Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
938bcd5a by Moritz Muehlenhoff at 2026-06-21T19:45:02+02:00
trixie triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1230,6 +1230,7 @@ CVE-2026-49502 (Dell PowerFlex Manager, version(s)
[Versions], contain(s) an Imp
NOT-FOR-US: Dell / EMC
CVE-2026-49268 (A remote attacker can inject LDAP special characters into the
Distingu ...)
- shiro <unfixed>
+ [trixie] - shiro <no-dsa> (Minor issue)
CVE-2026-49108 (Unauthenticated PHP Object Injection in Moderno < 1.43
versions.)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-49107 (Unauthenticated PHP Object Injection in Thrive Apprentice <
10.8.10.2 ...)
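Review bot: the new `[trixie] - shiro <no-dsa> (Minor issue)` line carries no rationale beyond the tag, even though the CVE text describes remote injection of LDAP special characters; the CVE-2026-52721 entry later in this commit does add a `NOTE: Negligible security impact` line alongside its tag. A one-line NOTE stating why this is minor for the Debian package would make the no-dsa decision reproducible when the entry is revisited.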
@@ -3232,9 +3233,10 @@ CVE-2026-52722 (A signed integer overflow vulnerability
was found in GStreamer's
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2486733
NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5107 (private)
CVE-2026-52721 (Multiple out-of-bounds read vulnerabilities were found in
GStreamer's ...)
- - gst-plugins-bad1.0 <unfixed>
+ - gst-plugins-bad1.0 <unfixed> (unimportant)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2486732
NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5106 (private)
+ NOTE: Negligible security impact
CVE-2026-52720 (A heap buffer overflow vulnerability was found in GStreamer's
librfb ( ...)
- gst-plugins-bad1.0 <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2486731
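Review bot: the `(unimportant)` tag on the `gst-plugins-bad1.0 <unfixed>` line and the added `NOTE: Negligible security impact` agree with each other, but the only upstream reference is the private work item 5106, so the reasoning cannot be checked by anyone without access; a short hint of why these out-of-bounds reads are negligible would make the classification reviewable. Note also that the neighbouring CVE-2026-52722 and CVE-2026-52720 entries (same source package) keep a plain `<unfixed>` with no tag, so the difference in treatment should be deliberate.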
@@ -3831,7 +3833,7 @@ CVE-2026-52718 (A denial of service vulnerability was
found in GStreamer's AV1 c
NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0039.html
NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11803
NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11827
(1.28.4)
- NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11829 (1.26
branch)
+ NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fe5f81163e4f207d50c28f510c524e2e8e1c15ab
(1.26 branch)
NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11830 (1.24
branch)
CVE-2026-52717
{DSA-6353-1}
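Review bot: replacing the merge request 11829 reference with the direct commit fe5f81163e4f207d50c28f510c524e2e8e1c15ab for the 1.26 branch is more precise, but it drops the MR number while the 1.28.4 and 1.24 branch notes above and below still point at merge requests. Keeping both the MR and the commit on the 1.26 line would keep the three backport notes consistent and preserve the link to the review discussion.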
@@ -4609,6 +4611,7 @@ CVE-2026-49347 (Quest Bot is an opensource Discord Bot.
Prior to version 1.1.8,
NOT-FOR-US: Quest Bot
CVE-2026-48914 (A flaw was found in QEMU's virtio-blk device. The issue arises
because ...)
- qemu <unfixed> (bug #1139923)
+ [trixie] - qemu <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2488283
NOTE: Introduced with:
https://gitlab.com/qemu-project/qemu/-/commit/f34e73cd69bdbdb9b1d56b288c5e14d6fff58165
(v1.1.0-rc3)
NOTE: Fixed by:
https://gitlab.com/qemu-project/qemu/-/commit/aeea0c2804c42f24915467a1e4c70e649e39b8e0
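Review bot: the `Introduced with:` note records the upstream version (v1.1.0-rc3) but the `Fixed by:` note for commit aeea0c2804c42f24915467a1e4c70e649e39b8e0 gives none; adding the release that ships the fix would let the unstable `qemu <unfixed> (bug #1139923)` line be closed against a version later. The added `[trixie] - qemu <no-dsa> (Minor issue)` line also has no NOTE explaining why a flaw in the virtio-blk device emulation is minor.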
@@ -5119,6 +5122,7 @@ CVE-2026-53723 (Guzzle Services provides an
implementation of the Guzzle Command
NOT-FOR-US: Guzzle Services
CVE-2026-53702 (A stack buffer overflow flaw was found in the GStreamer H.265
codec pa ...)
- gst-plugins-bad1.0 1.28.3-1
+ [trixie] - gst-plugins-bad1.0 <no-dsa> (Minor issue)
NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0041.html
NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11334
NOTE:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/48c11b7b014aad4fa67385df68220a03cb49ae5d
(main)
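Review bot: `[trixie] - gst-plugins-bad1.0 <no-dsa> (Minor issue)` for a stack buffer overflow in the H.265 codec parser is the strongest "minor" claim in this commit, and the same commit claims gst-plugins-bad1.0 in data/dsa-needed.txt. A NOTE stating why this CVE is excluded from the pending DSA (for instance, which CVEs that DSA is intended to cover) would stop the two changes from reading as a contradiction.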
@@ -6018,9 +6022,11 @@ CVE-2026-46411 (FlashMQ is a MQTT broker/server,
designed for multi-CPU environm
- flashmq <itp> (bug #1100047)
CVE-2026-46374 (SQLFluff is a modular SQL linter and auto-formatter with
support for m ...)
- sqlfluff <unfixed> (bug #1139640)
+ [trixie] - sqlfluff <no-dsa> (Minor issue)
NOTE:
https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-73jc-5mrq-prw7
CVE-2026-46373 (SQLFluff is a modular SQL linter and auto-formatter with
support for m ...)
- sqlfluff <unfixed> (bug #1139640)
+ [trixie] - sqlfluff <no-dsa> (Minor issue)
NOTE:
https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-wmhf-fqc8-vxhh
CVE-2026-45782 (Cloud Hypervisor is a Virtual Machine Monitor for Cloud
workloads. Fro ...)
NOT-FOR-US: Cloud Hypervisor
@@ -16343,6 +16349,7 @@ CVE-2026-48092 (7-Zip is a file archiver with a high
compression ratio. Versions
NOTE: Crash in CLI tool, no security impact
CVE-2026-48095 (7-Zip is a file archiver with a high compression ratio.
Versions 26.00 ...)
- 7zip 26.01+dfsg-1
+ [trixie] - 7zip <no-dsa> (Minor issue)
- p7zip 16.02+transitional.1
NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source
package
NOTE: depending on 7zip. Mark this version as fixed version.
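Review bot: the preceding entry CVE-2026-48092 justifies its treatment with `NOTE: Crash in CLI tool, no security impact`, while the new `[trixie] - 7zip <no-dsa> (Minor issue)` line for CVE-2026-48095 has no rationale. If the same reasoning applies, a matching NOTE would make the decision self-explanatory; the src:p7zip side is already covered by the transitional-package note below.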
@@ -19120,6 +19127,7 @@ CVE-2026-44729 (Twenty is an open source CRM. In 1.18.0
and earlier, the file se
NOT-FOR-US: Twenty CRM
CVE-2026-44728 (Babel is a compiler for writing next generation JavaScript.
From 7.12. ...)
- node-babel7 <unfixed> (bug #1138712)
+ [trixie] - node-babel7 <no-dsa> (Minor issue)
NOTE:
https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp
CVE-2026-44723 (Vowpal Wabbit is a machine learning system. The workflow
.github/workf ...)
NOT-FOR-US: Vowpal Wabbit
@@ -47324,6 +47332,7 @@ CVE-2026-35533 (mise manages dev tools like node,
python, cmake, and terraform.
NOT-FOR-US: mise
CVE-2026-35406 (Aardvark-dns is an authoritative dns server for A/AAAA
container recor ...)
- aardvark-dns 1.16.0-3
+ [trixie] - aardvark-dns <no-dsa> (Minor issue)
NOTE:
https://github.com/containers/aardvark-dns/security/advisories/GHSA-hfpq-x728-986j
NOTE: Fixed by:
https://github.com/containers/aardvark-dns/commit/3b49ea7b38bdea134b7f03256f2e13f44ce73bb1
(main)
NOTE: Fixed by:
https://github.com/containers/aardvark-dns/commit/b66c50e88ead4416ae3cd86044e5905cb33f2d4b
(v1.17.1)
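Review bot: unstable is recorded as fixed in 1.16.0-3 while the `Fixed by:` notes point at commits on main and in v1.17.1, so 1.16.0-3 must carry a backported patch. A NOTE stating which of the two commits was cherry-picked into the Debian package would make the fixed-version claim verifiable against the package changelog.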
@@ -212096,7 +212105,7 @@ CVE-2025-21312 (Windows Smart Card Reader Information
Disclosure Vulnerability)
NOT-FOR-US: Microsoft
CVE-2025-21311 (Windows NTLM V1 Elevation of Privilege Vulnerability)
- squid 7.1-1
- [trixie] - squid <no-dsa> (Minor issue)
+ [trixie] - squid <ignored> (Minor issue, generic protocol flaw being
deprecated)
[bookworm] - squid <no-dsa> (Minor issue)
[bullseye] - squid <postponed> (Minor issue, generic deprecation of
NTLMv1 auth)
NOTE: 7.1 removes the ntlm_smb_lm_auth module
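Review bot: moving trixie from `<no-dsa>` to `<ignored>` leaves the three stable suites in three different states (ignored, no-dsa, postponed) with three different wordings of what is described as one fact, the deprecation of NTLMv1 authentication; consider aligning the parenthetical reasons and, if the deprecation argument holds for all suites, the states as well. The existing `NOTE: 7.1 removes the ntlm_smb_lm_auth module` explains the unstable fixed version but not why the flaw is ignorable where the module is still shipped, so a pointer to the upstream deprecation decision would help.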
=====================================
data/dsa-needed.txt
=====================================
@@ -29,14 +29,14 @@ expat (aron)
--
fastnetmon (jmm)
--
-ffmpeg
+ffmpeg (jmm)
for 7.1.5
--
firebird3.0
--
firebird4.0
--
-gst-plugins-bad1.0
+gst-plugins-bad1.0 (jmm)
--
jetty9
--
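Review bot: the new `gst-plugins-bad1.0 (jmm)` claim has no scope line, whereas `ffmpeg (jmm)` carries `for 7.1.5` underneath it. Since this same commit marks two gst-plugins-bad1.0 CVEs as no-dsa and unimportant in data/CVE/list, a line naming the CVEs (or the upstream release) the DSA will cover would make clear what is in and what is out.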
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/938bcd5a6f7669da5ab4d079816da2c106f5de42
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits