[Git][security-tracker-team/security-tracker][master] 3 commits: lts: jython and python2.7 EOL on bullseye

Emilio Pozuelo Monfort (@pochu) pochu at debian.org
Fri Jan 23 13:13:22 GMT 2026



Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
722b5287 by Emilio Pozuelo Monfort at 2026-01-23T14:13:10+01:00
lts: jython and python2.7 EOL on bullseye

- - - - -
60be70b3 by Emilio Pozuelo Monfort at 2026-01-23T14:13:11+01:00
lts: postpone golang issues

They are either minor (DoS) or hard to trigger.

- - - - -
e2340263 by Emilio Pozuelo Monfort at 2026-01-23T14:13:12+01:00
lts: add modsecurity-crs

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1541,6 +1541,7 @@ CVE-2026-0865 (User-controlled header names and values containing newlines can a
 	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
 	- pypy3 <unfixed>
 	- jython <unfixed>
+	[bullseye] - jython <end-of-life> (EOL in bullseye LTS)
 	NOTE: https://github.com/python/cpython/pull/143917
 	NOTE: https://github.com/python/cpython/issues/143916
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/
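Review bot: pypy3 is left as "- pypy3 <unfixed>" with no [bullseye] line, while the python2.7 and jython entries on either side of it both carry a bullseye end-of-life annotation after this change. If pypy3 in bullseye has been triaged for CVE-2026-0865, its suite line belongs in the same commit so the entry is complete for LTS; otherwise the unannotated <unfixed> remains the only status recorded for it.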
@@ -1593,7 +1594,9 @@ CVE-2025-15367 (The poplib module, when passed a user-controlled command, can ha
 	- python3.9 <removed>
 	- pypy3 <unfixed>
 	- python2.7 <removed>
+	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
 	- jython <unfixed>
+	[bullseye] - jython <end-of-life> (EOL in bullseye LTS)
 	NOTE: https://github.com/python/cpython/issues/143923
 	NOTE: https://github.com/python/cpython/pull/143924
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/
@@ -1605,7 +1608,9 @@ CVE-2025-15366 (The imaplib module, when passed a user-controlled command, can h
 	- python3.9 <removed>
 	- pypy3 <unfixed>
 	- python2.7 <removed>
+	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
 	- jython <unfixed>
+	[bullseye] - jython <end-of-life> (EOL in bullseye LTS)
 	NOTE: https://github.com/python/cpython/issues/143921
 	NOTE: https://github.com/python/cpython/pull/143922
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/
@@ -1617,7 +1622,9 @@ CVE-2025-15282 (User-controlled data URLs parsed by urllib.request.DataHandler a
 	- python3.9 <removed>
 	- pypy3 <unfixed>
 	- python2.7 <removed>
+	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
 	- jython <unfixed>
+	[bullseye] - jython <end-of-life> (EOL in bullseye LTS)
 	NOTE: https://github.com/python/cpython/issues/143925
 	NOTE: https://github.com/python/cpython/pull/143926
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/
@@ -2914,6 +2921,7 @@ CVE-2025-61730 [crypto/tls: handshake messages may be processed at the incorrect
 	- golang-1.24 <unfixed> (bug #1125917)
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
 	NOTE: https://github.com/golang/go/issues/76443
 	NOTE: Fixed by: https://github.com/golang/go/commit/525dd853633f90d6038719d9a48cba3770ca71ea (go1.25.6)
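Review bot: the added golang-1.15 line says to follow bookworm DSAs/point-releases, but in this entry "- golang-1.19 <removed>" has no [bookworm] line, unlike the CVE-2025-68121 and CVE-2025-61726 entries, which carry "[bookworm] - golang-1.19 <no-dsa> (Minor issue)". Consider adding or waiting for the bookworm triage so the postponement has a recorded decision to follow.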
@@ -2923,6 +2931,7 @@ CVE-2025-68119 [cmd/go: unexpected code execution when invoking toolchain]
 	- golang-1.24 <unfixed>
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
 	NOTE: https://github.com/golang/go/issues/77099
 	NOTE: Fixed by: https://github.com/golang/go/commit/082365aa552a7e2186f79110d5311dce70749cc0 (go1.25.6)
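Review bot: the parenthetical on the added golang-1.15 line calls this a "minor issue", while the entry header reads "cmd/go: unexpected code execution when invoking toolchain" and the commit message gives "hard to trigger" as the other reason for postponing. Suggest stating the reason that applies here in the parenthetical (for example "hard to trigger") so the severity wording does not contradict the header.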
@@ -2932,6 +2941,7 @@ CVE-2025-61731 [cmd/go: bypass of flag sanitization can lead to arbitrary code e
 	- golang-1.24 <unfixed> (bug #1125917)
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
 	NOTE: https://github.com/golang/go/issues/77100
 	NOTE: Fixed by: https://github.com/golang/go/commit/2526187481ee31241b72f491992accbdd66c2655 (go1.25.6)
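Review bot: "minor issue" on the added golang-1.15 line sits under a header about a bypass of flag sanitization in cmd/go, and nothing in the line says why that is minor for bullseye. The DoS entries in this push use a more specific parenthetical ("Limited support, DoS, minor issue, ..."); a reason specific to this CVE would make the postponement auditable later.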
@@ -2943,6 +2953,7 @@ CVE-2025-68121 [crypto/tls: Config.Clone copies automatically generated session
 	- golang-1.19 <removed>
 	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
 	NOTE: https://github.com/golang/go/issues/77113
 	NOTE: Fixed by: https://github.com/golang/go/commit/4be38528a68a8b0c4e101576df200c214ad49c26 (go1.25.6)
@@ -2954,6 +2965,7 @@ CVE-2025-61726 [net/http: memory exhaustion in Request.ParseForm]
 	- golang-1.19 <removed>
 	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <postponed> (Limited support, DoS, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
 	NOTE: https://github.com/golang/go/issues/77101
 	NOTE: Fixed by: https://github.com/golang/go/commit/afa9b66ac081d3b239d8c1a226b5e884c8435185 (go1.25.6)
@@ -2963,6 +2975,7 @@ CVE-2025-61728 [archive/zip: denial of service when parsing arbitrary ZIP archiv
 	- golang-1.24 <unfixed> (bug #1125917)
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <postponed> (Limited support, DoS, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
 	NOTE: https://github.com/golang/go/issues/77102
 	NOTE: Fixed by: https://github.com/golang/go/commit/9d497df196d66553ae844c22a53fb86cd422e80c (go1.25.6)


=====================================
data/dla-needed.txt
=====================================
@@ -244,6 +244,9 @@ mimetex
   NOTE: 20250629: There doesn't seem to be a fix so far according to #1103801 (dleidert)
   NOTE: 20250629: Best course of action seems to be some kind of mitigation similar to https://moodle.org/mod/forum/discuss.php?d=467592 (dleidert)
 --
+modsecurity-crs
+  NOTE: 20260123: Added by Front-Desk (pochu)
+--
 nagvis
   NOTE: 20250117: Added by Front-Desk (rouca)
   NOTE: 20250119: Also check/fix https://bugs.debian.org/1061044
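Review bot: the new modsecurity-crs entry records only who added it; neither this hunk nor the data/CVE/list changes in this push name the CVE that put the package on the list. A second NOTE line with the CVE id or bug number would tell whoever claims the package what needs fixing.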



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/476d1889d46dcdbd322ceebd80e8618f433d4768...e23402636619f4b02c79516039470d7302a30225
