[Git][security-tracker-team/security-tracker][master] lts: bullseye triage
Emilio Pozuelo Monfort (@pochu)
pochu at debian.org
Sun May 17 17:23:25 BST 2026
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ff699996 by Emilio Pozuelo Monfort at 2026-05-17T18:23:07+02:00
lts: bullseye triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -462,6 +462,7 @@ CVE-2026-8669 (Imager versions through 1.030 for Perl allow a heap out of bounds
- libimager-perl 1.031+dfsg-1
[trixie] - libimager-perl <no-dsa> (Minor issue)
[bookworm] - libimager-perl <no-dsa> (Minor issue)
+ [bullseye] - libimager-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40083214/
NOTE: Imager embbeds the Imager::File::GIF code and syncs the fix:
NOTE: Fixed by: https://github.com/tonycoz/imager/commit/782e9c06cc75a0f7eed383f39522f51f44598b04 (v1.031)
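Review bot: The NOTE directly under the added bullseye line reads "Imager embbeds the Imager::File::GIF code and syncs the fix:", with "embbeds" misspelled. Since this entry is being touched anyway, correct it to "embeds" in the same commit so that searches of the list for embedded-copy notes match it.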
@@ -2474,6 +2475,7 @@ CVE-2026-44301 (Hugo is a static site generator. From 0.43 to before 0.161.0, wh
- hugo 0.161.0-1
[trixie] - hugo <no-dsa> (Minor issue)
[bookworm] - hugo <no-dsa> (Minor issue)
+ [bullseye] - hugo <no-dsa> (Minor issue)
NOTE: https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857
CVE-2026-44296 (Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a r ...)
- deskflow <unfixed>
@@ -5050,6 +5052,7 @@ CVE-2026-41493 (YARD is a Ruby Documentation tool. Prior to version 0.9.42, a pa
- yard <unfixed> (bug #1136076)
[trixie] - yard <no-dsa> (Minor issue)
[bookworm] - yard <no-dsa> (Minor issue)
+ [bullseye] - yard <no-dsa> (Minor issue)
NOTE: https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
CVE-2026-41491 (Dapr is a portable, event-driven, runtime for building distributed app ...)
NOT-FOR-US: Dapr
@@ -7103,6 +7106,7 @@ CVE-2026-44353
- streamlink 8.4.0-1
[trixie] - streamlink <no-dsa> (Minor issue)
[bookworm] - streamlink <no-dsa> (Minor issue)
+ [bullseye] - streamlink <no-dsa> (Minor issue)
NOTE: https://github.com/streamlink/streamlink/security/advisories/GHSA-hgqw-6m45-hw5f
CVE-2026-8031 (A vulnerability was detected in PicoTronica e-Clinic Healthcare System ...)
NOT-FOR-US: PicoTronica e-Clinic Healthcare System
@@ -9578,6 +9582,7 @@ CVE-2026-42146 (CImg Library is a C++ library for image processing. Prior to com
- cimg 3.5.2+dfsg-2 (bug #1135778)
[trixie] - cimg 3.5.2+dfsg-1+deb13u1
[bookworm] - cimg <no-dsa> (Minor issue)
+ [bullseye] - cimg <no-dsa> (Minor issue)
NOTE: https://github.com/GreycLab/CImg/security/advisories/GHSA-g54r-qmgx-c6fv
NOTE: https://github.com/GreycLab/CImg/issues/477
NOTE: Fixed by: https://github.com/GreycLab/CImg/commit/c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3 (v3.7.5)
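Review bot: The added bullseye line uses `<no-dsa> (Minor issue)` although the line two above it shows trixie fixed in `3.5.2+dfsg-1+deb13u1` and a single upstream commit is recorded under "Fixed by:"; the same pattern repeats in the next hunk for CVE-2026-42144. Confirm that the bullseye version contains the affected code, and if the trixie patch applies, consider `<postponed>` with a reason saying it can be fixed along with the next cimg update, so the existing backport is not lost from view.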
@@ -9585,6 +9590,7 @@ CVE-2026-42144 (CImg Library is a C++ library for image processing. Prior to com
- cimg 3.5.2+dfsg-2 (bug #1135778)
[trixie] - cimg 3.5.2+dfsg-1+deb13u1
[bookworm] - cimg <no-dsa> (Minor issue)
+ [bullseye] - cimg <no-dsa> (Minor issue)
NOTE: https://github.com/GreycLab/CImg/security/advisories/GHSA-4663-63fm-44gc
NOTE: https://github.com/GreycLab/CImg/issues/478
NOTE: Fixed by: https://github.com/GreycLab/CImg/commit/4ca26bce4d8c61fcd1507d5f9401b9fb1222c27d (v3.7.5)
@@ -9624,6 +9630,7 @@ CVE-2026-42052 (Beets is the media library management system. Prior to version 2
- beets 2.11.0-1 (bug #1135779)
[trixie] - beets <no-dsa> (Minor issue)
[bookworm] - beets <no-dsa> (Minor issue)
+ [bullseye] - beets <no-dsa> (Minor issue)
NOTE: https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847
CVE-2026-42027 (Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP Ext ...)
- apache-opennlp 2.5.9-1 (bug #1135782)
@@ -10161,6 +10168,7 @@ CVE-2026-40561 (Starlet versions through 0.31 for Perl allows HTTP Request Smugg
- starlet 0.31-3 (bug #1135584)
[trixie] - starlet 0.31-2+deb13u1
[bookworm] - starlet <no-dsa> (Minor issue)
+ [bullseye] - starlet <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/39593408/
NOTE: Fixed by: https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0
CVE-2026-7647 (The Profile Builder Pro plugin for WordPress is vulnerable to PHP Obje ...)
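Review bot: The reason "(Minor issue)" on the added bullseye line is thin for an entry whose description names HTTP request smuggling and for which trixie already has a fixed version (`0.31-2+deb13u1`). Put the actual limiting factor in the reason text, for example that exposure depends on a particular front-end proxy setup, or explain in a NOTE why the fix taken for trixie is not wanted for bullseye.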
@@ -11492,6 +11500,7 @@ CVE-2026-5080 (Dancer::Session::Abstract versions through 1.3522 for Perl genera
- libdancer-perl 1.3522-2 (bug #1135322)
[trixie] - libdancer-perl <no-dsa> (Minor issue)
[bookworm] - libdancer-perl <no-dsa> (Minor issue)
+ [bullseye] - libdancer-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/39488574/
CVE-2026-4670 (Authentication bypass by primary weakness vulnerability in Progress So ...)
NOT-FOR-US: Progress Software
@@ -12796,6 +12805,7 @@ CVE-2026-41525 (KDE Dolphin before 25.12.3 allows applications in a Flatpak (or
- dolphin 4:26.04.0-1
[trixie] - dolphin <no-dsa> (Minor issue)
[bookworm] - dolphin <no-dsa> (Minor issue)
+ [bullseye] - dolphin <no-dsa> (Minor issue)
NOTE: https://kde.org/info/security/advisory-20260427-2.txt
NOTE: Fixed by: https://invent.kde.org/system/dolphin/-/commit/4a4da5f73899cdd2a1ef111194e79a620eed7716 (v26.03.80)
CVE-2026-40980 (In Spring AI, a malicious PDF file can be crafted that triggers the al ...)
@@ -12969,6 +12979,7 @@ CVE-2026-7179 (A security vulnerability has been detected in OSPG binwalk up to
- binwalk <unfixed> (bug #1136010)
[trixie] - binwalk <no-dsa> (Minor issue)
[bookworm] - binwalk <no-dsa> (Minor issue)
+ [bullseye] - binwalk <no-dsa> (Minor issue)
NOTE: https://github.com/dhabaleshwar/Open-Source-Vulnerabilities/blob/main/binwalk_path_traversal.md
CVE-2026-7178 (A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1 ...)
NOT-FOR-US: ChatGPTNextWeb NextChat
@@ -13230,8 +13241,10 @@ CVE-2026-41635 (Apache MINA's AbstractIoBuffer.resolveClass() contains two branc
- mina2 <unfixed> (bug #1135167)
[trixie] - mina2 <no-dsa> (Minor issue)
[bookworm] - mina2 <ignored> (Minor issue)
+ [bullseye] - mina2 <ignored> (Minor issue)
- mina <removed>
[bookworm] - mina <ignored> (Minor issue)
+ [bullseye] - mina <ignored> (Minor issue)
NOTE: https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm
CVE-2026-41467 (ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scri ...)
NOT-FOR-US: ProjeQtor
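Review bot: Both added lines mark bullseye as `<ignored>` for mina2 and mina with only "(Minor issue)" as the reason, which is the same text trixie carries with `<no-dsa>`. `<ignored>` records that the issue will not be fixed in that release, so the reason should say why, e.g. that the fix is too intrusive to backport or that the affected code is not reachable in the packaged version. If the intent was only to mirror the bookworm lines, say so in a NOTE.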
@@ -17361,6 +17374,7 @@ CVE-2026-39378 (The nbconvert tool, jupyter nbconvert, converts Jupyter notebook
- nbconvert 7.17.1-1 (bug #1134890)
[trixie] - nbconvert <no-dsa> (Minor issue)
[bookworm] - nbconvert <no-dsa> (Minor issue)
+ [bullseye] - nbconvert <no-dsa> (Minor issue)
NOTE: https://github.com/jupyter/nbconvert/security/advisories/GHSA-7jqv-fw35-gmx9
NOTE: Fixed by: https://github.com/jupyter/nbconvert/commit/0e6b8ccabf2aca6c18fac8c574f22b7155f441fb (v7.17.1)
CVE-2026-39377 (The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to v ...)
@@ -220803,6 +220817,7 @@ CVE-2024-44825 (Directory Traversal vulnerability in Centro de Tecnologia da Inf
- invesalius <unfixed> (bug #1136204)
[trixie] - invesalius <no-dsa> (Minor issue)
[bookworm] - invesalius <no-dsa> (Minor issue)
+ [bullseye] - invesalius <no-dsa> (Minor issue)
NOTE: https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-44825
NOTE: https://www.partywave.site/show/research/cve-2024-44825-invesalius-arbitrary-file-write-and-directory-traversal
NOTE: https://github.com/invesalius/invesalius3/commit/8b966260b3d9510e3ddc473aac4cc6578bab3aab
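Review bot: The last NOTE under the added bullseye line is a bare upstream commit URL with no label, while the unstable line still reads `- invesalius <unfixed> (bug #1136204)`. If that commit is the fix, prefix it with "Fixed by:" as the other entries in this list do, so that the `<no-dsa>` triage for bullseye points at a concrete patch. If it is something else (an introducing commit or a partial fix), label it accordingly.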
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff699996b4bea87b85aef57fb4d7addb0b4c9a46