[Git][security-tracker-team/security-tracker][master] 10 commits: mark CVE-2026-33671 and CVE-2026-33672 as postponed for Bullseye
Thorsten Alteholz (@alteholz)
alteholz at debian.org
Sun Apr 5 18:16:48 BST 2026
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9afe31f1 by Thorsten Alteholz at 2026-04-05T18:51:58+02:00
mark CVE-2026-33671 and CVE-2026-33672 as postponed for Bullseye
- - - - -
ba0867c1 by Thorsten Alteholz at 2026-04-05T18:53:20+02:00
mark CVE-2026-29063 as postponed for Bullseye
- - - - -
864b0452 by Thorsten Alteholz at 2026-04-05T18:58:44+02:00
mark CVE-2026-4926 as postponed for Bullseye
- - - - -
6acd6b65 by Thorsten Alteholz at 2026-04-05T19:00:07+02:00
mark CVE-2026-4923 as postponed for Bullseye
- - - - -
14852368 by Thorsten Alteholz at 2026-04-05T19:01:39+02:00
mark CVE-2026-33151 as postponed for Bullseye
- - - - -
f4c14c10 by Thorsten Alteholz at 2026-04-05T19:03:52+02:00
add osslsigncode
- - - - -
03750d3e by Thorsten Alteholz at 2026-04-05T19:05:32+02:00
mark CVE-2026-4539 as postponed for Bullseye
- - - - -
0f0a1925 by Thorsten Alteholz at 2026-04-05T19:12:21+02:00
mark CVE-2026-4519, CVE-2026-3479, CVE-2025-69534 and CVE-2026-2297 as postponed for Bullseye
- - - - -
d010f3a1 by Thorsten Alteholz at 2026-04-05T19:14:11+02:00
mark CVE-2026-34155 as postponed for Bullseye
- - - - -
e9b8538d by Thorsten Alteholz at 2026-04-05T19:16:16+02:00
mark CVE-2026-27456 as postponed for Bullseye
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1470,6 +1470,7 @@ CVE-2026-27456 (util-linux is a random collection of Linux utilities. Prior to v
- util-linux 2.42-1
[trixie] - util-linux <no-dsa> (Minor issue)
[bookworm] - util-linux <no-dsa> (Minor issue)
+ [bullseye] - util-linux <postponed> (Minor issue)
NOTE: https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g
NOTE: Fixed by: https://github.com/util-linux/util-linux/commit/0ba0f14caa812349424df0da00ac2d97fee9d972 (v2.42)
CVE-2026-23417 (In the Linux kernel, the following vulnerability has been resolved: b ...)
@@ -2374,6 +2375,7 @@ CVE-2026-34155 (RAUC controls the update process on embedded Linux systems. Prio
- rauc 1.15.2-1
[trixie] - rauc <no-dsa> (Minor issue)
[bookworm] - rauc <no-dsa> (Minor issue)
+ [bullseye] - rauc <postponed> (Minor issue)
NOTE: https://github.com/rauc/rauc/security/advisories/GHSA-6hj7-q844-m2hx
NOTE: Fixed by: https://github.com/rauc/rauc/commit/4fb7c798d6ae412344fb8f8d310d773046af3441 (v1.15.2)
CVE-2026-33762 (go-git is an extensible git implementation library written in pure Go. ...)
@@ -3776,6 +3778,7 @@ CVE-2026-33672 (Picomatch is a glob matcher written JavaScript. Versions prior t
- node-anymatch 3.1.3+~cs8.0.6-1 (bug #1132160)
[trixie] - node-anymatch <no-dsa> (Minor issue)
[bookworm] - node-anymatch <no-dsa> (Minor issue)
+ [bullseye] - node-anymatch <postponed> (Minor issue)
NOTE: https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p
NOTE: Fixed by: https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903
NOTE: node-anymatch provides node-picomatch
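Review bot: the added "[bullseye] - node-anymatch <postponed>" line assumes picomatch is shipped inside node-anymatch in bullseye, but the only support in the entry is the NOTE "node-anymatch provides node-picomatch", which sits next to the unstable version 3.1.3+~cs8.0.6-1. Please confirm the bundling also holds for the bullseye source package; if picomatch is packaged separately there, the line should name that package instead. The same check applies to the CVE-2026-33671 entry.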
@@ -3783,6 +3786,7 @@ CVE-2026-33671 (Picomatch is a glob matcher written JavaScript. Versions prior t
- node-anymatch 3.1.3+~cs8.0.6-1 (bug #1132160)
[trixie] - node-anymatch <no-dsa> (Minor issue)
[bookworm] - node-anymatch <no-dsa> (Minor issue)
+ [bullseye] - node-anymatch <postponed> (Minor issue)
NOTE: https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj
NOTE: Fixed by: https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d
NOTE: node-anymatch provides node-picomatch
@@ -4172,12 +4176,14 @@ CVE-2026-4926 (Impact: A bad regular expression is generated any time you have
- node-path-to-regexp 8.4.0-1 (bug #1132020)
[trixie] - node-path-to-regexp <no-dsa> (Minor issue)
[bookworm] - node-path-to-regexp <no-dsa> (Minor issue)
+ [bullseye] - node-path-to-regexp <postponed> (Minor issue)
NOTE: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f
NOTE: Fixed by: https://github.com/pillarjs/path-to-regexp/commit/22a967901afc8b2b42eefe456faa7b6773dcc415 (v8.4.0)
CVE-2026-4923 (Impact: When using multiple wildcards, combined with at least one par ...)
- node-path-to-regexp 8.4.0-1 (bug #1132020)
[trixie] - node-path-to-regexp <no-dsa> (Minor issue)
[bookworm] - node-path-to-regexp <no-dsa> (Minor issue)
+ [bullseye] - node-path-to-regexp <postponed> (Minor issue)
NOTE: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7
NOTE: Fixed by: https://github.com/pillarjs/path-to-regexp/commit/48646547da685c1ccb76a95fe23373975a91e200 (v8.4.0)
CVE-2026-4897 (A flaw was found in polkit. A local user can exploit this by providing ...)
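Review bot: both added "[bullseye] - node-path-to-regexp <postponed>" lines (CVE-2026-4926 and CVE-2026-4923) treat bullseye as affected, yet the entries record only the fix in v8.4.0 and nothing about when the vulnerable code was introduced. A NOTE naming the introducing commit or version for each CVE would show whether the bullseye version is in range or whether <not-affected> is the correct state.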
@@ -7857,6 +7863,7 @@ CVE-2026-4539 (A security flaw has been discovered in pygments up to 2.19.2. The
- pygments <unfixed> (bug #1132233)
[trixie] - pygments <no-dsa> (Minor issue)
[bookworm] - pygments <no-dsa> (Minor issue)
+ [bullseye] - pygments <postponed> (Minor issue)
NOTE: https://github.com/pygments/pygments/issues/3058
NOTE: https://github.com/pygments/pygments/pull/3064
NOTE: Fixed by: https://github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2ccc (2.20.0)
@@ -8224,6 +8231,7 @@ CVE-2026-33151 (Socket.IO is an open source, real-time, bidirectional, event-bas
- node-socket.io-parser 4.2.1+~3.1.0-4 (bug #1131477)
[trixie] - node-socket.io-parser <no-dsa> (Minor issue)
[bookworm] - node-socket.io-parser <no-dsa> (Minor issue)
+ [bullseye] - node-socket.io-parser <postponed> (Minor issue)
NOTE: https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9
NOTE: Fixed by: https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78 (main)
NOTE: Fixed by: https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4 (socket.io-parser at 3.4.4)
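Review bot: missing documentation on the added "[bullseye] - node-socket.io-parser <postponed>" line: the entry lists two fix commits, one on main and one for socket.io-parser at 3.4.4, without saying which of them matches the bullseye version. A one-line NOTE stating the applicable branch would save the next person from working that out again when the postponed fix is picked up.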
@@ -8459,6 +8467,7 @@ CVE-2026-4519 (The webbrowser.open() API would accept leading dashes in the URL
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <postponed> (Minor issue)
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/
NOTE: https://github.com/python/cpython/issues/143930
NOTE: https://github.com/python/cpython/pull/143931
@@ -9712,6 +9721,7 @@ CVE-2026-3479 (pkgutil.get_data() did not validate the resource argument as docu
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <postponed> (Minor issue)
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/
NOTE: https://github.com/python/cpython/issues/146121
NOTE: https://github.com/python/cpython/pull/146133 (3.14)
@@ -14892,6 +14902,7 @@ CVE-2026-29063 (Immutable.js provides many Persistent Immutable data structures.
- node-immutable 4.3.8-1
[trixie] - node-immutable <no-dsa> (Minor issue)
[bookworm] - node-immutable <no-dsa> (Minor issue)
+ [bullseye] - node-immutable <postponed> (Minor issue)
NOTE: Fixed by: https://github.com/immutable-js/immutable-js/commit/faeb58b0cc71ed351dc51f672a95ae21bc859ef5 (v4.3.8)
NOTE: Fixed by: https://github.com/immutable-js/immutable-js/commit/94bcd3c79972db4afffd8d1e5aab415880098b05 (v4.3.8)
NOTE: Fixed by: https://github.com/immutable-js/immutable-js/commit/6e2cf1cfe6137e72dfa48fc2cfa8f4d399d113f9 (v3.8.3)
@@ -15634,6 +15645,7 @@ CVE-2025-69534 (Python-Markdown version 3.8 contain a vulnerability where malfor
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <postponed> (Minor issue)
- python2.7 <removed>
[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
NOTE: While reported against python-markdown, the actual issue in in Python itself
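Review bot: style point on the context NOTE just below the new pypy3 line: "the actual issue in in Python itself" has a doubled word and presumably should read "is in". Since this entry is being edited anyway, the typo could be fixed in the same commit.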
@@ -15700,6 +15712,7 @@ CVE-2026-2297 (The import hook in CPython that handles legacy *.pyc files (Sourc
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <postponed> (Minor issue)
- python2.7 <not-affected> (PEP 578 not introduced yet)
NOTE: https://github.com/python/cpython/issues/145506
NOTE: https://github.com/python/cpython/pull/145507
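Review bot: the added "[bullseye] - pypy3 <postponed>" line should be checked against the reasoning on the python2.7 line directly below it, "<not-affected> (PEP 578 not introduced yet)". If the Python level implemented by bullseye's pypy3 also predates PEP 578, the same <not-affected> state applies and <postponed> would keep an unaffected package on the to-do list; otherwise a short NOTE stating that pypy3 in bullseye has the audit hooks would make the difference from python2.7 explicit.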
=====================================
data/dla-needed.txt
=====================================
@@ -334,6 +334,9 @@ openssh
openvswitch
NOTE: 20260405: Added by Front-Desk (ta)
--
+osslsigncode
+ NOTE: 20260405: Added by Front-Desk (ta)
+--
p7zip (Sylvain Beucler)
NOTE: 20251020: Added by Front-Desk (dleidert)
NOTE: 20251020: I disagree with the low-severity ratings; but finding the patches might be a hard (dleidert/front-desk)
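Review bot: the new "osslsigncode" entry carries only the Front-Desk NOTE and names no CVE or reason for the upload, and the commit message "add osslsigncode" does not either. A second NOTE listing the CVE ids that triggered the addition would let whoever claims the package start without searching the tracker.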
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3ae28295182b160245377c87a2c2a146d3f9feb3...e9b8538d5808decc92a8e6213a77b3819ae4f39e