[Git][security-tracker-team/security-tracker][master] 3 commits: Branch notes for CVE-2026-6019

Salvatore Bonaccorso (@carnil) carnil at debian.org
Wed Apr 29 05:33:52 BST 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cdd6ac54 by Stefano Rivera at 2026-04-29T00:04:57-04:00
Branch notes for CVE-2026-6019

- - - - -
08ff634f by Stefano Rivera at 2026-04-29T00:05:22-04:00
pypy3 issues that are already resolved / not-affected

- - - - -
6617f887 by Salvatore Bonaccorso at 2026-04-29T06:33:48+02:00
Merge branch 'pypy3-triage' into 'master'

pypy3 CVE triage

See merge request security-tracker-team/security-tracker!287
- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2294,7 +2294,9 @@ CVE-2026-6019 (http.cookies.Morsel.js_output() returns an inline <script> snippe
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/
 	NOTE: https://github.com/python/cpython/issues/90309
 	NOTE: https://github.com/python/cpython/pull/148848
-	NOTE: https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104 (main)
+	NOTE: Fixed by https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104 (main branch)
+	NOTE: Fixed by https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c (3.13 branch)
+	NOTE: Fixed by https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8 (3.14 branch)
 CVE-2026-5935 (IBM Total Storage Service Console (TSSC) / TS4500 IMC 9.2, 9.3, 9.4, 9 ...)
 	NOT-FOR-US: IBM
 CVE-2026-5926 (IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Secur ...)
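Review bot: the new "Fixed by" notes cover only main, 3.13 and 3.14, so a reader of this entry cannot tell whether older still-supported CPython branches are expected to receive the same backport or are already out of scope. Add a NOTE for each remaining affected branch once its backport commit lands (or state that none is planned), and list the branch notes oldest to newest so the entry reads in the same order as the fixed-version lines below it.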
@@ -23462,7 +23464,7 @@ CVE-2026-4224 (When an Expat parser with a registered ElementDeclHandler parses
 	- python3.9 <removed>
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
-	- pypy3 <unfixed>
+	- pypy3 <not-affected> (pypy uses a different implementation in pure Python)
 	[trixie] - pypy3 <no-dsa> (Minor issue)
 	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	[bullseye] - pypy3 <postponed> (Minor issue)
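Review bot: `- pypy3 <not-affected>` on the unstable line is inconsistent with the three suite lines kept directly below it (`[trixie] - pypy3 <no-dsa>`, `[bookworm] - pypy3 <no-dsa>`, `[bullseye] - pypy3 <postponed>`), which still mark pypy3 as vulnerable in those releases. If pypy's pure-Python implementation is the same in every suite, drop those three lines; if it differs between suites, say so in the justification. Also add a NOTE with a link to the pypy source that backs the "different implementation in pure Python" claim, since the justification as written cannot be re-checked from the entry alone.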
@@ -46940,7 +46942,7 @@ CVE-2026-0672 (When using http.cookies.Morsel, user-controlled cookie values and
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
-	- pypy3 <unfixed> (bug #1126763)
+	- pypy3 7.3.21+dfsg-1 (bug #1126763)
 	[trixie] - pypy3 <no-dsa> (Minor issue)
 	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	[bullseye] - pypy3 <postponed> (Minor issue)
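Review bot: the version marker `7.3.21+dfsg-1` is the only evidence in the entry that the issue is fixed; add a NOTE pointing at the pypy commit or release notes that carry the backported CPython fix, so the tracker does not rely on the bare version string. The same applies to every pypy3 entry in this patch that moves from `<unfixed>` to `7.3.21+dfsg-1`. Since the commit message says these issues are already resolved, the referenced Debian bug (#1126763 here, and the other #11267xx/#1118xxx bugs below) should be closed with that version as well so the tracker and the BTS agree.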
@@ -47033,7 +47035,7 @@ CVE-2025-15282 (User-controlled data URLs parsed by urllib.request.DataHandler a
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
-	- pypy3 <unfixed> (bug #1126781)
+	- pypy3 7.3.21+dfsg-1 (bug #1126781)
 	[trixie] - pypy3 <no-dsa> (Minor issue)
 	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	[bullseye] - pypy3 <postponed> (Minor issue)
@@ -47057,7 +47059,7 @@ CVE-2025-11468 (When folding a long comment in an email header containing exclus
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
 	- python2.7 <not-affected> (E-mail folding API introduced in Python 3.3)
-	- pypy3 <unfixed> (bug #1126788)
+	- pypy3 7.3.21+dfsg-1 (bug #1126788)
 	[trixie] - pypy3 <no-dsa> (Minor issue)
 	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	[bullseye] - pypy3 <postponed> (Minor issue)
@@ -69357,7 +69359,7 @@ CVE-2025-12084 (When building nested elements using xml.dom.minidom methods such
 	- python3.9 <removed>
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
-	- pypy3 <unfixed> (bug #1126784)
+	- pypy3 7.3.21+dfsg-1 (bug #1126784)
 	[trixie] - pypy3 <no-dsa> (Minor issue)
 	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	[bullseye] - pypy3 <postponed> (Minor issue)
@@ -70064,7 +70066,7 @@ CVE-2025-13837 (When loading a plist file, the plistlib module reads data in siz
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
-	- pypy3 <unfixed> (bug #1126782)
+	- pypy3 7.3.21+dfsg-1 (bug #1126782)
 	[trixie] - pypy3 <no-dsa> (Minor issue)
 	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	[bullseye] - pypy3 <postponed> (Minor issue)
@@ -70083,7 +70085,7 @@ CVE-2025-13836 (When reading an HTTP response from a server, if no read amount i
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
-	- pypy3 <unfixed> (bug #1126783)
+	- pypy3 7.3.21+dfsg-1 (bug #1126783)
 	[trixie] - pypy3 <no-dsa> (Minor issue)
 	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	[bullseye] - pypy3 <not-affected> (Vulnerable code introduced later)
@@ -77743,7 +77745,7 @@ CVE-2025-6075 (If the value passed to os.path.expandvars() is user-controlled a
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
-	- pypy3 <unfixed> (bug #1126777)
+	- pypy3 7.3.21+dfsg-1 (bug #1126777)
 	[trixie] - pypy3 <no-dsa> (Minor issue)
 	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	[bullseye] - pypy3 <postponed> (Minor issue, DoS)
@@ -85825,7 +85827,7 @@ CVE-2025-8291 (The 'zipfile' module would not check the validity of the ZIP64 En
 	[trixie] - jython <no-dsa> (Minor issue)
 	[bookworm] - jython <no-dsa> (Minor issue)
 	[bullseye] - jython <end-of-life> (EOL in bullseye LTS)
-	- pypy3 <unfixed> (bug #1118431)
+	- pypy3 7.3.21+dfsg-1 (bug #1118431)
 	[trixie] - pypy3 <no-dsa> (Minor issue)
 	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/QECOPWMTH4VPPJAXAH2BGTA4XADOP62G/
@@ -111322,7 +111324,7 @@ CVE-2025-8194 (There is a defect in the CPython \u201ctarfile\u201d module affec
 	- python3.9 <removed>
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
-	- pypy3 <unfixed> (bug #1126758)
+	- pypy3 7.3.21+dfsg-1 (bug #1126758)
 	[trixie] - pypy3 <no-dsa> (Minor issue)
 	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	[bullseye] - pypy3 <postponed> (Minor issue)
@@ -124666,7 +124668,7 @@ CVE-2025-6069 (The html.parser.HTMLParser class had worse-case quadratic complex
 	- python3.9 <removed>
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
-	- pypy3 <unfixed> (bug #1118430)
+	- pypy3 7.3.21+dfsg-1 (bug #1118430)
 	[trixie] - pypy3 <no-dsa> (Minor issue)
 	[bookworm] - pypy3 <no-dsa> (Minor issue)
 	- jython <unfixed> (bug #1109376)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/59a03c3cb928a83c1ca330643be9a98a5538e7f4...6617f8877b14ee90b918d83414afdb5840e8db12

-- 
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help



