[Git][security-tracker-team/security-tracker][master] roundcube,varnish,unbound,starlette DSAs
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed May 27 21:57:49 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2929ed28 by Moritz Mühlenhoff at 2026-05-27T22:57:18+02:00
roundcube,varnish,unbound,starlette DSAs
- - - - -
3 changed files:
- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5605,6 +5605,7 @@ CVE-2026-8945 (Sandbox escape in Firefox and Firefox Focus for Android. This vul
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-46/#CVE-2026-8945
CVE-2026-XXXX [VSV00019]
- varnish <unfixed>
+ [trixie] - varnish 7.7.0-3+deb13u1
[bookworm] - varnish <not-affected> (Vulnerable code not present, introduced in 7.6)
[bullseye] - varnish <not-affected> (Vulnerable code not present, introduced in 7.6)
NOTE: https://vinyl-cache.org/security/VSV00019.html
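Review bot: the added `[trixie] - varnish 7.7.0-3+deb13u1` line sits under the placeholder id CVE-2026-XXXX [VSV00019], and the DSA-6303-1 entry added to data/DSA/list in this same commit lists only CVE-2025-8671, so this issue is tied to the advisory only through a hand-maintained version line. Once the CVE id for VSV00019 is assigned, rename the entry and add the id to the DSA-6303-1 braces so the tracker derives the trixie fix state from the DSA rather than from this line.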
@@ -127030,7 +127031,6 @@ CVE-2025-8671 (A mismatch caused by client-triggered server-sent stream resets b
[bullseye] - h2o <postponed> (Minor issue)
- haproxy <not-affected> (Performs stream management correctly)
- varnish 7.7.2-1
- [trixie] - varnish <no-dsa> (Minor issue; will be fixed via point release)
[bookworm] - varnish <ignored> (Minor issue, too intrusive to backport)
[bullseye] - varnish <ignored> (Minor issue, too intrusive to backport)
NOTE: https://kb.cert.org/vuls/id/767506
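Review bot: removing `[trixie] - varnish <no-dsa> (Minor issue; will be fixed via point release)` is what lets the tracker pick up the trixie fix for CVE-2025-8671 from DSA-6303-1 (7.7.0-3+deb13u1, added in data/DSA/list in this commit). The dropped rationale said the issue would wait for a point release, so a sentence in the commit message on why it was promoted to a DSA would help anyone reading the history.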
@@ -133538,7 +133538,7 @@ CVE-2025-5681 (Authorization Bypass Through User-Controlled Key vulnerability in
NOT-FOR-US: Turtek Software Eyotek
CVE-2025-54121 (Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface ...)
- starlette 0.46.1-3 (bug #1109805)
- [bookworm] - starlette <no-dsa> (Minor issue)
+ [bookworm] - starlette 0.26.1-1+deb12u1
[bullseye] - starlette <postponed> (minor issue; Dos can be fixed in next update)
NOTE: https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73
NOTE: Fixed by: https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1 (0.47.2)
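Review bot: `[bookworm] - starlette 0.26.1-1+deb12u1` replaces a `<no-dsa>` marker here, and the same replacement is made for CVE-2024-47874 and CVE-2023-29159 in the two hunks that follow, yet DSA-6302-1 in data/DSA/list lists only CVE-2026-48710. If the deb12u1 upload also fixes these three older issues, add their ids to the DSA-6302-1 braces so they are attributed to the advisory instead of appearing as unexplained version bumps; if it does not, the bookworm lines here are wrong and should keep their previous status. The unchanged bullseye context line spells `Dos`; it should read `DoS` the next time that line is touched.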
@@ -222934,7 +222934,7 @@ CVE-2024-47876 (Sakai is a Collaboration and Learning Environment. Starting in v
NOT-FOR-US: Sakai
CVE-2024-47874 (Starlette is an Asynchronous Server Gateway Interface (ASGI) framework ...)
- starlette 0.41.0-1 (bug #1085295)
- [bookworm] - starlette <no-dsa> (Minor issue)
+ [bookworm] - starlette 0.26.1-1+deb12u1
[bullseye] - starlette <postponed> (Minor issue; can be fixed in next update)
NOTE: https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw
NOTE: https://github.com/encode/starlette/commit/fd038f3070c302bff17ef7d173dbb0b007617733 (0.40.0)
@@ -333844,7 +333844,7 @@ CVE-2023-30758 (Cross-site scripting vulnerability in Pleasanter 1.3.38.1 and ea
NOT-FOR-US: Pleasanter
CVE-2023-29159 (Directory traversal vulnerability in Starlette versions 0.13.5 and lat ...)
- starlette 0.28.0-1
- [bookworm] - starlette <no-dsa> (Minor issue)
+ [bookworm] - starlette 0.26.1-1+deb12u1
[bullseye] - starlette <no-dsa> (Minor issue)
NOTE: https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px
NOTE: https://github.com/encode/starlette/commit/1797de464124b090f10cf570441e8292936d63e3 (0.27.0)
=====================================
data/DSA/list
=====================================
@@ -1,3 +1,17 @@
+[27 May 2026] DSA-6304-1 unbound - security update
+ {CVE-2026-33278 CVE-2026-42944 CVE-2026-42959 CVE-2026-32792 CVE-2026-40622 CVE-2026-41292 CVE-2026-42534 CVE-2026-42923 CVE-2026-42960 CVE-2026-44390 CVE-2026-44608}
+ [trixie] - unbound 1.22.0-2+deb13u3
+[27 May 2026] DSA-6303-1 varnish - security update
+ {CVE-2025-8671}
+ [trixie] - varnish 7.7.0-3+deb13u1
+[27 May 2026] DSA-6302-1 starlette - security update
+ {CVE-2026-48710}
+ [bookworm] - starlette 0.26.1-1+deb12u1
+ [trixie] - starlette 0.46.1-3+deb13u2
+[27 May 2026] DSA-6301-1 roundcube - security update
+ {CVE-2026-48842 CVE-2026-48843 CVE-2026-48844 CVE-2026-48845 CVE-2026-48846 CVE-2026-48847 CVE-2026-48848 CVE-2026-48849}
+ [bookworm] - roundcube 1.6.5+dfsg-1+deb12u9
+ [trixie] - roundcube 1.6.16+dfsg-0+deb13u1
[26 May 2026] DSA-6300-1 node-shell-quote - security update
{CVE-2026-9277}
[bookworm] - node-shell-quote 1.7.4+~1.7.1-1+deb12u1
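Review bot: DSA-6304-1 unbound (11 CVE ids) and DSA-6301-1 roundcube (8 CVE ids) are added here with no matching hunk in data/CVE/list, which is only correct if none of those entries still carry a `[trixie]` or `[bookworm]` `<no-dsa>`/`<postponed>` marker that the DSA now supersedes; the tracker's consistency checks should be run on this commit to confirm. For DSA-6302-1 starlette, the single id CVE-2026-48710 does not cover the three older CVEs whose bookworm status this commit changes to the same 0.26.1-1+deb12u1, and for DSA-6303-1 varnish the VSV00019 issue fixed by the same 7.7.0-3+deb13u1 cannot be listed until its CVE id is assigned; both braces will need updating.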
=====================================
data/dsa-needed.txt
=====================================
@@ -90,9 +90,6 @@ prometheus
--
python-aiohttp/oldstable
--
-roundcube (jmm)
- Maintainer working on updates
---
rtpengine
Victor Seva prepared a debdiff for trixie-security for review, bookworm-security debdiff missing
--
@@ -106,8 +103,6 @@ runc
rust-wasmtime
for CVE-2026-34987 CVE-2026-34971, rest would also be fine to ignore
--
-starlette (jmm)
---
symfony (jmm)
Maintainer is preparing updates
--
@@ -117,11 +112,6 @@ tomcat10 (apo)
--
tomcat11/stable (apo)
--
-unbound (jmm)
- Maintiner proposed debdiff for trixie-security for review
---
-varnish (jmm)
---
xrdp
--
yelp
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2929ed28b6bb083fbe7a2a71ebeba39376ddd855