[Git][security-tracker-team/security-tracker][master] 5 commits: Triage CVE-2026-4154 & CVE-2026-40915 in gimp for bullseye LTS.

Chris Lamb (@lamby) lamby at debian.org
Tue Apr 28 17:39:42 BST 2026



Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1ecbd794 by Chris Lamb at 2026-04-28T09:32:25-07:00
Triage CVE-2026-4154 & CVE-2026-40915 in gimp for bullseye LTS.

- - - - -
c4331b85 by Chris Lamb at 2026-04-28T09:33:59-07:00
Triage CVE-2026-3219 in python-pip for bullseye LTS.

- - - - -
0c2c009c by Chris Lamb at 2026-04-28T09:35:36-07:00
Triage CVE-2026-5958 in sed for bullseye LTS.

- - - - -
d2cd2e46 by Chris Lamb at 2026-04-28T09:37:40-07:00
Triage CVE-2026-6019 in pypy3 for bullseye LTS.

- - - - -
db96c8f2 by Chris Lamb at 2026-04-28T09:39:21-07:00
Triage CVE-2026-40606 in mitmproxy for bullseye LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2088,6 +2088,7 @@ CVE-2026-6019 (http.cookies.Morsel.js_output() returns an inline <script> snippe
 	- pypy3 <unfixed> (bug #1135116)
 	[trixie] - pypy3 <no-dsa> (Minor issue)
 	[bookworm] - pypy3 <no-dsa> (Minor issue)
+	[bullseye] - pypy3 <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/
 	NOTE: https://github.com/python/cpython/issues/90309
 	NOTE: https://github.com/python/cpython/pull/148848
@@ -4076,6 +4077,7 @@ CVE-2026-40606 (mitmproxy is a interactive TLS-capable intercepting HTTP proxy f
 	- mitmproxy <unfixed> (bug #1134620)
 	[trixie] - mitmproxy <no-dsa> (Minor issue)
 	[bookworm] - mitmproxy <no-dsa> (Minor issue)
+	[bullseye] - mitmproxy <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-527g-3w9m-29hv
 	NOTE: https://github.com/mitmproxy/mitmproxy/commit/71c9234057922bc29b9734ec408d712113d294d2 (v12.2.2)
 CVE-2026-40604 (ClearanceKit intercepts file-system access events on macOS and enforce ...)
@@ -4700,6 +4702,7 @@ CVE-2026-5958 (When sed is invoked with both -i (in-place edit) and --follow-sym
 	- sed 4.9-3 (bug #1134495)
 	[trixie] - sed <no-dsa> (Minor issue)
 	[bookworm] - sed <no-dsa> (Minor issue)
+	[bullseye] - sed <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://gitweb.git.savannah.gnu.org/gitweb/?p=sed.git;a=commit;h=6b9b43c55ccd3beadbc0094b983c82bdb389f33b
 CVE-2026-5760 (SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Executio ...)
 	NOT-FOR-US: SGLang
@@ -4733,6 +4736,7 @@ CVE-2026-3219 (pip handles concatenated tar and ZIP files as ZIP files regardles
 	- python-pip <unfixed> (bug #1134492)
 	[trixie] - python-pip <no-dsa> (Minor issue)
 	[bookworm] - python-pip <no-dsa> (Minor issue)
+	[bullseye] - python-pip <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ/
 	NOTE: https://github.com/pypa/pip/pull/13870
 CVE-2026-39918 (Vvveb prior to1.0.8.1 contains a code injection vulnerability in the i ...)
@@ -6172,6 +6176,7 @@ CVE-2026-40915 (A flaw was found in GIMP. A remote attacker could exploit an int
 	- gimp 3.2.2-1
 	[trixie] - gimp <no-dsa> (Minor issue, fix along with future DSA)
 	[bookworm] - gimp <no-dsa> (Minor issue, fix along with future DSA)
+	[bullseye] - gimp <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/16051
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gimp/-/commit/e0bd82f290d42af4018b0ab3f4367ae0435a207f (GIMP_3_2_2)
 CVE-2026-6364 (Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 al ...)
@@ -8036,6 +8041,7 @@ CVE-2026-4154 (GIMP XPM File Parsing Integer Overflow Remote Code Execution Vuln
 	- gimp 3.2.0-1
 	[trixie] - gimp <no-dsa> (Minor issue)
 	[bookworm] - gimp <no-dsa> (Minor issue)
+	[bullseye] - gimp <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-26-221/
 	NOTE: https://gitlab.gnome.org/GNOME/gimp/-/issues/15971
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gimp/-/commit/2e7ed91793792d9e980b2df4c829e9aa60459253 (GIMP_3_2_0)
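Review bot: the new `[bullseye] - gimp <postponed>` line here and the one added for CVE-2026-40915 further up both postpone a gimp issue for bullseye with the same "can be fixed in next update" rationale, so the two entries should be tracked together so that the next bullseye LTS gimp update carries both fixes (the fixing upstream commits are already recorded in the NOTE lines of each entry) rather than one CVE being overlooked when the other is scheduled.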



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bccd3f9480f6f1f9129368b2f900af9b8892e8af...db96c8f266c1b8e26b817132b81b7ec26db28a14
