[Git][security-tracker-team/security-tracker][master] dla: prepare for bullseye+bookworm LTS during June 12th -> September 1st 2026
Sylvain Beucler (@beuc)
gitlab at salsa.debian.org
Wed Jun 3 18:22:15 BST 2026
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
fd93552f by Sylvain Beucler at 2026-06-03T19:21:43+02:00
dla: prepare for bullseye+bookworm LTS during June 12th -> September 1st 2026
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
=====================================
data/dla-needed.txt
=====================================
@@ -25,14 +25,14 @@ To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
--
-389-ds-base
+389-ds-base/bullseye
NOTE: 20260413: Added by Front-Desk (rouca)
NOTE: 20260413: Try to clean postponed CVE (rouca/FD)
--
-activemq
+activemq/bullseye
NOTE: 20260413: Added by Front-Desk (rouca)
--
-amd64-microcode
+amd64-microcode/bullseye
NOTE: 20250710: Added by Front-Desk (apo)
NOTE: 20250906: Reached out to maintainer, offering help.
NOTE: 20250906: Might need newer firmware on the computer or newer kernel (#1109035)
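Review bot: the "package/bullseye" form introduced from "389-ds-base/bullseye" onward is not explained in the file header, at least in the part visible as context here ("please append notes rather than remove/replace existing ones"). If the lines above do not already describe it, add a short header sentence saying that an entry name carries a "/release" suffix and that a package needing work in both bullseye and bookworm gets one entry per release, so that people adding entries during the June 12th -> September 1st overlap follow the same convention.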
@@ -46,28 +46,28 @@ amd64-microcode
NOTE: 20251224: See also 1109035#52 for updates from maintainer,
NOTE: 20251224: I think the required kernel microcode driver patch are: https://lists.openwall.net/linux-kernel/2025/10/27/1012
--
-apache-log4j2
+apache-log4j2/bullseye
NOTE: 20260413: Added by Front-Desk (rouca)
--
-asterisk
+asterisk/bullseye
NOTE: 20260423: Added by Front-Desk (pochu)
--
-bind9
+bind9/bullseye
NOTE: 20260520: Added by Front-Desk (Beuc)
NOTE: 20260520: 6 new CVEs including 1 memory corruption, upcoming DSA (Beuc/front-desk)
--
-bouncycastle
+bouncycastle/bullseye
NOTE: 20260417: Added by Front-Desk (rouca)
NOTE: 20260417: Priority: Fix CVE-2026-5588 then try to fix other pilled CVE (rouca/FD)
--
-busybox
+busybox/bullseye
NOTE: 20260511: Added by Front-Desk (dleidert)
NOTE: 20260511: A bunch of issues has piled up and last update was in early 2025 (dleidert/front-desk)
--
-c3p0
+c3p0/bullseye
NOTE: 20260414: Added by Front-Desk (rouca)
--
-ca-certificates
+ca-certificates/bullseye
NOTE: 20250613: Added by Front-Desk (rouca)
NOTE: 20250613: Lack some certificates #1095913 (rouca/FD)
NOTE: 20250613: Coordinate with bookworm PU if needed (rouca/FD)
@@ -80,92 +80,92 @@ ca-certificates
NOTE: 20260216: partial update under debusine https://debusine.debian.net/debian/developers/work-request/446642/
NOTE: 20260220: Release partial DLA 4485-1
--
-calibre
+calibre/bullseye
NOTE: 20260222: Added by Front-Desk (rouca)
NOTE: 20260429: partial update (abhijith)
NOTE: 20260430: Revisit when rest of the CVEs are fixed upstream (abhijith)
--
-ckeditor
+ckeditor/bullseye
NOTE: 20241002: Added by Front-Desk (Beuc)
NOTE: 20241002: Multiple CVEs have been piling up (Beuc/front-desk)
--
-composer
+composer/bullseye
NOTE: 20260417: Added by Front-Desk (rouca)
--
-coturn
+coturn/bullseye
NOTE: 20260414: Added by Front-Desk (rouca)
--
-cups (Thorsten Alteholz)
+cups/bullseye (Thorsten Alteholz)
NOTE: 20260404: Added by Front-Desk (ta)
--
-dnsmasq
+dnsmasq/bullseye
NOTE: 20260513: Added by Front-Desk (pochu)
--
-docker-registry
+docker-registry/bullseye
NOTE: 20260419: Added by Front-Desk (rouca)
--
-docker.io
+docker.io/bullseye
NOTE: 20250805: Added by Front-Desk (rouca)
--
-dovecot (guilhem)
+dovecot/bullseye (guilhem)
NOTE: 20260517: Added by Front-Desk (pochu)
--
-dpkg
+dpkg/bullseye
NOTE: 20260522: Added by Front-Desk (Beuc)
NOTE: 20260522: See CVE and non-CVE security fixes from OSPU https://bugs.debian.org/1132553 (Beuc/front-desk)
--
-edk2
+edk2/bullseye
NOTE: 20251230: Added by Front-Desk (Beuc)
NOTE: 20251230: Lots of postponed issues piled-up (Beuc/front-desk)
--
-epiphany-browser (abhijith)
+epiphany-browser/bullseye (abhijith)
NOTE: 20251206: Added by Front-Desk (rouca)
NOTE: 20251206: Fix CVE-2023-26081 fixed in buster. Try to fix other CVEs postponed (fd/rouca)
NOTE: 20260128: package's test fails in builds (abhijith)
NOTE: 20260226: Latest upload of webkit2gtk broke epiphany-browser(abhijith)
NOTE: 20260421: Proposed EOL: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/341 (pochu)
--
-erlang
+erlang/bullseye
NOTE: 20260519: Added by Front-Desk (Beuc)
NOTE: 20260519: Re-added after DLA-4590-1, due to 3 newer CVEs, some of which high.
NOTE: 20260519: Also fully follow bookworm 12.14 (CVE-2025-48040)
NOTE: 20260519: and bookworm 12.12 (CVE-2025-46712).
NOTE: 20260519: Fix ELTS at the same time. (Beuc/front-desk)
--
-exim4
+exim4/bullseye
NOTE: 20260531: Added by Front-Desk (dleidert)
NOTE: 20260531: Follow DSA-6309-1 and possibly care about open CVEs (dleidert/front-desk)
--
-expat
+expat/bullseye
NOTE: 20260518: Added by Front-Desk (Beuc)
NOTE: 20260518: Upcoming DSA + many postponed CVE.
NOTE: 20260518: CVE-2026-41080 fix requires for python's CVE-2026-7210.
--
-firebird3.0
+firebird3.0/bullseye
NOTE: 20260418: Added by Front-Desk (rouca)
--
-firmware-nonfree
+firmware-nonfree/bullseye
NOTE: 20251130: Added by Front-Desk. Moreover, take care of postponed issue (rouca)
--
-flatpak
+flatpak/bullseye
NOTE: 20260413: Added by Front-Desk (rouca)
--
-fontforge
+fontforge/bullseye
NOTE: 20260216: Added by Front-Desk (rouca)
--
-freerdp2
+freerdp2/bullseye
NOTE: 20260127: Added by Front-Desk (Beuc)
NOTE: 20260127: Many CVEs fixed in 3.20.1 and 3.21, but missing fix commits (Beuc/front-desk)
--
-frr
+frr/bullseye
NOTE: 20251102: Added by Front-Desk (apo)
--
-gdal
+gdal/bullseye
NOTE: 20260419: Added by Front-Desk (rouca)
NOTE: 20260419: Investigate why embded zblib and maybe deemded beginning from sid (rouca/FD)
NOTE: 20260419: check other zlib CVE (rouca/FD)
--
-gdcm (eamanu)
+gdcm/bullseye (eamanu)
NOTE: 20251214: Added by Front-Desk (dleidert)
NOTE: 20251214: Take care of OSPU as well (dleidert/front-desk)
NOTE: 20251220: CVE-2024-* were fixed by Étienne Mollie. I fixed CVE-2025-11266 in salsa (eamanu).
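Review bot: claimed entries in this hunk now read "cups/bullseye (Thorsten Alteholz)", "dovecot/bullseye (guilhem)" and "gdcm/bullseye (eamanu)", with the release suffix sitting between the package name and the claimant. It is worth confirming that anything parsing the first line of an entry strips "/bullseye" before using the package name and still picks up the claimant in parentheses, otherwise these entries would be looked up under a name that includes the suffix and drop out of claim listings.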
@@ -176,19 +176,19 @@ gdcm (eamanu)
NOTE: 20260513: New ping to upstream to know about open CVEs.
NOTE: 20260528: Ping upstream again.
--
-giflib
+giflib/bullseye
NOTE: 20260405: Added by Front-Desk (ta)
NOTE: 20260405: no upstream fix yet
--
-glances
+glances/bullseye
NOTE: 20260518: Added by Front-Desk (Beuc)
NOTE: 20260518: Many postponed vulnerabilities piled-up (Beuc/front-desk)
--
-glibc (arnaudr)
+glibc/bullseye (arnaudr)
NOTE: 20260404: Added by Front-Desk (ta)
NOTE: 20260404: no upstream fix yet
--
-golang-github-gorilla-csrf
+golang-github-gorilla-csrf/bullseye
NOTE: 20250422: Added by Front-Desk (rouca)
NOTE: 20250422: Need to binNMU reverse depends (in that order): golang-github-alecthomas-chroma, golang-github-niklasfasching-go-org, golang-github-yuin-goldmark-highlighting, hugo (rouca)
NOTE: 20250621: Re-add as binNMUs are not all properly Installed in the archive, e.g.
@@ -198,13 +198,13 @@ golang-github-gorilla-csrf
NOTE: 20250621: still stuck at Uploaded phase, probably due to missing sources at security.debian.org (Beuc)
NOTE: 20251107: Please coordinate with FTP masters to unblock the situation (Beuc/front-desk)
--
-golang-glog
+golang-glog/bullseye
NOTE: 20250209: Added by Front-Desk (apo)
NOTE: 20251107: Re-add as binNMUs are not all properly Installed in the archive:
NOTE: 20251107: https://buildd.debian.org/status/package.php?p=+golang-github-grpc-ecosystem-grpc-gateway&suite=bullseye-security
NOTE: 20251107: Please coordinate with FTP masters to unblock the situation (Beuc/front-desk)
--
-grub2 (Emilio)
+grub2/bullseye (Emilio)
NOTE: 20250105: Added by Front-Desk (apo)
NOTE: 20250105: high-profile package but not enough details yet. (apo)
NOTE: 20250219: New batch of 21 CVEs, with fixes (Beuc/front-desk)
@@ -227,36 +227,36 @@ grub2 (Emilio)
NOTE: 20260406: grub2/bookworm approved https://bugs.debian.org/1132510 (partial update)
NOTE: 20260407: shim/bookworm approved https://bugs.debian.org/1131862 (but waiting for Microsoft signature)
--
-gsasl
+gsasl/bullseye
NOTE: 20260514: Added by Front-Desk (pochu)
--
-gst-plugins-good1.0
+gst-plugins-good1.0/bullseye
NOTE: 20260520: Added by Front-Desk (Beuc)
NOTE: 20260520: 6 CVEs piled up since December (Beuc)
--
-haveged
+haveged/bullseye
NOTE: 20260519: Added by Front-Desk (Beuc)
NOTE: 20260519: high / LPE (Beuc/front-desk)
--
-hplip (Thorsten Alteholz)
+hplip/bullseye (Thorsten Alteholz)
NOTE: 20260523: Added by maintainer (ta)
--
-jackson-core (Markus Koschany)
+jackson-core/bullseye (Markus Koschany)
NOTE: 20250707: Added by Front-Desk (apo)
NOTE: 20251016: A single patch is not possible to apply to fix the CVE. I'm working on backporting more than one.
NOTE: 20251121: Still working backporting patches to fix CVE-2025-52999.
--
-jetty9
+jetty9/bullseye
NOTE: 20260418: Added by Front-Desk. Fix CVE-2026-5795 maybe other (rouca)
--
-kamailio
+kamailio/bullseye
NOTE: 20260413: Added by Front-Desk (rouca)
--
-kitty
+kitty/bullseye
NOTE: 20260522: Added by Front-Desk (Beuc)
NOTE: 20260522: Upcoming DSA (Beuc/front-desk)
--
-knot-resolver
+knot-resolver/bullseye
NOTE: 20251206: Added by Front-Desk (rouca)
NOTE: 20251206: Close CVE-2022-40188 buster regression. Try to fix other non ignored CVEs.
NOTE: 20251223: complicated to backport no-dsa CVEs as CVE-2023-46317 reverts much of the patch
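Review bot: the grub2 notes kept as context at the top of this hunk track bookworm uploads ("grub2/bookworm approved", "shim/bookworm approved"), while the entry they belong to has just been renamed to "grub2/bullseye". If that bookworm work is still open when bookworm enters LTS, give it its own "grub2/bookworm" entry rather than leaving it recorded only in the history of the bullseye entry.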
@@ -266,25 +266,25 @@ knot-resolver
NOTE: 20250104: still waiting to hear back. will upload to debusine for extra pipelines to run. (utkarsh)
NOTE: 20250119: still waiting to hear back. (utkarsh)
--
-ldap-account-manager
+ldap-account-manager/bullseye
NOTE: 20260418: Added by Front-Desk (rouca)
--
-libcaca
+libcaca/bullseye
NOTE: 20260519: Added by Front-Desk (Beuc)
NOTE: 20260519: Fix unstable first. (Beuc/front-desk)
NOTE: 20260601: Unstable fixed and OSPU ready https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138538
--
-libcryptx-perl
+libcryptx-perl/bullseye
NOTE: 20260531: Added by Front-Desk (dleidert)
--
-libraw
+libraw/bullseye
NOTE: 20260417: Added by Front-Desk (rouca)
--
-libreoffice
+libreoffice/bullseye
NOTE: 20260508: Added by Front-Desk (dleidert)
NOTE: 20260508: Follow DSA-6251-1 (dleidert/front-desk)
--
-libsoup2.4
+libsoup2.4/bullseye
NOTE: 20250408: Added by Front-Desk (Beuc)
NOTE: 20250427: libsoup2.4 2.72.0-2+deb11u2 (bullseye) uploaded ...
NOTE: 20250427: ... without CVE-2025-32907 and CVE-2025-32049.
@@ -315,58 +315,58 @@ libsoup2.4
NOTE: 20251209: possibly also look into wip by spwitton, thus unclaiming
NOTE: 20251209: rather than removing this entry. (ah)
--
-libstb
+libstb/bullseye
NOTE: 20251206: Added by Front-Desk (rouca)
NOTE: 20251206: avoid regresion from buster (rouca/front-desk)
NOTE: 20251206: try to fix other CVEs and help with PU if needed (rouca/front-desk)
NOTE: 20260226: Fixed CVE-2021-28021 CVE-2021-37789 CVE-2021-42715 CVE-2022-28041 CVE-2022-28042 with DLA-4493-1 (abhijith)
NOTE: 20260429: Revisit when upstream merge the proposed fixes. Though other embed libstb projects patched (abhijith)
--
-libtext-csv-xs-perl
+libtext-csv-xs-perl/bullseye
NOTE: 20260519: Added by Front-Desk (Beuc)
NOTE: 20260519: Follow trixie 13.5 (1 CVE) (Beuc/front-desk)
--
-libxml2 (guilhem)
+libxml2/bullseye (guilhem)
NOTE: 20260519: Added by Front-Desk (Beuc)
NOTE: 20260519: CVE-2026-6732 looks serious, also fixed postponed CVEs (Beuc/front-desk)
--
-libxmltok
+libxmltok/bullseye
NOTE: 20250421: Added by Front-Desk (ta)
NOTE: 20250421: Also review all other expat CVEs. (bunk)
NOTE: 20250421: Fixing the expat copy in xmlrpc-c at the same time would make sense. (bunk)
NOTE: 20250505: WIP there are lots of CVEs to review (ta)
--
-libxslt
+libxslt/bullseye
NOTE: 20250930: Added by Front-Desk (rouca)
NOTE: 20251020: In progress, waiting for upstream action (guilhem)
NOTE: 20251104: Done, but waiting for upstream to merge before uploading and issuing the DLA (guilhem)
--
-linux (Ben Hutchings)
+linux/bullseye (Ben Hutchings)
NOTE: 20230111: Perma-added, Linux package specifically delegated to bwh (LTS Team)
--
-mbedtls
+mbedtls/bullseye
NOTE: 20260427: Added by Front-Desk (lamby)
--
-mediawiki (guilhem)
+mediawiki/bullseye (guilhem)
NOTE: 20260404: Added by Front-Desk (ta)
--
-mesa (tobi)
+mesa/bullseye (tobi)
NOTE: 20260418: Added by Front-Desk. Fix CVE-2026-40393 (rouca)
--
-mimetex
+mimetex/bullseye
NOTE: 20250422: Added by Front-Desk (rouca)
NOTE: 20250629: There doesn't seem to be a fix so far according to #1103801 (dleidert)
NOTE: 20250629: Best course of action seems to be some kind of mitigation similar to https://moodle.org/mod/forum/discuss.php?d=467592 (dleidert)
--
-mongo-c-driver
+mongo-c-driver/bullseye
NOTE: 20260522: Added by Front-Desk (Beuc)
NOTE: 20260522: Follow bookworm 12.14 (4+1 CVEs) (Beuc/front-desk)
--
-nagios4
+nagios4/bullseye
NOTE: 20260529: Added by Front-Desk (dleidert)
NOTE: 20260529: Follow recent upload of 4.4.6-4+deb12u1/4.4.6-4.1+deb13u1 (dleidert/front-desk)
--
-nagvis
+nagvis/bullseye
NOTE: 20250117: Added by Front-Desk (rouca)
NOTE: 20250119: Also check/fix https://bugs.debian.org/1061044
NOTE: 20250119: when testing your fix for bookworm. (bunk)
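Review bot: "linux/bullseye (Ben Hutchings)" narrows to one release an entry whose only note is "Perma-added, Linux package specifically delegated to bwh (LTS Team)". A permanent delegation scoped to bullseye no longer covers the kernel once bookworm is also under LTS, so a matching "linux/bookworm" entry carrying the same perma-added note should be added for the overlap period.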
@@ -376,73 +376,73 @@ nagvis
NOTE: 20250629: Next DLA for 2 new issues has been released (dleidert)
NOTE: 20250629: PU is ready and will be tested before sending the PU request (dleidert)
--
-netatalk
+netatalk/bullseye
NOTE: 20260518: Added by Front-Desk (Beuc)
NOTE: 20260518: DSA-6280-1 released fixing 20 patches for trixie.
NOTE: 20260518: ~low popcon, no sponsors, only fix if backporting the single
NOTE: 20260518: consolidated patch is straightforward enough (Beuc/front-desk)
--
-netty (rouca)
+netty/bullseye (rouca)
NOTE: 20250814: Added by Front-Desk (lamby)
NOTE: 20251115: Partial release for sid. Fix all CVEs except CVE-2025-58056 (rouca)
NOTE: 20251127: all CVEs fixed under sid (rouca)
NOTE: 20260114: fix remaining CVE wait DSA (rouca)
NOTE: 20260331: release DLA-4519-1 netty. Unfortunatly partial due to new CVEs (rouca)
--
-nginx (charles)
+nginx/bullseye (charles)
NOTE: 20260530: Added by Front-Desk (dleidert)
NOTE: 20260530: Fix CVE-2026-9256 (dleidert/front-desk)
--
-node-lodash (utkarsh)
+node-lodash/bullseye (utkarsh)
NOTE: 20260131: Added by Front-Desk (Beuc)
NOTE: 20260201: this package is pure madness - 290 vendored sources and origtars. :)
NOTE: 20260201: what did i get into? d'oh. anyway, preparing unstable update first. (utkarsh)
NOTE: 20260201: uploaded to sid. would like for it to settle there first. (utkarsh)
NOTE: 20260302: no regressions reported, will start to upload to stable releases. (utkarsh)
--
-nss
+nss/bullseye
NOTE: 20260518: Added by Front-Desk (Beuc)
NOTE: 20260518: Upcoming DSA (3 CVEs) (Beuc/front-desk)
NOTE: 20260521: DSA-6290-1 (Beuc/front-desk)
--
-nvidia-cuda-toolkit
+nvidia-cuda-toolkit/bullseye
NOTE: 20241004: Added by Front-Desk (Beuc)
--
-nvidia-graphics-drivers
+nvidia-graphics-drivers/bullseye
NOTE: 20250505: Added by Front-Desk (Beuc)
NOTE: 20250505: Non-free, but sponsored (Beuc/front-desk)
NOTE: 20250623: Reached out to maintainer, asking for some input on several CVEs. (tobi)
NOTE: 20250630: With reply from maintainer, tiraged some CVEs accordingly and updated the security tracker (tobi)
NOTE: 20250707: Maintainer offered to prepare a backport of upstream R515, offered to test them, after DebConf (tobi)
--
-ocaml
+ocaml/bullseye
NOTE: 20260419: Added by Front-Desk (rouca)
--
-openexr
+openexr/bullseye
NOTE: 20260413: Added by Front-Desk (rouca)
--
-openssl
+openssl/bullseye
NOTE: 20260411: Added by Front-Desk (utkarsh)
NOTE: 20260411: Follow DSA-6201-1 (CVE-2026-28387 CVE-2026-28388 CVE-2026-28389
NOTE: 20260411: CVE-2026-28390 CVE-2026-31789). Check which CVEs affect 1.1.1w.
NOTE: 20260411: CVE-2026-31790 (RSASVE) is 3.x-only, already marked not-affected.
--
-openvpn (dleidert)
+openvpn/bullseye (dleidert)
NOTE: 20260517: Added by Front-Desk (pochu)
NOTE: 20260521: DSA-6289-1 (2 CVEs) (Beuc/front-desk)
--
-openvswitch
+openvswitch/bullseye
NOTE: 20260405: Added by Front-Desk (ta)
NOTE: 20260422: Cf. OSPU (if approved) https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133882 (Beuc)
--
-orthanc
+orthanc/bullseye
NOTE: 20260419: Added by Front-Desk (rouca)
--
-perl
+perl/bullseye
NOTE: 20260527: Added by Front-Desk (santiago)
NOTE: 20260527: wait for the DSA before releasing
--
-php-laravel-framework
+php-laravel-framework/bullseye
NOTE: 20250307: Added by Front-Desk (rouca)
NOTE: 20251027: History of upstream branch fixing v12: git log 9de75259..2d133034^2.
NOTE: 20251027: There was an attempt to backport to v9, but it got rejected upstream
@@ -451,64 +451,64 @@ php-laravel-framework
NOTE: 20251027: tests is required to prevent regressions, but I could not get the upstream
NOTE: 20251027: test suite to work. It is not exercised as part of Debian packages build. (paride)
--
-php-phpseclib (utkarsh)
+php-phpseclib/bullseye (utkarsh)
NOTE: 20260327: Added by Front-Desk (Beuc)
NOTE: 20260327: Upcoming DSA; fix also the 2023 postponed issue (Beuc/front-desk)
NOTE: 20260329: DSA-6186-1
NOTE: 20260518: Also follow bookworm 12.14 (2 CVEs) (Beuc/front-desk)
--
-php-twig
+php-twig/bullseye
NOTE: 20260521: Added by Front-Desk (Beuc)
NOTE: 20260521: Cf. symfony batch of CVEs, upcoming DSA (Beuc/front-desk)
--
-phpseclib
+phpseclib/bullseye
NOTE: 20260518: Added by Front-Desk (Beuc)
NOTE: 20260518: Follow bookworm 12.14 (2 CVEs) (Beuc/front-desk)
--
-postgresql-13 (eamanu)
+postgresql-13/bullseye (eamanu)
NOTE: 20260514: Added by Front-Desk (pochu)
--
-proftpd-dfsg
+proftpd-dfsg/bullseye
NOTE: 20260511: Added by Beuc for maintainer (Hilmar Preuße)
NOTE: 20260511: https://lists.debian.org/debian-lts/2026/05/msg00015.html
NOTE: 20260511: https://salsa.debian.org/debian-proftpd-team/proftpd/-/commits/bullseye
--
-prosody
+prosody/bullseye
NOTE: 20260511: Added by Front-Desk (dleidert)
NOTE: 20260511: Follow DSA 6252-1 fixing 4 CVEs (dleidert/front-desk)
--
-pypdf2 (dleidert)
+pypdf2/bullseye (dleidert)
NOTE: 20260328: Added by Front-Desk (Beuc)
NOTE: 20260328: 6 new CVEs, and lots of postponed issues piled-up (Beuc/front-desk)
--
-qemu
+qemu/bullseye
NOTE: 20260520: Added by Front-Desk (Beuc)
NOTE: 20260520: Many postponed CVEs piled up (Beuc/front-desk)
NOTE: 20260520: Also SPU/OSPU included a rebuild with updated glibc/glib2.0 (Beuc/front-desk)
--
-qtsvg-opensource-src
+qtsvg-opensource-src/bullseye
NOTE: 20260522: Added by Front-Desk (Beuc)
NOTE: 20260522: Many postponed CVEs piled up (Beuc/front-desk)
--
-rabbitmq-server
+rabbitmq-server/bullseye
NOTE: 20260504: Added by coordinator (santiago)
NOTE: 20260504: Added to address out-standing minor issues
--
-redis (Chris Lamb)
+redis/bullseye (Chris Lamb)
NOTE: 20260515: Added by Front-Desk (pochu)
NOTE: 20260601: Awaiting upstream patches and DSA determination on severity. (lamby)
--
-request-tracker4
+request-tracker4/bullseye
NOTE: 20260529: Added by Front-Desk (dleidert)
NOTE: 20260529: Follow DSA in preparation by maintainer (dleidert/front-desk)
--
-ruby-rack (Abhijith PA)
+ruby-rack/bullseye (Abhijith PA)
NOTE: 20260413: Added by Front-Desk (rouca)
--
-ruby2.7 (Abhijith PA)
+ruby2.7/bullseye (Abhijith PA)
NOTE: 20260419: Added by Front-Desk (rouca)
--
-runc
+runc/bullseye
NOTE: 20251105: Added by Front-Desk (Beuc)
NOTE: 20251105: 3 high-severity container breakouts. Used by docker.io.
NOTE: 20251105: This could be hard to backport so maybe check with the security team
@@ -521,62 +521,62 @@ runc
NOTE: 20260212: Try to rebuild new upstream versions against Trixie, update #1120140 (arnaudr)
NOTE: 20260223: Updated #1120140 with some thoughts, asking for more opinions (kanashiro)
--
-rust-openssl
+rust-openssl/bullseye
NOTE: 20250209: Added by Front-Desk (apo)
NOTE: 20251107: Re-add as binNMUs are not all properly Installed in the archive:
NOTE: 20251107: https://buildd.debian.org/status/package.php?p=rust-condure&suite=bullseye-security
NOTE: 20251107: https://buildd.debian.org/status/package.php?p=rust-debcargo&suite=bullseye-security
NOTE: 20251107: Please coordinate with FTP masters to unblock the situation (Beuc/front-desk)
--
-samba
+samba/bullseye
NOTE: 20260321: Added by Front-Desk (charles)
NOTE: 20260321: Fix #1108904 in lts first then elts. The upstream bug has a
NOTE: 20260321: lot of information: https://bugzilla.samba.org/show_bug.cgi?id=15876.
NOTE: 20260321: Red hat has backported the fix to 4.15 and there is a note
NOTE: 20260321: about pre-4.15: "Samba < 4.15 doesn't have async dns lookups!" (charles)
--
-shim (Emilio)
+shim/bullseye (Emilio)
NOTE: 20260511: Added by pochu
--
-smb4k
+smb4k/bullseye
NOTE: 20251217: Added by Front-Desk (pochu)
--
-snapd
+snapd/bullseye
NOTE: 20260324: Added by Front-Desk (Beuc)
NOTE: 20260324: See DSA-6170-1 (root LPE) (Beuc/front-desk)
NOTE: 20260324: Debian <=bookworm doesn't prune /tmp by default (cf. /usr/lib/tmpfiles.d/tmp.conf),
NOTE: 20260324: but a local administrator could change that, so I'd suggest fixing anyway (Beuc/front-desk)
--
-spip
+spip/bullseye
NOTE: 20260220: Added by Front-Desk (rouca)
NOTE: 20260326: EOL candidate? Many issues pile-up, 3.2 EOL'd upstream,
NOTE: 20260326: not in bookworm, trixie updated through upstream 4.4 LTS releases,
NOTE: 20260326: very low popcon (Beuc/front-desk)
NOTE: 20260422: https://salsa.debian.org/lts-team/lts-updates-tasks/-/work_items/342
--
-starlette (dleidert)
+starlette/bullseye (dleidert)
NOTE: 20260528: Added by Front-Desk (dleidert)
NOTE: 20260528: follow DSA-6302-1 (dleidert/front-desk)
--
-strongswan
+strongswan/bullseye
NOTE: 20260423: Added by Front-Desk (pochu)
--
-sudo (ah)
+sudo/bullseye (ah)
NOTE: 20260522: Added by Front-Desk (Beuc)
NOTE: 20260522: Follow bookworm 12.14, CVE-2026-35535 part of the high-profile
NOTE: 20260522: CrackArmor PoC from Qualys (Beuc/front-desk)
--
-suricata
+suricata/bullseye
NOTE: 20250331: re added to fix next bunch of CVEs (ta)
NOTE: 20250825: testing package (ta)
--
-symfony
+symfony/bullseye
NOTE: 20260521: Added by Front-Desk (Beuc)
NOTE: 20260521: >20 CVEs disclosed, 10 not-affected,
NOTE: 20260521: at least 1 SQLI and 1 stored XSS.
NOTE: 20260521: Upcoming DSA (Beuc/front-desk)
--
-trafficserver
+trafficserver/bullseye
NOTE: 20241120: Added by Front-Desk (Beuc)
NOTE: 20241120: Upcoming DSA (Beuc/front-desk)
NOTE: 20241203: Upstream announcement does not mention 8.1 for any of the 3 CVEs.
@@ -587,47 +587,47 @@ trafficserver
NOTE: 20250403: There are multiple new CVEs. But none of them is addresses in Sid and maintainers didn't reply to me last time (dleidert)
NOTE: 20250405: DSA 5896-1 is out (Beuc/front-desk)
--
-u-boot
+u-boot/bullseye
NOTE: 20260522: Added by Front-Desk (Beuc)
NOTE: 20260522: Fix postponed CVEs along with buster (Beuc/front-desk)
--
-unbound
+unbound/bullseye
NOTE: 20260520: Added by Front-Desk (Beuc)
NOTE: 20260520: 11 new CVEs including 2 memory corruption (Beuc/front-desk)
--
-uriparser
+uriparser/bullseye
NOTE: 20260519: Added by Front-Desk (Beuc)
NOTE: 20260519: Many postponed CVEs piled-up (Beuc/front-desk)
--
-vim
+vim/bullseye
NOTE: 20260217: Added by Front-Desk (rouca)
NOTE: 20260228: I enabled the salsa pipeline, there are (previously undetected)
NOTE: 20260228: test failures. Working on ignoring them so the pipeline will be
NOTE: 20260228: useful to spot regressions. (paride)
--
-vips
+vips/bullseye
NOTE: 20260522: Added by Front-Desk (Beuc)
NOTE: 20260522: Follow bookworm 12.14 (8 CVEs) (Beuc/front-desk)
--
-vitrage
+vitrage/bullseye
NOTE: 20260419: Added by Front-Desk. Get in touch with zigo/upstream before (rouca)
NOTE: 20260419: CVE-2026-28370 is RCE
--
-watcher
+watcher/bullseye
NOTE: 20250908: Added by Front-Desk (apo)
NOTE: 20250908: See also nova. (apo)
NOTE: 20251023: See notes <aPqc5NoWRLG3jKLw at isildor2.loewenhoehle.ip>
NOTE: 20251027: Maintainer contacted (tobi)
NOTE: 20251106: Part of OpenStack (Beuc/front-desk)
--
-webkit2gtk (Emilio)
+webkit2gtk/bullseye (Emilio)
NOTE: 20260419: Added by Front-Desk (rouca)
NOTE: 20260421: Proposed EOL: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/340 (pochu)
--
-wireshark
+wireshark/bullseye
NOTE: 20260430: Added by Front-Desk (lamby)
--
-xmlrpc-c
+xmlrpc-c/bullseye
NOTE: 20250411: Added by Front-Desk (Beuc)
NOTE: 20250411: See issues with old embedded expat library:
NOTE: 20250411: https://www.openwall.com/lists/oss-security/2025/04/09/4
@@ -637,21 +637,21 @@ xmlrpc-c
NOTE: 20250705: Ping'd secteam asking for current bookworm plans. (Beuc)
NOTE: 20250705: https://lists.debian.org/debian-lts/2025/07/msg00006.html
--
-xorg-server
+xorg-server/bullseye
NOTE: 20260522: Added by Front-Desk (Beuc)
NOTE: 20260522: Follow bookworm 12.14 (5 CVEs) (Beuc/front-desk)
--
-xrdp (Abhijith PA)
+xrdp/bullseye (Abhijith PA)
NOTE: 20260418: Added by Front-Desk (rouca)
--
-yelp (dleidert)
+yelp/bullseye (dleidert)
NOTE: 20260522: Added by Front-Desk (Beuc)
--
-zabbix
+zabbix/bullseye
NOTE: 20260328: Added by Front-Desk (Beuc)
NOTE: 20260328: CVE-2026-23919->24 appear to be in supported scope (Beuc/front-desk)
--
-zulucrypt
+zulucrypt/bullseye
NOTE: 20250727: Added by Front-Desk (ta)
NOTE: 20251203: sent a mail to the maintainer asking about plans to address #1108288 (dleidert)
NOTE: 20260130: removed from archive without patch; Debian-specific CVE (root escalalation); consider dropping from all active dists (Beuc)
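Review bot: "zulucrypt/bullseye" scopes to a single release an entry whose latest note says "consider dropping from all active dists". Append a dated note recording what applies to bookworm, or add a "zulucrypt/bookworm" entry, so the bookworm side of that task is not lost when the overlap period starts.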
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd93552f803082281d58e57cf9fee7426832a5fd