Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8e58ac97 by Moritz Muehlenhoff at 2026-06-27T23:42:52+02:00
trixie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -174,6 +174,7 @@ CVE-2026-46710 (Notepad++ is a free and open-source source 
code editor. From 8.9
        NOT-FOR-US: Notepad++
 CVE-2026-46604 (The TIFF decoder can panic when decoding an invalid image with 
an out- ...)
        - golang-golang-x-image <unfixed>
+       [trixie] - golang-golang-x-image <no-dsa> (Minor issue)
        NOTE: https://github.com/golang/go/issues/80122
        NOTE: Fixed by: 
https://github.com/golang/image/commit/7c04344368b6bcc71df693702522f4f03af45250 
(v0.43.0)
 CVE-2026-46386 (OpenProject is open-source, web-based project management 
software. Pri ...)
@@ -521,6 +522,7 @@ CVE-2026-57920 (Peplink InControl 2 through 2.14.2 before 
2026-06-03 allows use
        NOT-FOR-US: Peplink InControl
 CVE-2026-57918 (libnfs through 6.0.2 before 935b8db has an xid integer 
underflow in RE ...)
        - libnfs <unfixed>
+       [trixie] - libnfs <no-dsa> (Minor issue)
        NOTE: 
https://github.com/sahlberg/libnfs/commit/935b8db712b3c6649bc57ddc276526c4a31680de
 CVE-2026-57915 (It is possible to bypass the Kerberos pre-authentication check 
in Apac ...)
        NOT-FOR-US: Apache software not packaged in Debian
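Review bot: the reason "(Minor issue)" on the added "[trixie] - libnfs <no-dsa>" line gives no rationale for an entry whose summary describes an xid integer underflow, and the summary is truncated here, so the basis for the triage cannot be read off the entry itself. A more specific reason in the parentheses, or a NOTE stating the precondition that makes it minor, would let a later reader confirm the decision without re-reading upstream commit 935b8db.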
@@ -964,6 +966,7 @@ CVE-2026-11625 (Bytes::Random::Secure versions through 0.29 
for Perl share inter
        NOTE: 
https://security.metacpan.org/patches/B/Bytes-Random-Secure/0.29/CVE-2026-11625-r1.patch
 CVE-2026-13324
        - geary <unfixed>
+       [trixie] - geary <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2492860
 CVE-2026-9222 (Setracker2 Android Companion App com.tgelec.setracker versions 
3.1.5 a ...)
        NOT-FOR-US: Setracker2 Android Companion App com.tgelec.setracker
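Review bot: CVE-2026-13324 has no description in this file and its only reference is the Red Hat Bugzilla NOTE, so the added "[trixie] - geary <no-dsa> (Minor issue)" line carries the whole justification on its own. Suggest adding a NOTE with the upstream issue or fix commit once one is known, or replacing "Minor issue" with a reason that says what limits the impact.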
@@ -1062,10 +1065,12 @@ CVE-2026-50176 (The WebSocket Application Programming 
Interface lacks restrictio
        NOT-FOR-US: Evoke
 CVE-2026-46602 (The TIFF decoder does not set a limit on the size of tiles in 
tiled im ...)
        - golang-golang-x-image <unfixed>
+       [trixie] - golang-golang-x-image <no-dsa> (Minor issue)
        NOTE: https://github.com/golang/go/issues/79905
        NOTE: Fixed by: 
https://github.com/golang/image/commit/304d4cc4ee82f96f864f1a4c9a3ae30a4016c9ce 
(v0.43.0)
 CVE-2026-46601 (The webp decoder can panic when processing a VP8 chunk with 
dimensions ...)
        - golang-golang-x-image <unfixed>
+       [trixie] - golang-golang-x-image <no-dsa> (Minor issue)
        NOTE: https://github.com/golang/go/issues/79869
        NOTE: Fixed by: 
https://github.com/golang/image/commit/c5511df3ee92e86ce3fa383fdd247080019257c7 
(v0.43.0)
 CVE-2026-44622 (Charging station authentication identifiers are publicly 
accessible vi ...)
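Review bot: the two added "[trixie] - golang-golang-x-image <no-dsa>" lines, together with the same tag on CVE-2026-46604 earlier in this file, apply the generic "Minor issue" to three different decoder bugs: a missing tile size limit in the TIFF decoder and two decoder panics. All three "Fixed by:" NOTEs are tagged v0.43.0, so it would help to say in the reason or in a NOTE whether these are intended to be batched into a single trixie update, and to record any difference in impact between the unbounded tile size and the panics if one was considered during triage.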
@@ -1251,6 +1256,7 @@ CVE-2026-XXXX [ZSA-2026-12]
        NOTE: https://www.znuny.org/en/advisories/zsa-2026-12
 CVE-2026-55520
        - python-protego 0.6.2+dfsg-1
+       [trixie] - python-protego <no-dsa> (Minor issue)
        NOTE: 
https://github.com/scrapy/protego/security/advisories/GHSA-wjmf-p669-5m5p
        NOTE: Fixed by: 
https://github.com/scrapy/protego/commit/785940181659bf440ba82f1da148fade5087e858
 (0.6.2)
 CVE-2026-9800 (A flaw was found in Keycloak Policy Enforcer. This 
vulnerability allow ...)
@@ -2733,6 +2739,7 @@ CVE-2026-1606 (GitLab has remediated an issue in GitLab 
CE/EE affecting all vers
        NOT-FOR-US: GitLab (used to be packaged in the Debian archive as 
src:gitlab, but never in a stable release)
 CVE-2026-13311 (shell-quote prior to 1.8.5 finalizes parsed tokens in parse() 
using Ar ...)
        - node-shell-quote <unfixed>
+       [trixie] - node-shell-quote <no-dsa> (Minor issue)
        NOTE: 
https://github.com/ljharb/shell-quote/security/advisories/GHSA-395f-4hp3-45gv
        NOTE: Fixed by: 
https://github.com/ljharb/shell-quote/commit/7ff5488599d01c323514f02f5efb74088dd134ec
 (v1.9.0)
 CVE-2026-13038 (Use after free in Autofill in Google Chrome on Windows prior 
to 149.0. ...)
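Review bot: in the context around the added "[trixie] - node-shell-quote <no-dsa>" line, the CVE summary says "shell-quote prior to 1.8.5" while the "Fixed by:" NOTE tags the commit as "(v1.9.0)". Worth confirming which release first contains commit 7ff5488 and either correcting the tag or adding a NOTE that explains the difference, since whoever later prepares a trixie fix will rely on that version to decide what to backport.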
@@ -3060,6 +3067,7 @@ CVE-2026-50698 (A Stored Cross-Site Scripting (XSS) 
vulnerability exists in Frap
        NOT-FOR-US: Frappe
 CVE-2026-49980 (Rclone is a command-line program to sync files and directories 
to and  ...)
        - rclone <unfixed> (bug #1140817)
+       [trixie] - rclone <no-dsa> (Minor issue)
        NOTE: 
https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv
 CVE-2026-49851 (Mistune is a Python Markdown parser with renderers and 
plugins. Prior  ...)
        - mistune <unfixed>
@@ -63695,6 +63703,7 @@ CVE-2026-33155 (DeepDiff is a project focused on Deep 
Difference and search of a
        NOTE: Fixed by: 
https://github.com/qlustered/deepdiff/commit/0d07ec21d12b46ef4e489383b363eadc22d990fb
 (8.6.2)
 CVE-2026-33154 (dynaconf is a configuration management tool for Python. Prior 
to versi ...)
        - python-dynaconf 3.2.13-1 (bug #1131476)
+       [trixie] - python-dynaconf <no-dsa> (Minor issue)
        NOTE: 
https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p
        NOTE: Fixed by: 
https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7
 (3.2.13)
 CVE-2026-33151 (Socket.IO is an open source, real-time, bidirectional, 
event-based, co ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -17,6 +17,9 @@ amd64-microcode (carnil)
 --
 botan3 (aron)
 --
+cacti
+  probably best to move to 1.2.31
+--
 chromium (dilinger)
 --
 containerd
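Review bot: the new "cacti" entry does not name the CVEs that make a DSA necessary, and none of the data/CVE/list hunks shown in this commit touch cacti, so the reader has to look the issues up separately. Suggest listing the CVE ids (or a pointer to them) under the entry and stating why 1.2.31 is the target, since the note only says "probably best to move to 1.2.31" and the entry has no claimant yet to ask.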



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e58ac9764636f931600a71ba253843698a3e471
