[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon May 18 16:09:50 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
05b45e40 by Moritz Muehlenhoff at 2026-05-18T16:17:42+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -118,6 +118,7 @@ CVE-2026-8723 (### Summary `qs.stringify` throws `TypeError` when called with
TODO: check
CVE-2026-8721 (Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwo ...)
- libcrypt-openssl-pkcs12-perl 1.95-1
+ [trixie] - libcrypt-openssl-pkcs12-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40149249/
NOTE: https://github.com/dsully/perl-crypt-openssl-pkcs12/commit/7b90e88a97f0ebe440032b8116249d1004d7ca6f
NOTE: https://github.com/dsully/perl-crypt-openssl-pkcs12/commit/468712ae04188342b263f057ad65f21a3545013b
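Review bot: bookworm is left undecided for CVE-2026-8721 while only a [trixie] line is added; the description says versions through 1.94 are affected and the sid fix is 1.95-1, so if bookworm ships an affected version it needs its own [bookworm] line (no-dsa with the same rationale, or a <not-affected> marker if it does not). The two upstream commit NOTEs would also be more useful at backport time in the "NOTE: Fixed by: ... (version)" form used elsewhere in this file (see the php-mongodb and sequoia entries in this same commit), with the upstream release tag that contains them.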
@@ -127,6 +128,7 @@ CVE-2026-8719 (The AI Engine \u2013 The Chatbot, AI Framework & MCP for WordPres
NOT-FOR-US: WordPress plugin
CVE-2026-8507 (Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out-of-boun ...)
- libcrypt-openssl-pkcs12-perl 1.95-1
+ [trixie] - libcrypt-openssl-pkcs12-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40149247/
NOTE: https://github.com/dsully/perl-crypt-openssl-pkcs12/issues/55
NOTE: https://github.com/dsully/perl-crypt-openssl-pkcs12/issues/56
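Review bot: the two NOTEs for CVE-2026-8507 point at upstream issues #55 and #56 but not at the commit that fixes them, unlike the sibling CVE-2026-8721 entry above, so an out-of-bounds fix in a PKCS12 parser is marked "Minor issue" with no record of what the fix actually is; add a "Fixed by:" NOTE with the upstream commit before this entry is relied on for a later point update. The same bookworm question applies here: only [trixie] is added.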
@@ -677,6 +679,8 @@ CVE-2026-7373 (Rapid7 Metasploit Pro is vulnerable to a local privilege escalati
NOT-FOR-US: Rapid7 Metasploit Pro
CVE-2026-6811 (Stack exhaustion vulnerability in the MongoDB PHP driver can cause app ...)
- php-mongodb <unfixed> (bug #1136802)
+ [trixie] - php-mongodb <no-dsa> (Minor issue)
+ [bookworm] - php-mongodb <no-dsa> (Minor issue)
NOTE: https://jira.mongodb.org/browse/PHPC-2636
NOTE: Fixed by: https://github.com/mongodb/mongo-php-driver/commit/2060beb85a041182550d022ec223783ffdaf6ec8 (1.21.5, 2.1.8)
CVE-2026-6646 (The The7 theme for WordPress is vulnerable to Stored Cross-Site Script ...)
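Review bot: the no-dsa rationale "Minor issue" on the new [trixie] and [bookworm] lines says less than the wording this same commit keeps on the python-jwcrypto bullseye line ("minor issue; limited memory DoS"); since the description is a stack exhaustion in the MongoDB PHP driver, i.e. a DoS, spell that out in the rationale so the decision is self-explanatory. The sid line still reads "<unfixed>" although the Fixed by NOTE already names the upstream releases 1.21.5 and 2.1.8, so bug #1136802 remains the tracking point for the unstable upload.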
@@ -1843,6 +1847,7 @@ CVE-2026-44478 (hoppscotch is an open source API development ecosystem. The fix
NOT-FOR-US: hoppscotch
CVE-2026-44471 (gitoxide is an implementation of git written in Rust. Prior to 0.21.1, ...)
- rust-gix-fs 0.16.1-2 (bug #1136703)
+ [trixie] - rust-gix-fs <no-dsa> (Minor issue)
NOTE: https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-f89h-2fjh-2r9q
CVE-2026-44470 (The Claude Desktop app gives you Claude Code with a graphical interfac ...)
NOT-FOR-US: Claude Desktop app
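Review bot: the fixed sid version 0.16.1-2 is a Debian revision bump well below the upstream fixed release 0.21.1 named in the description, so the fix must have been backported, yet the entry carries only the GHSA link and no "Fixed by:" NOTE naming the upstream commit that was cherry-picked, which is exactly what a trixie point update would need. No [bookworm] line is added either; if bookworm ships rust-gix-fs it needs a marker one way or the other.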
@@ -2771,6 +2776,8 @@ CVE-2026-42355 (NanaZip is an open source file archive. From 5.0.1252.0 to befor
CVE-2026-42338 (ip-address is a library for parsing and manipulating IPv4 and IPv6 add ...)
[experimental] - node-ip-address 10.2.0-1
- node-ip-address <unfixed>
+ [trixie] - node-ip-address <no-dsa> (Minor issue)
+ [bookworm] - node-ip-address <no-dsa> (Minor issue)
NOTE: https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g
CVE-2026-42289 (ChurchCRM is an open-source church management system. Prior to 7.3.2, ...)
NOT-FOR-US: ChurchCRM
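Review bot: the sid line "- node-ip-address <unfixed>" carries no (bug #...) reference, unlike the other <unfixed> entries touched in this commit (php-mongodb, python-jwcrypto); without a bug the maintainer is not notified and the fix only exists in experimental (10.2.0-1). File the bug and add the reference, otherwise the new [trixie]/[bookworm] no-dsa markers sit on an issue with no unstable fix path.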
@@ -4290,6 +4297,8 @@ CVE-2026-44991 (OpenClaw before 2026.4.21 contains an authorization bypass vulne
NOT-FOR-US: OpenClaw
CVE-2026-44777 (jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordi ...)
- jq 1.8.1-6 (bug #1136445)
+ [trixie] - jq <no-dsa> (Minor issue)
+ [bookworm] - jq <no-dsa> (Minor issue)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-rmpv-jgvr-wpr9
CVE-2026-44738 (Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandb ...)
NOT-FOR-US: Grav CMS
@@ -4329,6 +4338,8 @@ CVE-2026-43968 (Improper Neutralization of CRLF Sequences ('CRLF Injection') vul
NOTE: https://github.com/ninenines/cowlib/commit/6165fc40efa159ba1cceee7e7981e790acba5d9c
CVE-2026-43896 (jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded r ...)
- jq 1.8.1-6 (bug #1136445)
+ [trixie] - jq <no-dsa> (Minor issue)
+ [bookworm] - jq <no-dsa> (Minor issue)
NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846
CVE-2026-43895 (jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts ...)
- jq 1.8.1-6 (bug #1136445)
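Review bot: the trailing context shows CVE-2026-43895 sharing the same "- jq 1.8.1-6 (bug #1136445)" fix line as the two jq CVEs triaged here (CVE-2026-44777 and CVE-2026-43896), but its [trixie]/[bookworm] state lies outside this hunk; if all three are fixed by the same upload and rated alike, confirm the third got the same markers rather than being skipped.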
@@ -4574,9 +4585,13 @@ CVE-2026-XXXX [yelp: Sandbox escape]
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/yelp/-/commit/c8c8244c8a812860782d635890c9b6c43ecc2639 (49.1)
CVE-2026-XXXX [openpgp: Don't imply missing key flags from key type]
- rust-sequoia-openpgp <unfixed>
+ [trixie] - rust-sequoia-openpgp <no-dsa> (Minor issue)
+ [bookworm] - rust-sequoia-openpgp <no-dsa> (Minor issue)
NOTE: Fixed by: https://gitlab.com/sequoia-pgp/sequoia/-/commit/58214b47b110e110432731f8fc5dec71918c4254 (openpgp/v2.3.0)
CVE-2026-XXXX [openpgp: Reject nested embedded signatures]
- rust-sequoia-openpgp <unfixed>
+ [trixie] - rust-sequoia-openpgp <no-dsa> (Minor issue)
+ [bookworm] - rust-sequoia-openpgp <no-dsa> (Minor issue)
NOTE: Fixed by: https://gitlab.com/sequoia-pgp/sequoia/-/commit/23403ff850352b420f19a8fb4724ce35bf963e08 (openpgp/v2.3.0)
CVE-2026-5084 (WebDyne::Session versions through 2.075 for Perl generates the session ...)
NOT-FOR-US: WebDyne::Session Perl module
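Review bot: both sequoia-openpgp entries are still CVE-2026-XXXX placeholders with "- rust-sequoia-openpgp <unfixed>" and no (bug #...) reference, so nothing records whether a CVE has been requested or the maintainer told; the only pointers are the two Fixed by commits (openpgp/v2.3.0). Marking trixie and bookworm no-dsa is fine as triage, but add the bug reference once filed so the <unfixed> sid line has a follow-up, and revisit "Minor issue" for "Reject nested embedded signatures" once the CVE text is public.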
@@ -9214,6 +9229,8 @@ CVE-2026-44405 (In Paramiko through 4.0.0 before a448945, rsakey.py allows the S
NOTE: https://github.com/paramiko/paramiko/commit/a4489456b6f65281e172380cc4826cee5e851dbb
CVE-2026-44331 (In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerabilit ...)
- proftpd-dfsg 1.3.9a~dfsg-1 (bug #1135840)
+ [trixie] - proftpd-dfsg <no-dsa> (Minor issue)
+ [bookworm] - proftpd-dfsg <no-dsa> (Minor issue)
NOTE: https://github.com/proftpd/proftpd/issues/2057
NOTE: https://github.com/proftpd/proftpd/commit/766622456440fbca33abd7927c523673a11d1ed1
CVE-2026-41950 (Dify before version 1.14.0 contains an authorization bypass vulnerabil ...)
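Review bot: "Minor issue" is a thin rationale for an SQL injection in a network daemon (proftpd); a no-dsa for SQLi should say why it does not warrant a DSA (which module is affected and what the attacker needs), in the style of the "minor issue; limited memory DoS" wording kept on the python-jwcrypto entry in this same commit. The fix commit NOTE could also carry the "Fixed by:" prefix used elsewhere in the file, so the backport target is unambiguous.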
@@ -24176,6 +24193,8 @@ CVE-2026-39374 (Plane is an an open-source project management tool. Prior to 1.3
NOT-FOR-US: Plane
CVE-2026-39373 (JWCrypto implements JWK, JWS, and JWE specifications using python-cryp ...)
- python-jwcrypto <unfixed> (bug #1133006)
+ [trixie] - python-jwcrypto <no-dsa> (Minor issue)
+ [bookworm] - python-jwcrypto <no-dsa> (Minor issue)
[bullseye] - python-jwcrypto <postponed> (minor issue; limited memory DoS)
NOTE: https://github.com/latchset/jwcrypto/security/advisories/GHSA-fjrm-76x2-c4q4
NOTE: Fixed by: https://github.com/latchset/jwcrypto/commit/25db861d8b29434838669a94a843af03d29ea6ed (v1.5.7)
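Review bot: the new [trixie] and [bookworm] lines say only "Minor issue" while the existing [bullseye] line directly below says "minor issue; limited memory DoS"; carry the specific rationale on the new lines so the three releases read consistently. Ordering is right (newer releases first).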
=====================================
data/dsa-needed.txt
=====================================
@@ -25,6 +25,8 @@ cups
dovecot
Noah Meyerhans proposing updates for review, wait for exposure in unstable for regressions
--
+expat
+--
firebird3.0
--
firebird4.0/stable
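Review bot: expat is added to dsa-needed.txt as a bare entry with no comment line, and none of the data/CVE/list hunks in this commit touch an expat CVE, so a reader cannot tell which issue triggered it; add a short line under it naming the CVE(s) (the dovecot entry above shows the form), or an assignee note once someone picks it up.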
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05b45e409004182bb64f9b348ff2805ea2e8d913