[Git][security-tracker-team/security-tracker][master] pypy3: bullseye postponed
Sylvain Beucler (@beuc)
gitlab at salsa.debian.org
Mon Jan 26 21:14:45 GMT 2026
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a0a86a12 by Sylvain Beucler at 2026-01-26T22:14:37+01:00
pypy3: bullseye postponed
Follow bookworm triage.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2178,6 +2178,7 @@ CVE-2025-12781 (When passing data to the b64decode(), standard_b64decode(), and
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <ignored> (Minor issue, no fix, only additional warnings)
NOTE: https://github.com/python/cpython/issues/125346
NOTE: https://github.com/python/cpython/pull/141128
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/
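Review bot: the added line for CVE-2025-12781, `[bullseye] - pypy3 <ignored> (Minor issue, no fix, only additional warnings)`, does not match the commit subject "pypy3: bullseye postponed" or the "Follow bookworm triage" body. The trixie and bookworm lines in this hunk are `<no-dsa>`, and every other line added in this commit uses `<postponed>`. If `<ignored>` is intended here, say so in the commit message so the log records that this CVE was triaged differently from the rest.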
@@ -2493,6 +2494,7 @@ CVE-2026-0865 (User-controlled header names and values containing newlines can a
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <postponed> (Minor issue)
- jython <unfixed>
[trixie] - jython <no-dsa> (Minor issue)
[bookworm] - jython <no-dsa> (Minor issue)
@@ -2515,6 +2517,7 @@ CVE-2026-0672 (When using http.cookies.Morsel, user-controlled cookie values and
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <postponed> (Minor issue)
NOTE: https://github.com/python/cpython/pull/143920
NOTE: https://github.com/python/cpython/issues/143919
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/
@@ -2554,6 +2557,7 @@ CVE-2025-15367 (The poplib module, when passed a user-controlled command, can ha
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <postponed> (Minor issue)
- python2.7 <removed>
[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
- jython <unfixed>
@@ -2573,6 +2577,7 @@ CVE-2025-15366 (The imaplib module, when passed a user-controlled command, can h
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <postponed> (Minor issue)
- python2.7 <removed>
[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
- jython <unfixed>
@@ -2592,6 +2597,7 @@ CVE-2025-15282 (User-controlled data URLs parsed by urllib.request.DataHandler a
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <postponed> (Minor issue)
- python2.7 <removed>
[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
- jython <unfixed>
@@ -2614,6 +2620,7 @@ CVE-2025-11468 (When folding a long comment in an email header containing exclus
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <postponed> (Minor issue)
- jython <not-affected> (Vulnerable code not present)
NOTE: https://github.com/python/cpython/issues/143935
NOTE: https://github.com/python/cpython/pull/143936
@@ -25269,7 +25276,7 @@ CVE-2025-13837 (When loading a plist file, the plistlib module reads data in siz
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
- [bullseye] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <postponed> (Minor issue)
NOTE: https://github.com/python/cpython/issues/119342
NOTE: https://github.com/python/cpython/pull/119343
NOTE: https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70 (main)
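Review bot: for CVE-2025-13837 the bullseye line is not added but changed, from `[bullseye] - pypy3 <no-dsa> (Minor issue)` to `[bullseye] - pypy3 <postponed> (Minor issue)`. That makes this hunk a retriage of an existing entry, which the commit message does not mention. A short remark in the message that one existing `<no-dsa>` entry was converted would make the change easier to audit later.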
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0a86a1281df5825629304aed2047a1bd07f64a7