[Git][security-tracker-team/security-tracker][master] 5 commits: lts: triage CVE-2025-13837/pypy3 as no-dsa
Emilio Pozuelo Monfort (@pochu)
pochu at debian.org
Wed Jan 21 09:20:39 GMT 2026
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e9bd88d1 by Emilio Pozuelo Monfort at 2026-01-21T10:20:10+01:00
lts: triage CVE-2025-13837/pypy3 as no-dsa
- - - - -
20652010 by Emilio Pozuelo Monfort at 2026-01-21T10:20:10+01:00
lts: drop pypy3
- - - - -
3998433f by Emilio Pozuelo Monfort at 2026-01-21T10:20:12+01:00
lts: triage CVE-2026-0992/libxml2 as postponed
- - - - -
5a0122f9 by Emilio Pozuelo Monfort at 2026-01-21T10:20:12+01:00
lts: add vlc
- - - - -
99ccd237 by Emilio Pozuelo Monfort at 2026-01-21T10:20:13+01:00
lts: triage CVE-2025-56225/fluidsynth as postponed
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1591,6 +1591,7 @@ CVE-2026-0992 (A flaw was found in the libxml2 library. This uncontrolled resour
- libxml2 <unfixed> (bug #1125696)
[trixie] - libxml2 <no-dsa> (Minor issue)
[bookworm] - libxml2 <no-dsa> (Minor issue)
+ [bullseye] - libxml2 <postponed> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/f75abfcaa419a740a3191e56c60400f3ff18988d
CVE-2026-0990 (A flaw was found in libxml2, an XML parsing library. This uncontrolled ...)
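Review bot: the added [bullseye] line reuses the reason "(Minor issue)" from the <no-dsa> lines above it, so the <postponed> entry does not say what it is waiting for. Since the NOTE already lists an upstream fix commit while the unstable line is still <unfixed>, consider extending the reason text to say the fix is to be included in a later libxml2 update.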
@@ -4072,6 +4073,7 @@ CVE-2025-56225 (fluidsynth-2.4.6 and earlier versions is vulnerable to Null poin
- fluidsynth 2.4.7+dfsg-1
[trixie] - fluidsynth <no-dsa> (Minor issue)
[bookworm] - fluidsynth <no-dsa> (Minor issue)
+ [bullseye] - fluidsynth <postponed> (Minor issue)
NOTE: https://github.com/FluidSynth/fluidsynth/issues/1602
NOTE: https://github.com/FluidSynth/fluidsynth/pull/1607
NOTE: Fixed by: https://github.com/FluidSynth/fluidsynth/commit/45f2a79f4265dcc4f98cfbafdb10727fb1c0d411 (v2.4.7)
@@ -22773,6 +22775,7 @@ CVE-2025-13837 (When loading a plist file, the plistlib module reads data in siz
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <no-dsa> (Minor issue)
NOTE: https://github.com/python/cpython/issues/119342
NOTE: https://github.com/python/cpython/pull/119343
NOTE: https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70 (main)
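Review bot: the new [bullseye] line is tagged <no-dsa>, whereas the two other bullseye entries in this push (libxml2, fluidsynth) are <postponed> with the same "(Minor issue)" reason. If the difference is deliberate because pypy3 is dropped from data/dla-needed.txt in the same push, put that in the reason text instead of reusing "Minor issue", so the entry itself explains why no fix is planned.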
=====================================
data/dla-needed.txt
=====================================
@@ -313,13 +313,6 @@ pyasn1 (utkarsh)
NOTE: 20260119: Added by Front-Desk (dleidert)
NOTE: 20260119: Follow DSA and maybe help the security team here (dleidert)
--
-pypy3
- NOTE: 20260102: Added by Front-Desk (Beuc)
- NOTE: 20260102: Lots of postponed CVEs pile-up
- NOTE: 20260102: Consider fixing bookworm/trixie too (Beuc/front-desk)
- NOTE: 20260102: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/274
- NOTE: 20260102: No more sponsors for pypy/pypy3 in bullseye, hence low priority (Beuc)
---
python-aiohttp (dleidert)
NOTE: 20260106: Added by Front-Desk (lamby)
--
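Review bot: the removed pypy3 block carries the only pointers to the outstanding work, namely the lts-updates-tasks issue 274 link and the "Lots of postponed CVEs pile-up" note, and the commit message "lts: drop pypy3" gives no reason for the removal. Consider stating the reason in the commit message (the removed NOTE cites missing sponsors for bullseye) and saying whether issue 274 stays open.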
@@ -380,6 +373,10 @@ trafficserver
NOTE: 20250403: There are multiple new CVEs. But none of them is addresses in Sid and maintainers didn't reply to me last time (dleidert)
NOTE: 20250405: DSA 5896-1 is out (Beuc/front-desk)
--
+vlc
+ NOTE: 20260120: Added by Front-Desk (pochu)
+ NOTE: 20260120: Update to 3.0.23 (pochu)
+--
watcher
NOTE: 20250908: Added by Front-Desk (apo)
NOTE: 20250908: See also nova. (apo)
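Review bot: the new vlc entry says "Update to 3.0.23" but names no CVE or advisory, and data/CVE/list gets no vlc line in this push, so a reader of dla-needed.txt cannot tell which issues the update is meant to cover. A further NOTE listing the CVE ids, or linking the upstream release notes, would make the entry self-explanatory.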
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8356c40e0dee29d334c28e7b82616ebc163fe150...99ccd237a7ea3e54257c224258f4b8e99371421a