Candidates for DTSAs

The table below lists packages which are fixed in unstable, but unfixed in testing. Use the testing migration checker to find out why they have not entered testing yet.

List of vulnerable packages in testing

Package	Migration	Bug	Urgency	Remote
bouncycastle	check	CVE-2024-29857	not yet assigned	no
		CVE-2024-30171	not yet assigned	no
		CVE-2024-30172	not yet assigned	no
		CVE-2024-34447	not yet assigned	no
chromium	check	CVE-2025-3066	not yet assigned	no	(fixed in stable?)
		CVE-2025-3619	not yet assigned	no	(fixed in stable?)
		CVE-2025-3620	not yet assigned	no	(fixed in stable?)
dcmtk	check	CVE-2025-2357	not yet assigned	no
epiphany-browser	check	CVE-2025-3839	not yet assigned	?
libfcgi	check	CVE-2025-23016	not yet assigned	no
mediawiki	check	CVE-2025-32072	not yet assigned	no
node-dompurify	check	CVE-2025-26791	not yet assigned	no
node-markdown-to-jsx	check	CVE-2024-21535	not yet assigned	no
openssh	check	CVE-2025-32728	not yet assigned	no
pgbouncer	check	CVE-2025-2291	not yet assigned	no
poppler	check	CVE-2025-43903	not yet assigned	no
qt6-base	check	CVE-2025-3512	not yet assigned	no
ruby3.3	check	CVE-2025-25186	not yet assigned	no
		CVE-2025-27219	not yet assigned	no
		CVE-2025-27220	not yet assigned	no
		CVE-2025-27221	not yet assigned	no
rust-ring	check	TEMP-0000000-7BF5DA	not yet assigned	?
twitter-bootstrap3	check	CVE-2024-6484	not yet assigned	no
		CVE-2024-6485	not yet assigned	no
upx-ucl	check	CVE-2025-2849	not yet assigned	no