[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sun May 17 17:45:08 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
15fc6876 by Moritz Muehlenhoff at 2026-05-17T18:44:30+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1502,6 +1502,8 @@ CVE-2026-8328 (The ftpcp() function in Lib/ftplib.py was not updated when  CVE-2
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (not supported in bullseye)
 	- pypy3 <unfixed>
+	[trixie] - pypy3 <no-dsa> (Minor issue)
+	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/
 	NOTE: https://github.com/python/cpython/pull/149648
 	NOTE: https://github.com/python/cpython/commit/eac4fe3b2c77693790a5ef7dfab127c1fee81bf9
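Review bot: the `- pypy3 <unfixed>` line above the two new no-dsa entries carries no Debian bug reference, whereas the other unstable entries touched in this commit do (e.g. `libwww-perl 6.83-1 (bug #1136449)`, `node-multiparty 4.3.0-1 (bug #1136447)`); consider filing or linking a bug here so the pypy3 fix stays tracked now that trixie and bookworm are marked no-dsa.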
@@ -1907,6 +1909,8 @@ CVE-2026-41132 (CKAN is an open-source DMS (data management system) for powering
 	NOT-FOR-US: CKAN
 CVE-2026-41051 (csync2 uses insecure temporary directories when compiled with C99 or l ...)
 	- csync2 <unfixed>
+	[trixie] - csync2 <no-dsa> (Minor issue)
+	[bookworm] - csync2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1262472
 	TODO: check details for upstream
 CVE-2026-41050 (Fleet's Helm deployer did not fully apply ServiceAccount impersonation ...)
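Review bot: the `TODO: check details for upstream` line stays in place directly under the two new no-dsa entries, so the "Minor issue" rating for csync2 is being recorded before that open check is resolved; either resolve the TODO in the same change or word the rationale so it is clear the rating is provisional. The `- csync2 <unfixed>` line also lacks a bug reference, unlike the other unstable entries in this commit.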
@@ -2479,6 +2483,7 @@ CVE-2026-44301 (Hugo is a static site generator. From 0.43 to before 0.161.0, wh
 	NOTE: https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857
 CVE-2026-44296 (Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a r ...)
 	- deskflow <unfixed>
+	[trixie] - deskflow <no-dsa> (Minor issue)
 	NOTE: https://github.com/deskflow/deskflow/security/advisories/GHSA-3mxm-cgh2-6448
 	NOTE: https://github.com/deskflow/deskflow/commit/329783490bd16774ba903b84212467d20d76bfba
 CVE-2026-44262 (Scramble generates API documentation for Laravel project. From 0.13.2  ...)
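Review bot: only a trixie entry is added for deskflow, while every other no-dsa triage in this commit adds a matching bookworm line; if deskflow is not packaged in bookworm this is fine as is, otherwise a `[bookworm] - deskflow <no-dsa> (Minor issue)` line appears to be missing.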
@@ -2747,6 +2752,8 @@ CVE-2026-8388 (Incorrect boundary conditions in the JavaScript Engine: JIT compo
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-45/#CVE-2026-8388
 CVE-2026-8368 (LWP::UserAgent versions before 6.83 for Perl leak Authorization and Pr ...)
 	- libwww-perl 6.83-1 (bug #1136449)
+	[trixie] - libwww-perl <no-dsa> (Minor issue)
+	[bookworm] - libwww-perl <no-dsa> (Minor issue)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/39974665/
 	NOTE: https://github.com/libwww-perl/libwww-perl/pull/512
 	NOTE: https://github.com/libwww-perl/libwww-perl/pull/284
@@ -2755,12 +2762,18 @@ CVE-2026-8278
 	REJECTED
 CVE-2026-8162 (multiparty at 4.2.3 and lower versions are vulnerable to denial of servic ...)
 	- node-multiparty 4.3.0-1 (bug #1136447)
+	[trixie] - node-multiparty <no-dsa> (Minor issue)
+	[bookworm] - node-multiparty <no-dsa> (Minor issue)
 	NOTE: https://github.com/pillarjs/multiparty/security/advisories/GHSA-xh3c-6gcq-g4rv
 CVE-2026-8161 (multiparty at 4.2.3 and lower versions are vulnerable to denial of servic ...)
 	- node-multiparty 4.3.0-1 (bug #1136447)
+	[trixie] - node-multiparty <no-dsa> (Minor issue)
+	[bookworm] - node-multiparty <no-dsa> (Minor issue)
 	NOTE: https://github.com/pillarjs/multiparty/security/advisories/GHSA-qxch-whhj-8956
 CVE-2026-8159 (multiparty at 4.2.3 and lower versions are vulnerable to denial of servic ...)
 	- node-multiparty 4.3.0-1 (bug #1136447)
+	[trixie] - node-multiparty <no-dsa> (Minor issue)
+	[bookworm] - node-multiparty <no-dsa> (Minor issue)
 	NOTE: https://github.com/pillarjs/multiparty/security/advisories/GHSA-65x3-rw7q-gx94
 CVE-2026-8111 (SQL injection in the web consoleof Ivanti Endpoint Managerbefore versi ...)
 	NOT-FOR-US: Ivanti
@@ -4010,6 +4023,8 @@ CVE-2026-7210 (`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (not supported in bullseye)
 	- pypy3 <unfixed>
+	[trixie] - pypy3 <no-dsa> (Minor issue)
+	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/PNY5OMBDPM2FRUZTWFFPJ6LISWKV627K/
 	NOTE: https://github.com/python/cpython/issues/149018
 	NOTE: https://github.com/python/cpython/pull/149023
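Review bot: same remark as for the pypy3 entry under CVE-2026-8328 earlier in this diff: `- pypy3 <unfixed>` has no bug reference, so once trixie and bookworm are no-dsa nothing in the tracker points at where the unstable fix is being followed up; a `(bug #...)` reference would close that gap.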
@@ -8956,6 +8971,9 @@ CVE-2026-5753 (The All-in-One WP Migration Unlimited Extension plugin for WordPr
 	NOT-FOR-US: WordPress plugin
 CVE-2026-44405 (In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 a ...)
 	- paramiko <unfixed> (bug #1135907)
+	[trixie] - paramiko <ignored> (Deprecation of SHA-1 only for forky)
+	[bookworm] - paramiko <ignored> (Deprecation of SHA-1 only for forky)
+	[bullseye] - paramiko <ignored> (Deprecation of SHA-1 only for forky)
 	NOTE: https://github.com/paramiko/paramiko/commit/a4489456b6f65281e172380cc4826cee5e851dbb
 CVE-2026-44331 (In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerabilit ...)
 	- proftpd-dfsg 1.3.9a~dfsg-1 (bug #1135840)
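Review bot: the rationale `Deprecation of SHA-1 only for forky` on the three new paramiko entries is terse for an `<ignored>` marking that spans trixie, bookworm and bullseye; spelling out that rejecting SHA-1 RSA signatures in rsakey.py is a behaviour change that will only ship with forky (e.g. `<ignored> (SHA-1 RSA deprecation is a behaviour change, only targeted at forky)`) would make it clear to later triagers why this is ignored rather than no-dsa.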
@@ -26004,10 +26022,12 @@ CVE-2026-27655 (Zohocorp ManageEngine Exchange Reporter Plus versions before 580
 CVE-2026-27124 (FastMCP is the standard framework for building MCP applications. Prior ...)
 	NOT-FOR-US: FastMCP
 CVE-2026-26477 (An issue in Dokuwiki v.2025-05-14b "Librarian" [56.2] allows a remote  ...)
-	- dokuwiki 2025-05-14.b+dfsg-6
+	- dokuwiki 2025-05-14.b+dfsg-6 (unimportant)
 	NOTE: https://github.com/Hebing123/cve/issues/94
 	NOTE: https://github.com/dokuwiki/dokuwiki/issues/4613
 	NOTE: Fixed by: https://github.com/dokuwiki/dokuwiki/commit/bfc167db63967f8c872b3d797ca81138b9011ef4
+	NOTE: Negligible security impact per upstream assessment:
+	NOTE: https://github.com/dokuwiki/dokuwiki/issues/4613#issuecomment-4230046078
 CVE-2026-25773 (** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to saniti ...)
 	NOT-FOR-US: Focalboard
 CVE-2026-25118 (immich is a high performance self-hosted photo and video management so ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -62,6 +62,8 @@ netatalk
 --
 netty
 --
+nss (jmm)
+--
 opennds/oldstable
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
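Review bot: the new `nss (jmm)` entry has no status line, unlike the `opennds/oldstable` entry two lines below it; a one-line note (which CVEs the DSA is meant to cover, or that the update is in preparation) would let another team member pick it up if needed.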



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15fc68764926b7fc450869192aa4680562dd851a


