[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri May 22 16:17:52 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
db92ea74 by Moritz Muehlenhoff at 2026-05-22T17:17:40+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -164,6 +164,8 @@ CVE-2026-22678 (Webmin before 2.641 contains a stored cross-site scripting vulne
 	TODO: check
 CVE-2026-5091 (Catalyst::Plugin::Authentication versions through 0.10024 for Perl  is ...)
 	- libcatalyst-plugin-authentication-perl <unfixed> (bug #1137325)
+	[trixie] - libcatalyst-plugin-authentication-perl <no-dsa> (Minor issue)
+	[bookworm] - libcatalyst-plugin-authentication-perl <no-dsa> (Minor issue)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/40281889/
 	NOTE: https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b0515f492257438cf07082acf1e10d06e8088a5e (v0.10_025)
 CVE-2026-8376 [Buffer overflow in Perl_study_chunk]
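Review bot: the only fix reference for CVE-2026-5091 is the upstream commit tagged v0.10_025, a developer release tag, while the CVE text covers "versions through 0.10024"; the sid entry therefore stays `<unfixed>` and both stable suites are parked on `<no-dsa>` with nothing recording what is awaited. Consider adding a NOTE stating whether a regular CPAN release containing b0515f49 is expected, so a later triager does not have to re-derive why the entry has not moved.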
@@ -963,6 +965,7 @@ CVE-2026-XXXX [RUSTSEC-2026-0145]
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0145.html
 CVE-2026-41999 (Incorrect Behaviour of Views with TCP PROXY Requests)
 	- pdns 5.0.5-1
+	[trixie] - pdns <not-affected> (Vulnerable code not present, only affects 5.0.x)
 	[bookworm] - pdns <end-of-life> (See #1119290)
 	[bullseye] - pdns <end-of-life> (see DLA 4471)
 	NOTE: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-06.html#incorrect-behaviour-of-views-with-tcp-proxy-requests
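Review bot: the trixie rationale `<not-affected> (Vulnerable code not present, only affects 5.0.x)` makes the reader infer which pdns series trixie ships from the sid fix version 5.0.5-1 two lines above. Since the advisory is specifically about Views with TCP PROXY requests, spelling the reason out in terms of the feature (that the Views code the advisory concerns is not in trixie's pdns) would make the entry self-contained and robust against later edits to the unstable line.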
@@ -1857,6 +1860,8 @@ CVE-2026-8843 (Creating a "2dsphere_bucket" index on a non-timeseries bucket col
 	NOTE: https://jira.mongodb.org/browse/SERVER-116327
 CVE-2026-8836 (A vulnerability was found in lwIP up to 2.2.1. Affected is the functio ...)
 	- lwip <unfixed>
+	[trixie] - lwip <no-dsa> (Minor issue)
+	[bookworm] - lwip <no-dsa> (Minor issue)
 	NOTE: https://savannah.nongnu.org/bugs/?68194
 	NOTE: https://cgit.git.savannah.gnu.org/cgit/lwip.git/commit/?id=0c957ec03054eb6c8205e9c9d1d05d90ada3898c
 CVE-2026-8803 (A flaw has been found in opensourcepos Open Source Point of Sale up to ...)
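Review bot: `- lwip <unfixed>` carries no `(bug #...)` reference, unlike the other `<unfixed>`/`<no-dsa>` entries touched in this commit (libcatalyst-plugin-authentication-perl, uriparser, zabbix all cite a Debian bug). An upstream fix commit (0c957ec0) is already linked in the NOTE, so a bug against lwip pointing at it would give the maintainer something to act on; otherwise a `<no-dsa> (Minor issue)` entry with no bug tends to stay unfixed in all suites.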
@@ -2703,6 +2708,8 @@ CVE-2026-44666 (HRConvert2 is a self-hosted, drag-and-drop & nosql file conversi
 	NOT-FOR-US: HRConvert2
 CVE-2026-44662 (rust-openssl provides OpenSSL bindings for the Rust programming langua ...)
 	- rust-openssl 0.10.79-1 (bug #1136788)
+	[trixie] - rust-openssl <no-dsa> (Minor issue)
+	[bookworm] - rust-openssl <no-dsa> (Minor issue)
 	NOTE: https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xv59-967r-8726
 CVE-2026-44661 (python-utcp is the python implementation of UTCP. Prior to 1.1.3, the  ...)
 	NOT-FOR-US: python-utcp
@@ -2766,6 +2773,8 @@ CVE-2026-42847 (ClipBucket v5 is an open source video sharing platform. Prior to
 	NOT-FOR-US: ClipBucket
 CVE-2026-42327 (rust-openssl provides OpenSSL bindings for the Rust programming langua ...)
 	- rust-openssl 0.10.79-1 (bug #1136787)
+	[trixie] - rust-openssl <no-dsa> (Minor issue)
+	[bookworm] - rust-openssl <no-dsa> (Minor issue)
 	NOTE: https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xp3w-r5p5-63rr
 CVE-2026-41702 (VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerabil ...)
 	NOT-FOR-US: VMware
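Review bot: CVE-2026-42327 and CVE-2026-44662 are both fixed by the same upload, rust-openssl 0.10.79-1, and tracked under adjacent bugs (#1136787, #1136788), yet each gets its own pair of `<no-dsa> (Minor issue)` lines with no cross-reference. A NOTE on one entry pointing at the other (or a shared reason such as "Minor issue, fix together with CVE-2026-44662 via point update") would make clear that any stable update for rust-openssl should carry both fixes and that the rebuild of reverse dependencies a crate update implies only needs to happen once.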
@@ -7242,11 +7251,15 @@ CVE-2026-5127 (The User Frontend: AI Powered Frontend Posting, User Directory, P
 	NOT-FOR-US: WordPress plugin
 CVE-2026-44928 (In uriparser before 1.0.2, the function family EqualsUri can misclassi ...)
 	- uriparser <unfixed> (bug #1136088)
+	[trixie] - uriparser <no-dsa> (Minor issue)
+	[bookworm] - uriparser <no-dsa> (Minor issue)
 	NOTE: https://github.com/uriparser/uriparser/pull/305
 	NOTE: Fixed by: https://github.com/uriparser/uriparser/commit/723717c713a01c08efed6b3ded9583d7819e3386
 	NOTE: Test: https://github.com/uriparser/uriparser/commit/bd7f2e6c0c17dd78853f85107535391b4635a86d
 CVE-2026-44927 (In uriparser before 1.0.2, there is pointer difference truncation to i ...)
 	- uriparser <unfixed> (bug #1136088)
+	[trixie] - uriparser <no-dsa> (Minor issue)
+	[bookworm] - uriparser <no-dsa> (Minor issue)
 	NOTE: https://github.com/uriparser/uriparser/pull/304
 	NOTE: Fixed by (merge): https://github.com/uriparser/uriparser/commit/dd98b0fa4ea69084ede319174ef107a5260d1334
 CVE-2026-44500 (ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad versio ...)
@@ -10060,12 +10073,18 @@ CVE-2026-29080 (A SQL injection vulnerability in `FilterEngine.create_sqla_query
 	NOT-FOR-US: Rucio
 CVE-2026-23928 (The Item history widget (in Zabbix 7.0+) or the Plain text widget (in  ...)
 	- zabbix <unfixed> (bug #1137209)
+	[trixie] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
+	[bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
 	NOTE: https://support.zabbix.com/browse/ZBX-27760
 CVE-2026-23927 (A user able to connect to Agent 2 can inject an Oracle TNS connection  ...)
 	- zabbix <unfixed> (bug #1137209)
+	[trixie] - zabbix <no-dsa> (Minor issue)
+	[bookworm] - zabbix <no-dsa> (Minor issue)
 	NOTE: https://support.zabbix.com/browse/ZBX-27759
 CVE-2026-23926 (An authenticated (non-super) administrator can create a maintenance pe ...)
 	- zabbix <unfixed> (bug #1137209)
+	[trixie] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
+	[bookworm] - zabbix <ignored> (The WEB UI is only supported for access by trusted users, no security updates issued for it, #1124558)
 	NOTE: https://support.zabbix.com/browse/ZBX-27758
 CVE-2026-23870 (A denial of service vulnerability could be triggered by sending specia ...)
 	TODO: check
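Review bot: the three zabbix CVEs share bug #1137209 but are split into two dispositions, and the odd one out, CVE-2026-23927 (`<no-dsa> (Minor issue)`), gives no hint why it differs from its neighbours, which are `<ignored>` under the trusted-users web UI policy (#1124558). The description shows it is an Agent 2 issue, so the web UI policy does not apply; stating that in the reason, e.g. "Minor issue, agent2 component, not covered by the web UI policy in #1124558", would stop a later triager from "harmonising" it to `<ignored>`.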


=====================================
data/dsa-needed.txt
=====================================
@@ -94,6 +94,8 @@ php-laravel-framework/oldstable
 php-twig
   Maintainer will prepare updates
 --
+prometheus
+--
 python-aiohttp/oldstable
 --
 rtpengine
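Review bot: `prometheus` is added to dsa-needed.txt without a suite suffix, a claimer or a status line, whereas the neighbouring `php-twig` entry records "Maintainer will prepare updates" and `python-aiohttp/oldstable` records the suite. If the intent is a stable-only update by the security team, a short note (or `(initials)` once someone picks it up) would avoid the entry sitting unowned; if oldstable is also affected, the suffix convention used elsewhere in the file should be applied.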
@@ -124,5 +126,9 @@ tomcat10 (apo)
 --
 tomcat11/stable (apo)
 --
+unbound
+--
 xrdp
 --
+yelp
+--



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db92ea742091621c04782439f33bac56aaddea99


