Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
938bcd5a by Moritz Muehlenhoff at 2026-06-21T19:45:02+02:00
trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1230,6 +1230,7 @@ CVE-2026-49502 (Dell PowerFlex Manager, version(s) 
[Versions], contain(s) an Imp
        NOT-FOR-US: Dell / EMC
 CVE-2026-49268 (A remote attacker can inject LDAP special characters into the 
Distingu ...)
        - shiro <unfixed>
+       [trixie] - shiro <no-dsa> (Minor issue)
 CVE-2026-49108 (Unauthenticated PHP Object Injection in Moderno < 1.43 
versions.)
        NOT-FOR-US: WordPress plugin or theme
 CVE-2026-49107 (Unauthenticated PHP Object Injection in Thrive Apprentice < 
10.8.10.2  ...)
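Review bot: the new `[trixie] - shiro <no-dsa> (Minor issue)` line for CVE-2026-49268 is the only annotation on an entry that otherwise carries no NOTE: with an upstream reference or a reason why the LDAP special-character injection is minor (the surrounding context shows just `- shiro <unfixed>` before the next CVE). Consider adding a NOTE: line with the advisory or fix link and the rationale, as the neighbouring entries in this file do, so the no-dsa decision can be re-checked later.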
@@ -3232,9 +3233,10 @@ CVE-2026-52722 (A signed integer overflow vulnerability 
was found in GStreamer's
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2486733
        NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5107 (private)
 CVE-2026-52721 (Multiple out-of-bounds read vulnerabilities were found in 
GStreamer's  ...)
-       - gst-plugins-bad1.0 <unfixed>
+       - gst-plugins-bad1.0 <unfixed> (unimportant)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2486732
        NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5106 (private)
+       NOTE: Negligible security impact
 CVE-2026-52720 (A heap buffer overflow vulnerability was found in GStreamer's 
librfb ( ...)
        - gst-plugins-bad1.0 <unfixed>
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2486731
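Review bot: the added `NOTE: Negligible security impact` on CVE-2026-52721 restates the `(unimportant)` tag without saying why multiple out-of-bounds reads in gst-plugins-bad1.0 have negligible impact, while the next entry (CVE-2026-52720, a heap buffer overflow in the same package) stays plain `<unfixed>`; a short reason would make the distinction between the two entries checkable, especially since both point only to a Red Hat bugzilla entry and a private GStreamer work item.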
@@ -3831,7 +3833,7 @@ CVE-2026-52718 (A denial of service vulnerability was 
found in GStreamer's AV1 c
        NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0039.html
        NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11803
        NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11827 
(1.28.4)
-       NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11829 (1.26 
branch)
+       NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fe5f81163e4f207d50c28f510c524e2e8e1c15ab
 (1.26 branch)
        NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11830 (1.24 
branch)
 CVE-2026-52717
        {DSA-6353-1}
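Review bot: the 1.26-branch reference for CVE-2026-52718 is changed from merge request 11829 to commit fe5f81163e4f207d50c28f510c524e2e8e1c15ab, but the 1.28 and 1.24 lines still cite merge requests (11827 and 11830); if the MR was superseded it would help to say so in the note, otherwise consider keeping the MR link next to the commit so the three branch references stay in the same form.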
@@ -4609,6 +4611,7 @@ CVE-2026-49347 (Quest Bot is an opensource Discord Bot. 
Prior to version 1.1.8,
        NOT-FOR-US: Quest Bot
 CVE-2026-48914 (A flaw was found in QEMU's virtio-blk device. The issue arises 
because ...)
        - qemu <unfixed> (bug #1139923)
+       [trixie] - qemu <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2488283
        NOTE: Introduced with: 
https://gitlab.com/qemu-project/qemu/-/commit/f34e73cd69bdbdb9b1d56b288c5e14d6fff58165
 (v1.1.0-rc3)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/aeea0c2804c42f24915467a1e4c70e649e39b8e0
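Review bot: for CVE-2026-48914 the new `[trixie] - qemu <no-dsa> (Minor issue)` sits next to a `NOTE: Fixed by:` upstream commit, so the fix is identifiable; the rationale would be clearer if it stated whether the fix is intended to reach trixie through a point release rather than a DSA. Also, the `Introduced with:` note carries a version tag `(v1.1.0-rc3)` while the `Fixed by:` note has none; adding the release that contains aeea0c2804c42f24915467a1e4c70e649e39b8e0 keeps the two notes parallel.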
@@ -5119,6 +5122,7 @@ CVE-2026-53723 (Guzzle Services provides an 
implementation of the Guzzle Command
        NOT-FOR-US: Guzzle Services
 CVE-2026-53702 (A stack buffer overflow flaw was found in the GStreamer H.265 
codec pa ...)
        - gst-plugins-bad1.0 1.28.3-1
+       [trixie] - gst-plugins-bad1.0 <no-dsa> (Minor issue)
        NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0041.html
        NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11334
        NOTE: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/48c11b7b014aad4fa67385df68220a03cb49ae5d
 (main)
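Review bot: CVE-2026-53702 is a stack buffer overflow in the GStreamer H.265 parser, fixed in gst-plugins-bad1.0 1.28.3-1 in unstable, and this same commit claims gst-plugins-bad1.0 in data/dsa-needed.txt; tagging it `<no-dsa> (Minor issue)` for trixie means the pending DSA for that package will not list it. If the intent is to ship it with that DSA anyway, drop the trixie line; if not, the rationale should say why a stack overflow in a codec parser is considered minor.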
@@ -6018,9 +6022,11 @@ CVE-2026-46411 (FlashMQ is a MQTT broker/server, 
designed for multi-CPU environm
        - flashmq <itp> (bug #1100047)
 CVE-2026-46374 (SQLFluff is a modular SQL linter and auto-formatter with 
support for m ...)
        - sqlfluff <unfixed> (bug #1139640)
+       [trixie] - sqlfluff <no-dsa> (Minor issue)
        NOTE: 
https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-73jc-5mrq-prw7
 CVE-2026-46373 (SQLFluff is a modular SQL linter and auto-formatter with 
support for m ...)
        - sqlfluff <unfixed> (bug #1139640)
+       [trixie] - sqlfluff <no-dsa> (Minor issue)
        NOTE: 
https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-wmhf-fqc8-vxhh
 CVE-2026-45782 (Cloud Hypervisor is a Virtual Machine Monitor for Cloud 
workloads. Fro ...)
        NOT-FOR-US: Cloud Hypervisor
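Review bot: both sqlfluff entries (CVE-2026-46374 and CVE-2026-46373) share bug #1139640 and receive the identical `<no-dsa> (Minor issue)` rationale with only the GHSA link as reference; a one-line NOTE: summarising what the two advisories cover would explain why both are minor and avoid having to open the advisories to re-verify the triage.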
@@ -16343,6 +16349,7 @@ CVE-2026-48092 (7-Zip is a file archiver with a high 
compression ratio. Versions
        NOTE: Crash in CLI tool, no security impact
 CVE-2026-48095 (7-Zip is a file archiver with a high compression ratio. 
Versions 26.00 ...)
        - 7zip 26.01+dfsg-1
+       [trixie] - 7zip <no-dsa> (Minor issue)
        - p7zip 16.02+transitional.1
        NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source 
package
        NOTE: depending on 7zip. Mark this version as fixed version.
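Review bot: placing the `[trixie] - 7zip <no-dsa>` line directly under the `7zip` package line and leaving `p7zip` unannotated is consistent with the existing NOTE that src:p7zip is an empty transitional package depending on 7zip. One nit for whenever that NOTE is next touched: "only a empty source package" should read "only an empty source package".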
@@ -19120,6 +19127,7 @@ CVE-2026-44729 (Twenty is an open source CRM. In 1.18.0 
and earlier, the file se
        NOT-FOR-US: Twenty CRM
 CVE-2026-44728 (Babel is a compiler for writing next generation JavaScript. 
From 7.12. ...)
        - node-babel7 <unfixed> (bug #1138712)
+       [trixie] - node-babel7 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp
 CVE-2026-44723 (Vowpal Wabbit is a machine learning system. The workflow 
.github/workf ...)
        NOT-FOR-US: Vowpal Wabbit
@@ -47324,6 +47332,7 @@ CVE-2026-35533 (mise manages dev tools like node, 
python, cmake, and terraform.
        NOT-FOR-US: mise
 CVE-2026-35406 (Aardvark-dns is an authoritative dns server for A/AAAA 
container recor ...)
        - aardvark-dns 1.16.0-3
+       [trixie] - aardvark-dns <no-dsa> (Minor issue)
        NOTE: 
https://github.com/containers/aardvark-dns/security/advisories/GHSA-hfpq-x728-986j
        NOTE: Fixed by: 
https://github.com/containers/aardvark-dns/commit/3b49ea7b38bdea134b7f03256f2e13f44ce73bb1
 (main)
        NOTE: Fixed by: 
https://github.com/containers/aardvark-dns/commit/b66c50e88ead4416ae3cd86044e5905cb33f2d4b
 (v1.17.1)
@@ -212096,7 +212105,7 @@ CVE-2025-21312 (Windows Smart Card Reader Information 
Disclosure Vulnerability)
        NOT-FOR-US: Microsoft
 CVE-2025-21311 (Windows NTLM V1 Elevation of Privilege Vulnerability)
        - squid 7.1-1
-       [trixie] - squid <no-dsa> (Minor issue)
+       [trixie] - squid <ignored> (Minor issue, generic protocol flaw being 
deprecated)
        [bookworm] - squid <no-dsa> (Minor issue)
        [bullseye] - squid <postponed> (Minor issue, generic deprecation of 
NTLMv1 auth)
        NOTE: 7.1 removes the ntlm_smb_lm_auth module
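Review bot: after this change the same NTLMv1 issue (CVE-2025-21311) is `<ignored>` in trixie, `<no-dsa>` in bookworm and `<postponed>` in bullseye, with the rationale in each case being the generic deprecation of NTLMv1; if the trixie reasoning ("generic protocol flaw being deprecated") applies equally to bookworm, consider moving bookworm to `<ignored>` with the same wording so the three suites do not tell different stories about one issue.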


=====================================
data/dsa-needed.txt
=====================================
@@ -29,14 +29,14 @@ expat (aron)
 --
 fastnetmon (jmm)
 --
-ffmpeg
+ffmpeg (jmm)
   for 7.1.5
 --
 firebird3.0
 --
 firebird4.0
 --
-gst-plugins-bad1.0
+gst-plugins-bad1.0 (jmm)
 --
 jetty9
 --
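Review bot: the ffmpeg claim keeps its `for 7.1.5` target line, but the new `gst-plugins-bad1.0 (jmm)` claim has no target version or CVE scope below it; adding a `for <version>` line, or the set of CVE ids the DSA will cover (several gst-plugins-bad1.0 entries in data/CVE/list are touched in this same commit), would let others see what the pending update is expected to contain.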



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/938bcd5a6f7669da5ab4d079816da2c106f5de42


_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits