[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sun May 17 22:18:13 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5db6c922 by Moritz Muehlenhoff at 2026-05-17T23:15:22+02:00
trixie/bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -353,6 +353,8 @@ CVE-2026-40930
NOTE: https://github.com/pnggroup/libpng/commit/faf06924688b62d7c1654b5ceddedbde66ffadb4
CVE-2026-46433 [Heap OOB Read in VLAN Decapsulation memmove]
- lldpd 1.0.22-1
+ [trixie] - lldpd <no-dsa> (Minor issue)
+ [bookworm] - lldpd <no-dsa> (Minor issue)
NOTE: https://github.com/lldpd/lldpd/security/advisories/GHSA-2g8p-2h3j-63m3
NOTE: https://github.com/lldpd/lldpd/pull/787
NOTE: Fixed by: https://github.com/lldpd/lldpd/commit/ca931be63a9cae0fcd8e9b6ae4e916d49f141cd6 (1.0.22)
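Review bot: the new trixie/bookworm `<no-dsa> (Minor issue)` lines for CVE-2026-46433 do not say whether a point-release update is intended, even though the `Fixed by:` NOTE already pins the fix to a single upstream commit (ca931be6, 1.0.22) and the sid entry is already fixed in 1.0.22-1; since the fix is isolated and lldpd parses frames received from the network, consider stating the intent in the tag comment (e.g. whether the commit is suitable for a point update) so the triage does not have to be revisited later.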
@@ -2455,6 +2457,8 @@ CVE-2026-XXXX [NULL pointer dereference in DIGEST-MD5]
NOTE: Fixed by: https://codeberg.org/gsasl/gsasl/commit/da9b5ae2962b014879e4a406c3b38f25aa70e97a (v2.2.3)
CVE-2026-XXXX [RUSTSEC-2026-0122]
- rust-rkyv <unfixed>
+ [trixie] - rust-rkyv <no-dsa> (Minor issue)
+ [bookworm] - rust-rkyv <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0122.html
NOTE: https://github.com/rkyv/rkyv/commit/5828cf5c27b664eb4432c4a93d4769e12e5e42fb
CVE-2026-XXXX [RUSTSEC-2026-0137]
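Review bot: the second NOTE in this hunk (the rkyv commit 5828cf5c) carries no `Fixed by:` prefix and no upstream release version, unlike the other entries in this patch (e.g. `NOTE: Fixed by: <commit> (1.0.22)`); with the sid line still `<unfixed>`, marking the commit explicitly as the fix and naming the release it shipped in would make clear that it is the reference point for a backport to the two new `<no-dsa>` releases rather than just a related link.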
@@ -4098,6 +4102,8 @@ CVE-2026-0502 (Due to insufficient CSRF protection in SAP BusinessObjects Busine
NOT-FOR-US: SAP
CVE-2026-7010 (HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP ...)
- libhttp-tiny-perl 0.092-2
+ [trixie] - libhttp-tiny-perl <no-dsa> (Minor issue)
+ [bookworm] - libhttp-tiny-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/39952806/
NOTE: Fixed by: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/d73c7651e82ace02693842df55928b6c3ae7c38d (release-0.093)
CVE-2026-6146 (Amazon::Credentials versions through 1.2.0 for Perl uses rand to gener ...)
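Review bot: the sid line records the fix as 0.092-2 while the `Fixed by:` NOTE points at upstream `release-0.093`, so the fix must have been backported into the Debian 0.092-2 revision; a short NOTE saying so (and that d73c7651 is the cherry-picked commit) would save the next reader from wondering whether 0.092-2 actually contains the CRLF validation fix, and the same commit reference is what a backport to the two new `<no-dsa>` releases would use.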
@@ -4775,6 +4781,8 @@ CVE-2026-45186 (In libexpat before 2.8.1, the computational complexity of attrib
NOTE: https://blog.hartwork.org/posts/expat-2-8-1-released/
CVE-2026-45184 (Kdenlive before 26.04.1 allows dangerous proxy parameters when an atta ...)
- kdenlive 26.04.1-1 (bug #1136172)
+ [trixie] - kdenlive <no-dsa> (Minor issue)
+ [bookworm] - kdenlive <no-dsa> (Minor issue)
NOTE: https://kde.org/info/security/advisory-20260508-1.txt
NOTE: https://commits.kde.org/kdenlive/94042ddd259551e4a7a5f6672329752972c84685 (v26.04.0)
NOTE: https://commits.kde.org/kdenlive/c3999aacc6da54756f3df8aab03b900459562ecd (v26.04.1)
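Review bot: the two NOTE lines link upstream commits tagged v26.04.0 and v26.04.1 without a `Fixed by:` prefix, so it is not clear whether both commits are required for the fix or only the v26.04.1 one (the CVE text says "before 26.04.1"); labelling which commit(s) constitute the fix would help anyone evaluating a backport for the two new `<no-dsa>` releases.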
@@ -5258,6 +5266,8 @@ CVE-2022-50994 (DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an
NOT-FOR-US: DrayTek Vigor
CVE-2026-6659 (Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure ran ...)
- libcrypt-passwdmd5-perl <unfixed> (bug #1136091)
+ [trixie] - libcrypt-passwdmd5-perl <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - libcrypt-passwdmd5-perl <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/39857355/
CVE-2026-43470 (In the Linux kernel, the following vulnerability has been resolved: n ...)
- linux 6.19.10-1
@@ -7932,6 +7942,8 @@ CVE-2026-40562 (Gazelle versions through 0.49 for Perl allows HTTP Request Smugg
NOTE: https://lists.security.metacpan.org/cve-announce/msg/39783440/
CVE-2026-5081 (Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 ...)
- libapache-session-perl <unfixed> (unimportant)
+ [trixie] - libapache-session-perl <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - libapache-session-perl <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/39783104/
NOTE: CVE exists to document that Apache::Session::Generate::ModUniqueId is
NOTE: to use e.g. for where session id might be used for authentication or
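Review bot: the new trixie/bookworm lines mark CVE-2026-5081 as `<postponed> (Minor issue, revisit when fixed upstream)` while the sid line is `<unfixed> (unimportant)`; these severities disagree. If the CVE is only documentary (as the trailing NOTE, "CVE exists to document that ...", suggests), the `(unimportant)` tag already covers the releases and the two added lines are unnecessary; if it is a real minor issue, the sid tag should be changed to match so the entry is internally consistent.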
@@ -10649,6 +10661,7 @@ CVE-2025-52347 (An issue in the component DirectIo64.sys of PassMark BurnInTest
NOT-FOR-US: PassMark
CVE-2026-XXXX [RUSTSEC-2026-0119]
- rust-hickory-proto <unfixed>
+ [trixie] - rust-hickory-proto <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0119.html
NOTE: https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-q2qq-hmj6-3wpp
CVE-2026-XXXX [RUSTSEC-2026-0118]
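Review bot: this hunk adds a `<no-dsa>` line for trixie only, whereas every other entry in this patch adds both trixie and bookworm lines; if bookworm does not ship rust-hickory-proto or is not affected, that is fine, but it is worth confirming (and, if applicable, adding the bookworm line) so the omission is not mistaken for an oversight.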
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5db6c922d1d7fcf00367642de8edd1653404609a