[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sun May 17 20:56:14 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e77399f9 by Moritz Muehlenhoff at 2026-05-17T21:55:46+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -537,6 +537,8 @@ CVE-2026-35194 (Code injection in SQL code generation in Apache Flink 1.15.0 thr
 	NOT-FOR-US: Apache software not packaged in Debian
 CVE-2026-34253 (A buffer underflow vulnerability has been identified in the ogg123 uti ...)
 	- vorbis-tools <unfixed> (bug #1136943)
+	[trixie] - vorbis-tools <no-dsa> (Minor issue)
+	[bookworm] - vorbis-tools <no-dsa> (Minor issue)
 	NOTE: https://gitlab.xiph.org/xiph/vorbis-tools/-/work_items/2332
 	NOTE: https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/27
 	NOTE: https://gitlab.xiph.org/xiph/vorbis-tools/-/commit/4bb4fb33b25949178179f689db9afb477abeb572
@@ -632,6 +634,8 @@ CVE-2026-44678 (Tuist is a virtual platform team for Swift app devs. In 1.180.8
 	NOT-FOR-US: Tuist
 CVE-2026-44673 (libyang is a YANG data modeling language library. Prior to SO 5.2.15,  ...)
 	- libyang <unfixed>
+	[trixie] - libyang <no-dsa> (Minor issue)
+	[bookworm] - libyang <no-dsa> (Minor issue)
 	- libyang2 <removed>
 	NOTE: https://github.com/CESNET/libyang/security/advisories/GHSA-vw2p-pq79-92xh
 CVE-2026-44671 (ZITADEL is an open source identity management platform. From 2.71.11 t ...)
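Review bot: the hunk lists two source packages, `libyang <unfixed>` and `libyang2 <removed>`, but attaches the new `[bookworm] - libyang <no-dsa>` tag to `libyang` only; check that `libyang` (not `libyang2`) is the source package name actually shipped in bookworm, otherwise the bookworm tag points at a package that suite does not carry and the real bookworm source stays untagged.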
@@ -2455,18 +2459,22 @@ CVE-2026-XXXX [RUSTSEC-2026-0122]
 	NOTE: https://github.com/rkyv/rkyv/commit/5828cf5c27b664eb4432c4a93d4769e12e5e42fb
 CVE-2026-XXXX [RUSTSEC-2026-0137]
 	- rust-diesel <unfixed>
+	[trixie] - rust-diesel <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0137.html
 	NOTE: https://github.com/diesel-rs/diesel/pull/5042
 CVE-2026-XXXX [RUSTSEC-2026-0136]
 	- rust-diesel <unfixed>
+	[trixie] - rust-diesel <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0136.html
 	NOTE: https://github.com/diesel-rs/diesel/pull/5042
 CVE-2026-XXXX [RUSTSEC-2026-0135]
 	- rust-diesel <unfixed>
+	[trixie] - rust-diesel <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0135.html
 	NOTE: https://github.com/diesel-rs/diesel/pull/5042
 CVE-2026-XXXX [RUSTSEC-2026-0134]
 	- rust-diesel <unfixed>
+	[trixie] - rust-diesel <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0134.html
 	NOTE: https://github.com/diesel-rs/diesel/pull/5042
 CVE-2026-8463 (Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap ...)
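Review bot: the four RUSTSEC entries for rust-diesel get only a `[trixie]` tag, whereas the other triage in this commit tags both `[trixie]` and `[bookworm]`; if rust-diesel is also in bookworm it needs the matching `[bookworm] - rust-diesel <no-dsa> (Minor issue)` line in each of the four entries (all four reference the same fix, https://github.com/diesel-rs/diesel/pull/5042, so the assessment should be identical across them). If it is not in bookworm, nothing further is needed.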
@@ -4528,6 +4536,7 @@ CVE-2026-8262 (A vulnerability was identified in Devs Palace ERP Online up to 4.
 	NOT-FOR-US: Devs Palace ERP Online
 CVE-2026-8261 (A vulnerability was determined in Squirrel up to 3.2. This affects the ...)
 	- squirrel3 <unfixed>
+	[trixie] - squirrel3 <no-dsa> (Minor issue)
 	NOTE: https://github.com/albertodemichelis/squirrel/issues/326
 CVE-2026-8260 (A vulnerability was found in D-Link DCS-935L up to 1.10.01. The impact ...)
 	NOT-FOR-US: D-Link
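Review bot: the `squirrel3 <unfixed>` line has no `(bug #…)` reference, unlike the other `<unfixed>` entries tagged `<no-dsa>` in this commit (vorbis-tools, busybox, opencascade); since a no-dsa issue is expected to be picked up through a point update, a BTS bug is the usual way to keep it from being lost. As with the rust-diesel entries, only `[trixie]` is tagged, so confirm squirrel3 is not in bookworm or add the matching `[bookworm]` line.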
@@ -4535,6 +4544,7 @@ CVE-2026-8259 (A vulnerability has been found in Tenda AC6 2.0/15.03.06.23. The
 	NOT-FOR-US: Tenda
 CVE-2026-8258 (A flaw has been found in Squirrel up to 3.2. Impacted is the function  ...)
 	- squirrel3 <unfixed>
+	[trixie] - squirrel3 <no-dsa> (Minor issue)
 	NOTE: https://github.com/albertodemichelis/squirrel/issues/325
 CVE-2026-8257 (A vulnerability was detected in WebAssembly Binaryen up to 117. This i ...)
 	- binaryen <unfixed> (unimportant)
@@ -6557,6 +6567,8 @@ CVE-2026-42267 (Kimai is an open-source time tracking application. From version
 	NOT-FOR-US: Kimai
 CVE-2026-42264 (Axios is a promise based HTTP client for the browser and Node.js. From ...)
 	- node-axios 1.15.2-1
+	[trixie] - node-axios <no-dsa> (Minor issue)
+	[bookworm] - node-axios <no-dsa> (Minor issue)
 	NOTE: https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj
 	NOTE: https://github.com/axios/axios/pull/10779
 	NOTE: https://github.com/axios/axios/commit/47915144662f2733e6c051bdcb895a8c8f0586aa (v1.15.2)
@@ -9894,6 +9906,8 @@ CVE-2026-29169 (A NULL pointer dereference in mod_dav_lock in Apache HTTP Server
 	NOTE: https://github.com/apache/httpd/commit/225dc070adba11040b774cf641e1d8bc79941643 (2.4.67-rc1-candidate)
 CVE-2026-29004 (BusyBox before commit 42202bf contains a heap buffer overflow vulnerab ...)
 	- busybox <unfixed> (bug #1136012)
+	[trixie] - busybox <no-dsa> (Minor issue)
+	[bookworm] - busybox <no-dsa> (Minor issue)
 	NOTE: https://git.busybox.net/busybox/commit/archival?id=42202bfb1e6ac51fa995beda8be4d7b654aeee2a
 	NOTE: https://git.busybox.net/busybox/commit/archival?id=d368f3f7836d1c2484c8f839316e5c93e76d4409
 CVE-2026-26956 (vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 i ...)
@@ -10507,21 +10521,33 @@ CVE-2026-42482 (A stack-based buffer overflow in mangle_to_hex_lower() and mangl
 	NOTE: https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f
 CVE-2026-42481 (Open CASCADE Technology (OCCT) V8_0_0_rc5 contains multiple vulnerabil ...)
 	- opencascade <unfixed> (bug #1136008)
+	[trixie] - opencascade <no-dsa> (Minor issue)
+	[bookworm] - opencascade <no-dsa> (Minor issue)
 	NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
 CVE-2026-42480 (A stack-based out-of-bounds read vulnerability in VrmlData_Scene::Read ...)
 	- opencascade <unfixed> (bug #1136008)
+	[trixie] - opencascade <no-dsa> (Minor issue)
+	[bookworm] - opencascade <no-dsa> (Minor issue)
 	NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
 CVE-2026-42479 (An out-of-bounds read vulnerability in VrmlData_IndexedLineSet::TShape ...)
 	- opencascade <unfixed> (bug #1136008)
+	[trixie] - opencascade <no-dsa> (Minor issue)
+	[bookworm] - opencascade <no-dsa> (Minor issue)
 	NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
 CVE-2026-42478 (An issue was discovered in VrmlData_IndexedFaceSet::TShape in the VRML ...)
 	- opencascade <unfixed> (bug #1136008)
+	[trixie] - opencascade <no-dsa> (Minor issue)
+	[bookworm] - opencascade <no-dsa> (Minor issue)
 	NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
 CVE-2026-42477 (A heap-based out-of-bounds read vulnerability in RWObj_Reader::read in ...)
 	- opencascade <unfixed> (bug #1136008)
+	[trixie] - opencascade <no-dsa> (Minor issue)
+	[bookworm] - opencascade <no-dsa> (Minor issue)
 	NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
 CVE-2026-42476 (Two heap-based out-of-bounds read vulnerabilities in the STL ASCII fil ...)
 	- opencascade <unfixed> (bug #1136008)
+	[trixie] - opencascade <no-dsa> (Minor issue)
+	[bookworm] - opencascade <no-dsa> (Minor issue)
 	NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
 CVE-2026-42475 (SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via cr ...)
 	NOT-FOR-US: MixPHP Framework
@@ -30140,6 +30166,8 @@ CVE-2026-4923 (Impact:  When using multiple wildcards, combined with at least on
 CVE-2026-4897 (A flaw was found in polkit. A local user can exploit this by providing ...)
 	{DLA-4553-1}
 	- policykit-1 127-3 (bug #1132234)
+	[trixie] - policykit-1 <no-dsa> (Minor issue)
+	[bookworm] - policykit-1 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2451739
 	NOTE: Fixed by: https://github.com/polkit-org/polkit/commit/7e122c8a5120c2aae2d9d44a26796dc18f5b677c
 	NOTE: Introduced with (part of the fixes for CVE-2015-4625):
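Review bot: this entry already carries `{DLA-4553-1}`, i.e. bullseye LTS shipped a security update for it, yet trixie and bookworm are now marked `<no-dsa> (Minor issue)`; the differing assessment between LTS and the security team is not explained in the entry. Either add a NOTE stating why no DSA is warranted, or, given the fix commit is already identified (`Fixed by:` line) and it is fixed in unstable as 127-3, schedule it for the next point updates so the stable suites do not lag behind bullseye.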
@@ -318740,6 +318768,7 @@ CVE-2023-33934 (Improper Input Validation vulnerability in Apache Software Found
 CVE-2023-2905 (Due to a failure in validating the length of a provided MQTT_CMD_PUBLI ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2024.12+dfsg-1
+	[bookworm] - swupdate <no-dsa> (Minor issue)
 	[bullseye] - swupdate <no-dsa> (Minor issue)
 CVE-2023-3223 (A flaw was found in undertow. Servlets annotated with @MultipartConfig ...)
 	- undertow 2.3.18-1 (bug #1054893)
@@ -324881,6 +324910,7 @@ CVE-2023-34203 (In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge
 CVE-2023-34188 (The HTTP server in Mongoose before 7.10 accepts requests containing ne ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2024.12+dfsg-1
+	[bookworm] - swupdate <no-dsa> (Minor issue)
 	[bullseye] - swupdate <no-dsa> (Minor issue)
 	NOTE: https://github.com/cesanta/mongoose/commit/4663090a8fb036146dfe77718cff612b0101cb0f (7.10)
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1


=====================================
data/dsa-needed.txt
=====================================
@@ -58,7 +58,7 @@ mbedtls/oldstable
 --
 mimetex/oldstable
 --
-netatalk
+netatalk (jmm)
 --
 netty
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e77399f9af4db4f144cc9fe01abc211b3c393b4c


