Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2ea6b76b by Moritz Muehlenhoff at 2026-02-20T16:47:06+01:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -246,6 +246,8 @@ CVE-2026-2274 (A SSRF and Arbitrary File Read vulnerability
in AppSheet Core in
NOT-FOR-US: Google AppSheet
CVE-2026-2243 (A flaw was found in QEMU. A specially crafted VMDK image could
trigger ...)
- qemu <unfixed> (bug #1128478)
+ [trixie] - qemu <no-dsa> (Minor issue)
+ [bookworm] - qemu <no-dsa> (Minor issue)
NOTE:
https://lore.kernel.org/qemu-devel/caj9qjssswxkmevethg57-ph6maefbutsav-r07ma9_x1sp6...@mail.gmail.com/
CVE-2026-2232 (The Product Table and List Builder for WooCommerce Lite plugin
for Wor ...)
NOT-FOR-US: WordPress plugin
@@ -760,9 +762,13 @@ CVE-2026-2706 (A flaw has been found in code-projects
Patient Record Management
NOT-FOR-US: code-projects
CVE-2026-2705 (A vulnerability was detected in Open Babel up to 3.1.1. The
impacted e ...)
- openbabel <unfixed>
+ [trixie] - openbabel <no-dsa> (Minor issue)
+ [bookworm] - openbabel <no-dsa> (Minor issue)
NOTE: https://github.com/openbabel/openbabel/issues/2848
CVE-2026-2704 (A security vulnerability has been detected in Open Babel up to
3.1.1. ...)
- openbabel <unfixed>
+ [trixie] - openbabel <no-dsa> (Minor issue)
+ [bookworm] - openbabel <no-dsa> (Minor issue)
NOTE: https://github.com/openbabel/openbabel/issues/2848
CVE-2026-2703 (A weakness has been identified in xlnt-community xlnt up to
1.6.1. Imp ...)
NOT-FOR-US: xlnt-community xlnt
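Review bot: Both openbabel entries (CVE-2026-2705 and CVE-2026-2704) are marked <no-dsa> while the unstable line stays "- openbabel <unfixed>" with no Debian bug reference, unlike the qemu entry earlier in this diff, which carries "(bug #1128478)". With no DSA planned, a filed bug is what keeps the fix visible to the maintainer, so consider filing one and recording its number on the <unfixed> line. The two CVEs also point at the same upstream issue (#2848); if they are distinct defects in that report, a short NOTE saying which part of the issue maps to which CVE would help later triage.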
@@ -1097,6 +1103,8 @@ CVE-2026-2654 (A weakness has been identified in
huggingface smolagents 1.24.0.
NOT-FOR-US: huggingface smolagents
CVE-2026-2653 (A security flaw has been discovered in admesh up to 0.98.5.
This issue ...)
- admesh <unfixed>
+ [trixie] - admesh <no-dsa> (Minor issue)
+ [bookworm] - admesh <no-dsa> (Minor issue)
NOTE: https://github.com/admesh/admesh/issues/65
CVE-2026-2507 (When BIG-IP AFM or BIG-IP DDoS is provisioned, undisclosed
traffic can ...)
NOT-FOR-US: F5
@@ -1398,6 +1406,7 @@ CVE-2026-23212 (In the Linux kernel, the following
vulnerability has been resolv
NOTE:
https://git.kernel.org/linus/f6c3665b6dc53c3ab7d31b585446a953a74340ef (6.19-rc8)
CVE-2026-2625
- rust-rpm-sequoia <unfixed> (bug #1128418)
+ [trixie] - rust-rpm-sequoia <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2440357
CVE-2026-2644 (A weakness has been identified in niklasso minisat up to 2.2.0.
This i ...)
- minisat2 <unfixed> (unimportant)
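Review bot: CVE-2026-2625 gets a [trixie] line for rust-rpm-sequoia but no [bookworm] line, where every other package triaged in this commit gets both. If the package is not in bookworm this is correct as written; otherwise a matching "[bookworm] - rust-rpm-sequoia ..." line is missing. The entry also has no description text, so "(Minor issue)" is the only rationale a reader sees here besides the Red Hat Bugzilla link; a one-line NOTE on why it is minor would make the decision reviewable.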
@@ -1605,6 +1614,7 @@ CVE-2026-25903 (Apache NiFi 1.1.0 through 2.7.2 are
missing authorization when u
CVE-2026-24734 (Improper Input Validation vulnerability in Apache Tomcat
Native, Apach ...)
{DSA-6120-1}
- tomcat11 11.0.18-1
+ [trixie] - tomcat11 <postponed> (Minor issue, fix along with next DSA)
- tomcat10 10.1.52-1
- tomcat9 9.0.70-2
NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server
stack, using that as the fixed version
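Review bot: The new "[trixie] - tomcat11 <postponed>" line sits under an entry already tagged {DSA-6120-1}, and the visible lines do not say which source package or suite that DSA covered. A reader could take the tag to mean trixie's tomcat11 is already handled. A NOTE stating what DSA-6120-1 fixed, and that tomcat11 in trixie is deliberately deferred to the next DSA, would remove the ambiguity.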
@@ -12566,7 +12576,9 @@ CVE-2025-15366 (The imaplib module, when passed a
user-controlled command, can h
{DLA-4455-1}
- python3.14 <unfixed>
- python3.13 <unfixed>
+ [trixie] - python3.13 <no-dsa> (Minor issue)
- python3.11 <removed>
+ [bookworm] - python3.11 <no-dsa> (Minor issue)
- python3.9 <removed>
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
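Review bot: For CVE-2025-15366 the reason "(Minor issue)" on the python3.13 and python3.11 lines does not record why it is minor, although the description gives the precondition ("when passed a user-controlled command"). Putting that precondition into the parenthesised reason would let someone re-evaluating the no-dsa decision see the assumption it rests on. The placement of the [bookworm] line directly under "- python3.11 <removed>" matches the existing pypy3 pattern and looks fine.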
=====================================
data/dsa-needed.txt
=====================================
@@ -62,7 +62,7 @@ pillow/stable (jmm)
--
python-aiohttp
--
-python-django
+python-django (jmm)
--
python-tornado (jmm)
Daniel Leidert is proposing to work on an update, asked to send debdiffs to
team for review
@@ -70,6 +70,8 @@ python-tornado (jmm)
rtpengine
Victor Seva prepared a debdiff for trixie-security for review,
bookworm-security debdiff missing
--
+ruby-rack
+--
ruby-saml/oldstable
Utkarsh Gupta might work on an update
--
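Review bot: The new "ruby-rack" entry in dsa-needed.txt has no suite suffix, no assignee and no note, and this diff contains no matching data/CVE/list change showing which CVEs prompted it. Neighbouring entries use a suffix ("ruby-saml/oldstable") or a free-text line to carry that context. If the update is meant for both trixie and bookworm the bare name is right, but a short line naming the issues to be fixed would help whoever picks it up.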
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ea6b76b29c03cd6996d92fb7b5b1b828424ae22