[Git][security-tracker-team/security-tracker][master] lts: bullseye triage
Emilio Pozuelo Monfort (@pochu)
pochu at debian.org
Mon May 18 10:52:54 BST 2026
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d4c43ab1 by Emilio Pozuelo Monfort at 2026-05-18T11:51:54+02:00
lts: bullseye triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1807,6 +1807,7 @@ CVE-2026-45028 (Astro is a web framework. Astro versions prior to 6.1.10 used AE
NOT-FOR-US: Astro
CVE-2026-44919 (In OpenStack Ironic through 35.x before a3f6d73, during image handling ...)
- ironic 1:35.0.1-3 (bug #1136655)
+ [bullseye] - ironic <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/ironic/+bug/2150332
NOTE: https://opendev.org/openstack/ironic/commit/a3f6d735ac3642ab95b49142c7305f072ae748d0
CVE-2026-44665 (fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input d ...)
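Review bot: the added "[bullseye] - ironic <no-dsa> (Minor issue)" line under CVE-2026-44919 is the only per-release annotation visible for this CVE, so unlike the other entries in this commit there is no trixie or bookworm decision it mirrors. Since "Minor issue" alone does not say why the image-handling flaw is considered minor, consider extending the parenthesised reason with the actual rationale so later triage of the other releases can reuse or challenge it.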
@@ -4857,6 +4858,7 @@ CVE-2026-45184 (Kdenlive before 26.04.1 allows dangerous proxy parameters when a
- kdenlive 26.04.1-1 (bug #1136172)
[trixie] - kdenlive <no-dsa> (Minor issue)
[bookworm] - kdenlive <no-dsa> (Minor issue)
+ [bullseye] - kdenlive <no-dsa> (Minor issue)
NOTE: https://kde.org/info/security/advisory-20260508-1.txt
NOTE: https://commits.kde.org/kdenlive/94042ddd259551e4a7a5f6672329752972c84685 (v26.04.0)
NOTE: https://commits.kde.org/kdenlive/c3999aacc6da54756f3df8aab03b900459562ecd (v26.04.1)
@@ -6585,6 +6587,7 @@ CVE-2026-4935 (The OttoKit: All-in-One Automation Platform WordPress plugin befo
NOT-FOR-US: WordPress plugin
CVE-2026-44916 (In OpenStack Ironic before 35.0.2 (in a certain non-default configurat ...)
- ironic 1:35.0.1-2 (bug #1136005)
+ [bullseye] - ironic <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/ironic/+bug/2148307
NOTE: https://review.opendev.org/c/openstack/ironic/+/987514
CVE-2026-44365
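Review bot: the reason on the added "[bullseye] - ironic <no-dsa> (Minor issue)" line under CVE-2026-44916 is less specific than the CVE description directly above it, which says the problem only applies "in a certain non-default configurat ...". If that is the basis for the no-dsa decision, recording it in the reason, for example "(Minor issue; non-default configuration)", would make the entry self-explanatory.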
@@ -9387,6 +9390,7 @@ CVE-2026-42997 (An issue was discovered in idrac in OpenStack Ironic before 35.0
- ironic 1:35.0.1-1 (bug #1135811)
[trixie] - ironic <no-dsa> (Minor issue; can be fixed via point release)
[bookworm] - ironic <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - ironic <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/ironic/+bug/2148317
NOTE: https://www.openwall.com/lists/oss-security/2026/05/05/10
NOTE: https://opendev.org/openstack/ironic/commit/8b663209ff46ba2fbd05797ba7105b4f00e6dac4 (35.0.1)
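Review bot: the added bullseye line under CVE-2026-42997 says only "(Minor issue)" while the trixie and bookworm lines directly above it say "(Minor issue; can be fixed via point release)". The dropped qualifier leaves no hint of what follow-up is expected for bullseye. Since the NOTE below already names the upstream fix commit (35.0.1), it would help to state in the reason whether that fix is meant to be picked up for bullseye later or not at all.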
@@ -10037,12 +10041,14 @@ CVE-2025-70072 (An issue in Assimp v.6.0.2 allows a remote attacker to cause a d
- assimp <unfixed>
[trixie] - assimp <no-dsa> (Minor issue)
[bookworm] - assimp <no-dsa> (Minor issue)
+ [bullseye] - assimp <no-dsa> (Minor issue)
NOTE: https://gist.github.com/GunP4ng/cdaf0cb89dc6f1d09a9e88fa1135894e
NOTE: https://github.com/assimp/assimp/issues/6635
CVE-2025-70071 (An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial ...)
- assimp <unfixed>
[trixie] - assimp <no-dsa> (Minor issue)
[bookworm] - assimp <no-dsa> (Minor issue)
+ [bullseye] - assimp <no-dsa> (Minor issue)
NOTE: https://gist.github.com/GunP4ng/6d80919905037929ce9266ccd207b9ea
CVE-2025-67796 (IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that al ...)
- rdiffweb <itp> (bug #969974)
@@ -10077,16 +10083,19 @@ CVE-2025-70070 (An issue in Assimp v.6.0.2 allows a remote attacker to cause a d
- assimp <unfixed>
[trixie] - assimp <no-dsa> (Minor issue)
[bookworm] - assimp <no-dsa> (Minor issue)
+ [bullseye] - assimp <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2465295
CVE-2025-70069 (An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial ...)
- assimp <unfixed>
[trixie] - assimp <no-dsa> (Minor issue)
[bookworm] - assimp <no-dsa> (Minor issue)
+ [bullseye] - assimp <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2465306
CVE-2025-70067 (Buffer Overflow vulnerability exists in Assimp versions up to 6.0.2 in ...)
- assimp <unfixed>
[trixie] - assimp <no-dsa> (Minor issue)
[bookworm] - assimp <no-dsa> (Minor issue)
+ [bullseye] - assimp <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2465308
CVE-2026-43868 (Memory Allocation with Excessive Size Value vulnerability in Apache Th ...)
[experimental] - thrift 0.23.0-1
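Review bot: the bullseye line added under CVE-2025-70067 copies the "(Minor issue)" reason used for the denial-of-service entries above it (CVE-2025-70070, CVE-2025-70069), but this CVE is described as a buffer overflow in "Assimp versions up to 6.0.2". The only reference visible for it is a Red Hat Bugzilla NOTE, so nothing in the entry shows that the affected code was checked against the bullseye version. Worth confirming that before settling on no-dsa, and adding a NOTE with the affected function or file if it is known.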
@@ -17497,6 +17506,7 @@ CVE-2026-40611 (Let's Encrypt client and ACME library written in Go (Lego). Prio
- golang-github-xenolf-lego <unfixed> (bug #1134643)
[trixie] - golang-github-xenolf-lego <no-dsa> (Minor issue)
[bookworm] - golang-github-xenolf-lego <no-dsa> (Minor issue)
+ [bullseye] - golang-github-xenolf-lego <no-dsa> (Minor issue)
NOTE: https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8
NOTE: Fixed by: https://github.com/go-acme/lego/commit/aa6fcebccb73828e933c33363dccc0a93a101988 (v4.34.0)
CVE-2026-40608 (Next AI Draw.io is a next.js web application that integrates AI capabi ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4c43ab1edaa59bb37770c3d0e0202b39e939fee