[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2026-44903/prometheus: introductory commit + bullseye not-affected (bookworm neither)

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Mon Jun 1 20:14:50 BST 2026



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
63049986 by Sylvain Beucler at 2026-06-01T21:14:43+02:00
CVE-2026-44903/prometheus: introductory commit + bullseye not-affected (bookworm neither)

Matches the GHSA versions:
https://github.com/prometheus/prometheus/security/advisories/GHSA-fw8g-cg8f-9j28

- - - - -
796e7cd5 by Sylvain Beucler at 2026-06-01T21:14:43+02:00
dla: drop prometheus

2 not-affected and 1 DoS, not worth a DLA right now

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -5175,8 +5175,10 @@ CVE-2026-44905 (Vanetza is an open-source implementation of the ETSI C-ITS proto
 	NOT-FOR-US: Vanetza
 CVE-2026-44903 (Prometheus is an open-source monitoring system and time series databas ...)
 	- prometheus <unfixed> (bug #1138261)
+	[bullseye] - prometheus <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/prometheus/prometheus/security/advisories/GHSA-fw8g-cg8f-9j28
 	NOTE: Fixed by: https://github.com/prometheus/prometheus/commit/38f23b9075ced1de2b82d2dad8b2bebb1ecd5b7d
+	NOTE: Introduced by: https://github.com/prometheus/prometheus/commit/2e205ee95c121d8d6da0d8984f0b3bc599acaa2a (v2.49.0-rc.0)
 CVE-2026-44900 (epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telemat ...)
 	NOT-FOR-US: epa4all-client
 CVE-2026-44899 (Mistune is a Python Markdown parser with renderers and plugins. Prior  ...)
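Review bot: The commit subject says bookworm is not affected either, but under CVE-2026-44903 only a `[bullseye] - prometheus <not-affected>` line is added, so bookworm still falls under the generic `- prometheus <unfixed> (bug #1138261)` entry. If bookworm's prometheus predates the introducing commit (v2.49.0-rc.0), add a matching `[bookworm] - prometheus <not-affected> (Vulnerable code introduced later)` line, or state in the commit message why that is left for a separate change.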


=====================================
data/dla-needed.txt
=====================================
@@ -472,10 +472,6 @@ proftpd-dfsg
   NOTE: 20260511: https://lists.debian.org/debian-lts/2026/05/msg00015.html
   NOTE: 20260511: https://salsa.debian.org/debian-proftpd-team/proftpd/-/commits/bullseye
 --
-prometheus
-  NOTE: 20260601: Added by Front-Desk (dleidert)
-  NOTE: 20260601: Follow DSA or support secteam with DSA (dleidert/front-desk)
---
 prosody
   NOTE: 20260511: Added by Front-Desk (dleidert)
   NOTE: 20260511: Follow DSA 6252-1 fixing 4 CVEs (dleidert/front-desk)
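Review bot: Dropping the prometheus block from data/dla-needed.txt removes the only marker in this file that bullseye still has an open issue, and the rationale ("1 DoS, not worth a DLA right now") lives only in the commit message. The data/CVE/list hunk in this push touches CVE-2026-44903 alone, so unless the DoS CVE already carries a bullseye annotation, consider tagging it there, for example `[bullseye] - prometheus <postponed> (Minor issue, DoS)`, so the decision is visible in the tracker and gets picked up with the next prometheus update.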



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/db9a56819f1536ad996e820975c5c6f35eeded64...796e7cd5c2441b2272faae2e530271bade0609b4
