[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

[Moritz Muehlenhoff (@jmm)]

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d7ec8b51 by Moritz Muehlenhoff at 2026-05-20T09:23:45+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2257,6 +2257,8 @@ CVE-2026-45371 (SiYuan is an open-source personal knowledge management system. P
 	NOT-FOR-US: SiYuan
 CVE-2026-45205 (Uncontrolled Recursion vulnerability in Apache Commons.  When processi ...)
 	- commons-configuration2 <unfixed> (bug #1136705)
+	[trixie] - commons-configuration2 <no-dsa> (Minor issue)
+	[bookworm] - commons-configuration2 <no-dsa> (Minor issue)
 	- commons-configuration <not-affected> (Vulnerable code not present)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/14/5
 	NOTE: https://github.com/apache/commons-configuration/pull/634
@@ -5311,9 +5313,13 @@ CVE-2026-41431 (Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser sh
 	NOT-FOR-US: Zen
 CVE-2026-41257 (jq is a command-line JSON processor. In 1.8.1 and earlier, the jq byte ...)
 	- jq 1.8.1-6 (bug #1136445)
+	[trixie] - jq <no-dsa> (Minor issue)
+	[bookworm] - jq <no-dsa> (Minor issue)
 	NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-4jm8-m363-4539
 CVE-2026-41256 (jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level j ...)
 	- jq 1.8.1-6 (bug #1136445)
+	[trixie] - jq <no-dsa> (Minor issue)
+	[bookworm] - jq <no-dsa> (Minor issue)
 	NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg
 CVE-2026-41250 (Taiga is a project management platform for startups and agile develope ...)
 	NOT-FOR-US: Taiga
@@ -7928,10 +7934,15 @@ CVE-2026-41643 (GoBGP is an open source Border Gateway Protocol (BGP) implementa
 	- gobgp 4.3.0-1
 	[bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)
 	NOTE: https://github.com/osrg/gobgp/security/advisories/GHSA-8rxh-r2p6-7f2q
+	NOTE: https://github.com/osrg/gobgp/issues/3308
+	NOTE: https://github.com/osrg/gobgp/commit/9fe96a9b92918e782c2d054e305fc96b48f3e8e4 (v4.3.0)
 CVE-2026-41642 (GoBGP is an open source Border Gateway Protocol (BGP) implementation i ...)
 	- gobgp 4.4.0-1
-	[bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)
+	[trixie] - gobgp <not-affected> (Vulnerable code not present, introduced in 4.3.0)
+	[bookworm] - gobgp <not-affected> (Vulnerable code not present, introduced in 4.3.0)
+	[bullseye] - gobgp <not-affected> (Vulnerable code not present, introduced in 4.3.0)
 	NOTE: https://github.com/osrg/gobgp/security/advisories/GHSA-7235-89m6-f4px
+	NOTE: https://github.com/osrg/gobgp/commit/215aee08db47e55f4f8a7741e516951f76a959b4 (v4.4.0)
 CVE-2026-41589 (Wish is an SSH server with defaults and a collection of middlewares. F ...)
 	NOT-FOR-US: Wish SSH
 CVE-2026-41554 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -75,7 +75,7 @@ nss (jmm)
 opennds/oldstable
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
-openvpn
+openvpn (jmm)
   Maintainer already prepared debdiff for trixie, bookworm is harder, needs discussion
 --
 pdfminer (carnil)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7ec8b51890367b5aa11c9f88716c50fece8feb5

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7ec8b51890367b5aa11c9f88716c50fece8feb5
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260520/6d88b2cc/attachment-0001.htm>