[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon May 18 09:49:43 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2a5263c7 by Moritz Muehlenhoff at 2026-05-18T10:48:07+02:00
trixie/bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -396,6 +396,8 @@ CVE-2025-67031 (ORSEE (Online Recruitment System for Economic Experiments) 3.1.0
NOT-FOR-US: ORSEE (Online Recruitment System for Economic Experiments)
CVE-2026-8704 (Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing ex ...)
- libcrypt-dsa-perl 1.20-1 (bug #1136809)
+ [trixie] - libcrypt-dsa-perl <no-dsa> (Minor issue)
+ [bookworm] - libcrypt-dsa-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40104289/
NOTE: Fixed by: https://github.com/perl-Crypt-OpenPGP/Crypt-DSA/commit/e7dc7836594908d6e9abf74b0a66f12a78569d1c (1.20)
CVE-2026-8700 (Crypt::DSA versions before 1.20 for Perl generate seeds using rand. S ...)
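Review bot: On the CVE-2026-8704 entry, the two added lines give only "Minor issue" as the reason, although a fixed upload (1.20-1) and a single upstream commit are already recorded in the NOTE lines. A more specific reason would let a later point-release decision be made without redoing the triage. The CVE-2026-8700 entry that starts in the trailing context is the same package with the same 1.20 boundary; its release lines are outside this hunk, so check that it is triaged the same way.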
@@ -454,6 +456,8 @@ CVE-2026-46508 (Turborepo is a high-performance build system for JavaScript and
NOT-FOR-US: Turborepo
CVE-2026-46483 (Vim is an open source, command line text editor. Prior to 9.2.0479, a ...)
- vim <unfixed> (bug #1136803)
+ [trixie] - vim <no-dsa> (Minor issue)
+ [bookworm] - vim <no-dsa> (Minor issue)
NOTE: https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w
NOTE: https://github.com/vim/vim/commit/3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 (v9.2.0479)
CVE-2026-46474 (Trog::TOTP versions before 1.006 for Perl generate secrets using rand. ...)
@@ -1677,6 +1681,8 @@ CVE-2026-8369 (Improper Input Validation in the NAT64 translator in The OpenThre
NOT-FOR-US: OpenThread
CVE-2026-8367 (aria2c accepts a server certificate with incorrect Extended Key Usage ...)
- aria2 <unfixed>
+ [trixie] - aria2 <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - aria2 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/aria2/aria2/issues/2355
CVE-2026-8328 (The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4 ...)
- python3.14 <unfixed>
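Review bot: The `- aria2 <unfixed>` line for CVE-2026-8367 carries no bug reference, unlike the vim, bettercap and pagure entries in this commit, and the added trixie/bookworm lines say "revisit when fixed upstream". With only an upstream issue link in the NOTE, a Debian bug number on the unfixed line would give the postponed entries something to be revisited from.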
@@ -2698,6 +2704,7 @@ CVE-2026-44241 (Micronaut Framework is a JVM-based full stack Java framework des
NOT-FOR-US: Micronaut Framework
CVE-2026-44240 (basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is v ...)
- node-proxy-agents 0~2025070717+~cs15.3.8-1 (bug #1136650)
+ [trixie] - node-proxy-agents <no-dsa> (Minor issue)
NOTE: https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rpmf-866q-6p89
CVE-2026-44232 (DSSRF is a Node.js library that provides a wide range of utilities and ...)
NOT-FOR-US: DSSRF
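Review bot: Only a [trixie] line is added for node-proxy-agents under CVE-2026-44240, where most other entries in this commit get both [trixie] and [bookworm]. If bookworm does not ship the package that is fine; otherwise a matching [bookworm] line is missing. The CVE text names basic-ftp while the tracked package is node-proxy-agents, so a short NOTE saying where the affected code sits in that source package would make the mapping checkable.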
@@ -4212,7 +4219,9 @@ CVE-2026-7308 (An authenticated user with upload permission to a hosted reposito
CVE-2026-7210 (`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entro ...)
- python3.14 <unfixed>
- python3.13 <unfixed>
+ [trixie] - python3.13 <no-dsa> (Minor issue)
- python3.11 <removed>
+ [bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
- python2.7 <removed>
[bullseye] - python2.7 <end-of-life> (not supported in bullseye)
@@ -4569,10 +4578,14 @@ CVE-2026-5084 (WebDyne::Session versions through 2.075 for Perl generates the se
NOT-FOR-US: WebDyne::Session Perl module
CVE-2026-8276 (A flaw has been found in bettercap up to 2.41.5. Affected by this issu ...)
- bettercap <unfixed> (bug #1136448)
+ [trixie] - bettercap <no-dsa> (Minor issue)
+ [bookworm] - bettercap <no-dsa> (Minor issue)
NOTE: https://github.com/bettercap/bettercap/issues/1265
NOTE: https://github.com/bettercap/bettercap/commit/0eaa375c5e5446bfba94a290eff92967a5deac9e (v2.41.7)
CVE-2026-8275 (A vulnerability was detected in bettercap up to 2.41.5. Affected by th ...)
- bettercap <unfixed> (bug #1136448)
+ [trixie] - bettercap <no-dsa> (Minor issue)
+ [bookworm] - bettercap <no-dsa> (Minor issue)
NOTE: https://github.com/bettercap/bettercap/issues/1263
NOTE: https://github.com/bettercap/bettercap/commit/3731d5576cffae9eefe3721cd46a40933304129f (v2.41.7)
CVE-2026-8274 (A security vulnerability has been detected in npitre cramfs-tools up t ...)
@@ -27558,6 +27571,8 @@ CVE-2026-34528 (File Browser is a file managing interface for uploading, deletin
NOT-FOR-US: File Browser
CVE-2026-34525 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
- python-aiohttp 3.13.5-1 (bug #1132582)
+ [trixie] - python-aiohttp <no-dsa> (Minor issue)
+ [bookworm] - python-aiohttp <no-dsa> (Minor issue)
NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-c427-h43c-vf67
NOTE: Fixed by: https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349 (v3.13.4)
NOTE: Fixed by: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000 (v3.13.5)
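Review bot: The added <no-dsa> lines for python-aiohttp sit above two separate "Fixed by" commits, one tagged v3.13.4 and one v3.13.5, and the fixed version is 3.13.5-1. If this is later picked up for a point release, both commits are needed. A NOTE saying whether the second commit completes the first or is an independent follow-up would save the backporter from working that out.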
@@ -36701,6 +36716,7 @@ CVE-2025-14031 (IBM Sterling B2B Integrator andand IBM Sterling File Gateway6.1.
NOT-FOR-US: IBM
CVE-2026-3312
- pagure <unfixed> (bug #1132033)
+ [trixie] - pagure <no-dsa> (Minor issue)
[bullseye] - pagure <postponed> (Minor issue, infoleak)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2443259
CVE-2025-71276 (SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, ...)
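Review bot: The new [trixie] line for pagure uses the bare reason "Minor issue", while the existing [bullseye] line directly below records "Minor issue, infoleak". Carrying the same qualifier on the trixie line would keep the reasons consistent across releases. No [bookworm] line appears between them; confirm that is intended.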
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a5263c798b59f34540d8866849e503da73f8adf