[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed May 27 08:35:11 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
23e0ef2d by Moritz Muehlenhoff at 2026-05-27T09:26:47+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1478,6 +1478,7 @@ CVE-2026-9277 (shell-quote's `quote()` function did not validate object-token in
 	{DSA-6300-1}
 	- node-shell-quote 1.8.4+~1.7.5-1 (bug #1137372)
 	NOTE: https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p
+	NOTE: https://github.com/ljharb/shell-quote/commit/4378a6e613db5948168684864e49b42b83134d2d (v1.8.4)
 CVE-2026-9256 (NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ ...)
 	- nginx 1.30.1-3 (bug #1137339)
 	NOTE: https://my.f5.com/manage/s/article/K000161377
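Review bot: The new NOTE on CVE-2026-9277 records the fixing commit without the `Fixed by:` prefix that other entries in this diff use for the same kind of reference (e.g. `NOTE: Fixed by: https://github.com/openSUSE/libsolv/commit/c5b5db52aebde00bdeacecf4d0569c217ab3187d (0.7.37)` and the aiohttp entries); consider `NOTE: Fixed by: https://github.com/ljharb/shell-quote/commit/4378a6e613db5948168684864e49b42b83134d2d (v1.8.4)` so readers and tooling can tell a fix reference apart from an introducing-commit or advisory reference.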
@@ -2253,12 +2254,16 @@ CVE-2026-9152 (A missing authentication vulnerability exists in the Altium 365 S
 	NOT-FOR-US: Altium
 CVE-2026-9150 (A flaw was found in libsolv. This stack-based buffer overflow vulnerab ...)
 	- libsolv 0.7.37-1
+	[trixie] - libsolv <no-dsa> (Minor issue)
+	[bookworm] - libsolv <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2460379
 	NOTE: https://github.com/openSUSE/libsolv/pull/616
 	NOTE: Introduced with: https://github.com/openSUSE/libsolv/commit/c8164bfecf2ba8bcf4c24329534d3104f19da73c (0.6.4)
 	NOTE: Fixed by: https://github.com/openSUSE/libsolv/commit/c5b5db52aebde00bdeacecf4d0569c217ab3187d (0.7.37)
 CVE-2026-9149 (A flaw was found in libsolv. This heap buffer overflow vulnerability o ...)
 	- libsolv <unfixed> (bug #1137373)
+	[trixie] - libsolv <no-dsa> (Minor issue)
+	[bookworm] - libsolv <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2460380
 	NOTE: https://github.com/openSUSE/libsolv/pull/617
 	NOTE: https://github.com/openSUSE/libsolv/commit/210386037c892a720972ad35a3d8f7073b4d763b
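Review bot: Both libsolv entries get `<no-dsa> (Minor issue)` for trixie and bookworm, but the visible descriptions are a stack-based buffer overflow (CVE-2026-9150) and a heap buffer overflow (CVE-2026-9149), and the `Introduced with:` NOTE dates the bug to 0.6.4, so both suites are in scope; a short NOTE stating why they are judged minor (what input reaches the overflow, whether the impact is limited to a crash) would let whoever later prepares a point-release or LTS update reuse the reasoning instead of re-triaging. CVE-2026-9149 also remains `<unfixed>` in unstable, so the marker should not be read as closing bug #1137373.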
@@ -5759,6 +5764,8 @@ CVE-2026-43997 (vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, i
 	NOT-FOR-US: Node.js vm2
 CVE-2026-43970 (Improper Handling of Highly Compressed Data (Data Amplification) vulne ...)
 	- erlang-cowlib <unfixed> (bug #1136649)
+	[trixie] - erlang-cowlib <no-dsa> (Minor issue)
+	[bookworm] - erlang-cowlib <no-dsa> (Minor issue)
 	NOTE: https://cna.erlef.org/cves/CVE-2026-43970.html
 	NOTE: https://osv.dev/vulnerability/EEF-CVE-2026-43970
 	NOTE: https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282 (2.16.1)
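Review bot: erlang-cowlib is still `<unfixed>` in unstable (bug #1136649) while trixie and bookworm are now `<no-dsa>`; for a data-amplification issue the practical exposure depends on whether the decompression limit can be reached from the network in the default configuration, and a NOTE capturing that judgement would make the `Minor issue` marker verifiable later. The commit NOTE already carries the upstream fixed version (2.16.1), which is what makes the eventual unstable upload easy to check.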
@@ -8034,6 +8041,8 @@ CVE-2026-7813 (Authorization vulnerability in pgAdmin 4 server mode affecting Se
 	- pgadmin4 <itp> (bug #834129)
 CVE-2026-7790 (Uncontrolled Resource Consumption vulnerability in ninenines cowlib (c ...)
 	- erlang-cowlib <unfixed> (bug #1136446)
+	[trixie] - erlang-cowlib <no-dsa> (Minor issue)
+	[bookworm] - erlang-cowlib <no-dsa> (Minor issue)
 	NOTE: https://cna.erlef.org/cves/CVE-2026-7790.html
 	NOTE: https://osv.dev/vulnerability/EEF-CVE-2026-7790
 	NOTE: https://github.com/ninenines/cowlib/commit/a4b8039ce8c93ab00867ef6b7e888822c09f4369
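Review bot: Same triage as CVE-2026-43970, but here the upstream commit NOTE carries no fixed-version tag; if the release containing a4b8039ce8c93ab00867ef6b7e888822c09f4369 is known, adding it in parentheses like the other commit references in this file would make the unstable fix (bug #1136446) easier to confirm when the package is updated.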
@@ -13708,6 +13717,8 @@ CVE-2026-42796 (Arelle before 2.39.10 contains an unauthenticated remote code ex
 	NOT-FOR-US: Arelle
 CVE-2026-42440 (OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP ...)
 	- apache-opennlp 2.5.9-1 (bug #1135782)
+	[trixie] - apache-opennlp <no-dsa> (Minor issue)
+	[bookworm] - apache-opennlp <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/01/21
 	NOTE: https://issues.apache.org/jira/browse/OPENNLP-1821
 	NOTE: https://github.com/apache/opennlp/pull/1022
@@ -13825,6 +13836,8 @@ CVE-2026-42052 (Beets is the media library management system. Prior to version 2
 	NOTE: https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847
 CVE-2026-42027 (Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP Ext ...)
 	- apache-opennlp 2.5.9-1 (bug #1135782)
+	[trixie] - apache-opennlp <no-dsa> (Minor issue)
+	[bookworm] - apache-opennlp <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/01/20
 	NOTE: https://issues.apache.org/jira/browse/OPENNLP-1820
 	NOTE: https://github.com/apache/opennlp/pull/1021
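Review bot: The description implies that a crafted model manifest controls which class gets instantiated, which is a different risk profile from the OOM DoS in CVE-2026-42440 that shares bug #1135782 and the same `<no-dsa> (Minor issue)` marking; if the judgement is that OpenNLP models are operator-supplied rather than untrusted input for the Debian package, record that in a NOTE so the marker can be revisited if a reverse dependency turns out to load user-supplied models.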
@@ -13854,6 +13867,8 @@ CVE-2026-40797 (Improper Neutralization of Special Elements used in an SQL Comma
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-40682 (XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache ...)
 	- apache-opennlp 2.5.9-1 (bug #1135782)
+	[trixie] - apache-opennlp <no-dsa> (Minor issue)
+	[bookworm] - apache-opennlp <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/01/19
 	NOTE: https://issues.apache.org/jira/browse/OPENNLP-1819
 	NOTE: https://github.com/apache/opennlp/pull/1019
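Review bot: An XXE via unsanitized dictionary parsing lets a crafted dictionary file reach the XML parser's external-entity handling, again a different exposure class from the OOM DoS in CVE-2026-42440 that carries the same bug #1135782 and the same `<no-dsa> (Minor issue)` marker; a NOTE stating the assumption behind the rating (for example that dictionaries are not untrusted input in practice) would keep the three apache-opennlp entries from reading as one copied triage and make the decision reviewable when 2.5.9-1 is compared against the trixie and bookworm versions.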
@@ -31639,6 +31654,8 @@ CVE-2026-34519 (AIOHTTP is an asynchronous HTTP client/server framework for asyn
 	NOTE: Fixed by: https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b (v3.13.4)
 CVE-2026-34518 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
 	- python-aiohttp 3.13.5-1 (bug #1132582)
+	[trixie] - python-aiohttp <no-dsa> (Minor issue)
+	[bookworm] - python-aiohttp <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-966j-vmvw-g2g9
 	NOTE: Fixed by: https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6 (v3.13.4)
 CVE-2026-34517 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
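Review bot: CVE-2026-34518 is marked `<no-dsa>` for bookworm here, yet `python-aiohttp/oldstable` (i.e. bookworm) is still listed in data/dsa-needed.txt in this same commit (unchanged context in that file's hunk); if a bookworm DSA for python-aiohttp is being prepared for other CVEs, it is normally cheaper to fold this fix (commit 5351c980dcec7ad385730efdf4e1f4338b24fdb6, v3.13.4) into that update than to leave it no-dsa, so either reference the pending DSA in a NOTE or confirm that the marker is intended.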


=====================================
data/dsa-needed.txt
=====================================
@@ -88,7 +88,7 @@ prometheus
 --
 python-aiohttp/oldstable
 --
-roundcube
+roundcube (jmm)
   Maintainer working on updates
 --
 rtpengine
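Review bot: Claiming `roundcube (jmm)` while leaving the `Maintainer working on updates` sub-line in place now describes two parties without saying how they relate; consider updating the sub-line to state whether the maintainer's update is being reviewed or sponsored by jmm, or whether the claim supersedes it, so the next reader of dsa-needed.txt knows who is actually producing the DSA.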



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23e0ef2d44eafc7a582da8ad217f83b25c0ab925


