[Git][security-tracker-team/security-tracker][master] Add two uTLS issues

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sun Feb 22 19:21:03 GMT 2026 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4bbaddef by Salvatore Bonaccorso at 2026-02-22T20:20:37+01:00
Add two uTLS issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1012,7 +1012,10 @@ CVE-2026-27317
 CVE-2026-27114 (NanaZip is an open source file archive Starting in version 5.0.1252.0  ...)
 	NOT-FOR-US: NanaZip
 CVE-2026-27017 (uTLS is a fork of crypto/tls, created to customize ClientHello for fin ...)
-	TODO: check
+	- golang-refraction-networking-utls <not-affected> (Vulnerable code introduced later)
+	NOTE: https://github.com/refraction-networking/utls/security/advisories/GHSA-7m29-f4hw-g2vx
+	NOTE: Introduced after: https://github.com/refraction-networking/utls/commit/b4de442d0250c0f55d8873d95e589ff9206a3ae7 (v1.6.0)
+	NOTE: Fixed by: https://github.com/refraction-networking/utls/commit/24bd1e05a788c1add7f3037f4532ea552b2cee07 (v1.8.1)
 CVE-2026-27016 (LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitorin ...)
 	NOT-FOR-US: LibreNMS
 CVE-2026-27014 (NanaZip is an open source file archive Starting in version 5.0.1252.0  ...)
@@ -1040,7 +1043,9 @@ CVE-2026-26996 (minimatch is a minimal matching utility for converting glob expr
 CVE-2026-26995
 	REJECTED
 CVE-2026-26994 (uTLS is a fork of crypto/tls, created to customize ClientHello for fin ...)
-	TODO: check
+	- golang-refraction-networking-utls <unfixed>
+	NOTE: https://github.com/refraction-networking/utls/security/advisories/GHSA-pmc3-p9hx-jq96
+	NOTE: Fixed by: https://github.com/refraction-networking/utls/commit/f8892761e2a4d29054264651d3a86fda83bc83f9 (v1.7.0)
 CVE-2026-26993 (Flare is a Next.js-based, self-hostable file sharing platform that int ...)
 	NOT-FOR-US: Next.js
 CVE-2026-26992 (LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitorin ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bbaddefa26ec861d6101a6b266494b19cf5a97d

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bbaddefa26ec861d6101a6b266494b19cf5a97d
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260222/eb6a9e86/attachment.htm>

More information about the debian-security-tracker-commits mailing list