[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sun May 17 14:36:34 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
46afee35 by Moritz Muehlenhoff at 2026-05-17T15:34:52+02:00
trixie/bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -311,6 +311,8 @@ CVE-2026-45772 (Turborepo is a high-performance build system for JavaScript and
NOT-FOR-US: Turborepo
CVE-2026-45736 (ws is an open source WebSocket client and server for Node.js. Prior to ...)
- node-ws 8.20.1+~cs14.19.1-1 (bug #1136804)
+ [trixie] - node-ws <no-dsa> (Minor issue)
+ [bookworm] - node-ws <no-dsa> (Minor issue)
NOTE: https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx
NOTE: Fixed by: https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086 (8.20.1)
CVE-2026-45622 (Vvveb is a powerful and easy to use CMS with page builder to build web ...)
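Review bot: the two added "[trixie]"/"[bookworm] - node-ws <no-dsa> (Minor issue)" lines give no justification beyond the stock phrase, while the entry's only NOTEs are the advisory URL and the fixing commit. Since the fix is a single upstream commit already shipped in 8.20.1, consider either a NOTE summarising why the ws issue is minor in the Debian context, or "<postponed>" instead of "<no-dsa>" if the intent is to ship the fix in a point update.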
@@ -458,6 +460,8 @@ CVE-2026-8503 (Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl
NOTE: https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/cc915cbbd266776eec3dd8bf4748b15fa827dbd0 (v1.3.19)
CVE-2026-8669 (Imager versions through 1.030 for Perl allow a heap out of bounds (OOB ...)
- libimager-perl 1.031+dfsg-1
+ [trixie] - libimager-perl <no-dsa> (Minor issue)
+ [bookworm] - libimager-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40083214/
NOTE: Imager embbeds the Imager::File::GIF code and syncs the fix:
NOTE: Fixed by: https://github.com/tonycoz/imager/commit/782e9c06cc75a0f7eed383f39522f51f44598b04 (v1.031)
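Review bot: a heap out-of-bounds in an image decoder is tagged "<no-dsa> (Minor issue)" for both releases without a NOTE explaining the assessment; the entry says Imager embeds the Imager::File::GIF code and syncs the fix, so please record whether the OOB is read-only or crash-only (or otherwise why it does not warrant a DSA) so the rationale survives a later re-triage. Unrelated to this change: the unchanged context line "NOTE: Imager embbeds the Imager::File::GIF code and syncs the fix:" has a typo ("embeds") worth fixing in a follow-up commit.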
@@ -523,12 +527,18 @@ CVE-2026-44647 (OneDev is a Git server with CI/CD, kanban, and packages. Prior t
NOT-FOR-US: OneDev
CVE-2026-44638 (libsixel is a SIXEL encoder/decoder implementation derived from kmiya' ...)
- libsixel 1:1.8.7-r2-1
+ [trixie] - libsixel <no-dsa> (Minor issue)
+ [bookworm] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/security/advisories/GHSA-wpx3-h5g8-qr3w
CVE-2026-44637 (libsixel is a SIXEL encoder/decoder implementation derived from kmiya' ...)
- libsixel 1:1.8.7-r2-1
+ [trixie] - libsixel <no-dsa> (Minor issue)
+ [bookworm] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/security/advisories/GHSA-9jm7-77gr-qghv
CVE-2026-44636 (libsixel is a SIXEL encoder/decoder implementation derived from kmiya' ...)
- libsixel 1:1.8.7-r2-1
+ [trixie] - libsixel <no-dsa> (Minor issue)
+ [bookworm] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/security/advisories/GHSA-hx93-w8p2-ffh5
CVE-2026-44430 (The MCP Registry provides MCP clients with a list of MCP servers, like ...)
NOT-FOR-US: MCP Registry
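Review bot: CVE-2026-44636, CVE-2026-44637 and CVE-2026-44638 are all fixed by the same libsixel 1:1.8.7-r2-1 upload and receive identical "<no-dsa> (Minor issue)" tags, but each entry carries only its GHSA URL; a one-line NOTE per CVE stating the issue class would make the three distinguishable and would document that they were assessed together. If the three fixes are small, "<postponed>" with a shared point-update note would track them as one batch rather than three open no-dsa items.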
@@ -1484,7 +1494,9 @@ CVE-2026-8367 (aria2c accepts a server certificate with incorrect Extended Key U
CVE-2026-8328 (The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4 ...)
- python3.14 <unfixed>
- python3.13 <unfixed>
+ [trixie] - python3.13 <no-dsa> (Minor issue)
- python3.11 <removed>
+ [bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
- python2.7 <removed>
[bullseye] - python2.7 <end-of-life> (not supported in bullseye)
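Review bot: the trixie tag is attached to python3.13, which the unchanged line above still lists as "<unfixed>" in unstable, so the sid fix remains open after this triage; worth checking that the upstream fix for ftpcp() is referenced in a NOTE so the unstable side is not lost once the stable releases are marked no-dsa. python3.9 in bullseye receives no tag in this hunk while python2.7 keeps "<end-of-life>"; that is consistent with a trixie/bookworm-only pass, but bullseye triage of python3.9 still needs to happen separately.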
@@ -2335,6 +2347,8 @@ CVE-2026-XXXX [RUSTSEC-2026-0134]
NOTE: https://github.com/diesel-rs/diesel/pull/5042
CVE-2026-8463 (Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap ...)
- libcrypt-argon2-perl 0.031-1
+ [trixie] - libcrypt-argon2-perl <no-dsa> (Minor issue)
+ [bookworm] - libcrypt-argon2-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40006926/
NOTE: https://github.com/Leont/crypt-argon2/commit/92eac03ce63d541e0ead7ea5a89b9b67ce0c0e64 (v0.031)
CVE-2026-8449
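Review bot: the affected range in the description is "from 0.017 before 0.031"; before tagging "<no-dsa>" for bookworm, please confirm the bookworm libcrypt-argon2-perl version is actually at or above 0.017, since a version below the lower bound should get "<not-affected>" rather than "<no-dsa>". As with the other Minor entries in this commit, a NOTE on why a heap issue in a password-hashing module that runs on user-supplied input is considered minor would help a later reader.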
@@ -2458,6 +2472,8 @@ CVE-2026-44302 (Snappier is a high performance C# implementation of the Snappy c
NOT-FOR-US: Snappier
CVE-2026-44301 (Hugo is a static site generator. From 0.43 to before 0.161.0, when bui ...)
- hugo 0.161.0-1
+ [trixie] - hugo <no-dsa> (Minor issue)
+ [bookworm] - hugo <no-dsa> (Minor issue)
NOTE: https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857
CVE-2026-44296 (Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a r ...)
- deskflow <unfixed>
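Review bot: the "[trixie]"/"[bookworm]" "<no-dsa>" tags for hugo are added without an impact note; the description only says "From 0.43 to before 0.161.0, when bui ...", so the tracker entry gives no hint what the issue is. A short NOTE summarising the impact from GHSA-x597-9fr4-5857 would make the Minor assessment checkable without opening the advisory.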
@@ -3716,6 +3732,8 @@ CVE-2026-42188 (Geyser is a bridge between Minecraft: Bedrock Edition and Minecr
NOT-FOR-US: Geyser
CVE-2026-42046 (libcaca is a colour ASCII art library. In 0.99.beta20 and earlier, an ...)
- libcaca <unfixed>
+ [trixie] - libcaca <no-dsa> (Minor issue)
+ [bookworm] - libcaca <no-dsa> (Minor issue)
NOTE: https://github.com/cacalabs/libcaca/security/advisories/GHSA-4vvg-vrqv-m56w
NOTE: https://github.com/cacalabs/libcaca/issues/86
NOTE: Fixed by: https://github.com/cacalabs/libcaca/commit/fb77acff9ba6bb01d53940da34fb10f20b156a23
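Review bot: libcaca is still "<unfixed>" in unstable and the entry already has a "Fixed by:" commit, but no "(bug #...)" is recorded on the "- libcaca <unfixed>" line; the usual practice is to file a BTS bug against libcaca and reference it so the sid fix is tracked, especially now that trixie and bookworm are deliberately "<no-dsa>". The fixing commit also carries no upstream version in parentheses; add it once a release containing fb77acff9ba6bb01d53940da34fb10f20b156a23 is tagged.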
@@ -4174,8 +4192,9 @@ CVE-2026-41018 (The Elasticsearch logging provider, when configured with a `host
CVE-2026-40636 (Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale version ...)
NOT-FOR-US: Dell / EMC
CVE-2026-40612 (jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains ...)
- - jq 1.8.1-6 (bug #1136445)
+ - jq 1.8.1-6 (bug #1136445; unimportant)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j
+ NOTE: Crash in CLI tool, no security impact
CVE-2026-3609 (Wellbia's XIGNCODE3 xhunter1.sys kernel driver Privilege Escalation Vu ...)
NOT-FOR-US: Wellbia XIGNCODE3 xhunter1.sys kernel driver
CVE-2026-3320 (Reflected Cross-Site Scripting (XSS) in the latest demo version of the ...)
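Review bot: the added "NOTE: Crash in CLI tool, no security impact" understates the exposure; jv_contains, named in the description, is part of jq's jv library, which Debian ships as libjq1 for other programs to link against, not only as the jq binary. The "unimportant" rating may still be correct for a crash, but the note should state the reasoning on those terms (for instance "Crash in libjq/jq, no security impact") so it is not invalidated by a library consumer.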
@@ -4381,10 +4400,11 @@ CVE-2026-8258 (A flaw has been found in Squirrel up to 3.2. Impacted is the func
- squirrel3 <unfixed>
NOTE: https://github.com/albertodemichelis/squirrel/issues/325
CVE-2026-8257 (A vulnerability was detected in WebAssembly Binaryen up to 117. This i ...)
- - binaryen <unfixed>
+ - binaryen <unfixed> (unimportant)
NOTE: https://github.com/WebAssembly/binaryen/issues/8633
NOTE: https://github.com/WebAssembly/binaryen/pull/8635
NOTE: Fixed by: https://github.com/WebAssembly/binaryen/commit/1251efbc1ea471c1311d2726b2bbe061ff2a291c
+ NOTE: Crash in CLI tool, no security impact
CVE-2026-8256 (A security vulnerability has been detected in Devs Palace ERP Online u ...)
NOT-FOR-US: Devs Palace ERP Online
CVE-2026-8255 (A weakness has been identified in Devs Palace ERP Online up to 4.0.0. ...)
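Review bot: "- binaryen <unfixed> (unimportant)" is consistent with the added NOTE, but the "Fixed by:" line records commit 1251efbc1ea471c1311d2726b2bbe061ff2a291c without a release version even though the entry already references the merged PR (#8635); when upstream tags a release containing the commit, add the version in parentheses so the "<unfixed>" state can be closed. The NOTE text is a verbatim copy of the jq one; that is fine as long as the assessment was actually made per package rather than pasted.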
@@ -28186,7 +28206,10 @@ CVE-2026-30276 (An arbitrary file overwrite vulnerability in DeftPDF Document Tr
NOT-FOR-US: DeftPDF
CVE-2026-2950 (Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototy ...)
- node-lodash 4.18.1+dfsg-1
- TODO: check fixing commit details
+ [trixie] - node-lodash <no-dsa> (Minor issue)
+ [bookworm] - node-lodash <no-dsa> (Minor issue)
+ NOTE: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
+ NOTE: https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81 (4.17.23)
CVE-2026-2696 (The Export All URLs WordPress plugin before 5.1 generates CSV filename ...)
NOT-FOR-US: WordPress plugin
CVE-2026-2480 (The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for WordPre ...)
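Review bot: the description says "Lodash versions 4.17.23 and earlier are vulnerable", yet the added NOTE annotates the fixing commit edadd452146f7e4bad4ea684e955708931d84d81 with "(4.17.23)"; both cannot be right, and the resolution decides whether the trixie and bookworm versions are affected at all. Please check which release actually contains the commit (for example with "git tag --contains edadd452") and correct either the version annotation or the affected range before settling on "<no-dsa>"; the removed "TODO: check fixing commit details" was pointing at exactly this question.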
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46afee35bef60ab29e7f8b5e53a12c91203cdf53