[Git][security-tracker-team/security-tracker][master] 8 commits: CVE-2026-8159,CVE-2026-8161,CVE-2026-8162/node-multiparty: follow bookworm triage
Sylvain Beucler (@beuc)
gitlab at salsa.debian.org
Fri May 22 20:46:43 BST 2026
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b2a8a710 by Sylvain Beucler at 2026-05-22T21:46:13+02:00
CVE-2026-8159,CVE-2026-8161,CVE-2026-8162/node-multiparty: follow bookworm triage
- - - - -
a5fbae49 by Sylvain Beucler at 2026-05-22T21:46:16+02:00
CVE-2026-45736/node-ws: follow bookworm triage
- - - - -
d9838b1f by Sylvain Beucler at 2026-05-22T21:46:19+02:00
CVE-2026-41672,CVE-2026-41673,CVE-2026-41674,CVE-2026-41675/node-xmldom: follow bookworm triage
- - - - -
d03c14d7 by Sylvain Beucler at 2026-05-22T21:46:22+02:00
CVE-2026-42476..81/opencascade: follow bookworm triage
- - - - -
8740cc13 by Sylvain Beucler at 2026-05-22T21:46:24+02:00
CVE-2026-7582/openimageio: follow bookworm triage
- - - - -
c3dbce2e by Sylvain Beucler at 2026-05-22T21:46:27+02:00
CVE-2026-42783,CVE-2026-42784/rust-sequoia-openpgp: follow bookworm triage
- - - - -
82d9918c by Sylvain Beucler at 2026-05-22T21:46:27+02:00
dla: add xorg-server
- - - - -
e369db4c by Sylvain Beucler at 2026-05-22T21:46:28+02:00
dla: add vips
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2698,6 +2698,7 @@ CVE-2026-45736 (ws is an open source WebSocket client and server for Node.js. Pr
- node-ws 8.20.1+~cs14.19.1-1 (bug #1136804)
[trixie] - node-ws <no-dsa> (Minor issue)
[bookworm] - node-ws <no-dsa> (Minor issue)
+ [bullseye] - node-ws <postponed> (Minor issue)
NOTE: https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx
NOTE: Fixed by: https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086 (8.20.1)
CVE-2026-45622 (Vvveb is a powerful and easy to use CMS with page builder to build web ...)
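Review bot: the added `[bullseye]` line uses `<postponed>` where the trixie and bookworm lines directly above it use `<no-dsa>`, so this hunk does not literally follow the bookworm triage; `<postponed>` means the fix is still expected in a later bullseye update, which is reasonable given the Fixed by NOTE already pins the upstream commit in 8.20.1, but a short NOTE recording that intent would make the difference from bookworm look deliberate rather than accidental.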
@@ -5229,16 +5230,19 @@ CVE-2026-8162 (multiparty at 4.2.3 and lower versions are vulnerable to denial of s
- node-multiparty 4.3.0-1 (bug #1136447)
[trixie] - node-multiparty <no-dsa> (Minor issue)
[bookworm] - node-multiparty <no-dsa> (Minor issue)
+ [bullseye] - node-multiparty <postponed> (Minor issue)
NOTE: https://github.com/pillarjs/multiparty/security/advisories/GHSA-xh3c-6gcq-g4rv
CVE-2026-8161 (multiparty at 4.2.3 and lower versions are vulnerable to denial of servic ...)
- node-multiparty 4.3.0-1 (bug #1136447)
[trixie] - node-multiparty <no-dsa> (Minor issue)
[bookworm] - node-multiparty <no-dsa> (Minor issue)
+ [bullseye] - node-multiparty <postponed> (Minor issue)
NOTE: https://github.com/pillarjs/multiparty/security/advisories/GHSA-qxch-whhj-8956
CVE-2026-8159 (multiparty at 4.2.3 and lower versions are vulnerable to denial of servic ...)
- node-multiparty 4.3.0-1 (bug #1136447)
[trixie] - node-multiparty <no-dsa> (Minor issue)
[bookworm] - node-multiparty <no-dsa> (Minor issue)
+ [bullseye] - node-multiparty <postponed> (Minor issue)
NOTE: https://github.com/pillarjs/multiparty/security/advisories/GHSA-65x3-rw7q-gx94
CVE-2026-8111 (SQL injection in the web consoleof Ivanti Endpoint Managerbefore versi ...)
NOT-FOR-US: Ivanti
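Review bot: the three node-multiparty entries share bug #1136447 and the same fixed version 4.3.0-1, yet each new `[bullseye] <postponed>` line carries only "(Minor issue)" and nothing ties them together; a NOTE on one of them (or on the bug) stating that all three multiparty <= 4.2.3 denial-of-service advisories are to be handled in a single bullseye update would avoid them being revisited piecemeal.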
@@ -6861,11 +6865,13 @@ CVE-2026-42784 [openpgp: Don't imply missing key flags from key type]
- rust-sequoia-openpgp <unfixed> (bug #1137328)
[trixie] - rust-sequoia-openpgp <no-dsa> (Minor issue)
[bookworm] - rust-sequoia-openpgp <no-dsa> (Minor issue)
+ [bullseye] - rust-sequoia-openpgp <postponed> (Minor issue)
NOTE: Fixed by: https://gitlab.com/sequoia-pgp/sequoia/-/commit/58214b47b110e110432731f8fc5dec71918c4254 (openpgp/v2.3.0)
CVE-2026-42783 [openpgp: Reject nested embedded signatures]
- rust-sequoia-openpgp <unfixed> (bug #1137326)
[trixie] - rust-sequoia-openpgp <no-dsa> (Minor issue)
[bookworm] - rust-sequoia-openpgp <no-dsa> (Minor issue)
+ [bullseye] - rust-sequoia-openpgp <postponed> (Minor issue)
NOTE: Fixed by: https://gitlab.com/sequoia-pgp/sequoia/-/commit/23403ff850352b420f19a8fb4724ce35bf963e08 (openpgp/v2.3.0)
CVE-2026-5084 (WebDyne::Session versions through 2.075 for Perl generates the session ...)
NOT-FOR-US: WebDyne::Session Perl module
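Review bot: both rust-sequoia-openpgp entries remain `<unfixed>` while their Fixed by NOTEs already record upstream commits in openpgp/v2.3.0, so the new `[bullseye] <postponed>` lines have a known backport target but no note on whether the bullseye version is affected; for signature-handling fixes with titles like "Reject nested embedded signatures" and "Don't imply missing key flags from key type", a one-line rationale for "Minor issue" beyond copying the bookworm line would help the next LTS triager.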
@@ -9553,18 +9559,21 @@ CVE-2026-41675 (xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2
- node-xmldom 0.9.10-1
[trixie] - node-xmldom <no-dsa> (Minor issue)
[bookworm] - node-xmldom <no-dsa> (Minor issue)
+ [bullseye] - node-xmldom <postponed> (Minor issue)
NOTE: https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx
NOTE: https://github.com/xmldom/xmldom/commit/7207a4b0e0bcc228868075ed991665ef9f73b1c2 (0.9.10)
CVE-2026-41674 (xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) ...)
- node-xmldom 0.9.10-1
[trixie] - node-xmldom <no-dsa> (Minor issue)
[bookworm] - node-xmldom <no-dsa> (Minor issue)
+ [bullseye] - node-xmldom <postponed> (Minor issue)
NOTE: https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h
NOTE: https://github.com/xmldom/xmldom/commit/372008f9ae0e20fd69f761c7b79e202598267314 (0.9.10)
CVE-2026-41673 (xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) ...)
- node-xmldom 0.9.10-1
[trixie] - node-xmldom <no-dsa> (Minor issue)
[bookworm] - node-xmldom <no-dsa> (Minor issue)
+ [bullseye] - node-xmldom <postponed> (Minor issue)
NOTE: https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw
NOTE: https://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe (0.9.10)
NOTE: https://github.com/xmldom/xmldom/commit/430357c7b6333108856e917bf2367afe5ceb6f8a (0.9.10)
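Review bot: CVE-2026-41673 lists two upstream fix commits where the other two xmldom entries list one, and the added `[bullseye] <postponed>` line gives no hint whether both are needed; since node-xmldom in unstable is already at 0.9.10-1, a NOTE saying whether both commits are required for a bullseye backport would save the eventual DLA worker a re-read of the advisory.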
@@ -9580,6 +9589,7 @@ CVE-2026-41672 (xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2
- node-xmldom 0.9.10-1
[trixie] - node-xmldom <no-dsa> (Minor issue)
[bookworm] - node-xmldom <no-dsa> (Minor issue)
+ [bullseye] - node-xmldom <postponed> (Minor issue)
NOTE: https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8
NOTE: https://github.com/xmldom/xmldom/pull/987
NOTE: https://github.com/xmldom/xmldom/commit/fda7cc313de30243fea35cada64e0bb12099c2a1 (0.9.10)
@@ -12920,6 +12930,7 @@ CVE-2026-7582 (A vulnerability was detected in AcademySoftwareFoundation OpenIma
- openimageio <unfixed> (bug #1135382)
[trixie] - openimageio <no-dsa> (Minor issue)
[bookworm] - openimageio <no-dsa> (Minor issue)
+ [bullseye] - openimageio <postponed> (Minor issue)
NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/5131
NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/94ec2deec3e3bf2f2e2ff84d008e27425d626fe2
CVE-2026-7581 (A security vulnerability has been detected in alexta69 MeTube up to 20 ...)
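Review bot: the openimageio Fixed by NOTE names the upstream commit but, unlike the other Fixed by lines in this change (e.g. "(8.20.1)", "(openpgp/v2.3.0)"), does not record the release it landed in; appending the upstream version once known would give the new `[bullseye] <postponed>` line, and the still `<unfixed>` sid line with bug #1135382, a concrete target.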
@@ -12999,31 +13010,37 @@ CVE-2026-42481 (Open CASCADE Technology (OCCT) V8_0_0_rc5 contains multiple vuln
- opencascade <unfixed> (bug #1136008)
[trixie] - opencascade <no-dsa> (Minor issue)
[bookworm] - opencascade <no-dsa> (Minor issue)
+ [bullseye] - opencascade <postponed> (Minor issue)
NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
CVE-2026-42480 (A stack-based out-of-bounds read vulnerability in VrmlData_Scene::Read ...)
- opencascade <unfixed> (bug #1136008)
[trixie] - opencascade <no-dsa> (Minor issue)
[bookworm] - opencascade <no-dsa> (Minor issue)
+ [bullseye] - opencascade <postponed> (Minor issue)
NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
CVE-2026-42479 (An out-of-bounds read vulnerability in VrmlData_IndexedLineSet::TShape ...)
- opencascade <unfixed> (bug #1136008)
[trixie] - opencascade <no-dsa> (Minor issue)
[bookworm] - opencascade <no-dsa> (Minor issue)
+ [bullseye] - opencascade <postponed> (Minor issue)
NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
CVE-2026-42478 (An issue was discovered in VrmlData_IndexedFaceSet::TShape in the VRML ...)
- opencascade <unfixed> (bug #1136008)
[trixie] - opencascade <no-dsa> (Minor issue)
[bookworm] - opencascade <no-dsa> (Minor issue)
+ [bullseye] - opencascade <postponed> (Minor issue)
NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
CVE-2026-42477 (A heap-based out-of-bounds read vulnerability in RWObj_Reader::read in ...)
- opencascade <unfixed> (bug #1136008)
[trixie] - opencascade <no-dsa> (Minor issue)
[bookworm] - opencascade <no-dsa> (Minor issue)
+ [bullseye] - opencascade <postponed> (Minor issue)
NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
CVE-2026-42476 (Two heap-based out-of-bounds read vulnerabilities in the STL ASCII fil ...)
- opencascade <unfixed> (bug #1136008)
[trixie] - opencascade <no-dsa> (Minor issue)
[bookworm] - opencascade <no-dsa> (Minor issue)
+ [bullseye] - opencascade <postponed> (Minor issue)
NOTE: https://gist.github.com/sgInnora/dfba083d04906283e9c92aea78e2d94a
CVE-2026-42475 (SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via cr ...)
NOT-FOR-US: MixPHP Framework
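Review bot: all six opencascade entries cite only a third-party gist as reference and none records an upstream issue or fix commit, so the six added `[bullseye] <postponed>` lines have no backport target yet; given the descriptions are out-of-bounds reads in the VRML, OBJ and STL ASCII readers, a NOTE per entry stating that no upstream fix is known as of 20260522 would make the postponed status straightforward to revisit, and the sid lines stay `<unfixed>` against bug #1136008 until one appears.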
=====================================
data/dla-needed.txt
=====================================
@@ -643,6 +643,10 @@ vim
NOTE: 20260228: test failures. Working on ignoring them so the pipeline will be
NOTE: 20260228: useful to spot regressions. (paride)
--
+vips
+ NOTE: 20260522: Added by Front-Desk (Beuc)
+ NOTE: 20260522: Follow bookworm 12.14 (8 CVEs) (Beuc/front-desk)
+--
vitrage
NOTE: 20260419: Added by Front-Desk. Get in touch with zigo/upstream before (rouca)
NOTE: 20260419: CVE-2026-28370 is RCE
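Review bot: "Follow bookworm 12.14 (8 CVEs)" gives a count but not the CVE IDs, unlike the neighbouring vitrage entry which names CVE-2026-28370; listing the IDs, or linking the bookworm 12.14 update that carried them, would let whoever claims vips cross-check bullseye affectedness against data/CVE/list without re-deriving the set.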
@@ -671,6 +675,10 @@ xmlrpc-c
NOTE: 20250705: Ping'd secteam asking for current bookworm plans. (Beuc)
NOTE: 20250705: https://lists.debian.org/debian-lts/2025/07/msg00006.html
--
+xorg-server
+ NOTE: 20260522: Added by Front-Desk (Beuc)
+ NOTE: 20260522: Follow bookworm 12.14 (5 CVEs) (Beuc/front-desk)
+--
xrdp
NOTE: 20260418: Added by Front-Desk (rouca)
--
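Review bot: the xorg-server NOTE names a count (5 CVEs) but no IDs and no pointer to the bookworm 12.14 update, so the entry cannot be matched against data/CVE/list; adding the IDs, and recording whether the bullseye xorg-server source is affected by all five, would give the claimant a defined scope for the DLA.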
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a0644c9ddce63636ac3734db47d33d371e566c16...e369db4ced4d87a15fe426e214cd1eebc4b0e5b0