<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en" style='--code-editor-font: var(--default-mono-font, "GitLab Mono"), JetBrains Mono, Menlo, DejaVu Sans Mono, Liberation Mono, Consolas, Ubuntu Mono, Courier New, andale mono, lucida console, monospace;'>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>
<style data-premailer="ignore" type="text/css">
a { color: #1068bf; }
</style>
<style>img {
max-width: 100%; height: auto;
}
body {
font-size: .875rem;
}
body {
-webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px;
}
body {
font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"; font-size: inherit;
}
</style>
</head>
<body style='font-size: inherit; -webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px; font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";'>
<div class="content">
<h3 style="margin-top: 20px; margin-bottom: 10px;">
Carlos Henrique Lima Melara pushed to branch master at <a href="https://salsa.debian.org/security-tracker-team/security-tracker">Debian Security Tracker / security-tracker</a>
</h3>
<h4 style="margin-top: 10px; margin-bottom: 10px;">
Commits:
</h4>
<ul>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14896cb572282c41be67f9eb46f425b949e14073">14896cb5</a></strong>
<div>
<span> by Carlos Henrique Lima Melara </span> <i> at 2026-03-17T21:18:11-03:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #3a383f; position: relative; font-family: "GitLab Mono", "JetBrains Mono", "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; font-variant-ligatures: none; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>CVE-2026-4186/gpac: mark eol for bullseye
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0736a8260e3f1bde1119bc5d49fea9adb377ad37">0736a826</a></strong>
<div>
<span> by Carlos Henrique Lima Melara </span> <i> at 2026-03-17T21:24:52-03:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #3a383f; position: relative; font-family: "GitLab Mono", "JetBrains Mono", "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; font-variant-ligatures: none; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>CVE-2026-4224/python2.7: mark eol in bullseye
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9923f2473473c6cee04fba12199c048625c6a579">9923f247</a></strong>
<div>
<span> by Carlos Henrique Lima Melara </span> <i> at 2026-03-17T21:56:52-03:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #3a383f; position: relative; font-family: "GitLab Mono", "JetBrains Mono", "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; font-variant-ligatures: none; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>CVE-2026-30875/gobgp: postpone for bullseye
It's a limited support package and the issue is a DoS like others before
marked as minor issues.
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/920ad912d6b1f0d74b35d15f65c641a95a2b9456">920ad912</a></strong>
<div>
<span> by Carlos Henrique Lima Melara </span> <i> at 2026-03-17T22:47:15-03:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #3a383f; position: relative; font-family: "GitLab Mono", "JetBrains Mono", "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; font-variant-ligatures: none; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>CVE-2026-25679/go: mark bullseye as not-affected, add introductory commit
The vulnerability was introduced in go1.26rc1 [1] as part of a fix to
another vulnerability (CVE-2025-47912), that is why it got backported to
1.25.2 [2] and 1.24.8 [3].
[1] https://github.com/golang/go/commit/f6f4e8b3ef21299db1ea3a343c3e55e91365a7fd
[2] https://github.com/golang/go/commit/9fd3ac8a10272afd90312fef5d379de7d688a58e
[3] https://github.com/golang/go/commit/d6d2f7bf76718f1db05461cd912ae5e30d7b77ea
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83803655922e1431d0c43cb26463b127a7556cc2">83803655</a></strong>
<div>
<span> by Carlos Henrique Lima Melara </span> <i> at 2026-03-17T23:05:25-03:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #3a383f; position: relative; font-family: "GitLab Mono", "JetBrains Mono", "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; font-variant-ligatures: none; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>CVE-2026-27139/golang-1.15: postpone for bullseye
Minor issue in support limited package, one can read only file metadata
outside the directory listed.
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76d0dfa1ad4dc0f8f138b413da2862028571ddc2">76d0dfa1</a></strong>
<div>
<span> by Carlos Henrique Lima Melara </span> <i> at 2026-03-17T23:21:50-03:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #3a383f; position: relative; font-family: "GitLab Mono", "JetBrains Mono", "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; font-variant-ligatures: none; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>CVE-2026-27142/golang-1.15: mark as postponed for bullseye
Limited support package, minor issue.
</pre>
</li>
<li>
<strong style="font-weight: 600;"><a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7cb195748d7f0d6c517c393ab655cc54371cdfd">a7cb1957</a></strong>
<div>
<span> by Carlos Henrique Lima Melara </span> <i> at 2026-03-18T00:08:29-03:00 </i>
</div>
<pre class="commit-message" style='white-space: pre-wrap; display: block; font-size: 14px; color: #3a383f; position: relative; font-family: "GitLab Mono", "JetBrains Mono", "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; font-variant-ligatures: none; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; border-radius: 2px; margin: 0; padding: 8px 12px; border: 1px solid #dcdcde;'>CVE-2026-23925/zabbix: postpone for bullseye
Follow secteam triage, it requires authenticated "user role" and write
permission to trigger this vulnerability. It's unclear what commit fixes
it, but as far as I could search and correlate cf7c038497b [1] might be
it.
[1] https://github.com/zabbix/zabbix/commit/cf7c038497bfa503c8ff391e99018c7d16700422
</pre>
</li>
</ul>
<h4 style="margin-top: 10px; margin-bottom: 10px;">
1 changed file:
</h4>
<ul>
<li class="file-stats">
<a href="#4716ef5aa8f2742228ba3b3633215c8b808565e3">
data/CVE/list
</a>
</li>
</ul>
<h4 style="margin-top: 10px; margin-bottom: 10px;">
Changes:
</h4>
<li id="4716ef5aa8f2742228ba3b3633215c8b808565e3">
<a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/294ceded9bb9731574ec6f16b36283f0efa73229...a7cb195748d7f0d6c517c393ab655cc54371cdfd#4716ef5aa8f2742228ba3b3633215c8b808565e3"><strong style="font-weight: 600;">data/CVE/list</strong></a>
<hr style="overflow: hidden; border: 1px solid #dcdcde;">
No preview for this file type
<br>
</li>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #626168;">
—
<br>
<a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/294ceded9bb9731574ec6f16b36283f0efa73229...a7cb195748d7f0d6c517c393ab655cc54371cdfd">View it on GitLab</a>.
<br>
You're receiving this email because of your account on <a target="_blank" rel="noopener noreferrer" href="https://salsa.debian.org">salsa.debian.org</a>. <a href="https://salsa.debian.org/-/profile/notifications" target="_blank" rel="noopener noreferrer" class="mng-notif-link">Manage all notifications</a> · <a href="https://salsa.debian.org/help" target="_blank" rel="noopener noreferrer" class="help-link">Help</a>
<span style="color: transparent; font-size: 0; display: none; overflow: hidden; opacity: 0; width: 0; height: 0; max-width: 0; max-height: 0;">
Notification message regarding https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/294ceded9bb9731574ec6f16b36283f0efa73229...a7cb195748d7f0d6c517c393ab655cc54371cdfd at 1773803438
</span>
</p>
</div>
</body>
</html>