[Git][security-tracker-team/security-tracker][master] 4 commits: lts: mark CVE-2026-41150,CVE-2026-41159/node-mermaid as postponed

Daniel Leidert (@dleidert) dleidert at debian.org
Mon Jun 1 02:55:28 BST 2026



Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2890c6a0 by Daniel Leidert at 2026-06-01T03:54:52+02:00
lts: mark CVE-2026-41150,CVE-2026-41159/node-mermaid as postponed

- - - - -
567a40ed by Daniel Leidert at 2026-06-01T03:54:53+02:00
lts: mark CVE-2026-48850..CVE-2026-48852/putty as postponed

- - - - -
5c837c3b by Daniel Leidert at 2026-06-01T03:54:53+02:00
lts: mark CVE-2026-46644/php-symfony-polyfill as postponed

- - - - -
30aa26be by Daniel Leidert at 2026-06-01T03:54:53+02:00
lts: mark CVE-2026-49299/neutron as postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -576,11 +576,13 @@ CVE-2026-42929 (Danelec MacGregor Voyage Data Recorder includes default accounts
 	NOT-FOR-US: Danelec
 CVE-2026-41159 (Mermaid is a JavaScript tool that uses Markdown-inspired text to creat ...)
 	- node-mermaid <removed>
+	[bullseye] - node-mermaid <postponed> (Minor issue, no rdeps)
 	NOTE: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p
 	NOTE: https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa (mermaid at 11.15.0)
 	NOTE: https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76 (v10.9.6)
 CVE-2026-41150 (Mermaid is a JavaScript tool that uses Markdown-inspired text to creat ...)
 	- node-mermaid <removed>
+	[bullseye] - node-mermaid <postponed> (Minor issue, no rdeps)
 	NOTE: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh
 	NOTE: https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e (mermaid at 11.15.0)
 	NOTE: https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6 (v10.9.6)
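Review bot: the reason on both added [bullseye] node-mermaid lines reads "(Minor issue, no rdeps)" with a comma, while the other lines added in this push separate the two parts with a semicolon, as in "(Minor issue; can be fixed with next upload)". Suggest "(Minor issue; no rdeps)" on both entries for consistency. Since unstable is at <removed> and each entry lists two upstream commits (11.15.0 and v10.9.6), a short NOTE saying which one a later bullseye fix would be based on would save the next person the lookup.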
@@ -1229,6 +1231,7 @@ CVE-2026-49299 (In OpenStack Neutron before 28.0.1, the tagging controller enfor
 	- neutron 2:28.0.0-4 (bug #1138172)
 	[trixie] - neutron <no-dsa> (Minor issue)
 	[bookworm] - neutron <no-dsa> (Minor issue)
+	[bullseye] - neutron <postponed> (Minor issue; can be fixed with next upload)
 	NOTE: https://security.openstack.org/ossa/OSSA-2026-016.html
 CVE-2026-49130 (Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injec ...)
 	- mpd <unfixed> (bug #1138215)
@@ -5151,6 +5154,7 @@ CVE-2025-14361 (Missing Authorization vulnerability in AA-Team Woocommerce Envat
 CVE-2026-46644 [insecure equivalence in symfony/polyfill-intl-idn for ASCII-only xn-- labels]
 	- php-symfony-polyfill 1.38.1-1
 	[bookworm] - php-symfony-polyfill <no-dsa> (Minor issue)
+	[bullseye] - php-symfony-polyfill <postponed> (Minor issue; can be fixed with next upload)
 	NOTE: https://symfony.com/blog/cve-2026-46644-insecure-equivalence-in-symfony-polyfill-intl-idn-for-ascii-only-xn-labels
 	NOTE: https://github.com/symfony/polyfill/security/advisories/GHSA-2xf4-cg6j-vhgq
 CVE-2026-48962 (IO::Compress versions before 2.220 for Perl can execute arbitrary code ...)
@@ -5704,6 +5708,7 @@ CVE-2026-48852 (PuTTY 0.71 before 0.84 has an assertion failure in ECDSA signatu
 	- putty 0.84-1
 	[trixie] - putty <no-dsa> (Minor issue)
 	[bookworm] - putty <no-dsa> (Minor issue)
+	[bullseye] - putty <postponed> (Minor issue; can be fixed with next upload)
 	NOTE: https://lists.tartarus.org/pipermail/putty-announce/2026/000042.html
 	NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/ecdsa-remotely-triggerable-assertion.html
 	NOTE: Fixed by: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=65b8f37c34cd80680693e813e0081cdafaf58324 (0.84)
@@ -5711,6 +5716,7 @@ CVE-2026-48851 (PuTTY 0.77 before 0.84 uses a copy of the PuTTY icon as a trust
 	- putty 0.84-1
 	[trixie] - putty <no-dsa> (Minor issue)
 	[bookworm] - putty <no-dsa> (Minor issue)
+	[bullseye] - putty <postponed> (Minor issue; can be fixed with next upload)
 	NOTE: https://lists.tartarus.org/pipermail/putty-announce/2026/000042.html
 	NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/telnet-trust-sigil.html
 	NOTE: Fixed by: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=64712be3cbc4a02bda4a92ca97e8d4f294abbe9a (0.84)
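Review bot: the added [bullseye] line for CVE-2026-48851 does not show that bullseye's putty falls inside the affected range, which the entry header gives as "0.77 before 0.84". If the bullseye version predates 0.77, the entry should be <not-affected> with a short reason rather than <postponed>. The same version check applies to the 0.71 and 0.72 lower bounds on the two neighbouring putty entries.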
@@ -5718,6 +5724,7 @@ CVE-2026-48850 (PuTTY 0.72 before 0.84 has a double free in RSA KEX.)
 	- putty 0.84-1
 	[trixie] - putty <no-dsa> (Minor issue)
 	[bookworm] - putty <no-dsa> (Minor issue)
+	[bullseye] - putty <postponed> (Minor issue; can be fixed with next upload)
 	NOTE: https://lists.tartarus.org/pipermail/putty-announce/2026/000042.html
 	NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/rsakex-double-free.html
 	NOTE: Fixed by: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=ba3ed53e0bf6682f89940bc2c3e83da6b1524024 (0.84)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9d661b54b9989d19768a1abf292be3da2289827b...30aa26be0f77e1dbaa1c173e7c14784f17777e03
