[Git][security-tracker-team/security-tracker][master] 4 commits: add patch/mr link for CVE-2026-0989/libxml2
Daniel Leidert (@dleidert)
dleidert at debian.org
Fri Jan 16 02:12:00 GMT 2026
Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker
Commits:
bfcf22b9 by Daniel Leidert at 2026-01-16T01:55:12+01:00
add patch/mr link for CVE-2026-0989/libxml2
- - - - -
b3032a8e by Daniel Leidert at 2026-01-16T02:07:24+01:00
lts: mark CVE-2025-68114/capstone as postponed
- - - - -
aa3cb203 by Daniel Leidert at 2026-01-16T02:11:07+01:00
lts: mark CVE-2025-67873/capstone as postponed
- - - - -
05e86190 by Daniel Leidert at 2026-01-16T02:53:57+01:00
add mr link to fix for CVE-2024-50615,CVE-2024-50614/tinyxml2
CVE-2024-50615 is only accessible via debug build. Thus, maybe #1088814 should
be closed...
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -97,6 +97,7 @@ CVE-2026-0990 (A flaw was found in libxml2, an XML parsing library. This uncontr
CVE-2026-0989 (A flaw was identified in the RelaxNG parser of libxml2 related to how ...)
- libxml2 <unfixed>
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/998
+ NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/374
CVE-2026-0976 (A flaw was found in Keycloak. This improper input validation vulnerabi ...)
- keycloak <itp> (bug #1088287)
CVE-2026-0897 (Allocation of Resources Without Limits or Throttling in the HDF5 weigh ...)
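Review bot: The added NOTE for CVE-2026-0989 is a bare merge request URL, so a reader cannot tell whether merge_requests/374 is a proposed or an already merged fix, while the package line still reads `- libxml2 <unfixed>`. Consider stating the status in the note and, once the change lands upstream, recording the resulting commit in the `NOTE: Fixed by: <commit URL> (<version>)` form that the capstone entries in this file use.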
@@ -11992,6 +11993,7 @@ CVE-2025-68114 (Capstone is a disassembly framework. In versions 6.0.0-Alpha5 an
- capstone <unfixed> (bug #1123739)
[trixie] - capstone <no-dsa> (Minor issue)
[bookworm] - capstone <no-dsa> (Minor issue)
+ [bullseye] - capstone <postponed> (Minor issue)
NOTE: https://github.com/capstone-engine/capstone/security/advisories/GHSA-85f5-6xr3-q76r
NOTE: Fixed by: https://github.com/capstone-engine/capstone/commit/2c7797182a1618be12017d7d41e0b6581d5d529e (next)
CVE-2025-68112 (ChurchCRM is an open-source church management system. In versions prio ...)
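Review bot: The new `[bullseye] - capstone <postponed> (Minor issue)` line for CVE-2025-68114 gives no condition for revisiting, even though the entry's `Fixed by:` note is marked `(next)` rather than a release version. The tinyxml2 entries in this file spell the condition out as `(Minor issue, revisit when fixed upstream)`; a comparable hint here, for example tied to the fix reaching an upstream release, would tell the next LTS triager when to pick this up.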
@@ -12012,6 +12014,7 @@ CVE-2025-67873 (Capstone is a disassembly framework. In versions 6.0.0-Alpha5 an
- capstone <unfixed> (bug #1123740)
[trixie] - capstone <no-dsa> (Minor issue)
[bookworm] - capstone <no-dsa> (Minor issue)
+ [bullseye] - capstone <postponed> (Minor issue)
NOTE: https://github.com/capstone-engine/capstone/security/advisories/GHSA-hj6g-v545-v7jg
NOTE: Fixed by: https://github.com/capstone-engine/capstone/commit/cbef767ab33b82166d263895f24084b75b316df3 (next)
CVE-2025-67794 (An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 before ...)
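Review bot: As written, `[bullseye] - capstone <postponed> (Minor issue)` for CVE-2025-67873 does not say what the postponement is waiting for. The fixing commit is tagged `(next)` and the package line is still `<unfixed> (bug #1123740)`, so naming the trigger in the parenthesised reason (a fixed upstream release, or the upload that closes #1123740) would make the entry self-explanatory.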
@@ -149526,12 +149529,14 @@ CVE-2024-50615 (TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/d
[bookworm] - tinyxml2 <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - tinyxml2 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/leethomason/tinyxml2/issues/997
+ NOTE: Fixed by: https://github.com/leethomason/tinyxml2/pull/1009 (10.1.0)
CVE-2024-50614 (TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/16, tha ...)
- tinyxml2 <unfixed> (bug #1088813)
[trixie] - tinyxml2 <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - tinyxml2 <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - tinyxml2 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/leethomason/tinyxml2/issues/996
+ NOTE: Fixed by: https://github.com/leethomason/tinyxml2/pull/1009 (10.1.0)
CVE-2024-50613 (libsndfile through 1.2.2 has a reachable assertion, that may lead to a ...)
- libsndfile <unfixed> (bug #1088691)
[trixie] - libsndfile <postponed> (Minor issue, revisit when fixed upstream)
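Review bot: With `NOTE: Fixed by: https://github.com/leethomason/tinyxml2/pull/1009 (10.1.0)` added to both CVE-2024-50615 and CVE-2024-50614, the unchanged suite lines still read `<postponed> (Minor issue, revisit when fixed upstream)`, which is now the condition that has been met. Either revisit those suite entries in the same change or adjust the reason text so it no longer points at an event that has already happened. Separately, the commit message's observation that CVE-2024-50615 is only reachable in a debug build is not recorded in data/CVE/list; a NOTE on that entry would keep the reasoning next to the data. The new note also links a pull request, whereas the capstone entries cite the fixing commit.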
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/417e7d5b2896c6243723b6443a9c17445a6f8cc8...05e86190061ec459fbdc9d2a09e88bbdaa578339
More information about the debian-security-tracker-commits mailing list