[Git][security-tracker-team/security-tracker][master] 9 commits: add openvswitch

Thorsten Alteholz (@alteholz) alteholz at debian.org
Sun Apr 5 10:41:02 BST 2026



Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
eecfb29f by Thorsten Alteholz at 2026-04-05T11:08:03+02:00
add openvswitch

- - - - -
e088448b by Thorsten Alteholz at 2026-04-05T11:11:21+02:00
add derby

- - - - -
ceb68057 by Thorsten Alteholz at 2026-04-05T11:13:43+02:00
mark CVE-2026-5124, CVE-2026-5123 and CVE-2026-5122 as postponed for Bullseye (limited support)

- - - - -
2dfc8707 by Thorsten Alteholz at 2026-04-05T11:16:25+02:00
mark CVE-2026-33809 as postponed for Bullseye (limited support)

- - - - -
4a9db532 by Thorsten Alteholz at 2026-04-05T11:17:18+02:00
mark CVE-2026-33186 as postponed for Bullseye (limited support)

- - - - -
86fca8dc by Thorsten Alteholz at 2026-04-05T11:19:34+02:00
mark CVE-2026-34475 as postponed for Bullseye

- - - - -
015527e7 by Thorsten Alteholz at 2026-04-05T11:32:51+02:00
follow security team and mark CVE-2017-20225 as ignored for Bullseye

- - - - -
2e8d5170 by Thorsten Alteholz at 2026-04-05T11:35:49+02:00
add sudo

- - - - -
adacc24c by Thorsten Alteholz at 2026-04-05T11:39:39+02:00
add rails

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2857,14 +2857,17 @@ CVE-2026-5125 (A vulnerability was detected in raine consult-llm-mcp up to 2.5.3
 	NOT-FOR-US: raine consult-llm-mcp
 CVE-2026-5124 (A security vulnerability has been detected in osrg GoBGP up to 4.3.0.  ...)
 	- gobgp <unfixed> (bug #1132653)
+	[bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)
 	NOTE: https://github.com/osrg/gobgp/pull/3340
 	NOTE: Fixed by: https://github.com/osrg/gobgp/commit/f0f24a2a901cbf159260698211ab15c583ced131 (v4.4.0)
 CVE-2026-5123 (A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts ...)
 	- gobgp <unfixed> (bug #1132653)
+	[bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)
 	NOTE: https://github.com/osrg/gobgp/pull/3342
 	NOTE: Fixed by: https://github.com/osrg/gobgp/commit/67c059413470df64bc20801c46f64058e88f800f (v4.4.0)
 CVE-2026-5122 (A security flaw has been discovered in osrg GoBGP up to 4.3.0. This af ...)
 	- gobgp <unfixed> (bug #1132653)
+	[bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)
 	NOTE: https://github.com/osrg/gobgp/pull/3343
 	NOTE: Fixed by: https://github.com/osrg/gobgp/commit/2b09db390a3d455808363c53e409afe6b1b86d2d (v4.4.0)
 CVE-2026-5121 (A flaw was found in libarchive. On 32-bit systems, an integer overflow ...)
@@ -3285,6 +3288,7 @@ CVE-2017-20226 (Mapscrn 2.0.3 contains a stack-based buffer overflow vulnerabili
 CVE-2017-20225 (TiEmu 2.08 and prior contains a stack-based buffer overflow vulnerabil ...)
 	- tiemu <removed>
 	[bookworm] - tiemu <ignored> (Minor issue)
+	[bullseye] - tiemu <ignored> (Minor issue)
 	NOTE: https://www.exploit-db.com/exploits/42087
 CVE-2016-20049 (JAD 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vul ...)
 	- jad <removed>
@@ -3475,6 +3479,7 @@ CVE-2026-34475 (Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r
 	- varnish <unfixed> (bug #1132231)
 	[trixie] - varnish <no-dsa> (Minor issue; can be mitigated by VCL rule)
 	[bookworm] - varnish <no-dsa> (Minor issue; can be mitigated by VCL rule)
+	[bullseye] - varnish <postponed> (Minor issue; can be mitigated by VCL rule)
 	NOTE: https://vinyl-cache.org/security/VSV00018.html
 CVE-2026-34411 (Appsmith versions prior to 1.98 expose sensitive instance management A ...)
 	NOT-FOR-US: Appsmith
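Review bot: the added bullseye line for CVE-2026-34475 copies the bookworm/trixie reason text ("Minor issue; can be mitigated by VCL rule") but uses state `<postponed>` where the other two suites use `<no-dsa>`. If bullseye is expected to pick the fix up in a later update, the reason should say so (e.g. "Limited support, follow bookworm" as in the other postponed entries of this series); if not, `<no-dsa>` would match the bookworm and trixie lines directly above it.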
@@ -4757,6 +4762,7 @@ CVE-2026-34085 (fontconfig before 2.17.1 has an off-by-one error in allocation d
 	NOTE: Introduced by: https://gitlab.freedesktop.org/fontconfig/fontconfig/-/commit/bf3fbad0ffa955a63bc7b515da002d363cf4d5fc (2.17.0)
 CVE-2026-33809 (A maliciously crafted TIFF file can cause image decoding to attempt to ...)
 	- golang-golang-x-image 0.38.0-1
+	[bullseye] - golang-golang-x-image <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://github.com/golang/go/issues/78267
 	NOTE: Fixed by: https://github.com/golang/image/commit/23ae9ed61c1d3343fb95015810f62dcbf444976e (v0.38.0)
 CVE-2026-33751 (n8n is an open source workflow automation platform. Prior to versions  ...)
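Review bot: the reason on the new bullseye line for CVE-2026-33809 ("Limited support, minor issue, follow bookworm DSAs/point-releases") uses different wording from the other postponed lines added in this push ("Limited support, follow bookworm security updates"); harmonizing the phrasing makes these entries easier to grep and triage. Note also that the visible context carries no bookworm or trixie line for this CVE, so the reader cannot tell from this entry what bookworm action bullseye is meant to follow.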
@@ -8087,6 +8093,7 @@ CVE-2026-33194 (SiYuan is a personal knowledge management system. Prior to versi
 	NOT-FOR-US: SiYuan
 CVE-2026-33186 (gRPC-Go is the Go language implementation of gRPC. Versions prior to 1 ...)
 	- golang-google-grpc <unfixed> (bug #1132228)
+	[bullseye] - golang-google-grpc <postponed> (Limited support, follow bookworm security updates)
 	NOTE: https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3
 	NOTE: Fixed by: https://github.com/grpc/grpc-go/commit/72186f163e75a065c39e6f7df9b6dea07fbdeff5 (v1.79.3)
 CVE-2026-33180 (HAPI FHIR is a complete implementation of the HL7 FHIR standard for he ...)


=====================================
data/dla-needed.txt
=====================================
@@ -66,6 +66,9 @@ ckeditor
 cups (Thorsten Alteholz)
   NOTE: 20260404: Added by Front-Desk (ta)
 --
+derby (Thorsten Alteholz)
+  NOTE: 20260405: Added by Front-Desk (ta)
+--
 docker.io
   NOTE: 20250805: Added by Front-Desk (rouca)
 --
@@ -328,6 +331,9 @@ openssh
   NOTE: 20260319: available in oss-security - but it needs to be
   NOTE: 20260319: double-checked. (charles)
 --
+openvswitch
+  NOTE: 20260405: Added by Front-Desk (ta)
+--
 p7zip (Sylvain Beucler)
   NOTE: 20251020: Added by Front-Desk (dleidert)
   NOTE: 20251020: I disagree with the low-severity ratings; but finding the patches might be a hard (dleidert/front-desk)
@@ -405,6 +411,10 @@ python3.9 (arnaudr)
   NOTE: 20260402: now we need to wait for upstream to apply those patches (PRs are not merged yet),
   NOTE: 20260402: and then for Debian (old)stable to follow suit (arnaudr)
 --
+rails
+  NOTE: 20260405: Added by Front-Desk (ta)
+  NOTE: 20260405: too many issues piled up
+--
 redis
   NOTE: 20260402: Added by Front-Desk (ta)
 --
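Review bot: the second note on the new rails entry, "NOTE: 20260405: too many issues piled up", has no author tag, whereas the other free-form notes in this file end with one (e.g. "(arnaudr)", "(dleidert/front-desk)", "(charles)"). Suggest "NOTE: 20260405: too many issues piled up (ta)" so the remark is attributable like the Front-Desk line above it.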
@@ -453,6 +463,9 @@ spip
   NOTE: 20260326: not in bookworm, trixie updated through upstream 4.4 LTS releases,
   NOTE: 20260326: very low popcon (Beuc/front-desk)
 --
+sudo
+  NOTE: 20260405: Added by Front-Desk (ta)
+--
 suricata
   NOTE: 20250331: re added to fix next bunch of CVEs (ta)
   NOTE: 20250825: testing package (ta)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/69433b5d1d0e2d9ae0c8d796a425c6e63471e98e...adacc24c01368e36abe6910e07cdb419a0608815

-- 
You're receiving this email because of your account on salsa.debian.org.

