[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue May 26 11:40:17 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d8499b4d by Moritz Muehlenhoff at 2026-05-26T12:37:20+02:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -70,16 +70,22 @@ CVE-2026-4795 (A missing authorization vulnerability in Zyxel GS1200-5v3 firmwar
NOT-FOR-US: Zyxel
CVE-2026-48852 (PuTTY 0.71 before 0.84 has an assertion failure in ECDSA signature ver ...)
- putty 0.84-1
+ [trixie] - putty <no-dsa> (Minor issue)
+ [bookworm] - putty <no-dsa> (Minor issue)
NOTE: https://lists.tartarus.org/pipermail/putty-announce/2026/000042.html
NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/ecdsa-remotely-triggerable-assertion.html
NOTE: Fixed by: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=65b8f37c34cd80680693e813e0081cdafaf58324 (0.84)
CVE-2026-48851 (PuTTY 0.77 before 0.84 uses a copy of the PuTTY icon as a trust indica ...)
- putty 0.84-1
+ [trixie] - putty <no-dsa> (Minor issue)
+ [bookworm] - putty <no-dsa> (Minor issue)
NOTE: https://lists.tartarus.org/pipermail/putty-announce/2026/000042.html
NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/telnet-trust-sigil.html
NOTE: Fixed by: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=64712be3cbc4a02bda4a92ca97e8d4f294abbe9a (0.84)
CVE-2026-48850 (PuTTY 0.72 before 0.84 has a double free in RSA KEX.)
- putty 0.84-1
+ [trixie] - putty <no-dsa> (Minor issue)
+ [bookworm] - putty <no-dsa> (Minor issue)
NOTE: https://lists.tartarus.org/pipermail/putty-announce/2026/000042.html
NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/rsakex-double-free.html
NOTE: Fixed by: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=ba3ed53e0bf6682f89940bc2c3e83da6b1524024 (0.84)
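Review bot: all three PuTTY entries get the identical "<no-dsa> (Minor issue)" text for trixie and bookworm, yet the wishlist link for CVE-2026-48852 calls the ECDSA assertion failure remotely triggerable and CVE-2026-48850 is a double free in RSA KEX. A few words of rationale in the tag (which side of the connection has to misbehave, and that the impact is a client crash rather than worse) would make the point-release-only decision traceable when someone revisits these entries later.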
@@ -1798,10 +1804,14 @@ CVE-2026-45753
NOTE: https://symfony.com/blog/cve-2026-45753-htmlsanitizer-urlattributesanitizer-omits-action-formaction-poster-cite-javascript-uri-survives-sanitization-xss
CVE-2026-47373 (Crypt::SaltedHash versions through 0.09 for Perl is susceptible to tim ...)
- libcrypt-saltedhash-perl 0.11-1 (bug #1137253)
+ [trixie] - libcrypt-saltedhash-perl <no-dsa> (Minor issue)
+ [bookworm] - libcrypt-saltedhash-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40249915/
NOTE: Fixed by: https://github.com/robrwo/perl-Crypt-SaltedHash/commit/c07bfc5c23185b0667233d0f2e1252d81f1f027a (0.10)
CVE-2026-47372 (Crypt::SaltedHash versions through 0.09 for Perl generate insecure ran ...)
- libcrypt-saltedhash-perl 0.11-1 (bug #1137253)
+ [trixie] - libcrypt-saltedhash-perl <no-dsa> (Minor issue)
+ [bookworm] - libcrypt-saltedhash-perl <no-dsa> (Minor issue)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40252126/
NOTE: Fixed by: https://github.com/robrwo/perl-Crypt-SaltedHash/commit/9b68437d2cd420b819b3a795474c3870338d38d5 (0.10)
CVE-2026-9101 (Prototype pollution in csv parsing logic during import can lead to unt ...)
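Review bot: both Crypt::SaltedHash entries share bug #1137253 and both "Fixed by" commits land in upstream 0.10, so when the trixie/bookworm follow-up for these no-dsa markers is prepared, one upload backporting both commits covers the timing issue (CVE-2026-47373) and the insecure salt generation (CVE-2026-47372) together; a note line saying so would save re-deriving that from the two commit links.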
@@ -2734,6 +2744,8 @@ CVE-2026-8945 (Sandbox escape in Firefox and Firefox Focus for Android. This vul
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-46/#CVE-2026-8945
CVE-2026-XXXX [VSV00019]
- varnish <unfixed>
+ [bookworm] - varnish <not-affected> (Vulnerable code not present, introduced in 7.6)
+ [bullseye] - varnish <not-affected> (Vulnerable code not present, introduced in 7.6)
NOTE: https://vinyl-cache.org/security/VSV00019.html
NOTE: https://code.vinyl-cache.org/vinyl-cache/vinyl-cache/commit/dfc27fb4e7bf110945f5c145ce95b8de14ead77f (master)
NOTE: https://code.vinyl-cache.org/vinyl-cache/vinyl-cache/commit/037031d429e3d309ae66ebabff33aa591402f20e (6.0)
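Review bot: the entry still carries the CVE-2026-XXXX placeholder; once the id for VSV00019 is assigned the line must be renamed so the new bookworm and bullseye "<not-affected> (Vulnerable code not present, introduced in 7.6)" markers stay attached to the real id. No trixie line is added, so trixie remains affected via "varnish <unfixed>", which is consistent with "varnish (jmm)" being added to dsa-needed.txt in the same commit.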
@@ -4441,6 +4453,7 @@ CVE-2026-44586 (SiYuan is an open-source personal knowledge management system. F
NOT-FOR-US: SiYuan
CVE-2026-44544 (gittuf is a platform-agnostic Git security system. Prior to 0.14.0, an ...)
- gittuf <unfixed> (bug #1136704)
+ [trixie] - gittuf <no-dsa> (Minor issue)
NOTE: https://github.com/gittuf/gittuf/security/advisories/GHSA-vxvc-cg7j-rwqj
NOTE: Fixed by (merge): https://github.com/gittuf/gittuf/commit/dd76efa505f9137a4a9a625c5ac67b333365a1b8 (v0.14.0)
CVE-2026-44542 (FileBrowser Quantum is a free, self-hosted, web-based file manager. Pr ...)
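Review bot: only a trixie no-dsa line is added for gittuf while the source entry stays "<unfixed> (bug #1136704)" even though a "Fixed by (merge)" commit for v0.14.0 is already recorded; that is fine for a triage commit, but the bug reference is the thing to watch so the sid upload gets tracked. No bookworm line is added, which is correct only if gittuf is not shipped in bookworm; otherwise the tracker will list it as affected there.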
@@ -9861,7 +9874,9 @@ CVE-2026-39826 (If a trusted template author were to write a <script> tag contai
- golang-1.25 1.25.10-1
- golang-1.26 1.26.3-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
[bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/go/+/771180
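Review bot: the trixie and bookworm no-dsa markers are anchored on the "golang-1.24 <removed>" and "golang-1.19 <removed>" source entries, which is the right place since those are the toolchains shipped in those releases; the same pair of lines is repeated for all six Go CVEs in this commit (CVE-2026-39826, 39825, 39823, 39820, 39819, 39817). Worth keeping in mind for the follow-up: a fix in the toolchain only reaches already-built Go packages once they are rebuilt, so the bullseye line's "follow bookworm DSAs/point-releases" hint applies equally to the bookworm and trixie point-release uploads these markers defer to.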
@@ -9871,7 +9886,9 @@ CVE-2026-39825 (ReverseProxy can forward queries containing parameters not visib
- golang-1.25 1.25.10-1
- golang-1.26 1.26.3-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
[bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/go/+/770541
@@ -9881,7 +9898,9 @@ CVE-2026-39823 (CVE-2026-27142 fixed a vulnerability in which URLs were not corr
- golang-1.25 1.25.10-1
- golang-1.26 1.26.3-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
[bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/go/+/769920
@@ -9891,7 +9910,9 @@ CVE-2026-39820 (Well-crafted inputs reaching ParseAddress, ParseAddressList, and
- golang-1.25 1.25.10-1
- golang-1.26 1.26.3-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
[bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/go/+/759940
@@ -9901,7 +9922,9 @@ CVE-2026-39819 (The "go bug" command writes to two files with predictable names
- golang-1.25 1.25.10-1
- golang-1.26 1.26.3-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
[bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/go/+/763882
@@ -9911,7 +9934,9 @@ CVE-2026-39817 (The "go tool pack" subcommand (usually used only by the compiler
- golang-1.25 1.25.10-1
- golang-1.26 1.26.3-1
- golang-1.24 <removed>
+ [trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
[bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/go/+/767520
@@ -25164,6 +25189,8 @@ CVE-2026-34727 (Vikunja is an open-source self-hosted task management platform.
NOT-FOR-US: Vikunja
CVE-2026-34481 (Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2. ...)
- apache-log4j2 <unfixed> (bug #1133846)
+ [trixie] - apache-log4j2 <no-dsa> (Minor issue)
+ [bookworm] - apache-log4j2 <no-dsa> (Minor issue)
- apache-log4j1.2 <not-affected> (Vulnerable code not present)
NOTE: https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv
NOTE: https://logging.apache.org/security.html#CVE-2026-34481
@@ -25171,13 +25198,19 @@ CVE-2026-34481 (Apache Log4j's JsonTemplateLayout https://logging.apache.org/lo
NOTE: Fixed by: https://github.com/apache/logging-log4j2/commit/2c4dd1db372c59ad73aca88e281635fe30072268 (rel/2.25.4)
CVE-2026-34480 (Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/ma ...)
- apache-log4j2 <unfixed> (bug #1133847)
+ [trixie] - apache-log4j2 <no-dsa> (Minor issue)
+ [bookworm] - apache-log4j2 <no-dsa> (Minor issue)
- apache-log4j1.2 <unfixed> (bug #1136032)
+ [trixie] - apache-log4j1.2 <no-dsa> (Minor issue)
+ [bookworm] - apache-log4j1.2 <no-dsa> (Minor issue)
NOTE: https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb
NOTE: https://logging.apache.org/security.html#CVE-2026-34480
NOTE: https://github.com/apache/logging-log4j2/pull/4077
NOTE: Fixed by: https://github.com/apache/logging-log4j2/commit/4f5014229825d8be977662e0743205bb8a67f989 (rel/2.25.4)
CVE-2026-34479 (The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to ...)
- apache-log4j2 <unfixed> (bug #1133848)
+ [trixie] - apache-log4j2 <no-dsa> (Minor issue)
+ [bookworm] - apache-log4j2 <no-dsa> (Minor issue)
- apache-log4j1.2 <not-affected> (Vulnerable code not present)
NOTE: https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on
NOTE: https://logging.apache.org/security.html#CVE-2026-34479
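Review bot: for CVE-2026-34480 apache-log4j1.2 is "<unfixed> (bug #1136032)" with no-dsa markers for trixie and bookworm, while for CVE-2026-34481 and CVE-2026-34479 it is "<not-affected> (Vulnerable code not present)"; that split matches the descriptions (XmlLayout exists in the 1.2 code base, JsonTemplateLayout and the Log4j1XmlLayout bridge do not). The only "Fixed by" note, however, points at the logging-log4j2 commit for rel/2.25.4; a pointer to the change that applies to the 1.2 tree would help whoever prepares the apache-log4j1.2 follow-up.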
=====================================
data/dsa-needed.txt
=====================================
@@ -52,7 +52,7 @@ jetty12/stable
--
kamailio
--
-kdenlive
+kdenlive (jmm)
Maintainer preparing updates
--
kitty
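Review bot: "kdenlive (jmm)" now sits directly above "Maintainer preparing updates"; if the claim means jmm is reviewing or sponsoring the maintainer's update rather than preparing it, saying so on the note line avoids two people working on the same upload. The same applies to "symfony (jmm)" above "Maintainer is preparing updates" in the next hunk.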
@@ -105,7 +105,7 @@ runc
rust-wasmtime
for CVE-2026-34987 CVE-2026-34971, rest would also be fine to ignore
--
-symfony
+symfony (jmm)
Maintainer is preparing updates
--
sympa/oldstable
@@ -117,6 +117,8 @@ tomcat11/stable (apo)
unbound
Maintiner proposed debdiff for trixie-security for review
--
+varnish (jmm)
+--
xrdp
--
yelp
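Review bot: "varnish (jmm)" is added without a note line, which is consistent with entries like kamailio, kitty and xrdp in this file, but the issue it tracks is still the CVE-2026-XXXX [VSV00019] placeholder in data/CVE/list; a short "for VSV00019" note, in the style of the rust-wasmtime entry's "for CVE-2026-34987 CVE-2026-34971", would tie the two files together until the CVE id is assigned.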
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8499b4d5cec490f14e801a3e560338def01f691