[Git][security-tracker-team/security-tracker][master] 3 commits: Triage openssl DSA-6201-1, cockpit CVE-2026-4631, openexr CVE-2026-34378

Utkarsh Gupta (@utkarsh) utkarsh at debian.org
Sat Apr 11 01:39:28 BST 2026



Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fe0f283b by Utkarsh Gupta at 2026-04-11T06:09:06+05:30
Triage openssl DSA-6201-1, cockpit CVE-2026-4631, openexr CVE-2026-34378

- openssl: CVE-2026-31790 not-affected for bullseye (RSASVE only in 3.x)
- openssl: add to dla-needed for remaining CVEs from DSA-6201-1
  (CVE-2026-28387/88/89/90, CVE-2026-31789) to check 1.1.1w impact
- cockpit: CVE-2026-4631 not-affected for bullseye (beiboot helper
  only used since version 326)
- openexr: CVE-2026-34378 not-affected for bullseye (code not present)

- - - - -
bb0e51d0 by Utkarsh Gupta at 2026-04-11T06:09:07+05:30
Triage more CVEs: mark postponed/ignored for bullseye

- discount, libcap2, libraw, libtheora, modsecurity-crs: <postponed>
- mongo-c-driver (2 CVEs): <postponed>
- nltk (6 CVEs): <postponed>
- node-handlebars (5 CVEs): <postponed>
- onnx (3 CVEs): <postponed>
- plexus-utils2: <postponed>
- python-django (5 CVEs): <postponed>
- python-ecdsa: <postponed>
- python-lupa: <postponed>
- ruby-bcrypt: <postponed>
- clamav: <postponed>
- squid (3 CVEs): <postponed>
- vips (7 CVEs): <postponed>
- sleuthkit: <postponed>
- ruby-icalendar: <ignored> (package removed from sid)

- - - - -
d3ddb9da by Utkarsh Gupta at 2026-04-11T06:09:07+05:30
Triage more CVEs: tor EOL, golang limited support, hdf5

- tor (TROVE-2026-004, TROVE-2025-015): <end-of-life> in bullseye (see DSA 5562)
- golang-1.15 (9 CVEs: CVE-2026-32289/88/83/82/81/80, CVE-2026-27144/43/40):
  <postponed> (Limited support, minor issue)
- golang-github-hashicorp-go-getter (CVE-2026-4660): <postponed> (Minor issue)
- golang-gopkg-square-go-jose.v1/v2 (CVE-2026-34986): <postponed> (Minor issue)
- hdf5 (CVE-2026-34734): <postponed> (Minor issue)

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
Binary files a/data/CVE/list and b/data/CVE/list differ


=====================================
data/dla-needed.txt
=====================================
@@ -339,6 +339,12 @@ openssh
   NOTE: 20260319: available in oss-security - but it needs to be
   NOTE: 20260319: double-checked. (charles)
 --
+openssl
+  NOTE: 20260411: Added by Front-Desk (utkarsh)
+  NOTE: 20260411: Follow DSA-6201-1 (CVE-2026-28387 CVE-2026-28388 CVE-2026-28389
+  NOTE: 20260411: CVE-2026-28390 CVE-2026-31789). Check which CVEs affect 1.1.1w.
+  NOTE: 20260411: CVE-2026-31790 (RSASVE) is 3.x-only, already marked not-affected.
+--
 openvswitch
   NOTE: 20260405: Added by Front-Desk (ta)
 --
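Review bot: the last added NOTE line says CVE-2026-31790 is "already marked not-affected", but the marking itself lives in data/CVE/list, which this diff reports only as "Binary files a/data/CVE/list and b/data/CVE/list differ", so the status cannot be confirmed from the hunk alone. Suggest wording the dla-needed.txt entry so it stands on its own, e.g. `NOTE: 20260411: CVE-2026-31790 (RSASVE) is 3.x-only; marked <not-affected> for bullseye in data/CVE/list`, and, once the 1.1.1w check for CVE-2026-28387..28390 and CVE-2026-31789 is done, recording the per-CVE outcome in the same entry so the open item "Check which CVEs affect 1.1.1w" is closed explicitly rather than left implied.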



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/11eda2a9cb56c88c7abb2519a201f4cfc354b636...d3ddb9daaf79367f79c4ac1a50161db164704d4a
