[Git][security-tracker-team/security-tracker][master] trixie/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri May 29 14:53:56 BST 2026 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9ff1059b by Moritz Muehlenhoff at 2026-05-29T15:46:32+02:00
trixie/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -444,6 +444,8 @@ CVE-2026-5343 (Improper Check for Unusual or Exceptional Conditions vulnerabilit
 	NOT-FOR-US: Drupal core and addons
 CVE-2026-49299 (In OpenStack Neutron before 28.0.1, the tagging controller enforces pl ...)
 	- neutron 2:28.0.0-4 (bug #1138172)
+	[trixie] - neutron <no-dsa> (Minor issue)
+	[bookworm] - neutron <no-dsa> (Minor issue)
 	NOTE: https://security.openstack.org/ossa/OSSA-2026-016.html
 CVE-2026-49130 (Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injec ...)
 	- mpd <unfixed>
@@ -804,7 +806,10 @@ CVE-2026-49237 (An issue was discovered in Canonical Multipass for macOS before
 	NOT-FOR-US: Multipass
 CVE-2026-48735 (pypdf is a free and open-source pure-python PDF library. Prior to 6.12 ...)
 	- pypdf <unfixed> (bug #1138192)
+	[trixie] - pypdf <no-dsa> (Minor issue)
+	[bookworm] - pypdf <no-dsa> (Minor issue)
 	- pypdf2 <removed>
+	[bookworm] - pypdf2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjqc-6w8f-h24c
 	NOTE: https://github.com/py-pdf/pypdf/pull/3796
 CVE-2026-48526 (PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, w ...)
@@ -824,12 +829,18 @@ CVE-2026-48522 (PyJWT is a JSON Web Token implementation in Python. Prior to 2.1
 	NOTE: https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4
 CVE-2026-48156 (pypdf is a free and open-source pure-python PDF library. Prior to 6.12 ...)
 	- pypdf <unfixed> (bug #1138193)
+	[trixie] - pypdf <no-dsa> (Minor issue)
+	[bookworm] - pypdf <no-dsa> (Minor issue)
 	- pypdf2 <removed>
+	[bookworm] - pypdf2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-248m-82v9-q6g6
 	NOTE: https://github.com/py-pdf/pypdf/pull/3791
 CVE-2026-48155 (pypdf is a free and open-source pure-python PDF library. Prior to 6.12 ...)
 	- pypdf <unfixed> (bug #1138194)
+	[trixie] - pypdf <no-dsa> (Minor issue)
+	[bookworm] - pypdf <no-dsa> (Minor issue)
 	- pypdf2 <removed>
+	[bookworm] - pypdf2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/py-pdf/pypdf/security/advisories/GHSA-cj93-chg6-vgv8
 	NOTE: https://github.com/py-pdf/pypdf/pull/3790
 CVE-2026-47762 (TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, an ...)
@@ -19662,7 +19673,10 @@ CVE-2026-31694 (In the Linux kernel, the following vulnerability has been resolv
 	NOTE: https://git.kernel.org/linus/51a8de6c50bf947c8f534cd73da4c8f0a13e7bed (7.1-rc1)
 CVE-2026-5056 [Integer overflows and out-of-bounds access in MOV/MP4 demuxer]
 	- gst-plugins-good1.0 1.28.2-1
+	[bookworm] - gst-plugins-good1.0 <not-affected> (Vulnerable code not present)
+	[bullseye] - gst-plugins-good1.0 <not-affected> (Vulnerable code not present)
 	NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0016.html
+	NOTE: Introduced by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/54830e7c0a61773c0d099d0c2896b6ca09b709d4 (1.25.50)
 	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f9567e3e26c98fd7687f806e2317a12c705a3bb4 (main)
 	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/bad6721ca4901123e5cb57eec9d8e84d69c08597 (1.28.2)
 CVE-2026-7555 (A vulnerability was identified in itsourcecode Electronic Judging Syst ...)
@@ -35156,6 +35170,8 @@ CVE-2026-34877 (An issue was discovered in Mbed TLS versions from 2.19.0 up to 3
 	NOTE: Fixed by clarified documentation.
 CVE-2026-34876 (An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds ...)
 	- mbedtls 3.6.6-0.1 (bug #1132577)
+	[trixie] - mbedtls <no-dsa> (Minor issue)
+	[bookworm] - mbedtls <no-dsa> (Minor issue)
 	[bullseye] - mbedtls <not-affected> (Vulnerable code not present)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ccm-finish-boundary-check/
 CVE-2026-34835 (Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 ...)
@@ -35687,9 +35703,13 @@ CVE-2026-3882
 	REJECTED
 CVE-2026-34873 (An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impers ...)
 	- mbedtls 3.6.6-0.1 (bug #1132577)
+	[trixie] - mbedtls <no-dsa> (Minor issue)
+	[bookworm] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-client-impersonation-while-resuming-tls13-session/
 CVE-2026-34872 (An issue was discovered in Mbed TLS 3.5.x and 3.6.x through 3.6.5 and  ...)
 	- mbedtls 3.6.6-0.1 (bug #1132577)
+	[trixie] - mbedtls <no-dsa> (Minor issue)
+	[bookworm] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ffdh-peerkey-checks/
 CVE-2026-34750 (Payload is a free and open source headless content management system.  ...)
 	NOT-FOR-US: Payload CMS
@@ -35923,13 +35943,19 @@ CVE-2026-34889 (Improper Neutralization of Input During Web Page Generation ('Cr
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-34875 (An issue was discovered in Mbed TLS through 3.6.5 and TF-PSA-Crypto 1. ...)
 	- mbedtls 3.6.6-0.1 (bug #1132577)
+	[trixie] - mbedtls <no-dsa> (Minor issue)
+	[bookworm] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ffdh-buffer-overflow/
 CVE-2026-34874 (An issue was discovered in Mbed TLS through 3.6.5 and 4.x through 4.0. ...)
 	- mbedtls 3.6.6-0.1 (bug #1132577)
+	[trixie] - mbedtls <no-dsa> (Minor issue)
+	[bookworm] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-null-pointer-dereference-x509/
 CVE-2026-34871 (An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0  ...)
 	{DLA-4551-1}
 	- mbedtls 3.6.6-0.1 (bug #1132577; unimportant)
+	[trixie] - mbedtls <no-dsa> (Minor issue)
+	[bookworm] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-dev-random/
 	NOTE: Builds using Glibc or uClibc, running on a kernel where getrandom() is available, are safe.
 CVE-2026-34751 (Payload is a free and open source headless content management system.  ...)
@@ -87191,6 +87217,7 @@ CVE-2024-2104 (Due to improper BLE security configurations on the device's GATT
 CVE-2025-66003 (An External Control of File Name or Path vulnerability in smb4k allows ...)
 	{DSA-6092-1}
 	- smb4k 4.0.5-1 (bug #1122381)
+	[bookworm] - smb4k <ignored> (Will be removed in final Bookworm point release)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/12/10/6
 	NOTE: Fixed by: https://invent.kde.org/network/smb4k/-/commit/0dea60194ab6eb8f6e34ca2e6cb0f97b90c46f1e
 	NOTE: Fixed by: https://invent.kde.org/network/smb4k/-/commit/0aeabfa9d0f041479589dd855cbfe7cdebedfdb6 (4.0.5)
@@ -87200,6 +87227,7 @@ CVE-2025-66003 (An External Control of File Name or Path vulnerability in smb4k
 CVE-2025-66002 (An  Improper Neutralization of Argument Delimiters in a Command ('Argu ...)
 	{DSA-6092-1}
 	- smb4k 4.0.5-1 (bug #1122381)
+	[bookworm] - smb4k <ignored> (Will be removed in final Bookworm point release)
 	NOTE: https://www.openwall.com/lists/oss-security/2025/12/10/6
 	NOTE: Fixed by: https://invent.kde.org/network/smb4k/-/commit/0dea60194ab6eb8f6e34ca2e6cb0f97b90c46f1e
 	NOTE: Fixed by: https://invent.kde.org/network/smb4k/-/commit/0aeabfa9d0f041479589dd855cbfe7cdebedfdb6 (4.0.5)


=====================================
data/dsa-needed.txt
=====================================
@@ -26,7 +26,9 @@ chromium (dilinger)
 --
 cups
 --
-dovecot
+cyborg/stable (jmm)
+--
+dovecot (jmm)
   Noah Meyerhans proposing updates for review, wait for exposure in unstable for regressions
 --
 expat
@@ -42,7 +44,9 @@ frr
 gh/oldstable
   Santiago Vila might work on preparing an update
 --
-imagemagick/oldstable
+gst-plugins-good1.0 (jmm)
+--
+imagemagick/oldstable (jmm)
 --
 inkscape/oldstable
 --
@@ -122,6 +126,8 @@ tomcat10 (apo)
 --
 tomcat11/stable (apo)
 --
+unbound/oldstable
+--
 xrdp
 --
 yelp



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ff1059bb8b9e873c0aa2b2c51810ca5d6186bf7

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ff1059bb8b9e873c0aa2b2c51810ca5d6186bf7
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260529/9e54de0d/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list