is free and open-source software used for editing an
NOTE: https://github.com/ImageMagick/ImageMagick/commit/f86452a8aea37bf2b4bd36127f836dcc5f138b38 (7.1.2-19)
CVE-2026-40164 (jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6 ...)
- jq 1.8.1-5 (bug #1133921)
- [trixie] - jq <no-dsa> (Minor issue)
+ [trixie] - jq 1.7.1-6+deb13u2
[bookworm] - jq <no-dsa> (Minor issue)
[bullseye] - jq <postponed> (Minor issue)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29
@@ -20320,14 +20321,14 @@ CVE-2026-3017 (The Smart Post Show \u2013 Post Grid, Post Carousel & Slider, and
NOT-FOR-US: WordPress plugin
CVE-2026-39979 (jq is a command-line JSON processor. In commits before 2f09060afab23fe ...)
- jq 1.8.1-5 (bug #1133921)
- [trixie] - jq <no-dsa> (Minor issue)
+ [trixie] - jq 1.7.1-6+deb13u2
[bookworm] - jq <no-dsa> (Minor issue)
[bullseye] - jq <postponed> (Minor issue)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p
NOTE: Fixed by: https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f
CVE-2026-39956 (jq is a command-line JSON processor. In commits after 69785bf77f86e2ea ...)
- jq 1.8.1-5 (bug #1133921)
- [trixie] - jq <no-dsa> (Minor issue)
+ [trixie] - jq 1.7.1-6+deb13u2
[bookworm] - jq <no-dsa> (Minor issue)
[bullseye] - jq <postponed> (Minor issue)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28
@@ -20376,14 +20377,14 @@ CVE-2026-34069 (nimiq/core-rs-albatross is a Rust implementation of the Nimiq Pr
NOT-FOR-US: nimiq/core-rs-albatross
CVE-2026-33948 (jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18e ...)
- jq 1.8.1-5 (bug #1133921)
- [trixie] - jq <no-dsa> (Minor issue)
+ [trixie] - jq 1.7.1-6+deb13u2
[bookworm] - jq <no-dsa> (Minor issue)
[bullseye] - jq <postponed> (Minor issue)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9
NOTE: Fixed by: https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b
CVE-2026-33947 (jq is a command-line JSON processor. In versions 1.8.1 and below, func ...)
- jq 1.8.1-5 (bug #1133921)
- [trixie] - jq <no-dsa> (Minor issue)
+ [trixie] - jq 1.7.1-6+deb13u2
[bookworm] - jq <no-dsa> (Minor issue)
[bullseye] - jq <postponed> (Minor issue)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg
@@ -20498,7 +20499,7 @@ CVE-2026-5086 (Crypt::SecretBuffer versions before 0.019 for Perl is suseceptibl
NOT-FOR-US: Crypt::SecretBuffer Perl module
CVE-2026-6231 (The bson_validate function may return early on specific inputs and inc ...)
- mongo-c-driver 2.1.0-1
- [trixie] - mongo-c-driver <no-dsa> (Minor issue)
+ [trixie] - mongo-c-driver 1.30.4-1+deb13u2
[bookworm] - mongo-c-driver <no-dsa> (Minor issue)
[bullseye] - mongo-c-driver <postponed> (minor issue)
NOTE: https://jira.mongodb.org/browse/CDRIVER-6017
@@ -20553,7 +20554,7 @@ CVE-2026-6100 (Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`,
{DLA-4532-1}
- python3.14 3.14.5~rc1-1
- python3.13 <unfixed>
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u2
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -20644,7 +20645,7 @@ CVE-2026-33555 (An issue was discovered in HAProxy before 3.3.6. The HTTP/3 pars
NOTE: Fixed by: https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=3d8388d089170f8544c4a43bf0575f296c885f94 (v2.6.25)
CVE-2026-32316 (jq is a command-line JSON processor. An integer overflow vulnerability ...)
- jq 1.8.1-5 (bug #1133921)
- [trixie] - jq <no-dsa> (Minor issue)
+ [trixie] - jq 1.7.1-6+deb13u2
[bookworm] - jq <no-dsa> (Minor issue)
[bullseye] - jq <postponed> (Minor issue)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-q3h9-m34w-h76f
@@ -20968,13 +20969,13 @@ CVE-2026-40393 (In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory
CVE-2026-40386 (In libexif through 0.6.25, an integer underflow in size checking for F ...)
{DLA-4558-1}
- libexif 0.6.26-1 (bug #1133923)
- [trixie] - libexif <no-dsa> (Minor issue)
+ [trixie] - libexif 0.6.25-1+deb13u1
[bookworm] - libexif <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b
CVE-2026-40385 (In libexif through 0.6.25, an unsigned 32bit integer overflow in Nikon ...)
{DLA-4558-1}
- libexif 0.6.26-1 (bug #1133922)
- [trixie] - libexif <no-dsa> (Minor issue)
+ [trixie] - libexif 0.6.25-1+deb13u1
[bookworm] - libexif <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/libexif/libexif/commit/93003b93e50b3d259bd2227d8775b73a53c35d58
CVE-2019-25713 (MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authe ...)
@@ -21148,7 +21149,7 @@ CVE-2026-40242 (Arcane is an interface for managing Docker containers, images, n
NOT-FOR-US: Arcane
CVE-2026-40199 (Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped I ...)
- libnet-cidr-lite-perl 0.22-3
- [trixie] - libnet-cidr-lite-perl <no-dsa> (Minor issue, will be fixed via point release)
+ [trixie] - libnet-cidr-lite-perl 0.22-3~deb13u1
[bookworm] - libnet-cidr-lite-perl <no-dsa> (Minor issue, will be fixed via point release)
[bullseye] - libnet-cidr-lite-perl <postponed> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/38785618/
@@ -21156,7 +21157,7 @@ CVE-2026-40199 (Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 ma
NOTE: Tests: https://github.com/stigtsp/Net-CIDR-Lite/commit/029b9417d2078827f790addfa1dceb1df8297b85 (0.23)
CVE-2026-40198 (Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 g ...)
- libnet-cidr-lite-perl 0.22-3
- [trixie] - libnet-cidr-lite-perl <no-dsa> (Minor issue, will be fixed via point release)
+ [trixie] - libnet-cidr-lite-perl 0.22-3~deb13u1
[bookworm] - libnet-cidr-lite-perl <no-dsa> (Minor issue, will be fixed via point release)
[bullseye] - libnet-cidr-lite-perl <postponed> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/38785616/
@@ -21164,13 +21165,13 @@ CVE-2026-40198 (Net::CIDR::Lite versions before 0.23 for Perl does not validate
NOTE: Tests: https://github.com/stigtsp/Net-CIDR-Lite/commit/380562e04f66026ba3859f76b3c8ae0489cbc750 (0.23)
CVE-2026-40194 (phpseclib is a PHP secure communications library. Starting in 0.1.1 an ...)
- php-phpseclib3 3.0.51-1
- [trixie] - php-phpseclib3 <no-dsa> (Minor issue)
+ [trixie] - php-phpseclib3 3.0.43-2+deb13u2
[bookworm] - php-phpseclib3 <no-dsa> (Minor issue)
- php-phpseclib 2.0.53-1
- [trixie] - php-phpseclib <no-dsa> (Minor issue)
+ [trixie] - php-phpseclib 2.0.48-3+deb13u2
[bookworm] - php-phpseclib <no-dsa> (Minor issue)
- phpseclib 1.0.28-1
- [trixie] - phpseclib <no-dsa> (Minor issue)
+ [trixie] - phpseclib 1.0.23-6+deb13u2
[bookworm] - phpseclib <no-dsa> (Minor issue)
[bullseye] - phpseclib <postponed> (Minor issue)
NOTE: https://github.com/phpseclib/phpseclib/security/advisories/GHSA-r854-jrxh-36qx
@@ -21263,7 +21264,7 @@ CVE-2026-6057 (FalkorDB Browser 1.9.3 contains an unauthenticated path traversal
NOT-FOR-US: FalkorDB Browser
CVE-2026-6042 (A security flaw has been discovered in musl libc up to 1.2.6. Affected ...)
- musl 1.2.5-3.1 (bug #1133372)
- [trixie] - musl <no-dsa> (Minor issue)
+ [trixie] - musl 1.2.5-3.1~deb13u1
[bookworm] - musl <no-dsa> (Minor issue)
[bullseye] - musl <postponed> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2026/04/02/10
@@ -21309,7 +21310,7 @@ CVE-2026-40212 (OpenStack Skyline before 5.0.1, 6.0.0, and 7.0.0 has a DOM-based
NOT-FOR-US: OpenStack Skyline
CVE-2026-40200 (An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based ...)
- musl 1.2.5-3.1 (bug #1133372)
- [trixie] - musl <no-dsa> (Minor issue)
+ [trixie] - musl 1.2.5-3.1~deb13u1
[bookworm] - musl <no-dsa> (Minor issue)
[bullseye] - musl <postponed> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2026/04/10/13
@@ -21358,7 +21359,7 @@ CVE-2026-40021 (Apache Log4net's XmlLayout https://logging.apache.org/log4net/m
CVE-2026-3446 (When calling base64.b64decode() or related functions the decoding proc ...)
- python3.14 3.14.4-1
- python3.13 <unfixed>
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u2
- python3.11 <removed>
[bookworm] - python3.11 <ignored> (Not backported to older Python releases due to compat concerns)
- python3.9 <removed>
@@ -24076,7 +24077,7 @@ CVE-2026-4740 (A flaw was found in Open Cluster Management (OCM), the technology
NOT-FOR-US: Open Cluster Management
CVE-2026-4631 (Cockpit's remote login feature passes user-supplied hostnames and user ...)
- cockpit 360-1 (bug #1133022)
- [trixie] - cockpit <no-dsa> (Minor issue)
+ [trixie] - cockpit 337-1+deb13u1
[bookworm] - cockpit <not-affected> (beiboot helper only used since 326)
[bullseye] - cockpit <not-affected> (beiboot helper only used since 326)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2450246
@@ -24740,7 +24741,7 @@ CVE-2025-13044 (IBM Concert 1.0.0 through 2.2.0 creates temporary files with pre
NOT-FOR-US: IBM
CVE-2026-4878 (A flaw was found in libcap. A local unprivileged user can exploit a Ti ...)
- libcap2 1:2.78-1
- [trixie] - libcap2 <no-dsa> (Minor issue)
+ [trixie] - libcap2 1:2.75-10+deb13u1
[bookworm] - libcap2 <no-dsa> (Minor issue)
[bullseye] - libcap2 <postponed> (Minor issue)
NOTE: https://github.com/AndrewGMorgan/libcap_mirror/security/advisories/GHSA-f78v-p5hx-m7hh
@@ -25405,7 +25406,7 @@ CVE-2026-40227 (In systemd 260 before 261, a local unprivileged user can trigger
CVE-2026-40226 (In nspawn in systemd 233 through 259 before 260, an escape-to-host act ...)
{DLA-4533-1}
- systemd 260~rc3-1
- [trixie] - systemd <no-dsa> (Minor issue)
+ [trixie] - systemd 257.13-1~deb13u1
[bookworm] - systemd <no-dsa> (Minor issue)
NOTE: https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx
NOTE: Fixed by: https://github.com/systemd/systemd/commit/61bceb1bff4b1f9c126b18dc971ca3e6d8c71c40 (v260-rc3)
@@ -25415,7 +25416,7 @@ CVE-2026-40226 (In nspawn in systemd 233 through 259 before 260, an escape-to-ho
CVE-2026-40225 (In udev in systemd before 260, local root execution can occur via mali ...)
{DLA-4533-1}
- systemd 260~rc4-1
- [trixie] - systemd <no-dsa> (Minor issue)
+ [trixie] - systemd 257.13-1~deb13u1
[bookworm] - systemd <no-dsa> (Minor issue)
NOTE: https://github.com/systemd/systemd/security/advisories/GHSA-vpfq-8p5f-jcqx
NOTE: Fixed by: https://github.com/systemd/systemd/commit/16325b35fa6ecb25f66534a562583ce3b96d52f3 (v260-rc3)
@@ -26405,7 +26406,7 @@ CVE-2026-34088 (Exposure of Sensitive Information to an Unauthorized Actor vulne
NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/DIBLSBHISKX6NFRUFNOGZRVW42E7R2QP/
CVE-2026-35535 (In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid ...)
- sudo 1.9.17p2-5 (bug #1130593)
- [trixie] - sudo <no-dsa> (Minor issue, can be fixed in a point release)
+ [trixie] - sudo 1.9.16p2-3+deb13u2
[bookworm] - sudo <no-dsa> (Minor issue, can be fixed in a point release)
[bullseye] - sudo <postponed> (Minor issue, can be fixed in a point release)
NOTE: Introduced by: https://github.com/sudo-project/sudo/commit/bd1ca79cca827a92e904f022e49df121931d4ff5 (SUDO_1_9_4p1)
@@ -26509,31 +26510,31 @@ CVE-2026-3692 (In Progress Flowmon versions prior to 12.5.8, a vulnerability exi
CVE-2026-35414 (OpenSSH before 10.3 mishandles the authorized_keys principals option i ...)
{DLA-4584-1}
- openssh 1:10.3p1-1 (bug #1132576)
- [trixie] - openssh <no-dsa> (Minor issue)
+ [trixie] - openssh 1:10.0p1-7+deb13u3
[bookworm] - openssh <no-dsa> (Minor issue)
NOTE: https://www.openssh.org/releasenotes.html#10.3p1
CVE-2026-35388 (OpenSSH before 10.3 omits connection multiplexing confirmation for pro ...)
{DLA-4584-1}
- openssh 1:10.3p1-1 (bug #1132575)
- [trixie] - openssh <no-dsa> (Minor issue)
+ [trixie] - openssh 1:10.0p1-7+deb13u3
[bookworm] - openssh <no-dsa> (Minor issue)
NOTE: https://www.openssh.org/releasenotes.html#10.3p1
CVE-2026-35387 (OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of an ...)
{DLA-4584-1}
- openssh 1:10.3p1-1 (bug #1132574)
- [trixie] - openssh <no-dsa> (Minor issue)
+ [trixie] - openssh 1:10.0p1-7+deb13u3
[bookworm] - openssh <no-dsa> (Minor issue)
NOTE: https://www.openssh.org/releasenotes.html#10.3p1
CVE-2026-35386 (In OpenSSH before 10.3, command execution can occur via shell metachar ...)
{DLA-4584-1}
- openssh 1:10.3p1-1 (bug #1132573)
- [trixie] - openssh <no-dsa> (Minor issue)
+ [trixie] - openssh 1:10.0p1-7+deb13u3
[bookworm] - openssh <no-dsa> (Minor issue)
NOTE: https://www.openssh.org/releasenotes.html#10.3p1
CVE-2026-35385 (In OpenSSH before 10.3, a file downloaded by scp may be installed setu ...)
{DLA-4584-1}
- openssh 1:10.3p1-1 (bug #1132572)
- [trixie] - openssh <no-dsa> (Minor issue)
+ [trixie] - openssh 1:10.0p1-7+deb13u3
[bookworm] - openssh <no-dsa> (Minor issue)
NOTE: https://www.openssh.org/releasenotes.html#10.3p1
CVE-2026-35168 (OpenSTAManager is an open source management software for technical ass ...)
@@ -26832,7 +26833,7 @@ CVE-2026-32145 (Allocation of Resources Without Limits or Throttling vulnerabili
NOT-FOR-US: gleam-wisp wisp
CVE-2026-31937 (Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15 ...)
- suricata 1:8.0.1-1
- [trixie] - suricata <no-dsa> (Minor issue)
+ [trixie] - suricata 1:7.0.10-1+deb13u4
[bookworm] - suricata <no-dsa> (Minor issue)
NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-86vg-w8vm-m3gg
NOTE: https://redmine.openinfosecfoundation.org/issues/8304
@@ -26840,7 +26841,7 @@ CVE-2026-31937 (Suricata is a network IDS, IPS and NSM engine. Prior to version
NOTE: https://github.com/OISF/suricata/commit/281f419c0481f7d24d8ce5482b962673a3938e9b (suricata-7.0.15)
CVE-2026-31935 (Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.1 ...)
- suricata 1:8.0.4-1
- [trixie] - suricata <no-dsa> (Minor issue)
+ [trixie] - suricata 1:7.0.10-1+deb13u4
[bookworm] - suricata <no-dsa> (Minor issue)
NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-vxrp-5pg7-7v4x
NOTE: https://redmine.openinfosecfoundation.org/issues/8295 (suricata-8.0.4)
@@ -26858,7 +26859,7 @@ CVE-2026-31934 (Suricata is a network IDS, IPS and NSM engine. From version 8.0.
NOTE: Introduced by: https://github.com/OISF/suricata/commit/a10c1f1dded570f99c4972ef9f730cec79218b75 (suricata-8.0.0-beta1)
CVE-2026-31933 (Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.1 ...)
- suricata 1:8.0.4-1
- [trixie] - suricata <no-dsa> (Minor issue)
+ [trixie] - suricata 1:7.0.10-1+deb13u4
[bookworm] - suricata <no-dsa> (Minor issue)
NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-hvp5-gpr6-j4gp
NOTE: https://redmine.openinfosecfoundation.org/issues/8364 (suricata-8.0.4)
@@ -26867,7 +26868,7 @@ CVE-2026-31933 (Suricata is a network IDS, IPS and NSM engine. Prior to versions
NOTE: https://github.com/OISF/suricata/commit/fecaa08f591c508b6486e7e9a2ee05636d1f9503 (suricata-7.0.15)
CVE-2026-31932 (Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.1 ...)
- suricata 1:8.0.4-1
- [trixie] - suricata <no-dsa> (Minor issue)
+ [trixie] - suricata 1:7.0.10-1+deb13u4
[bookworm] - suricata <no-dsa> (Minor issue)
NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-rp9m-jcpw-hggr
NOTE: https://redmine.openinfosecfoundation.org/issues/8306 (suricata-8.0.4)
@@ -28523,7 +28524,7 @@ CVE-2026-5122 (A security flaw has been discovered in osrg GoBGP up to 4.3.0. Th
CVE-2026-5121 (A flaw was found in libarchive. On 32-bit systems, an integer overflow ...)
{DLA-4563-1}
- libarchive 3.8.7-1 (bug #1133002)
- [trixie] - libarchive <no-dsa> (Minor issue)
+ [trixie] - libarchive 3.7.4-4+deb13u1
[bookworm] - libarchive <no-dsa> (Minor issue)
NOTE: https://github.com/libarchive/libarchive/pull/2934
NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/a2a73a8f14b3208c7f6acbbc93265254a7c1efd0
@@ -28539,7 +28540,7 @@ CVE-2026-4266 (An Insecure Deserialization vulnerability in WatchGuard Fireware
NOT-FOR-US: WatchGuard
CVE-2026-4046 (The iconv() function in the GNU C Library versions 2.43 and earlier ma ...)
- glibc 2.42-15 (bug #1132499)
- [trixie] - glibc <postponed> (Minor issue, revisit when fixed upstream)
+ [trixie] - glibc 2.41-12+deb13u3
[bookworm] - glibc <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=33980
NOTE: https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007
@@ -28764,7 +28765,7 @@ CVE-2025-15036 (A path traversal vulnerability exists in the `extract_archive_to
NOT-FOR-US: mlflow
CVE-2026-33691 (The OWASP core rule set (CRS) is a set of generic attack detection rul ...)
- modsecurity-crs 3.3.9-1
- [trixie] - modsecurity-crs <no-dsa> (Minor issue)
+ [trixie] - modsecurity-crs 3.3.7-1+deb13u2
[bookworm] - modsecurity-crs <no-dsa> (Minor issue)
[bullseye] - modsecurity-crs <postponed> (Minor issue)
NOTE: https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w
@@ -29391,7 +29392,7 @@ CVE-2026-33725 (Metabase is an open source business intelligence and embedded an
CVE-2026-33721 (MapServer is a system for developing web-based GIS applications. Start ...)
{DLA-4537-1}
- mapserver 8.6.1-1
- [trixie] - mapserver <no-dsa> (Minor issue)
+ [trixie] - mapserver 8.4.0-4+deb13u2
[bookworm] - mapserver <no-dsa> (Minor issue)
NOTE: https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp
NOTE: Fixed by: https://github.com/MapServer/MapServer/commit/fb08dad4afee081b81c57ca0c5d37c149e7755f9 (rel-8-6-1)
@@ -29682,7 +29683,7 @@ CVE-2026-21724 (A vulnerability has been discovered in Grafana OSS where an auth
CVE-2026-4948 (A flaw was found in firewalld. A local unprivileged user can exploit t ...)
{DLA-4585-1}
- firewalld 2.4.0-2
- [trixie] - firewalld <no-dsa> (Minor issue)
+ [trixie] - firewalld 2.3.1-1+deb13u1
[bookworm] - firewalld <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2452086
NOTE: Fixed by: https://github.com/firewalld/firewalld/commit/5fb3914ad830feff6cb2b0670457c60a323c6c6c
@@ -30446,55 +30447,55 @@ CVE-2025-14684 (IBM Maximo Application Suite - Monitor Component 9.1, 9.0, 8.11,
NOT-FOR-US: IBM
CVE-2026-33952 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4v4p-9v5x-hc93
CVE-2026-33977 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8f2g-3q27-6xm5
CVE-2026-33995 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mv25-f4p2-5mxx
CVE-2026-33984 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8469-2xcx-frf6
CVE-2026-33983 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gfm-4p52-h478
CVE-2026-33985 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-x6gr-8p7h-5h85
CVE-2026-33986 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h6qw-wxvm-hf97
CVE-2026-33987 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-ff8h-p5vc-wcwc
CVE-2026-33982 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8jm9-2925-g4v2
@@ -32390,21 +32391,21 @@ CVE-2026-32948 (sbt is a build tool for Scala, Java, and others. From version 0.
NOT-FOR-US: sbt
CVE-2026-32854 (LibVNCServer versions 0.9.15 and prior (fixed incommit dc78dee) contai ...)
- libvncserver 0.9.15+dfsg-3 (bug #1132017)
- [trixie] - libvncserver <no-dsa> (Minor issue)
+ [trixie] - libvncserver 0.9.15+dfsg-1+deb13u1
[bookworm] - libvncserver <no-dsa> (Minor issue)
[bullseye] - libvncserver <postponed> (Minor issue)
NOTE: https://github.com/LibVNC/libvncserver/security/advisories/GHSA-xjp8-4qqv-5x4x
NOTE: Fixed by: https://github.com/LibVNC/libvncserver/commit/dc78dee51a7e270e537a541a17befdf2073f5314
CVE-2026-32853 (LibVNCServer versions 0.9.15 and prior (fixed incommit 009008e) contai ...)
- libvncserver 0.9.15+dfsg-3 (bug #1132016)
- [trixie] - libvncserver <no-dsa> (Minor issue)
+ [trixie] - libvncserver 0.9.15+dfsg-1+deb13u1
[bookworm] - libvncserver <no-dsa> (Minor issue)
[bullseye] - libvncserver <postponed> (Minor issue)
NOTE: https://github.com/LibVNC/libvncserver/security/advisories/GHSA-87q7-v983-qwcj
NOTE: Fixed by: https://github.com/LibVNC/libvncserver/commit/009008e2f4d5a54dd71f422070df3af7b3dbc931
CVE-2026-32647 (NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_ ...)
- nginx 1.28.3-1
- [trixie] - nginx <no-dsa> (Minor issue)
+ [trixie] - nginx 1.26.3-3+deb13u3
[bookworm] - nginx <no-dsa> (Minor issue)
NOTE: https://my.f5.com/manage/s/article/K000160366
NOTE: Fixed by: https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc (release-1.28.3)
@@ -32428,31 +32429,31 @@ CVE-2026-29772 (Astro is a web framework. Prior to version 10.0.0, Astro's Serve
NOT-FOR-US: Astro
CVE-2026-28755 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx_strea ...)
- nginx 1.28.3-2
- [trixie] - nginx <no-dsa> (Minor issue)
+ [trixie] - nginx 1.26.3-3+deb13u3
[bookworm] - nginx <no-dsa> (Minor issue)
NOTE: https://my.f5.com/manage/s/article/K000160368
NOTE: Fixed by: https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8 (release-1.28.3)
CVE-2026-28753 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_ ...)
- nginx 1.28.3-1
- [trixie] - nginx <no-dsa> (Minor issue)
+ [trixie] - nginx 1.26.3-3+deb13u3
[bookworm] - nginx <no-dsa> (Minor issue)
NOTE: https://my.f5.com/manage/s/article/K000160367
NOTE: Fixed by: https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f (release-1.28.3)
CVE-2026-27784 (The 32-bit implementation of NGINX Open Source has a vulnerability in ...)
- nginx 1.28.3-1
- [trixie] - nginx <no-dsa> (Minor issue)
+ [trixie] - nginx 1.26.3-3+deb13u3
[bookworm] - nginx <no-dsa> (Minor issue)
NOTE: https://my.f5.com/manage/s/article/K000160364
NOTE: Fixed by: https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018 (release-1.28.3)
CVE-2026-27654 (NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_ ...)
- nginx 1.28.3-1
- [trixie] - nginx <no-dsa> (Minor issue)
+ [trixie] - nginx 1.26.3-3+deb13u3
[bookworm] - nginx <no-dsa> (Minor issue)
NOTE: https://my.f5.com/manage/s/article/K000160382
NOTE: Fixed by: https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82 (release-1.28.3)
CVE-2026-27651 (When the ngx_mail_auth_http_modulemodule is enabled on NGINX Plus or N ...)
- nginx 1.28.3-1
- [trixie] - nginx <no-dsa> (Minor issue)
+ [trixie] - nginx 1.26.3-3+deb13u3
[bookworm] - nginx <no-dsa> (Minor issue)
NOTE: https://my.f5.com/manage/s/article/K000160383
NOTE: Fixed by: https://github.com/nginx/nginx/commit/0f71dd8ea94ab8c123413b2e465be12a35392e9c (release-1.28.3)
@@ -33157,7 +33158,7 @@ CVE-2026-2412 (The Quiz and Survey Master (QSM) plugin for WordPress is vulnerab
CVE-2026-29111 (systemd, a system and service manager, (as PID 1) hits an assert and f ...)
{DLA-4533-1}
- systemd 260~rc2-1
- [trixie] - systemd <no-dsa> (Minor issue)
+ [trixie] - systemd 257.13-1~deb13u1
[bookworm] - systemd <no-dsa> (Minor issue)
NOTE: https://github.com/systemd/systemd/security/advisories/GHSA-gx6q-6f99-m764
NOTE: Fixed by: https://github.com/systemd/systemd/commit/42aee39107fbdd7db1ccd402a2151822b2805e9f (v260-rc2)
@@ -33469,7 +33470,7 @@ CVE-2019-25620 (Tree Studio 2.17 contains a denial of service vulnerability that
NOT-FOR-US: Tree Studio
CVE-2026-33347 (league/commonmark is a PHP Markdown parser. From version 2.3.0 to befo ...)
- php-league-commonmark 2.8.2-1
- [trixie] - php-league-commonmark <no-dsa> (Minor issue)
+ [trixie] - php-league-commonmark 2.7.0-1+deb13u1
[bookworm] - php-league-commonmark <no-dsa> (Minor issue)
[bullseye] - php-league-commonmark <postponed> (Minor issue)
NOTE: https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5
@@ -33998,7 +33999,7 @@ CVE-2026-33230 (NLTK (Natural Language Toolkit) is a suite of open source Python
NOTE: https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f
CVE-2026-33228 (flatted is a circular JSON parser. Prior to version 3.4.2, the parse() ...)
- node-flatted 3.4.2~ds-1 (bug #1131462)
- [trixie] - node-flatted <no-dsa> (Minor issue)
+ [trixie] - node-flatted 3.2.7~ds-1+deb13u1
[bookworm] - node-flatted <no-dsa> (Minor issue)
[bullseye] - node-flatted <postponed> (Minor issue)
NOTE: https://github.com/WebReflection/flatted/security/advisories/GHSA-rf6f-7fwh-wjgh
@@ -34288,6 +34289,7 @@ CVE-2026-0609 (The Logo Slider \u2013 Logo Carousel, Logo Showcase & Client Logo
CVE-2025-63261 (AWStats 8.0 is vulnerable to Command Injection via the open function)
{DLA-4509-1}
- awstats 8.0-5 (bug #1131878; unimportant)
+ [trixie] - awstats 7.9-1+deb13u1
NOTE: https://pentest-tools.com/PTT-2025-021-Code-Execution-in-AWStats.pdf
NOTE: https://github.com/eldy/AWStats/issues/287
NOTE: Crosses no reasonable security boundary, requires an attacker to modify awstats.conf
@@ -34303,7 +34305,7 @@ CVE-2026-4519 (The webbrowser.open() API would accept leading dashes in the URL
{DLA-4583-1}
- python3.14 3.14.4-1
- python3.13 <unfixed>
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u2
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -34369,7 +34371,7 @@ CVE-2026-4485 (A vulnerability has been found in itsourcecode College Management
NOT-FOR-US: itsourcecode System
CVE-2026-4438 (Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.co ...)
- glibc 2.42-14 (bug #1131887)
- [trixie] - glibc <no-dsa> (Minor issue)
+ [trixie] - glibc 2.41-12+deb13u3
[bookworm] - glibc <no-dsa> (Minor issue)
[bullseye] - glibc <postponed> (Minor issue, specification violation)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=34015
@@ -34377,7 +34379,7 @@ CVE-2026-4438 (Calling gethostbyaddr or gethostbyaddr_r with a configured nsswit
NOTE: https://www.openwall.com/lists/oss-security/2026/03/23/2
CVE-2026-4437 (Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.co ...)
- glibc 2.42-14 (bug #1131435)
- [trixie] - glibc <no-dsa> (Minor issue)
+ [trixie] - glibc 2.41-12+deb13u3
[bookworm] - glibc <no-dsa> (Minor issue)
[bullseye] - glibc <postponed> (Minor issue, validation issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=34014
@@ -35233,7 +35235,7 @@ CVE-2026-4439 (Out of bounds memory access in WebGL in Google Chrome on Android
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-34881 (OpenStack Glance before 29.1.1, 30.x before 30.1.1, and 31.0.0 is affe ...)
- glance 2:31.0.0-3 (bug #1131274)
- [trixie] - glance <no-dsa> (Minor issue)
+ [trixie] - glance 2:30.0.0-3+deb13u1
[bookworm] - glance <no-dsa> (Minor issue)
[bullseye] - glance <postponed> (Minor issue, potential infoleak)
NOTE: https://www.openwall.com/lists/oss-security/2026/03/19/3
@@ -35250,14 +35252,14 @@ CVE-2026-4427
CVE-2026-4426 (A flaw was found in libarchive. An Undefined Behavior vulnerability ex ...)
{DLA-4563-1}
- libarchive 3.8.7-1 (bug #1131444)
- [trixie] - libarchive <postponed> (Minor issue, revisit when fixed upstream)
+ [trixie] - libarchive 3.7.4-4+deb13u1
[bookworm] - libarchive <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/libarchive/libarchive/pull/2897
NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/c3cb1c568ebf9e8f7f478cfc0356ae54e99712b0
CVE-2026-4424 (A flaw was found in libarchive. This heap out-of-bounds read vulnerabi ...)
{DLA-4563-1}
- libarchive 3.8.7-1 (bug #1131446)
- [trixie] - libarchive <no-dsa> (Minor issue)
+ [trixie] - libarchive 3.7.4-4+deb13u1
[bookworm] - libarchive <no-dsa> (Minor issue)
NOTE: https://github.com/libarchive/libarchive/pull/2898
NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/d379dc0b2976b7207d1ad78f5ed3eb99a5b6d375
@@ -35296,7 +35298,7 @@ CVE-2026-3503 (Protection mechanism failure in wolfCrypt post-quantum implementa
NOTE: Fixed by: https://github.com/wolfSSL/wolfssl/commit/65a1a6887747949ed148d8be3350b86ecff24fbc (v5.9.0-stable)
CVE-2026-3029 (A path traversal and arbitrary file write vulnerability exist in the e ...)
- pymupdf 1.26.7+ds1-1
- [trixie] - pymupdf <no-dsa> (Minor issue)
+ [trixie] - pymupdf 1.25.4+ds1-3+deb13u1
[bookworm] - pymupdf <no-dsa> (Minor issue)
[bullseye] - pymupdf <postponed> (Minor issue)
NOTE: https://github.com/pymupdf/PyMuPDF/issues/4767
@@ -36305,7 +36307,7 @@ CVE-2026-33550 (SOGo before 5.12.5 does not renew the OTP if a user disables/ena
NOTE: Fixed by: https://github.com/Alinto/sogo/commit/83d4c522f87cfde0ba543837d9b24c3479083ec2 (SOGo-5.12.5)
CVE-2026-4359 (A compromised third party cloud server or man-in-the-middle attacker c ...)
- mongo-c-driver 2.2.3-1
- [trixie] - mongo-c-driver <no-dsa> (Minor issue)
+ [trixie] - mongo-c-driver 1.30.4-1+deb13u2
[bookworm] - mongo-c-driver <no-dsa> (Minor issue)
[bullseye] - mongo-c-driver <postponed> (Minor issue)
NOTE: https://jira.mongodb.org/browse/CDRIVER-6251
@@ -36585,7 +36587,7 @@ CVE-2026-4224 (When an Expat parser with a registered ElementDeclHandler parses
{DLA-4583-1}
- python3.14 3.14.3-4
- python3.13 <unfixed>
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u2
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -36606,7 +36608,7 @@ CVE-2026-3644 (The fix for CVE-2026-0672, which rejected control characters in h
{DLA-4583-1}
- python3.14 3.14.3-4
- python3.13 <unfixed>
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u2
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -36956,7 +36958,7 @@ CVE-2026-32776 (libexpat before 2.7.5 allows a NULL pointer dereference with emp
CVE-2026-32775 (libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exif_ ...)
{DLA-4558-1}
- libexif 0.6.26-1 (bug #1131116)
- [trixie] - libexif <no-dsa> (Minor issue)
+ [trixie] - libexif 0.6.25-1+deb13u1
[bookworm] - libexif <no-dsa> (Minor issue)
NOTE: https://github.com/libexif/libexif/issues/247
NOTE: Fixed by: https://github.com/libexif/libexif/commit/7df372e9d31d7c993a22b913c813a5f7ec4f3692
@@ -37231,7 +37233,7 @@ CVE-2025-15060 (claude-hovercraft executeClaudeCode Command Injection Remote Cod
CVE-2026-4111 (A flaw was identified in the RAR5 archive decompression logic of the l ...)
{DLA-4563-1}
- libarchive 3.8.6-1 (bug #1130753)
- [trixie] - libarchive <no-dsa> (Minor issue)
+ [trixie] - libarchive 3.7.4-4+deb13u1
[bookworm] - libarchive <no-dsa> (Minor issue)
NOTE: https://github.com/libarchive/libarchive/pull/2877
NOTE: Testcase: https://github.com/libarchive/libarchive/commit/ef53e2023d75a205cf7cbddb5d01c4cc592e9ce4
@@ -37557,7 +37559,7 @@ CVE-2026-31899 (CairoSVG is an SVG converter based on Cairo, a 2D graphics libra
NOTE: Fixed by: https://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf (2.9.0)
CVE-2026-31897 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xgv6-r22m-7c9x
@@ -37566,14 +37568,14 @@ CVE-2026-31886 (Dagu is a workflow engine with a built-in Web user interface. Pr
NOT-FOR-US: Dagu
CVE-2026-31885 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h23r-3988-3wf3
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/16df2300e1e3f5a51f68fb1626429e58b531b7c8 (3.24.0)
CVE-2026-31884 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-jp7m-94ww-p56r
@@ -37581,7 +37583,7 @@ CVE-2026-31884 (FreeRDP is a free implementation of the Remote Desktop Protocol.
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/16df2300e1e3f5a51f68fb1626429e58b531b7c8 (3.24.0)
CVE-2026-31883 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-85x9-4xxp-xhm5
@@ -37597,7 +37599,7 @@ CVE-2026-31814 (Yamux is a stream multiplexer over reliable, ordered connections
NOTE: Fixed by: https://github.com/libp2p/rust-yamux/commit/b1aae09d60c0bd6a5915a5448f4e8cbc5174db53 (yamux-v0.13.9)
CVE-2026-31806 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrqm-46rj-cmx2
@@ -37629,21 +37631,21 @@ CVE-2026-2257 (The GetGenie plugin for WordPress is vulnerable to Insecure Direc
NOT-FOR-US: WordPress plugin
CVE-2026-29776 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c747-x4wf-cqrr
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/a9e0abf2eac8c2e370fa155bf1abb9d044c0ca8a (3.24.0)
CVE-2026-29775 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h666-rfw3-jhvj
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/ffad58fd2b329efd81a3239e9d7e3c927b8e503f (3.24.0)
CVE-2026-29774 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.24.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5q35-hv9x-7794
@@ -37662,7 +37664,7 @@ CVE-2026-24097 (Improper permission enforcement in Checkmk versions 2.4.0 before
- check-mk <removed>
CVE-2026-23943 (Improper Handling of Highly Compressed Data (Compression Bomb) vulnera ...)
- erlang 1:27.3.4.9+dfsg-1 (bug #1130912)
- [trixie] - erlang <no-dsa> (Minor issue)
+ [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
[bookworm] - erlang <no-dsa> (Minor issue)
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-c836-qprm-jw9r
NOTE: Fixed by: https://github.com/erlang/otp/commit/43a87b949bdff12d629a8c34146711d9da93b1b1 (OTP-28.4.1)
@@ -37670,7 +37672,7 @@ CVE-2026-23943 (Improper Handling of Highly Compressed Data (Compression Bomb) v
NOTE: Fixed by: https://github.com/erlang/otp/commit/0c1c04b191f6ab940e8fcfabce39eb5a8a6440a4 (OTP-26.2.5.18)
CVE-2026-23942 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
- erlang 1:27.3.4.9+dfsg-1 (bug #1130912)
- [trixie] - erlang <no-dsa> (Minor issue)
+ [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
[bookworm] - erlang <no-dsa> (Minor issue)
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-4749-w85x-hw9h
NOTE: Fixed by: https://github.com/erlang/otp/commit/27688a824f753d4c16371dc70e88753fb410590b (OTP-28.4.1)
@@ -37678,7 +37680,7 @@ CVE-2026-23942 (Improper Limitation of a Pathname to a Restricted Directory ('Pa
NOTE: Fixed by: https://github.com/erlang/otp/commit/5ed603a1211b83b8be2d1fc06d3f3bf30c3c9759 (OTP-26.2.5.18)
CVE-2026-23941 (Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling' ...)
- erlang 1:27.3.4.9+dfsg-1 (bug #1130912)
- [trixie] - erlang <no-dsa> (Minor issue)
+ [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
[bookworm] - erlang <no-dsa> (Minor issue)
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-w4jc-9wpv-pqh7
NOTE: Fixed by: https://github.com/erlang/otp/commit/a4b46336fd25aa100ac602eb9a627aaead7eda18 (OTP-28.4.1)
@@ -37743,7 +37745,7 @@ CVE-2023-40693 (IBM Sterling B2B Integratorand IBM Sterling File Gateway6.1.0.0
CVE-2026-4105 (A flaw was found in systemd. The systemd-machined service contains an ...)
{DLA-4533-1}
- systemd 260~rc3-1
- [trixie] - systemd <no-dsa> (Only exloitable with custom polkit policy that allows register-machine access)
+ [trixie] - systemd 257.13-1~deb13u1
[bookworm] - systemd <no-dsa> (Only exloitable with custom polkit policy that allows register-machine access)
NOTE: https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862
NOTE: Introduced with: https://github.com/systemd/systemd/commit/fbe550738d03b178bb004a1390e74115e904118a (v225)
@@ -37920,7 +37922,7 @@ CVE-2026-3059 (SGLang's multimodal generation module is vulnerable to unauthenti
NOT-FOR-US: sgl-project sglang
CVE-2026-32274 (Black is the uncompromising Python code formatter. Prior to 26.3.1, Bl ...)
- black 26.3.1-1 (bug #1130657)
- [trixie] - black <no-dsa> (Minor issue)
+ [trixie] - black 25.1.0-3+deb13u1
[bookworm] - black <no-dsa> (Minor issue)
[bullseye] - black <postponed> (Minor issue)
NOTE: https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m
@@ -38105,7 +38107,7 @@ CVE-2025-13462 (The "tarfile" module would still apply normalization of AREGTYPE
{DLA-4583-1}
- python3.14 3.14.3-4
- python3.13 <unfixed>
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u1
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -40644,7 +40646,7 @@ CVE-2026-30848 (Parse Server is an open source backend that can be deployed to a
NOT-FOR-US: Parse Server
CVE-2026-30838 (league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, th ...)
- php-league-commonmark 2.8.1-1
- [trixie] - php-league-commonmark <no-dsa> (Minor issue)
+ [trixie] - php-league-commonmark 2.7.0-1+deb13u1
[bookworm] - php-league-commonmark <no-dsa> (Minor issue)
[bullseye] - php-league-commonmark <postponed> (Minor issue)
NOTE: https://github.com/thephpleague/commonmark/security/advisories/GHSA-4v6x-c7xx-hw9f
@@ -40661,7 +40663,7 @@ CVE-2026-29787 (mcp-memory-service is an open-source memory backend for multi-ag
CVE-2026-29786 (node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, ...)
{DLA-4552-1}
- node-tar 6.2.1+ds1+~cs6.1.13-8
- [trixie] - node-tar <no-dsa> (Minor issue)
+ [trixie] - node-tar 6.2.1+~cs7.0.8-1+deb13u1
[bookworm] - node-tar <no-dsa> (Minor issue)
NOTE: https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96
NOTE: Fixed by: https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f (v7.5.10)
@@ -41735,7 +41737,7 @@ CVE-2026-2297 (The import hook in CPython that handles legacy *.pyc files (Sourc
{DLA-4583-1}
- python3.14 3.14.3-4
- python3.13 <unfixed>
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u1
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -43864,12 +43866,12 @@ CVE-2026-27832 (Group-Office is an enterprise customer relationship management a
NOT-FOR-US: Group-Office
CVE-2026-27824 (calibre is a cross-platform e-book manager for viewing, converting, ed ...)
- calibre 9.4.0+ds+~0.10.5-1
- [trixie] - calibre <no-dsa> (Minor issue)
+ [trixie] - calibre 8.5.0+ds-1+deb13u2
[bookworm] - calibre <no-dsa> (Minor issue)
NOTE: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vhxc-r7v8-2xrw
CVE-2026-27810 (calibre is a cross-platform e-book manager for viewing, converting, ed ...)
- calibre 9.4.0+ds+~0.10.5-1
- [trixie] - calibre <no-dsa> (Minor issue)
+ [trixie] - calibre 8.5.0+ds-1+deb13u2
[bookworm] - calibre <no-dsa> (Minor issue)
NOTE: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-5fpj-fxw7-8grw
CVE-2026-27793 (Seerr is an open-source media request and discovery manager for Jellyf ...)
@@ -44014,7 +44016,7 @@ CVE-2026-3285 (A vulnerability was determined in berry-lang berry up to 1.1.0. T
NOT-FOR-US: berry-lang berry
CVE-2026-3284 (A vulnerability was found in libvips 8.19.0. Impacted is the function ...)
- vips 8.18.0-3 (bug #1129310)
- [trixie] - vips <no-dsa> (Minor issue, will be fixed via point release)
+ [trixie] - vips 8.16.1-1+deb13u1
[bookworm] - vips <no-dsa> (Minor issue, will be fixed via point release)
[bullseye] - vips <postponed> (Minor issue, will be fixed via point release)
NOTE: https://github.com/libvips/libvips/issues/4879
@@ -44022,7 +44024,7 @@ CVE-2026-3284 (A vulnerability was found in libvips 8.19.0. Impacted is the func
NOTE: Fixed by: https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70
CVE-2026-3283 (A vulnerability has been found in libvips 8.19.0. This issue affects t ...)
- vips 8.18.0-3 (bug #1129310)
- [trixie] - vips <no-dsa> (Minor issue, will be fixed via point release)
+ [trixie] - vips 8.16.1-1+deb13u1
[bookworm] - vips <no-dsa> (Minor issue, will be fixed via point release)
[bullseye] - vips <postponed> (Minor issue, will be fixed via point release)
NOTE: https://github.com/libvips/libvips/issues/4880
@@ -44030,7 +44032,7 @@ CVE-2026-3283 (A vulnerability has been found in libvips 8.19.0. This issue affe
NOTE: Fixed by: https://github.com/libvips/libvips/commit/24795bb3d19d84f7b6f5ed86451ad556c8f2fe70
CVE-2026-3282 (A flaw has been found in libvips 8.19.0. This vulnerability affects th ...)
- vips 8.18.0-3 (bug #1129311)
- [trixie] - vips <no-dsa> (Minor issue, will be fixed via point release)
+ [trixie] - vips 8.16.1-1+deb13u1
[bookworm] - vips <no-dsa> (Minor issue, will be fixed via point release)
[bullseye] - vips <postponed> (Minor issue, will be fixed via point release)
NOTE: https://github.com/libvips/libvips/issues/4881
@@ -44038,7 +44040,7 @@ CVE-2026-3282 (A flaw has been found in libvips 8.19.0. This vulnerability affec
NOTE: Fixed by: https://github.com/libvips/libvips/commit/7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91
CVE-2026-3281 (A vulnerability was detected in libvips 8.19.0. This affects the funct ...)
- vips 8.18.0-3 (bug #1129312)
- [trixie] - vips <no-dsa> (Minor issue, will be fixed via point release)
+ [trixie] - vips 8.16.1-1+deb13u1
[bookworm] - vips <no-dsa> (Minor issue, will be fixed via point release)
[bullseye] - vips <postponed> (Minor issue, will be fixed via point release)
NOTE: https://github.com/libvips/libvips/issues/4878
@@ -44290,7 +44292,7 @@ CVE-2023-31364 (Improper handling of direct memory writes in the input-output me
TODO: check
CVE-2025-71264 (Mumble before 1.6.870 is prone to an out-of-bounds array access, which ...)
- mumble 1.5.735-7 (bug #1129178)
- [trixie] - mumble <no-dsa> (Minor issue; will be fixed via point release)
+ [trixie] - mumble 1.5.735-5+deb13u1
[bookworm] - mumble <no-dsa> (Minor issue; will be fixed via point release)
[bullseye] - mumble <postponed> (Minor issue)
NOTE: https://github.com/mumble-voip/mumble/pull/7032
@@ -44321,7 +44323,7 @@ CVE-2026-2244 (A vulnerability in Google Cloud Vertex AI Workbench from7/21/2025
CVE-2026-28296 (A flaw was found in the FTP GVfs backend. A remote attacker could expl ...)
{DLA-4513-1}
- gvfs 1.59.90-1 (bug #1129286)
- [trixie] - gvfs <no-dsa> (Minor issue)
+ [trixie] - gvfs 1.57.2-2+deb13u1
[bookworm] - gvfs <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/gvfs/-/issues/833
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gvfs/-/commit/21dda19047b86c3e92fae668eb9dc80e33ca71fd (1.59.90)
@@ -44330,7 +44332,7 @@ CVE-2026-28296 (A flaw was found in the FTP GVfs backend. A remote attacker coul
CVE-2026-28295 (A flaw was found in the FTP GVfs backend. A malicious FTP server can e ...)
{DLA-4513-1}
- gvfs 1.59.90-1 (bug #1129285)
- [trixie] - gvfs <no-dsa> (Minor issue)
+ [trixie] - gvfs 1.57.2-2+deb13u1
[bookworm] - gvfs <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/gvfs/-/issues/832
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gvfs/-/commit/20db8173252ea88a4af05dc9a24aad6f29b807ad (1.59.90)
@@ -44964,7 +44966,7 @@ CVE-2025-14103 (GitLab has remediated an issue in GitLab CE/EE affecting all ver
- gitlab <not-affected> (Vulnerable code introduced later)
CVE-2026-27015 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.23.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
[bookworm] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
@@ -44972,7 +44974,7 @@ CVE-2026-27015 (FreeRDP is a free implementation of the Remote Desktop Protocol.
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/65d59d3b3c2f630f2ea862687ecf5f95f8115244 (3.23.0)
CVE-2026-26986 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.23.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
[bookworm] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
@@ -44980,7 +44982,7 @@ CVE-2026-26986 (FreeRDP is a free implementation of the Remote Desktop Protocol.
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/b4f0f0a18fe53aa8d47d062f91471f4e9c5e0d51 (3.23.0)
CVE-2026-26965 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.23.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
[bookworm] - freerdp3 <no-dsa> (Minor issue)
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
@@ -44988,66 +44990,66 @@ CVE-2026-26965 (FreeRDP is a free implementation of the Remote Desktop Protocol.
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc (3.23.0)
CVE-2026-26955 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.23.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mr6w-ch7c-mqqj
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/7d8fdce2d0ef337cb86cb37fc0c436c905e04d77 (3.23.0)
CVE-2026-26271 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.23.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
CVE-2026-25997 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.23.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5j3-m6jf-3jq4
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/58409406afe7c2a8a71ed2dc8e22075be4f41c0c (3.23.0)
CVE-2026-25959 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.23.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78xg-v4p2-4w3c
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/d3e8b3b9365be96a4f11dda149d71b3287227d0a (3.23.0)
CVE-2026-25955 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.23.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/169d358734509e82663a0d6a0085ae726d439d8e (3.23.0)
CVE-2026-25954 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.23.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
CVE-2026-25953 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.23.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6rq-rxpc-rh3p
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/1994e9844212a6dfe0ff12309fef520e888986b5 (3.23.0)
CVE-2026-25952 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.23.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cgqm-cwjg-7w9x
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/1994e9844212a6dfe0ff12309fef520e888986b5 (3.23.0)
CVE-2026-25942 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.23.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78q6-67m7-wwf6
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/9362a0bf8dda04eedbca07d5dfaec1044e67cc6b (3.23.0)
CVE-2026-25941 (FreeRDP is a free implementation of the Remote Desktop Protocol. Versi ...)
- freerdp3 3.23.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3546-x645-5cf8
@@ -45084,7 +45086,7 @@ CVE-2026-3148 (A vulnerability was determined in SourceCodester Simple and Nice
NOT-FOR-US: SourceCodester
CVE-2026-3147 (A vulnerability was found in libvips up to 8.18.0. This affects the fu ...)
- vips 8.18.0-3 (bug #1129314)
- [trixie] - vips <no-dsa> (Minor issue, will be fixed via point release)
+ [trixie] - vips 8.16.1-1+deb13u1
[bookworm] - vips <no-dsa> (Minor issue, will be fixed via point release)
[bullseye] - vips <postponed> (Minor issue, will be fixed via point release)
NOTE: https://github.com/libvips/libvips/issues/4874
@@ -45092,7 +45094,7 @@ CVE-2026-3147 (A vulnerability was found in libvips up to 8.18.0. This affects t
NOTE: Fixed by: https://github.com/libvips/libvips/commit/b3ab458a25e0e261cbd1788474bbc763f7435780
CVE-2026-3146 (A vulnerability has been found in libvips up to 8.18.0. The impacted e ...)
- vips 8.18.0-3 (bug #1129315)
- [trixie] - vips <no-dsa> (Minor issue, will be fixed via point release)
+ [trixie] - vips 8.16.1-1+deb13u1
[bookworm] - vips <no-dsa> (Minor issue, will be fixed via point release)
[bullseye] - vips <postponed> (Minor issue, will be fixed via point release)
NOTE: https://github.com/libvips/libvips/issues/4875
@@ -45100,7 +45102,7 @@ CVE-2026-3146 (A vulnerability has been found in libvips up to 8.18.0. The impac
NOTE: Fixed by: https://github.com/libvips/libvips/commit/d4ce337c76bff1b278d7085c3c4f4725e3aa6ece
CVE-2026-3145 (A flaw has been found in libvips up to 8.18.0. The affected element is ...)
- vips 8.18.0-3 (bug #1129315)
- [trixie] - vips <no-dsa> (Minor issue, will be fixed via point release)
+ [trixie] - vips 8.16.1-1+deb13u1
[bookworm] - vips <no-dsa> (Minor issue, will be fixed via point release)
[bullseye] - vips <postponed> (Minor issue, will be fixed via point release)
NOTE: https://github.com/libvips/libvips/issues/4876
@@ -46301,7 +46303,7 @@ CVE-2025-40701 (Reflected Cross-Site Scripting vulnerability in SOTESHOP, versio
NOT-FOR-US: SOTESHOP
CVE-2025-14905 (A flaw was found in the 389-ds-base server. A heap buffer overflow vul ...)
- 389-ds-base 3.1.2+vendor1-2 (bug #1130910)
- [trixie] - 389-ds-base <no-dsa> (Minor issue; can be fixed via point release)
+ [trixie] - 389-ds-base 3.1.2+dfsg1-1+deb13u1
[bookworm] - 389-ds-base <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2423624
NOTE: Fixed by: https://github.com/389ds/389-ds-base/commit/2e424110def2e3998f6045e136fb0d43f47b7f5a (main)
@@ -46457,7 +46459,7 @@ CVE-2026-2925 (A vulnerability was detected in D-Link DWR-M960 1.01.07. Affected
NOT-FOR-US: D-Link
CVE-2026-2913 (A vulnerability was determined in libvips up to 8.19.0. The affected e ...)
- vips 8.18.0-2 (bug #1128785)
- [trixie] - vips <no-dsa> (Minor issue)
+ [trixie] - vips 8.16.1-1+deb13u1
[bookworm] - vips <no-dsa> (Minor issue)
[bullseye] - vips <postponed> (Minor issue, local access required, hard to trigger)
NOTE: https://github.com/libvips/libvips/issues/4857
@@ -47038,7 +47040,7 @@ CVE-2026-21627 (The vulnerability was rooted in how the Tassos Framework plugin
NOT-FOR-US: Joomla
CVE-2026-21620 (Relative Path Traversal, Improper Isolation or Compartmentalization vu ...)
- erlang 1:27.3.4.8+dfsg-1 (bug #1128651)
- [trixie] - erlang <no-dsa> (Minor issue)
+ [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
[bookworm] - erlang <no-dsa> (Minor issue)
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-hmrc-prh3-rpvp
NOTE: https://github.com/erlang/otp/pull/10706
@@ -47556,7 +47558,7 @@ CVE-2026-26963 (Cilium is a networking, observability, and security solution wit
CVE-2026-26960 (node-tar is a full-featured Tar for Node.js. When using default option ...)
{DLA-4552-1}
- node-tar 6.2.1+ds1+~cs6.1.13-8 (bug #1129378)
- [trixie] - node-tar <no-dsa> (Minor issue)
+ [trixie] - node-tar 6.2.1+~cs7.0.8-1+deb13u1
[bookworm] - node-tar <no-dsa> (Minor issue)
NOTE: https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx
NOTE: Fixed by: https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f (v7.5.8)
@@ -47622,14 +47624,14 @@ CVE-2026-26275 (httpsig-hyper is a hyper extension for http message signatures.
CVE-2026-26065 (calibre is a cross-platform e-book manager for viewing, converting, ed ...)
{DLA-4554-1}
- calibre 9.3.0+ds+~0.10.5-1
- [trixie] - calibre <no-dsa> (Minor issue)
+ [trixie] - calibre 8.5.0+ds-1+deb13u2
[bookworm] - calibre <no-dsa> (Minor issue)
NOTE: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-vmfh-7mr7-pp2w
NOTE: Fixed by: https://github.com/kovidgoyal/calibre/commit/b6da1c3878c06eb1356cb0ec1106cb66e0e9bfb8 (v9.3.0)
CVE-2026-26064 (calibre is a cross-platform e-book manager for viewing, converting, ed ...)
{DLA-4554-1}
- calibre 9.3.0+ds+~0.10.5-1
- [trixie] - calibre <no-dsa> (Minor issue)
+ [trixie] - calibre 8.5.0+ds-1+deb13u2
[bookworm] - calibre <no-dsa> (Minor issue)
NOTE: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-72ch-3hqc-pgmp
NOTE: Fixed by: https://github.com/kovidgoyal/calibre/commit/e1b5f9b45a5e8fa96c136963ad9a1d35e6adac62 (v9.3.0)
@@ -51357,7 +51359,7 @@ CVE-2026-1853 (The BuddyHolis ListSearch plugin for WordPress is vulnerable to S
NOT-FOR-US: WordPress plugin
CVE-2026-1837 (A specially-crafted file can cause libjxl's decoder to write pixel dat ...)
- jpeg-xl 0.11.2-0.1 (bug #1128067)
- [trixie] - jpeg-xl <no-dsa> (Minor issue; can be fixed via next point release)
+ [trixie] - jpeg-xl 0.11.2-0.1~deb13u1
[bookworm] - jpeg-xl <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/libjxl/libjxl/issues/4549
NOTE: Introduced by: https://github.com/libjxl/libjxl/commit/f1fd4c384455471f42c006c392ff123c9c1fb1ae (v0.9.0)
@@ -51558,7 +51560,7 @@ CVE-2025-13391 (The Product Options and Price Calculation Formulas for WooCommer
NOT-FOR-US: WordPress plugin
CVE-2025-12474 (A specially-crafted file can cause libjxl's decoder to read pixel data ...)
- jpeg-xl 0.11.2-0.1 (bug #1128068)
- [trixie] - jpeg-xl <no-dsa> (Minor issue; can be fixed via next point release)
+ [trixie] - jpeg-xl 0.11.2-0.1~deb13u1
[bookworm] - jpeg-xl <no-dsa> (Minor issue; can be fixed via next point release)
NOTE: https://github.com/libjxl/libjxl/pull/4495
NOTE: Fixed by: https://github.com/libjxl/libjxl/commit/4523cf652f568f1fbb57bf9a10ae3caae785cd9f
@@ -52639,7 +52641,7 @@ CVE-2026-26079 (Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cas
NOTE: https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13
CVE-2026-23948 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.22.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6f3c-qvqq-2px5
@@ -53073,7 +53075,7 @@ CVE-2026-25732 (NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI'
NOT-FOR-US: NiceGUI
CVE-2026-25731 (calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template I ...)
- calibre 9.2.0+ds+~0.10.5-1
- [trixie] - calibre <no-dsa> (Will be fixed via point update)
+ [trixie] - calibre 8.5.0+ds-1+deb13u2
[bookworm] - calibre <no-dsa> (Will be fixed via point update)
[bullseye] - calibre <ignored> (Too intrusive to backport)
NOTE: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc
@@ -53085,14 +53087,14 @@ CVE-2026-25644 (DataHub is an open-source metadata platform. Prior to version 1.
CVE-2026-25636 (calibre is an e-book manager. In 9.1.0 and earlier, a path traversal v ...)
{DLA-4554-1}
- calibre 9.2.0+ds+~0.10.5-1
- [trixie] - calibre <no-dsa> (Will be fixed via point update)
+ [trixie] - calibre 8.5.0+ds-1+deb13u2
[bookworm] - calibre <no-dsa> (Will be fixed via point update)
NOTE: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29
NOTE: Fixed by: https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726 (v9.2.0)
CVE-2026-25635 (calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader con ...)
{DLA-4554-1}
- calibre 9.2.0+ds+~0.10.5-1
- [trixie] - calibre <no-dsa> (Will be fixed via point update)
+ [trixie] - calibre 8.5.0+ds-1+deb13u2
[bookworm] - calibre <no-dsa> (Will be fixed via point update)
NOTE: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-32vh-whvh-9fxr
NOTE: Fixed by: https://github.com/kovidgoyal/calibre/commit/9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9 (v9.2.0)
@@ -56320,42 +56322,42 @@ CVE-2020-36994 (QlikView 12.50.20000.0 contains a denial of service vulnerabilit
NOT-FOR-US: QlikView
CVE-2026-24682 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.22.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vcw2-pqgw-mx6g
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/1c5c74223179d425a1ce6dbbb6a3dd2a958b7aee (3.22.0)
CVE-2026-24683 (FreeRDP is a free implementation of the Remote Desktop Protocol. ainpu ...)
- freerdp3 3.22.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-45pf-68pj-fg8q
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/d9ca272dce7a776ab475e9b1a8e8c3d2968c8486 (3.22.0)
CVE-2026-24676 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.22.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qh5p-frq4-pgxj
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/026b81ae5831ac1598d8f7371e0d0996fac7db00 (3.22.0)
CVE-2026-24677 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.22.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xw37-j744-f8v7
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/d2d4f449312ddafd4a4c6c8a4f856c7f0d44a3b5 (3.22.0)
CVE-2026-24678 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.22.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6gvg-29wx-6v7h
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/f3ab1a16139036179d9852745fdade18fec11600 (3.22.0)
CVE-2026-24684 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.22.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vcgv-xgjp-h83q
@@ -56363,35 +56365,35 @@ CVE-2026-24684 (FreeRDP is a free implementation of the Remote Desktop Protocol.
NOTE: fixed by: https://github.com/FreeRDP/FreeRDP/commit/afa6851dc80835d3101e40fcef51b6c5c0f43ea5 (3.22.0)
CVE-2026-24679 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.22.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-2jp4-67x6-gv7x
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/2d563a50be17c1b407ca448b1321378c0726dd31 (3.22.0)
CVE-2026-24681 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.22.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-ccvv-hg2w-6x9j
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/414f701464929c217f2509bcbd6d2c1f00f7ed73 (3.22.0)
CVE-2026-24675 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.22.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-x9jr-99h2-g7mj
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/d676518809c319eec15911c705c13536036af2ae (3.22.0)
CVE-2026-24491 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.22.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4x6j-w49r-869g
NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/e02e052f6692550e539d10f99de9c35a23492db2 (3.22.0)
CVE-2026-24680 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.22.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j893-9wg8-33rc
@@ -57149,7 +57151,7 @@ CVE-2026-21417 (Dell CloudBoost Virtual Appliance, versions prior to 19.14.0.0,
CVE-2026-1489 (A flaw was found in GLib. An integer overflow vulnerability in its Uni ...)
{DLA-4491-1}
- glib2.0 2.86.3-5 (bug #1126549)
- [trixie] - glib2.0 <no-dsa> (Minor issue)
+ [trixie] - glib2.0 2.84.4-3~deb13u3
[bookworm] - glib2.0 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/3872
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4983
@@ -57157,7 +57159,7 @@ CVE-2026-1489 (A flaw was found in GLib. An integer overflow vulnerability in it
CVE-2026-1485 (A flaw was found in Glib's content type parsing logic. This buffer und ...)
{DLA-4491-1}
- glib2.0 2.86.3-5 (bug #1126550)
- [trixie] - glib2.0 <no-dsa> (Minor issue)
+ [trixie] - glib2.0 2.84.4-3~deb13u3
[bookworm] - glib2.0 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/3871
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4980
@@ -57165,7 +57167,7 @@ CVE-2026-1485 (A flaw was found in Glib's content type parsing logic. This buffe
CVE-2026-1484 (A flaw was found in the GLib Base64 encoding routine when processing v ...)
{DLA-4491-1}
- glib2.0 2.86.3-5 (bug #1126551)
- [trixie] - glib2.0 <no-dsa> (Minor issue)
+ [trixie] - glib2.0 2.84.4-3~deb13u3
[bookworm] - glib2.0 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/3870
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4978
@@ -57270,7 +57272,7 @@ CVE-2025-28162 (Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a l
CVE-2025-14911 (User-controlled chunkSize metadata from MongoDB lacks appropriate vali ...)
- mongodb <removed>
- mongo-c-driver 2.2.0-1
- [trixie] - mongo-c-driver <no-dsa> (Minor issue)
+ [trixie] - mongo-c-driver 1.30.4-1+deb13u2
[bookworm] - mongo-c-driver <no-dsa> (Minor issue)
[bullseye] - mongo-c-driver <postponed> (Minor issue)
NOTE: Fixed by: https://github.com/mongodb/mongo-c-driver/commit/ec39911d87ba43e0488c4eee732e6732de82c1ab (2.2.0)
@@ -58230,7 +58232,7 @@ CVE-2026-1299 (The email module, specifically the "BytesGenerator" class, didn\
{DLA-4455-1}
- python3.14 3.14.3-1 (bug #1126744)
- python3.13 3.13.12-1 (bug #1126745)
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u1
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -60103,7 +60105,7 @@ CVE-2026-0865 (User-controlled header names and values containing newlines can a
{DLA-4455-1}
- python3.14 3.14.3-1 (bug #1126739)
- python3.13 3.13.12-1 (bug #1126740)
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u1
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -60137,7 +60139,7 @@ CVE-2026-0672 (When using http.cookies.Morsel, user-controlled cookie values and
{DLA-4583-1 DLA-4455-1}
- python3.14 3.14.3-1 (bug #1126761)
- python3.13 3.13.12-1 (bug #1126762)
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u1
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -60230,7 +60232,7 @@ CVE-2025-15282 (User-controlled data URLs parsed by urllib.request.DataHandler a
{DLA-4455-1}
- python3.14 3.14.3-1 (bug #1126779)
- python3.13 3.13.12-1 (bug #1126780)
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u1
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -60253,7 +60255,7 @@ CVE-2025-11468 (When folding a long comment in an email header containing exclus
{DLA-4455-1}
- python3.14 3.14.3-1 (bug #1126786)
- python3.13 3.13.12-1 (bug #1126787)
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u1
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -60519,6 +60521,7 @@ CVE-2026-23952 (ImageMagick is free and open-source software used for editing an
NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/0e4023775c8859d2b802e8b459a27b599ca8403a (6.9.13-38)
CVE-2026-23950 (node-tar,a Tar for Node.js, has a race condition vulnerability in vers ...)
- node-tar 6.2.1+ds1+~cs6.1.13-7 (unimportant)
+ [trixie] - node-tar 6.2.1+~cs7.0.8-1+deb13u1
NOTE: https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w
NOTE: https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6 (v7.5.4)
NOTE: Only an issue on case-insensitive filesystems, which are a very poor choice for a Nodejs deployment to begin with
@@ -60790,49 +60793,49 @@ CVE-2025-11043 (An Improper Certificate Validation vulnerability in the OPC-UA c
NOT-FOR-US: ABB group
CVE-2026-23534 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.21.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3frr-mp8w-4599
CVE-2026-23533 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.21.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-32q9-m5qr-9j2v
CVE-2026-23532 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.21.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr
CVE-2026-23531 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.21.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xj5h-9cr5-23c5
CVE-2026-23530 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.21.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-r4hv-852m-fq7p
CVE-2026-23732 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.21.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7qxp-j2fj-c3pp
CVE-2026-23883 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.21.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qcrr-85qx-4p6x
CVE-2026-23884 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.21.0+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cfgj-vc84-f3pp
@@ -60990,7 +60993,7 @@ CVE-2026-23800 (Incorrect Privilege Assignment vulnerability in Modular DS modul
CVE-2026-23745 (node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails t ...)
{DLA-4552-1}
- node-tar 6.2.1+ds1+~cs6.1.13-6
- [trixie] - node-tar <no-dsa> (Minor issue)
+ [trixie] - node-tar 6.2.1+~cs7.0.8-1+deb13u1
[bookworm] - node-tar <no-dsa> (Minor issue)
NOTE: https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
NOTE: Fixed by: https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e (v7.5.3)
@@ -61653,7 +61656,7 @@ CVE-2026-0988 (A flaw was found in glib. Missing validation of offset and count
{DLA-4491-1}
[experimental] - glib2.0 2.87.1-1
- glib2.0 2.86.3-5 (bug #1125752)
- [trixie] - glib2.0 <no-dsa> (Minor issue)
+ [trixie] - glib2.0 2.84.4-3~deb13u3
[bookworm] - glib2.0 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/3851
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/glib/-/commit/c5766cff61ffce0b8e787eae09908ac348338e5f (2.87.1)
@@ -62040,55 +62043,55 @@ CVE-2026-23477 (Rocket.Chat is an open-source, secure, fully customizable commun
NOT-FOR-US: Rocket.Chat
CVE-2026-22859 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-56f5-76qv-2r36
CVE-2026-22858 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmqf-m84q-x896
CVE-2026-22857 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gxq-jhq6-4cr8
CVE-2026-22856 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w842-c386-fxhv
CVE-2026-22855 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rwp3-g84r-6mx9
CVE-2026-22854 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47vj-g3c3-3rmf
CVE-2026-22853 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47v9-p4gp-w5ch
CVE-2026-22852 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4
CVE-2026-22851 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...)
- freerdp3 3.20.2+dfsg-1
- [trixie] - freerdp3 <no-dsa> (Minor issue)
+ [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
- freerdp2 <removed>
[bookworm] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8g87-6pvc-wh99
@@ -64180,7 +64183,7 @@ CVE-2026-22697 (CryptoLib provides a software-only solution using the CCSDS Spac
NOT-FOR-US: NASA CryptoLib
CVE-2026-22693 (HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null poi ...)
- harfbuzz 12.3.0-4 (bug #1125189)
- [trixie] - harfbuzz <no-dsa> (Minor issue)
+ [trixie] - harfbuzz 10.2.0-1+deb13u1
[bookworm] - harfbuzz <no-dsa> (Minor issue)
[bullseye] - harfbuzz <postponed> (Minor issue)
NOTE: https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww
@@ -64776,7 +64779,7 @@ CVE-2025-68715 (An issue was discovered in Panda Wireless PWRU0 devices with fir
NOT-FOR-US: Panda Wireless PWRU0 devices
CVE-2025-68158 (Authlib is a Python library which builds OAuth and OpenID Connect serv ...)
- python-authlib 1.6.6-1
- [trixie] - python-authlib <no-dsa> (Minor issue)
+ [trixie] - python-authlib 1.6.0-1+deb13u1
[bookworm] - python-authlib <no-dsa> (Minor issue)
NOTE: https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523
NOTE: Fixed by: https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489 (v1.6.6)
@@ -65622,7 +65625,7 @@ CVE-2025-14017 (When doing multi-threaded LDAPS transfers (LDAP over TLS) with l
NOTE: Built with OpenLDAP (only affects the legacy LDAP support)
CVE-2025-13034 (When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedp ...)
- curl 8.18.0~rc2-1
- [trixie] - curl <no-dsa> (Minor issue)
+ [trixie] - curl 8.14.1-2+deb13u3
[bookworm] - curl <not-affected> (Vulnerable code introduced later)
[bullseye] - curl <not-affected> (Vulnerable code introduced later)
NOTE: https://curl.se/docs/CVE-2025-13034.html
@@ -68293,7 +68296,7 @@ CVE-2025-49028 (Cross-Site Request Forgery (CSRF) vulnerability in Zoho Mail Zoh
NOT-FOR-US: WordPress plugin or theme
CVE-2025-34468 (libcoap versions up to and including 4.3.5, prior to commit 30db3ea, c ...)
- libcoap3 4.3.5-3 (bug #1124407)
- [trixie] - libcoap3 <no-dsa> (Minor issue)
+ [trixie] - libcoap3 4.3.4-1.1+deb13u3
[bookworm] - libcoap3 <no-dsa> (Minor issue)
NOTE: https://github.com/obgm/libcoap/pull/1737
NOTE: Fixed by: https://github.com/obgm/libcoap/commit/30db3eaa1f0464722ebea2ca2d5084aebfbd344d (develop)
@@ -82577,7 +82580,7 @@ CVE-2025-12084 (When building nested elements using xml.dom.minidom methods such
{DLA-4455-1 DLA-4445-1}
- python3.14 3.14.2-1
- python3.13 3.13.11-1
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u1
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -83266,7 +83269,7 @@ CVE-2025-3500 (Integer Overflow or Wraparound vulnerability in Avast Antivirus (
NOT-FOR-US: Avast Antivirus
CVE-2025-34297 (KissFFT versions prior to the fix commit 1b083165 contain an integer o ...)
- kissfft 131.1.0-4.1 (bug #1131147)
- [trixie] - kissfft <no-dsa> (Minor issue)
+ [trixie] - kissfft 131.1.0-4.1~deb13u1
[bookworm] - kissfft <no-dsa> (Minor issue)
[bullseye] - kissfft <postponed> (Minor issue)
NOTE: https://github.com/mborgerding/kissfft/issues/120
@@ -83286,7 +83289,7 @@ CVE-2025-13837 (When loading a plist file, the plistlib module reads data in siz
{DLA-4445-1}
- python3.14 3.14.2-1
- python3.13 3.13.11-1
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u1
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -83305,7 +83308,7 @@ CVE-2025-13836 (When reading an HTTP response from a server, if no read amount i
{DLA-4445-1}
- python3.14 3.14.2-1
- python3.13 3.13.11-1
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u1
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -90974,7 +90977,7 @@ CVE-2025-6075 (If the value passed to os.path.expandvars() is user-controlled a
{DLA-4445-1}
- python3.14 3.14.2-1
- python3.13 3.13.11-1
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u1
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -93730,7 +93733,7 @@ CVE-2025-62707 (pypdf is a free and open-source pure-python PDF library. Prior t
CVE-2025-62706 (Authlib is a Python library which builds OAuth and OpenID Connect serv ...)
{DLA-4352-1}
- python-authlib 1.6.5-1
- [trixie] - python-authlib <no-dsa> (Minor issue)
+ [trixie] - python-authlib 1.6.0-1+deb13u1
[bookworm] - python-authlib <no-dsa> (Minor issue)
NOTE: https://github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7m
NOTE: Fixed by: https://github.com/authlib/authlib/commit/4b5b5703394608124cd39e547cc7829feda05a13 (v1.6.5)
@@ -95728,7 +95731,7 @@ CVE-2025-34281 (ThingsBoard in versions prior to v4.2.1 allows an authenticated
NOT-FOR-US: ThingsBoard
CVE-2025-26625 (Git LFS is a Git extension for versioning large files. In Git LFS vers ...)
- git-lfs 3.7.1-1 (bug #1118339)
- [trixie] - git-lfs <no-dsa> (Minor issue)
+ [trixie] - git-lfs 3.6.1-1+deb13u1
[bookworm] - git-lfs <no-dsa> (Minor issue)
NOTE: https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c5
NOTE: https://github.com/git-lfs/git-lfs/commit/0cffe93176b870055c9dadbb3cc9a4a440e98396 (main)
@@ -97873,7 +97876,7 @@ CVE-2025-61930 (Emlog is an open source website building system. Emlog Pro versi
NOT-FOR-US: Emlog
CVE-2025-61912 (python-ldap is a lightweight directory access protocol (LDAP) client A ...)
- python-ldap 3.4.5-1 (bug #1117859)
- [trixie] - python-ldap <no-dsa> (Minor issue)
+ [trixie] - python-ldap 3.4.4-1+deb13u1
[bookworm] - python-ldap <no-dsa> (Minor issue)
[bullseye] - python-ldap <postponed> (Minor issue)
NOTE: https://github.com/python-ldap/python-ldap/security/advisories/GHSA-p34h-wq7j-h5v6
@@ -97881,7 +97884,7 @@ CVE-2025-61912 (python-ldap is a lightweight directory access protocol (LDAP) cl
NOTE: https://github.com/python-ldap/python-ldap/commit/9f5b2effbafdf7af0e7064a7aa42d2739d373bd7 (python-ldap-3.4.5)
CVE-2025-61911 (python-ldap is a lightweight directory access protocol (LDAP) client A ...)
- python-ldap 3.4.5-1 (bug #1117858)
- [trixie] - python-ldap <no-dsa> (Minor issue)
+ [trixie] - python-ldap 3.4.4-1+deb13u1
[bookworm] - python-ldap <no-dsa> (Minor issue)
[bullseye] - python-ldap <postponed> (Minor issue)
NOTE: https://github.com/python-ldap/python-ldap/security/advisories/GHSA-r7r6-cc7p-4v5m
@@ -97989,7 +97992,7 @@ CVE-2025-61921 (Sinatra is a domain-specific language for creating web applicati
CVE-2025-61920 (Authlib is a Python library which builds OAuth and OpenID Connect serv ...)
{DLA-4352-1}
- python-authlib 1.6.5-1
- [trixie] - python-authlib <no-dsa> (Minor issue)
+ [trixie] - python-authlib 1.6.0-1+deb13u1
[bookworm] - python-authlib <no-dsa> (Minor issue)
NOTE: https://github.com/authlib/authlib/security/advisories/GHSA-pq5p-34cr-23v9
NOTE: https://github.com/authlib/authlib/commit/867e3f87b072347a1ae9cf6983cc8bbf88447e5e (v1.6.5)
@@ -99055,7 +99058,7 @@ CVE-2025-8291 (The 'zipfile' module would not check the validity of the ZIP64 En
{DLA-4445-1 DLA-4354-1}
- python3.14 3.14.0-3
- python3.13 3.13.11-1
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u1
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
@@ -105302,7 +105305,7 @@ CVE-2025-59430 (Mesh Connect JS SDK contains JS libraries for integrating with M
CVE-2025-59420 (Authlib is a Python library which builds OAuth and OpenID Connect serv ...)
{DLA-4352-1}
- python-authlib 1.6.4-1
- [trixie] - python-authlib <no-dsa> (Minor issue)
+ [trixie] - python-authlib 1.6.0-1+deb13u1
[bookworm] - python-authlib <no-dsa> (Minor issue)
NOTE: https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32
NOTE: https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df (v1.6.4)
@@ -124569,7 +124572,7 @@ CVE-2025-8265 (A vulnerability classified as critical has been found in 299Ko CM
CVE-2025-8194 (There is a defect in the CPython \u201ctarfile\u201d module affecting ...)
{DLA-4445-1}
- python3.13 3.13.6-1 (bug #1124764)
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u1
- python3.12 <removed>
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
@@ -137922,7 +137925,7 @@ CVE-2025-6196 (A flaw was found in libgepub, a library used to read EPUB files.
CVE-2025-6069 (The html.parser.HTMLParser class had worse-case quadratic complexity w ...)
{DLA-4445-1 DLA-4354-1}
- python3.13 3.13.6-1
- [trixie] - python3.13 <no-dsa> (Minor issue)
+ [trixie] - python3.13 3.13.5-2+deb13u1
- python3.12 <removed>
- python3.11 <removed>
[bookworm] - python3.11 <no-dsa> (Minor issue)
@@ -140292,7 +140295,7 @@ CVE-2024-55595
CVE-2025-5918 (A vulnerability has been identified in the libarchive library. This fl ...)
{DLA-4368-1}
- libarchive 3.8.4-1 (bug #1107624)
- [trixie] - libarchive <no-dsa> (Minor issue)
+ [trixie] - libarchive 3.7.4-4+deb13u1
[bookworm] - libarchive <no-dsa> (Minor issue)
NOTE: https://github.com/libarchive/libarchive/pull/2584
NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/dcbf1e0ededa95849f098d154a25876ed5754bcf (v3.8.0)
@@ -245202,7 +245205,7 @@ CVE-2024-36656 (In MintHCM 4.0.3, a registered user can execute arbitrary JavaSc
NOT-FOR-US: MintHCM
CVE-2024-36600 (Buffer Overflow Vulnerability in libcdio 2.2.0 (fixed in 2.3.0) allows ...)
- libcdio 2.2.0-4.1 (bug #1129256)
- [trixie] - libcdio <no-dsa> (Can be fixed via point release)
+ [trixie] - libcdio 2.2.0-4.1~deb13u1
[bookworm] - libcdio <not-affected> (Vulnerable code not present)
[bullseye] - libcdio <not-affected> (Vulnerable code not present)
NOTE: https://github.com/gashasbi/My-Reports/tree/main/CVE-2024-36600
@@ -282455,13 +282458,13 @@ CVE-2024-27354 (An issue was discovered in phpseclib 1.x before 1.0.23, 2.x befo
NOTE: https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575
CVE-2026-44167 (phpseclib is a PHP secure communications library. Prior to 1.0.29, 2.0 ...)
- phpseclib 1.0.29-1
- [trixie] - phpseclib <no-dsa> (Minor issue, will be fixed via point update)
+ [trixie] - phpseclib 1.0.23-6+deb13u3
[bookworm] - phpseclib <no-dsa> (Minor issue, will be fixed via point update)
- php-phpseclib 2.0.54-1
- [trixie] - php-phpseclib <no-dsa> (Minor issue, will be fixed via point update)
+ [trixie] - php-phpseclib 2.0.48-3+deb13u3
[bookworm] - php-phpseclib <no-dsa> (Minor issue, will be fixed via point update)
- php-phpseclib3 3.0.52-1
- [trixie] - php-phpseclib3 <no-dsa> (Minor issue, will be fixed via point update)
+ [trixie] - php-phpseclib3 3.0.43-2+deb13u3
[bookworm] - php-phpseclib3 <no-dsa> (Minor issue, will be fixed via point update)
NOTE: https://github.com/phpseclib/phpseclib/security/advisories/GHSA-3qpq-r242-jqj7
NOTE: Fixed by: https://github.com/phpseclib/phpseclib/commit/d53d2021bcb9f6a04d5d44ec99e6bbef219a71bc (3.0.52, 2.0.54, 1.0.29)
@@ -307209,7 +307212,7 @@ CVE-2023-45805 (pdm is a Python package and dependency manager supporting the la
NOTE: https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831 (2.10.0)
CVE-2023-44483 (All versions of Apache Santuario - XML Security for Java prior to 2.2. ...)
- libxml-security-java 2.1.8-1.1 (bug #1059313)
- [trixie] - libxml-security-java <no-dsa> (Minor issue)
+ [trixie] - libxml-security-java 2.1.8-1.1~deb13u1
[bookworm] - libxml-security-java <no-dsa> (Minor issue)
[bullseye] - libxml-security-java <no-dsa> (Minor issue)
[buster] - libxml-security-java <no-dsa> (Minor issue)
@@ -466375,7 +466378,7 @@ CVE-2021-37746 (textview_uri_security_check in textview.c in Claws Mail before 3
[buster] - claws-mail <no-dsa> (Minor issue)
[stretch] - claws-mail <no-dsa> (Minor issue)
- sylpheed <removed> (bug #991723)
- [trixie] - sylpheed <postponed> (Minor issue, revisit when fixed upstream)
+ [trixie] - sylpheed 3.8.0~beta1-2+deb13u1
[bookworm] - sylpheed <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - sylpheed <no-dsa> (Minor issue)
[buster] - sylpheed <no-dsa> (Minor issue)
=====================================
data/next-point-update.txt
=====================================
@@ -1,435 +1,3 @@
-CVE-2026-25635
- [trixie] - calibre 8.5.0+ds-1+deb13u2
-CVE-2026-25636
- [trixie] - calibre 8.5.0+ds-1+deb13u2
-CVE-2026-25731
- [trixie] - calibre 8.5.0+ds-1+deb13u2
-CVE-2026-26065
- [trixie] - calibre 8.5.0+ds-1+deb13u2
-CVE-2026-26064
- [trixie] - calibre 8.5.0+ds-1+deb13u2
-CVE-2026-27824
- [trixie] - calibre 8.5.0+ds-1+deb13u2
-CVE-2026-27810
- [trixie] - calibre 8.5.0+ds-1+deb13u2
-CVE-2026-22851
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-22852
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-22853
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-22854
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-22855
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-22856
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-22857
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-22858
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-22859
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-23530
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-23531
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-23532
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-23533
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-23534
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-23732
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-23883
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-23884
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-23948
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-24491
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-24675
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-24676
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-24677
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-24678
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-24679
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-24680
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-24681
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-24682
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-24683
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-24684
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-25941
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-25942
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-25952
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-25953
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-25954
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-25955
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-25959
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-25997
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-26271
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-26986
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-27015
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-26955
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-26965
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u1
-CVE-2026-0988
- [trixie] - glib2.0 2.84.4-3~deb13u3
-CVE-2026-1484
- [trixie] - glib2.0 2.84.4-3~deb13u3
-CVE-2026-1485
- [trixie] - glib2.0 2.84.4-3~deb13u3
-CVE-2026-1489
- [trixie] - glib2.0 2.84.4-3~deb13u3
-CVE-2025-68158
- [trixie] - python-authlib 1.6.0-1+deb13u1
-CVE-2025-62706
- [trixie] - python-authlib 1.6.0-1+deb13u1
-CVE-2025-61920
- [trixie] - python-authlib 1.6.0-1+deb13u1
-CVE-2025-59420
- [trixie] - python-authlib 1.6.0-1+deb13u1
-CVE-2025-13034
- [trixie] - curl 8.14.1-2+deb13u3
-CVE-2021-37746
- [trixie] - sylpheed 3.8.0~beta1-2+deb13u1
-CVE-2025-71264
- [trixie] - mumble 1.5.735-5+deb13u1
-CVE-2026-33228
- [trixie] - node-flatted 3.2.7~ds-1+deb13u1
-CVE-2026-23745
- [trixie] - node-tar 6.2.1+~cs7.0.8-1+deb13u1
-CVE-2026-23950
- [trixie] - node-tar 6.2.1+~cs7.0.8-1+deb13u1
-CVE-2026-29786
- [trixie] - node-tar 6.2.1+~cs7.0.8-1+deb13u1
-CVE-2026-26960
- [trixie] - node-tar 6.2.1+~cs7.0.8-1+deb13u1
-CVE-2026-3029
- [trixie] - pymupdf 1.25.4+ds1-3+deb13u1
-CVE-2026-28296
- [trixie] - gvfs 1.57.2-2+deb13u1
-CVE-2026-28295
- [trixie] - gvfs 1.57.2-2+deb13u1
-CVE-2026-33347
- [trixie] - php-league-commonmark 2.7.0-1+deb13u1
-CVE-2026-30838
- [trixie] - php-league-commonmark 2.7.0-1+deb13u1
-CVE-2026-23943
- [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
-CVE-2026-23942
- [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
-CVE-2026-23941
- [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
-CVE-2026-21620
- [trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
-CVE-2026-27654
- [trixie] - nginx 1.26.3-3+deb13u3
-CVE-2026-27784
- [trixie] - nginx 1.26.3-3+deb13u3
-CVE-2026-32647
- [trixie] - nginx 1.26.3-3+deb13u3
-CVE-2026-27651
- [trixie] - nginx 1.26.3-3+deb13u3
-CVE-2026-28753
- [trixie] - nginx 1.26.3-3+deb13u3
-CVE-2026-28755
- [trixie] - nginx 1.26.3-3+deb13u3
-CVE-2025-63261
- [trixie] - awstats 7.9-1+deb13u1
-CVE-2026-34881
- [trixie] - glance 2:30.0.0-3+deb13u1
-CVE-2026-3283
- [trixie] - vips 8.16.1-1+deb13u1
-CVE-2026-3284
- [trixie] - vips 8.16.1-1+deb13u1
-CVE-2026-3282
- [trixie] - vips 8.16.1-1+deb13u1
-CVE-2026-3281
- [trixie] - vips 8.16.1-1+deb13u1
-CVE-2026-3147
- [trixie] - vips 8.16.1-1+deb13u1
-CVE-2026-3145
- [trixie] - vips 8.16.1-1+deb13u1
-CVE-2026-3146
- [trixie] - vips 8.16.1-1+deb13u1
-CVE-2026-2913
- [trixie] - vips 8.16.1-1+deb13u1
-CVE-2026-32853
- [trixie] - libvncserver 0.9.15+dfsg-1+deb13u1
-CVE-2026-32854
- [trixie] - libvncserver 0.9.15+dfsg-1+deb13u1
-CVE-2026-4878
- [trixie] - libcap2 1:2.75-10+deb13u1
-CVE-2025-61912
- [trixie] - python-ldap 3.4.4-1+deb13u1
-CVE-2025-61911
- [trixie] - python-ldap 3.4.4-1+deb13u1
-CVE-2026-29774
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-29775
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-29776
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-31806
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-31883
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-31885
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-31884
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-31897
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-33952
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-33977
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-33995
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-33984
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-33983
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-33985
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-33986
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-33987
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2026-33982
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u2
-CVE-2025-12084
- [trixie] - python3.13 3.13.5-2+deb13u1
-CVE-2025-11468
- [trixie] - python3.13 3.13.5-2+deb13u1
-CVE-2025-13462
- [trixie] - python3.13 3.13.5-2+deb13u1
-CVE-2025-13836
- [trixie] - python3.13 3.13.5-2+deb13u1
-CVE-2025-13837
- [trixie] - python3.13 3.13.5-2+deb13u1
-CVE-2025-6069
- [trixie] - python3.13 3.13.5-2+deb13u1
-CVE-2025-6075
- [trixie] - python3.13 3.13.5-2+deb13u1
-CVE-2025-8194
- [trixie] - python3.13 3.13.5-2+deb13u1
-CVE-2025-8291
- [trixie] - python3.13 3.13.5-2+deb13u1
-CVE-2025-15282
- [trixie] - python3.13 3.13.5-2+deb13u1
-CVE-2026-0672
- [trixie] - python3.13 3.13.5-2+deb13u1
-CVE-2026-0865
- [trixie] - python3.13 3.13.5-2+deb13u1
-CVE-2026-1299
- [trixie] - python3.13 3.13.5-2+deb13u1
-CVE-2026-2297
- [trixie] - python3.13 3.13.5-2+deb13u1
-CVE-2026-4631
- [trixie] - cockpit 337-1+deb13u1
-CVE-2026-40198
- [trixie] - libnet-cidr-lite-perl 0.22-3~deb13u1
-CVE-2026-40199
- [trixie] - libnet-cidr-lite-perl 0.22-3~deb13u1
-CVE-2026-35535
- [trixie] - sudo 1.9.16p2-3+deb13u2
-CVE-2026-40386
- [trixie] - libexif 0.6.25-1+deb13u1
-CVE-2026-40385
- [trixie] - libexif 0.6.25-1+deb13u1
-CVE-2026-32775
- [trixie] - libexif 0.6.25-1+deb13u1
-CVE-2026-40164
- [trixie] - jq 1.7.1-6+deb13u2
-CVE-2026-32316
- [trixie] - jq 1.7.1-6+deb13u2
-CVE-2026-33947
- [trixie] - jq 1.7.1-6+deb13u2
-CVE-2026-33948
- [trixie] - jq 1.7.1-6+deb13u2
-CVE-2026-39956
- [trixie] - jq 1.7.1-6+deb13u2
-CVE-2026-39979
- [trixie] - jq 1.7.1-6+deb13u2
-CVE-2024-36600
- [trixie] - libcdio 2.2.0-4.1~deb13u1
-CVE-2026-33999
- [trixie] - xorg-server 2:21.1.16-1.3+deb13u2
-CVE-2026-34000
- [trixie] - xorg-server 2:21.1.16-1.3+deb13u2
-CVE-2026-34001
- [trixie] - xorg-server 2:21.1.16-1.3+deb13u2
-CVE-2026-34002
- [trixie] - xorg-server 2:21.1.16-1.3+deb13u2
-CVE-2026-34003
- [trixie] - xorg-server 2:21.1.16-1.3+deb13u2
-CVE-2026-40194
- [trixie] - php-phpseclib3 3.0.43-2+deb13u2
- [trixie] - php-phpseclib 2.0.48-3+deb13u2
- [trixie] - phpseclib 1.0.23-6+deb13u2
-CVE-2026-44167 [Bypass of CVE-2024-27355 mitigations]
- [trixie] - phpseclib 1.0.23-6+deb13u3
- [trixie] - php-phpseclib 2.0.48-3+deb13u3
- [trixie] - php-phpseclib3 3.0.43-2+deb13u3
-CVE-2026-29013
- [trixie] - libcoap3 4.3.4-1.1+deb13u3
-CVE-2025-34468
- [trixie] - libcoap3 4.3.4-1.1+deb13u3
-CVE-2025-26625
- [trixie] - git-lfs 3.6.1-1+deb13u1
-CVE-2026-40261
- [trixie] - composer 2.8.8-1+deb13u2
-CVE-2026-40176
- [trixie] - composer 2.8.8-1+deb13u2
-CVE-2026-31932
- [trixie] - suricata 1:7.0.10-1+deb13u4
-CVE-2026-31933
- [trixie] - suricata 1:7.0.10-1+deb13u4
-CVE-2026-31935
- [trixie] - suricata 1:7.0.10-1+deb13u4
-CVE-2026-31937
- [trixie] - suricata 1:7.0.10-1+deb13u4
-CVE-2026-41564
- [trixie] - libcryptx-perl 0.085-1+deb13u1
-CVE-2026-41163
- [trixie] - bubblewrap 0.11.0-2+deb13u1
-CVE-2026-5958
- [trixie] - sed 4.9-2+deb13u1
-CVE-2026-4437
- [trixie] - glibc 2.41-12+deb13u3
-CVE-2026-4438
- [trixie] - glibc 2.41-12+deb13u3
-CVE-2026-4046
- [trixie] - glibc 2.41-12+deb13u3
-CVE-2026-6231
- [trixie] - mongo-c-driver 1.30.4-1+deb13u2
-CVE-2026-4359
- [trixie] - mongo-c-driver 1.30.4-1+deb13u2
-CVE-2025-14911
- [trixie] - mongo-c-driver 1.30.4-1+deb13u2
-CVE-2026-6691
- [trixie] - mongo-c-driver 1.30.4-1+deb13u2
-CVE-2026-1837
- [trixie] - jpeg-xl 0.11.2-0.1~deb13u1
-CVE-2025-12474
- [trixie] - jpeg-xl 0.11.2-0.1~deb13u1
-CVE-2026-40226
- [trixie] - systemd 257.13-1~deb13u1
-CVE-2026-40225
- [trixie] - systemd 257.13-1~deb13u1
-CVE-2026-29111
- [trixie] - systemd 257.13-1~deb13u1
-CVE-2026-4105
- [trixie] - systemd 257.13-1~deb13u1
-CVE-2026-33691
- [trixie] - modsecurity-crs 3.3.7-1+deb13u2
-CVE-2026-39402
- [trixie] - lxc 1:6.0.4-4+deb13u3
-CVE-2026-42167
- [trixie] - proftpd-dfsg 1.3.8.c+dfsg-4+deb13u2
-CVE-2026-41035
- [trixie] - rsync 3.4.1+ds1-5+deb13u2
-CVE-2026-33721
- [trixie] - mapserver 8.4.0-4+deb13u2
-CVE-2026-35386
- [trixie] - openssh 1:10.0p1-7+deb13u3
-CVE-2026-35414
- [trixie] - openssh 1:10.0p1-7+deb13u3
-CVE-2026-35385
- [trixie] - openssh 1:10.0p1-7+deb13u3
-CVE-2026-35387
- [trixie] - openssh 1:10.0p1-7+deb13u3
-CVE-2026-35388
- [trixie] - openssh 1:10.0p1-7+deb13u3
-CVE-2026-28525
- [trixie] - swupdate 2024.12.1+dfsg-3+deb13u2
-CVE-2026-4948
- [trixie] - firewalld 2.3.1-1+deb13u1
-CVE-2025-5918
- [trixie] - libarchive 3.7.4-4+deb13u1
-CVE-2026-4111
- [trixie] - libarchive 3.7.4-4+deb13u1
-CVE-2026-4424
- [trixie] - libarchive 3.7.4-4+deb13u1
-CVE-2026-4426
- [trixie] - libarchive 3.7.4-4+deb13u1
-CVE-2026-5121
- [trixie] - libarchive 3.7.4-4+deb13u1
-CVE-2026-40254
- [trixie] - freerdp3 3.15.0+dfsg-2.1+deb13u3
-CVE-2025-14905
- [trixie] - 389-ds-base 3.1.2+dfsg1-1+deb13u1
-CVE-2026-32274
- [trixie] - black 25.1.0-3+deb13u1
-CVE-2026-40561
- [trixie] - starlet 0.31-2+deb13u1
-CVE-2026-7111
- [trixie] - libtext-csv-xs-perl 1.60-1+deb13u1
-CVE-2026-3446
- [trixie] - python3.13 3.13.5-2+deb13u2
-CVE-2026-4224
- [trixie] - python3.13 3.13.5-2+deb13u2
-CVE-2026-3644
- [trixie] - python3.13 3.13.5-2+deb13u2
-CVE-2026-4519
- [trixie] - python3.13 3.13.5-2+deb13u2
-CVE-2026-6019
- [trixie] - python3.13 3.13.5-2+deb13u2
-CVE-2026-6100
- [trixie] - python3.13 3.13.5-2+deb13u2
-CVE-2026-6843
- [trixie] - nano 8.4-1+deb13u1
-CVE-2026-6842
- [trixie] - nano 8.4-1+deb13u1
-CVE-2026-22693
- [trixie] - harfbuzz 10.2.0-1+deb13u1
-CVE-2026-42144
- [trixie] - cimg 3.5.2+dfsg-1+deb13u1
-CVE-2026-42146
- [trixie] - cimg 3.5.2+dfsg-1+deb13u1
-CVE-2023-44483
- [trixie] - libxml-security-java 2.1.8-1.1~deb13u1
-CVE-2025-34297
- [trixie] - kissfft 131.1.0-4.1~deb13u1
-CVE-2026-41445
- [trixie] - kissfft 131.1.0-4.1~deb13u1
-CVE-2026-6042
- [trixie] - musl 1.2.5-3.1~deb13u1
-CVE-2026-40200
- [trixie] - musl 1.2.5-3.1~deb13u1
-CVE-2026-6667
- [trixie] - pgbouncer 1.24.1-1+deb13u2
-CVE-2026-6666
- [trixie] - pgbouncer 1.24.1-1+deb13u2
-CVE-2026-6665
- [trixie] - pgbouncer 1.24.1-1+deb13u2
-CVE-2026-6664
- [trixie] - pgbouncer 1.24.1-1+deb13u2
CVE-2026-32711
[trixie] - pydicom 2.4.3-2+deb13u1
CVE-2026-5265
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2c59d8d94a1837f1d35ca5c10e457fea565bcd5b...0ee8bf87a30e953a2b4b1cab9539834ef8560b64
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2c59d8d94a1837f1d35ca5c10e457fea565bcd5b...0ee8bf87a30e953a2b4b1cab9539834ef8560b64
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260516/29e1bb6d/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list