[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

[Moritz Muehlenhoff (@jmm)]

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
337325e3 by Moritz Muehlenhoff at 2026-05-19T11:33:10+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3849,6 +3849,7 @@ CVE-2026-31237 (The Ludwig framework thru 0.10.4 is vulnerable to insecure deser
 	NOT-FOR-US: Ludwig framework
 CVE-2026-31236 (The llm CLI tool thru 0.27.1 contains a critical code injection vulner ...)
 	- llm <unfixed>
+	[trixie] - llm <no-dsa> (Minor issue)
 	NOTE: https://www.notion.so/CVE-2026-31236-35d1e139318881a4a0f1fffcf671f7e3
 CVE-2026-31235 (The imgaug library thru 0.4.0 contains an insecure deserialization vul ...)
 	NOT-FOR-US: imgaug
@@ -8183,7 +8184,11 @@ CVE-2026-6344 (The Fluent Forms plugin for WordPress is vulnerable to Arbitrary
 	NOT-FOR-US: WordPress plugin
 CVE-2026-6210 (A type confusion vulnerability in Qt SVG allows an attacker to cause a ...)
 	- qt6-svg 6.10.2-6 (bug #1136089)
+	[trixie] - qt6-svg <no-dsa> (Minor issue)
+	[bookworm] - qt6-svg <no-dsa> (Minor issue)
 	- qtsvg-opensource-src <unfixed>
+	[trixie] - qtsvg-opensource-src <no-dsa> (Minor issue)
+	[bookworm] - qtsvg-opensource-src <no-dsa> (Minor issue)
 	NOTE: https://codereview.qt-project.org/c/qt/qtsvg/+/724887
 CVE-2026-43975 (FolderUploadsFileManager in Apache Wicket does not validate or sanitiz ...)
 	NOT-FOR-US: Apache software not packaged in Debian
@@ -27984,9 +27989,9 @@ CVE-2025-66484 (IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to stored c
 CVE-2025-66483 (IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate session aft ...)
 	NOT-FOR-US: IBM
 CVE-2025-66442 (In Mbed TLS through 4.0.0, there is a compiler-induced timing side cha ...)
-	- mbedtls <unfixed>
+	- mbedtls <unfixed> (unimportant)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/
-	TODO: No fix is available for this issue, check if it will be considered upstream
+	NOTE: mbedtls not built with clang in Debian
 CVE-2025-36375 (IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPow ...)
 	NOT-FOR-US: IBM
 CVE-2025-36373 (IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPow ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -60,6 +60,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more 6.1.y versions
 --
+lxd/oldstable
+--
 mbedtls/oldstable
 --
 mimetex/oldstable



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/337325e3f0b765c3e69bbf3e4f95448a06ad610e

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/337325e3f0b765c3e69bbf3e4f95448a06ad610e
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260519/a2fe4b27/attachment-0001.htm>