Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
fcf62004 by Moritz Muehlenhoff at 2026-02-27T10:52:28+01:00
trixie/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/DSA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -279,7 +279,7 @@ CVE-2021-4456 (Net::CIDR versions before 0.24 for Perl
mishandle leading zeros i
NOTE: https://lists.security.metacpan.org/cve-announce/msg/37425715/
NOTE: Fixed by:
https://github.com/svarshavchik/Net-CIDR/commit/e3648c6bc6bdd018f90cca4149c467017d42bd10
CVE-2025-40932 (Apache::SessionX versions through 2.01 for Perl create
insecure sessio ...)
- - libapache-sessionx-perl <unfixed>
+ - libapache-sessionx-perl <unfixed> (bug #930660)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/37425045/
CVE-2026-3071 (Deserialization of untrusted data in the LanguageModel class of
Flair ...)
NOT-FOR-US: LanguageModel class of Flair
@@ -523,6 +523,8 @@ CVE-2026-27812 (Sub2API is an AI API gateway platform
designed to distribute and
NOT-FOR-US: Sub2API
CVE-2026-27809 (psd-tools is a Python package for working with Adobe Photoshop
PSD fil ...)
- psd-tools <unfixed> (bug #1129098)
+ [trixie] - psd-tools <no-dsa> (Minor issue)
+ [bookworm] - psd-tools <no-dsa> (Minor issue)
NOTE:
https://github.com/psd-tools/psd-tools/security/advisories/GHSA-24p2-j2jr-386w
NOTE: Fixed by:
https://github.com/psd-tools/psd-tools/commit/6c0a78f195b5942757886a1863793fd5946c1fb1
(v1.12.2)
CVE-2026-27808 (Mailpit is an email testing tool and API for developers. Prior
to vers ...)
@@ -660,6 +662,8 @@ CVE-2026-3206 (Improper Resource Shutdown or Release
vulnerability in KrakenD, S
NOT-FOR-US: KrakenD
CVE-2026-3203 (RF4CE Profile protocol dissector crash in Wireshark 4.6.0 to
4.6.3 and ...)
- wireshark <unfixed>
+ [trixie] - wireshark <no-dsa> (Minor issue)
+ [bookworm] - wireshark <no-dsa> (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2026-07.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/21009
CVE-2026-3202 (NTS-KE protocol dissector crash in Wireshark 4.6.0 to 4.6.3
allows den ...)
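Review bot: On the two added wireshark lines for CVE-2026-3203, the visible description names only Wireshark 4.6.0 to 4.6.3 before it is cut off, so it is worth confirming that the trixie and bookworm versions actually contain the affected RF4CE dissector code. If they predate it, `<not-affected> (Vulnerable code introduced later)`, as used for rust-wasmtime under CVE-2026-27195 in this same file, would be more accurate than `<no-dsa> (Minor issue)`.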
@@ -671,6 +675,8 @@ CVE-2026-3202 (NTS-KE protocol dissector crash in Wireshark
4.6.0 to 4.6.3 allow
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/21000
CVE-2026-3201 (USB HID protocol dissector memory exhaustion in Wireshark 4.6.0
to 4.6 ...)
- wireshark <unfixed>
+ [trixie] - wireshark <no-dsa> (Minor issue)
+ [bookworm] - wireshark <no-dsa> (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2026-05.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/20972
CVE-2026-3197
@@ -1063,6 +1069,8 @@ CVE-2026-27607 (RustFS is a distributed object storage
system built in Rust. In
NOT-FOR-US: RustFS
CVE-2026-27606 (Rollup is a module bundler for JavaScript. Versions prior to
2.80.0, 3 ...)
- node-rollup <unfixed>
+ [trixie] - node-rollup <no-dsa> (Minor issue)
+ [bookworm] - node-rollup <no-dsa> (Minor issue)
NOTE:
https://github.com/rollup/rollup/security/advisories/GHSA-mw96-cpmx-2vgc
NOTE: Fixed by:
https://github.com/rollup/rollup/commit/c60770d7aaf750e512c1b2774989ea4596e660b2
(v4.59.0)
NOTE: Fixed by:
https://github.com/rollup/rollup/commit/c8cf1f9c48c516285758c1e11f08a54f304fd44e
(v3.30.0)
@@ -1133,7 +1141,11 @@ CVE-2026-3121
- keycloak <itp> (bug #1088287)
CVE-2026-3099
- libsoup3 <unfixed>
+ [trixie] - libsoup3 <no-dsa> (Minor issue)
+ [bookworm] - libsoup3 <no-dsa> (Minor issue)
- libsoup2.4 <removed>
+ [trixie] - libsoup2.4 <no-dsa> (Minor issue)
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/495
CVE-2026-27195 (Wasmtime is a runtime for WebAssembly. Starting with Wasmtime
39.0.0, ...)
- rust-wasmtime <not-affected> (Vulnerable code introduced later)
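Review bot: The `<no-dsa> (Minor issue)` lines added for libsoup3 and libsoup2.4 under CVE-2026-3099 sit on an entry that has no description and only the upstream issue link as a NOTE, and `- libsoup3 <unfixed>` carries no bug number. A short NOTE stating the impact that justifies the minor classification, plus a bug reference on the unfixed line once one exists (as on the psd-tools entry), would let a later reader check the triage decision without opening the upstream issue.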
@@ -155665,6 +155677,7 @@ CVE-2024-10567 (The TI WooCommerce Wishlist plugin
for WordPress is vulnerable t
NOT-FOR-US: WordPress plugin
CVE-2024-53908 (An issue was discovered in Django 5.1 before 5.1.4, 5.0 before
5.0.10, ...)
- python-django 3:4.2.17-1
+ [bookworm] - python-django <postponed> (Minor issue, fix along in
future DSA)
[bullseye] - python-django <not-affected> (Vulnerable code introduce
later)
NOTE:
https://www.djangoproject.com/weblog/2024/dec/04/security-releases/
NOTE: Fixed by:
https://github.com/django/django/commit/7376bcbf508883282ffcc0f0fac5cf0ed2d6cbc5
(4.2.17)
=====================================
data/DSA/list
=====================================
@@ -11,7 +11,7 @@
[bookworm] - nss 2:3.87.1-1+deb12u2
[trixie] - nss 2:3.110-1+deb13u1
[25 Feb 2026] DSA-6148-1 firefox-esr - security update
- {CVE-2026-2757 CVE-2026-2758 CVE-2026-2759 CVE-2026-2760 CVE-2026-2761
CVE-2026-2762 CVE-2026-2763 CVE-2026-2764 CVE-2026-2765 CVE-2026-2766
CVE-2026-2767 CVE-2026-2768 CVE-2026-2769 CVE-2026-2770 CVE-2026-2771
CVE-2026-2772 CVE-2026-2773 CVE-2026-2774 CVE-2026-2775 CVE-2026-2777
CVE-2026-2778 CVE-2026-2779 CVE-2026-2780 CVE-2026-2781 CVE-2026-2782
CVE-2026-2783 CVE-2026-2784 CVE-2026-2785 CVE-2026-2786 CVE-2026-2787
CVE-2026-2788 CVE-2026-2789 CVE-2026-2790 CVE-2026-2791 CVE-2026-2792
CVE-2026-2793}
+ {CVE-2026-2757 CVE-2026-2758 CVE-2026-2759 CVE-2026-2760 CVE-2026-2761
CVE-2026-2762 CVE-2026-2763 CVE-2026-2764 CVE-2026-2765 CVE-2026-2766
CVE-2026-2767 CVE-2026-2768 CVE-2026-2769 CVE-2026-2770 CVE-2026-2771
CVE-2026-2772 CVE-2026-2773 CVE-2026-2774 CVE-2026-2775 CVE-2026-2777
CVE-2026-2778 CVE-2026-2779 CVE-2026-2780 CVE-2026-2781 CVE-2026-2782
CVE-2026-2783 CVE-2026-2784 CVE-2026-2785 CVE-2026-2786 CVE-2026-2787
CVE-2026-2788 CVE-2026-2789 CVE-2026-2790 CVE-2026-2791 CVE-2026-2792
CVE-2026-2793 CVE-2026-2776}
[bookworm] - firefox-esr 140.8.0esr-1~deb12u1
[trixie] - firefox-esr 140.8.0esr-1~deb13u1
[20 Feb 2026] DSA-6147-1 pillow - security update
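Review bot: In the DSA-6148-1 CVE list, CVE-2026-2776 is appended after CVE-2026-2793 while every other id inside the braces is in ascending order; placing it between CVE-2026-2775 and CVE-2026-2777 would keep the list sorted and make the gap it fills obvious. The commit message "trixie/bookworm triage" also does not mention this DSA change, so either a separate commit or a line in the message would make the history easier to follow.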
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcf620044e12bccdd95a115c1a6443ae3b21fbf7
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits