[Git][security-tracker-team/security-tracker][master] 4 commits: dla: add mongo-c-driver

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Fri May 22 08:32:42 BST 2026



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9db53011 by Sylvain Beucler at 2026-05-22T09:32:29+02:00
dla: add mongo-c-driver

- - - - -
232a47fb by Sylvain Beucler at 2026-05-22T09:32:29+02:00
dla: add imagemagick

- - - - -
81582f24 by Sylvain Beucler at 2026-05-22T09:32:31+02:00
CVE-2026-33633,CVE-2026-33642/kitty: bullseye not-affected

- - - - -
a5560aab by Sylvain Beucler at 2026-05-22T09:32:34+02:00
CVE-2026-6811/php-mongodb: bullseye postponed

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1348,8 +1348,10 @@ CVE-2026-33741 (EspoCRM is an open source customer relationship management appli
 	NOT-FOR-US: EspoCRM
 CVE-2026-33642 (Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and b ...)
 	- kitty 0.47.0-1 (bug #1137210)
+	[bullseye] - kitty <not-affected> (frame composition introduced later)
 	NOTE: https://github.com/kovidgoyal/kitty/security/advisories/GHSA-qfgm-2c64-6x3x
 	NOTE: https://github.com/kovidgoyal/kitty/commit/e9661f0f3afb4e4dbffa509adfb3df3c9780ad34
+	NOTE: Introduced by: https://github.com/kovidgoyal/kitty/commit/340159b59141e26f25a20948fde8f9137b2df758 (v0.22.0)
 CVE-2026-33637 (Faraday is an HTTP client library abstraction layer that provides a co ...)
 	- ruby-faraday <unfixed> (bug #1137212)
 	[trixie] - ruby-faraday <not-affected> (Incomplete fix for CVE-2026-25765 not applied)
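Review bot: the new bullseye `<not-affected>` line rests on "frame composition introduced later" together with the new "Introduced by" NOTE pointing at a v0.22.0 commit, but the hunk never states which kitty version bullseye ships, so the claim cannot be checked from the entry alone. Consider naming it in the parenthetical, e.g. `[bullseye] - kitty <not-affected> (Vulnerable code introduced in v0.22.0; bullseye ships <bullseye-version>)` with the real version filled in.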
@@ -1359,8 +1361,10 @@ CVE-2026-33637 (Faraday is an HTTP client library abstraction layer that provide
 	NOTE: https://github.com/lostisland/faraday/commit/3f1280c69e93297d574e85a2d462d05ebadf1d09 (v2.14.2)
 CVE-2026-33633 (Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and belo ...)
 	- kitty 0.47.0-1 (bug #1137210)
+	[bullseye] - kitty <not-affected> (frame composition introduced later)
 	NOTE: https://github.com/kovidgoyal/kitty/security/advisories/GHSA-j68c-v8x4-269g
 	NOTE: https://github.com/kovidgoyal/kitty/commit/e9661f0f3afb4e4dbffa509adfb3df3c9780ad34
+	NOTE: Introduced by: https://github.com/kovidgoyal/kitty/commit/340159b59141e26f25a20948fde8f9137b2df758 (v0.22.0)
 CVE-2026-32882 (libheif is a HEIF and AVIF file format decoder and encoder. Versions 1 ...)
 	- libheif <unfixed>
 	NOTE: https://github.com/strukturag/libheif/security/advisories/GHSA-hg7q-rjr2-8x46
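Review bot: this is the same triage as for CVE-2026-33642 above, and it is consistent with it (both CVEs share the fix commit e9661f0f... and the introducing commit 340159b5... at v0.22.0), but as there the bullseye kitty version is not recorded; the same pointer to the shipped version would make the not-affected marking verifiable without leaving the entry.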
@@ -2661,6 +2665,7 @@ CVE-2026-6811 (Stack exhaustion vulnerability in the MongoDB PHP driver can caus
 	- php-mongodb <unfixed> (bug #1136802)
 	[trixie] - php-mongodb <no-dsa> (Minor issue)
 	[bookworm] - php-mongodb <no-dsa> (Minor issue)
+	[bullseye] - php-mongodb <postponed> (Minor issue, DoS in unusual circumstances)
 	NOTE: https://jira.mongodb.org/browse/PHPC-2636
 	NOTE: Fixed by: https://github.com/mongodb/mongo-php-driver/commit/2060beb85a041182550d022ec223783ffdaf6ec8 (1.21.5, 2.1.8)
 CVE-2026-6646 (The The7 theme for WordPress is vulnerable to Stored Cross-Site Script ...)
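Review bot: the bullseye line uses `<postponed>` while trixie and bookworm use `<no-dsa>` for the same "Minor issue" rating; the added qualifier "DoS in unusual circumstances" explains the different status, but the conditions are not named. Since the "Fixed by" NOTE already lists the fixed upstream versions (1.21.5, 2.1.8), consider stating which of those lines bullseye's php-mongodb tracks so the postponed fix can be picked up with the next update of that package.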


=====================================
data/dla-needed.txt
=====================================
@@ -249,6 +249,10 @@ haveged
   NOTE: 20260519: Added by Front-Desk (Beuc)
   NOTE: 20260519: high / LPE (Beuc/front-desk)
 --
+imagemagick
+  NOTE: 20260522: Added by Front-Desk (Beuc)
+  NOTE: 20260522: Another batch of CVEs, upcoming DSA (Beuc/front-desk)
+--
 jackson-core (Markus Koschany)
   NOTE: 20250707: Added by Front-Desk (apo)
   NOTE: 20251016: A single patch is not possible to apply to fix the CVE. I'm working on backporting more than one.
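Review bot: the imagemagick entry's second NOTE, "Another batch of CVEs, upcoming DSA", gives neither the CVE ids nor a count, unlike the nss entry later in this file, which records "(3 CVEs)" and then the DSA id once published. Adding the list or at least the count here would let the DLA assignee scope the work from dla-needed.txt alone.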
@@ -386,6 +390,10 @@ mimetex
   NOTE: 20250629: There doesn't seem to be a fix so far according to #1103801 (dleidert)
   NOTE: 20250629: Best course of action seems to be some kind of mitigation similar to https://moodle.org/mod/forum/discuss.php?d=467592 (dleidert)
 --
+mongo-c-driver
+  NOTE: 20260522: Added by Front-Desk (Beuc)
+  NOTE: 20260522: Follow bookworm 12.14 (4+1 CVEs) (Beuc/front-desk)
+--
 nagvis
   NOTE: 20250117: Added by Front-Desk (rouca)
   NOTE: 20250119: Also check/fix https://bugs.debian.org/1061044
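Review bot: "Follow bookworm 12.14 (4+1 CVEs)" leaves the "4+1" unexplained: it reads as four CVEs handled in the bookworm 12.14 point release plus one more, but which one is the extra and whether it applies to bullseye is not recorded. Spelling out the ids, or at least the additional one, would make the entry self-describing.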
@@ -424,6 +432,7 @@ nodejs (rouca)
 nss
   NOTE: 20260518: Added by Front-Desk (Beuc)
   NOTE: 20260518: Upcoming DSA (3 CVEs) (Beuc/front-desk)
+  NOTE: 20260521: DSA-6290-1 (Beuc/front-desk)
 --
 nvidia-cuda-toolkit
   NOTE: 20241004: Added by Front-Desk (Beuc)
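Review bot: the new nss NOTE records DSA-6290-1 but does not say whether the DSA covers the same three CVEs counted in the previous note; stating the count or listing the ids, as the openvpn note in the same file does with "(2 CVEs)", would spare the assignee a trip back to the tracker.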
@@ -449,6 +458,7 @@ openssl
 --
 openvpn
   NOTE: 20260517: Added by Front-Desk (pochu)
+  NOTE: 20260521: DSA-6289-1 (2 CVEs) (Beuc/front-desk)
 --
 openvswitch
   NOTE: 20260405: Added by Front-Desk (ta)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/89d5af1157993fed7495d3120a1a751ca9608ade...a5560aabacc6367185aa56f85dd1704ecb6ff79b


