Hi,

giving this a try for the trixie release: If anyone wants to help getting trixie in good shape: Here's a list of open security issues below the RC threshold which would still be useful to fix before the release.

Many of these haven't seen recent updates, so if anyone has time, check their status and apply/backport patches as needed and submit them in the BTS or as MRs or NMU if appropriate:

If any of these are bogus, don't apply to how we ship them in Debian or cannot be addressed in some manner, you can also leave a note in the bug or bounce a note to t...@security.debian.org so that we update the Security Tracker data accordingly.

augeas:
https://security-tracker.debian.org/tracker/CVE-2025-2588

containerd:
https://security-tracker.debian.org/tracker/CVE-2024-40635

corosync:
https://security-tracker.debian.org/tracker/CVE-2025-30472

cvc5:
https://security-tracker.debian.org/tracker/CVE-2024-37794
https://security-tracker.debian.org/tracker/CVE-2024-37795

djvulibre:
https://security-tracker.debian.org/tracker/CVE-2021-46310

freeipa:
https://security-tracker.debian.org/tracker/CVE-2024-11029

giflib:
https://security-tracker.debian.org/tracker/CVE-2025-31344

golang-github-antonmedv-expr:
https://security-tracker.debian.org/tracker/CVE-2025-29786

golang-github-cli-go-gh-v2:
https://security-tracker.debian.org/tracker/CVE-2024-53859

golang-github-dvsekhvalnov-jose2go:
https://security-tracker.debian.org/tracker/CVE-2023-50658

golang-github-gin-contrib-cors:
https://security-tracker.debian.org/tracker/CVE-2019-25211

golang-github-gomarkdown-markdown:
https://security-tracker.debian.org/tracker/CVE-2024-44337

golang-github-hashicorp-go-retryablehttp:
https://security-tracker.debian.org/tracker/CVE-2024-6104

golang-github-notaryproject-notation-go:
https://security-tracker.debian.org/tracker/CVE-2024-56138

golang-go.crypto:
https://security-tracker.debian.org/tracker/CVE-2024-45337
https://security-tracker.debian.org/tracker/CVE-2025-22869

golang-golang-x-net:
https://security-tracker.debian.org/tracker/CVE-2024-45338
https://security-tracker.debian.org/tracker/CVE-2025-22872

grpc:
https://security-tracker.debian.org/tracker/CVE-2023-32732
https://security-tracker.debian.org/tracker/CVE-2023-33953
https://security-tracker.debian.org/tracker/CVE-2023-44487
https://security-tracker.debian.org/tracker/CVE-2023-4785
https://security-tracker.debian.org/tracker/CVE-2024-11407
https://security-tracker.debian.org/tracker/CVE-2024-7246

hugo:
https://security-tracker.debian.org/tracker/CVE-2024-55601

invesalius:
https://security-tracker.debian.org/tracker/CVE-2024-42845

jboss-xnio:
https://security-tracker.debian.org/tracker/CVE-2023-5685

jenkins-json:
https://security-tracker.debian.org/tracker/CVE-2023-5072

jline3:
https://security-tracker.debian.org/tracker/CVE-2023-50572

libcoap3:
https://security-tracker.debian.org/tracker/CVE-2023-51847
https://security-tracker.debian.org/tracker/CVE-2024-0962
https://security-tracker.debian.org/tracker/CVE-2024-31031
https://security-tracker.debian.org/tracker/CVE-2024-46304

libcrypto++:
https://security-tracker.debian.org/tracker/CVE-2023-50980

libowasp-antisamy-java:
https://security-tracker.debian.org/tracker/CVE-2024-23635

libwoodstox-java:
https://security-tracker.debian.org/tracker/CVE-2022-40152

libxml-security-java:
https://security-tracker.debian.org/tracker/CVE-2023-44483

logback:
https://security-tracker.debian.org/tracker/CVE-2024-12798
https://security-tracker.debian.org/tracker/CVE-2024-12801

mina2:
https://security-tracker.debian.org/tracker/CVE-2024-52046

node-dompurify:
https://security-tracker.debian.org/tracker/CVE-2025-26791

node-katex:
https://security-tracker.debian.org/tracker/CVE-2025-23207

node-prismjs:
https://security-tracker.debian.org/tracker/CVE-2024-53382

openimageio:
https://security-tracker.debian.org/tracker/CVE-2024-55192
https://security-tracker.debian.org/tracker/CVE-2024-55193
https://security-tracker.debian.org/tracker/CVE-2024-55194

php-laravel-framework:
https://security-tracker.debian.org/tracker/CVE-2024-13918
https://security-tracker.debian.org/tracker/CVE-2024-13919
https://security-tracker.debian.org/tracker/CVE-2025-27515

protobuf:
https://security-tracker.debian.org/tracker/CVE-2024-7254

qtbase-opensource-src-gles:
https://security-tracker.debian.org/tracker/CVE-2024-39936

quickjs:
https://security-tracker.debian.org/tracker/CVE-2024-13903

rclone:
https://security-tracker.debian.org/tracker/CVE-2024-52522

ros-dynamic-reconfigure:
https://security-tracker.debian.org/tracker/CVE-2024-39780

ruby-fugit:
https://security-tracker.debian.org/tracker/CVE-2024-43380

rust-gix-features:
https://security-tracker.debian.org/tracker/CVE-2025-31130

sqlite3:
https://security-tracker.debian.org/tracker/CVE-2025-29088

squirrel3:
https://security-tracker.debian.org/tracker/CVE-2021-41556

wabt:
https://security-tracker.debian.org/tracker/CVE-2023-46332

xorg-server:
https://security-tracker.debian.org/tracker/CVE-2022-49737

And if anyone uses GDM on Trixie, it would be useful to test if https://security-tracker.debian.org/tracker/CVE-2016-1000002 is still applicable and update #849432 as needed.

Cheers,
Moritz