[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri May 29 09:21:48 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7fc36e8e by Moritz Muehlenhoff at 2026-05-29T10:21:25+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -4070,6 +4070,8 @@ CVE-2026-6268 (The EventPress WordPress theme before 22.2 does not sanitize or e
 	NOT-FOR-US: WordPress plugin
 CVE-2026-49017 (In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters a ...)
 	- swift 2.37.1-4 (bug #1138170)
+	[bookworm] - swift <not-affected> (Support for aws-chunked introduced in 2.35.1)
+	[bullseye] - swift <not-affected> (Support for aws-chunked introduced in 2.35.1)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/27/9
 	NOTE: https://bugs.launchpad.net/swift/+bug/2152205
 CVE-2026-49014 (In GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the netCDF  ...)
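Review bot: the two new <not-affected> annotations justify themselves with "Support for aws-chunked introduced in 2.35.1" but cite nothing for that version claim; the existing NOTE lines only point at the oss-security post and the Launchpad bug. Adding a NOTE with the upstream commit or release note that introduced aws-chunked support would let a later triager (or the LTS team re-checking bullseye) verify the cut-off without re-deriving it from the swift source.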
@@ -4217,6 +4219,7 @@ CVE-2026-48962 (IO::Compress versions before 2.220 for Perl can execute arbitrar
 	NOTE: Fixed by: https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610 (v2.220)
 CVE-2026-48961 (IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetai ...)
 	- libio-compress-perl 2.220-1 (bug #1138052)
+	[trixie] - libio-compress-perl <no-dsa> (Minor issue)
 	[bookworm] - libio-compress-perl <not-affected> (Vulnerable code introduced later)
 	[bullseye] - libio-compress-perl <not-affected> (Vulnerable code introduced later)
 	- perl <unfixed>
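Review bot: the `- perl <unfixed>` line directly below the new [trixie] annotation still carries no distribution tags, while libio-compress-perl now has [trixie], [bookworm] and [bullseye] entries. Since the same IO::Compress code is bundled in the perl source package, the perl line should get matching tags (<no-dsa> for trixie, <not-affected> for the older suites if the "Vulnerable code introduced later" reasoning applies there too); otherwise the tracker will keep reporting perl as open in every suite for this CVE.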
@@ -4277,6 +4280,7 @@ CVE-2026-9542 (A weakness has been identified in CodeAstro Leave Management Syst
 	NOT-FOR-US: CodeAstro
 CVE-2026-9541 (A security flaw has been discovered in Squirrel up to 3.2. Impacted is ...)
 	- squirrel3 <unfixed>
+	[trixie] - squirrel3 <ignored> (Minor issue)
 	[bullseye] - squirrel3 <postponed> (Minor issue)
 	NOTE: https://github.com/albertodemichelis/squirrel/issues/327
 CVE-2026-9540 (A vulnerability was identified in vllm-project vllm 0.19.0. This issue ...)
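Review bot: [bookworm] is missing from this entry even though the commit is a trixie/bookworm triage; the hunk now has [trixie] <ignored> and [bullseye] <postponed> but leaves bookworm unannotated, so it stays open there. Also, the two suites use different dispositions (<ignored> vs <postponed>) for the identical reason "Minor issue"; if the intent is to never fix this in stable, aligning bookworm with the trixie <ignored> line, or stating why they differ, would avoid confusion when the next triager compares them.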
@@ -4829,8 +4833,9 @@ CVE-2025-62745 (Improper Neutralization of Input During Web Page Generation ('Cr
 CVE-2026-48099
 	- python-wsgidav <itp> (bug #1032213)
 CVE-2026-48715 [Stack Buffer Overflow in radvdump Route Information Option Parser]
-	- radvd <unfixed> (bug #1138049)
+	- radvd <unfixed> (bug #1138049; unimportant)
 	NOTE: https://github.com/radvd-project/radvd/security/advisories/GHSA-52px-gh9p-m379
+	NOTE: Crash in CLI tool, no security impact
 CVE-2026-9538 (Archive::Tar versions before 3.10 for Perl allow memory exhaustion via ...)
 	- perl <unfixed>
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/40396448/
@@ -5220,6 +5225,8 @@ CVE-2026-9366 (A vulnerability was found in NousResearch hermes-agent 2026.4.23.
 	NOT-FOR-US: NousResearch hermes-agent
 CVE-2026-9365 (A vulnerability has been found in Ettercap up to 0.8.3. The affected e ...)
 	- ettercap <unfixed>
+	[trixie] - ettercap <no-dsa> (Minor issue)
+	[bookworm] - ettercap <no-dsa> (Minor issue)
 	NOTE: https://github.com/Ettercap/ettercap/issues/1306
 	NOTE: https://github.com/Ettercap/ettercap/pull/1307
 	NOTE: https://github.com/Ettercap/ettercap/commit/feeae6fa366e01a3dd9f1857ec6aae847b2ae00c
@@ -7880,6 +7887,8 @@ CVE-2026-8724 (A security flaw has been discovered in Dataease 2.10.20. Impacted
 	NOT-FOR-US: Dataease
 CVE-2026-8723 (### Summary    `qs.stringify` throws `TypeError` when called with `arr ...)
 	- node-qs <unfixed> (bug #1137257)
+	[trixie] - node-qs <no-dsa> (Minor issue)
+	[bookworm] - node-qs <no-dsa> (Minor issue)
 	[bullseye] - node-qs <postponed> (Minor issue, DoS)
 	NOTE: https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26
 	NOTE: Fixed by: https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41 (v6.15.2)
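Review bot: the reason strings on the new [trixie] and [bookworm] lines read "Minor issue" while the pre-existing [bullseye] line reads "Minor issue, DoS"; since all three describe the same TypeError in `qs.stringify`, the added lines should carry the same "Minor issue, DoS" text so the impact class is visible on every suite's annotation, not just bullseye's.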
@@ -22101,6 +22110,7 @@ CVE-2026-XXXX [RUSTSEC-2026-0104]
 	NOTE: https://github.com/advisories/GHSA-82j2-j2ch-gfr8
 CVE-2026-42254 (Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zone pois ...)
 	- rust-hickory-recursor <unfixed> (bug #1134954)
+	[trixie] - rust-hickory-recursor <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0106.html
 	NOTE: https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-83hf-93m4-rgwq
 CVE-2026-XXXX [RUSTSEC-2026-0109]


=====================================
data/dsa-needed.txt
=====================================
@@ -22,6 +22,8 @@ botan3/stable
 ceph (carnil)
  for CVE-2024-47866, rest harmless
 --
+chromium (dilinger)
+--
 cups
 --
 dovecot
@@ -109,6 +111,8 @@ runc
 rust-wasmtime
   for CVE-2026-34987 CVE-2026-34971, rest would also be fine to ignore
 --
+swift/stable (jmm)
+--
 symfony (jmm)
   Maintainer is preparing updates
 --
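Review bot: the new `swift/stable (jmm)` entry has no indented comment line naming the CVE it tracks, unlike the neighbouring ceph and rust-wasmtime entries which list their CVEs; adding a line such as `  for CVE-2026-49017` would make the reason for the DSA visible here without cross-referencing data/CVE/list, where this same commit marks bookworm and bullseye <not-affected>.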



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7fc36e8ed8d09a325c83b830598394db82678869


