[Git][security-tracker-team/security-tracker][master] lts: bullseye triage

Emilio Pozuelo Monfort (@pochu) pochu at debian.org
Fri Jun 5 11:35:30 BST 2026



Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
79319cb6 by Emilio Pozuelo Monfort at 2026-06-05T12:35:20+02:00
lts: bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3,6 +3,7 @@ CVE-2026-50593
 	NOTE: Fixed by: https://github.com/silnrsi/graphite/commit/ad78c6b7319909e1540c1b134e115ced03417866 (1.3.15)
 CVE-2026-49837
 	- gobgp 4.6.0-1
+	[bullseye] - gobgp <postponed> (Limited support)
 	NOTE: https://github.com/osrg/gobgp/security/advisories/GHSA-gjrg-jjr3-56cm
 CVE-2026-8916 (Out-of-bounds write vulnerability in Samsung Open Source rlottie allow ...)
 	- rlottie <unfixed>
@@ -180,6 +181,7 @@ CVE-2026-41010 (ReleaseJob#unpack builds job_dir = File.join(@release_dir, 'jobs
 	NOT-FOR-US: VMware
 CVE-2026-40898 (quic-go is an implementation of the QUIC protocol in Go. Prior to vers ...)
 	- golang-github-lucas-clemente-quic-go <unfixed>
+	[bullseye] - golang-github-lucas-clemente-quic-go <postponed> (Limited support, minor issue)
 	NOTE: https://github.com/quic-go/quic-go/security/advisories/GHSA-vvgj-x9jq-8cj9
 CVE-2026-40605 (Tautulli is a Python based monitoring and tracking tool for Plex Media ...)
 	NOT-FOR-US: Tautulli
@@ -503,6 +505,7 @@ CVE-2026-39107 (A Cross Site Scripting vulnerability exists in the Kimi AI v1.0
 	NOT-FOR-US: Kimi AI
 CVE-2026-37462 (An integer underflow in the BGPUpdate.DecodeFromBytes function (/bgp/b ...)
 	- gobgp 4.4.0-1
+	[bullseye] - gobgp <postponed> (Limited support)
 	NOTE: https://github.com/osrg/gobgp/commit/9ce8936672ebc07df524da77fa4c6ae26d92be6d (v4.4.0)
 CVE-2026-37460 (Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) ...)
 	- frr 10.6.1-1
@@ -620,6 +623,7 @@ CVE-2026-3276 (unicodedata.normalize() can take excessive CPU time when processi
 	- python3.13 <unfixed>
 	- python3.11 <removed>
 	- python3.9 <removed>
+	[bullseye] - python3.9 <postponed> (Minor issue)
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (not supported in bullseye)
 	- pypy3 <unfixed>
@@ -1038,6 +1042,7 @@ CVE-2026-27145 ((*x509.Certificate).VerifyHostname previously called matchHostna
 	- golang-1.24 <removed>
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue)
 	NOTE: https://github.com/golang/go/issues/79694
 	NOTE: https://github.com/golang/go/commit/ce5a3e718cac440defae617dc6ed72a6e94cd0af (go1.26.4)
 	NOTE: https://github.com/golang/go/commit/c5d18e479475e251c8593b1113fb53836117d5d3 (go1.25.11)
@@ -1047,6 +1052,7 @@ CVE-2026-42507 (When returning errors, functions in the net/textproto package wo
 	- golang-1.24 <removed>
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue)
 	NOTE: https://github.com/golang/go/issues/79346
 	NOTE: https://github.com/golang/go/commit/ec1c380418ec6a0da28d4519872e2b81ba9152ba (go1.26.4)
 	NOTE: https://github.com/golang/go/commit/449dafea7264878e73acc58cbd330e0ee6630030 (go1.25.11)
@@ -1056,6 +1062,7 @@ CVE-2026-42504 (Decoding a maliciously-crafted MIME header containing many inval
 	- golang-1.24 <removed>
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue)
 	NOTE: https://github.com/golang/go/issues/79217
 	NOTE: https://github.com/golang/go/commit/7f24db453a60faf6a3546d60bb02917a0a7aace0 (go1.26.4)
 	NOTE: https://github.com/golang/go/commit/b79e0339290e14b3b2de1dc4942b8a88701ddb02 (go1.25.11)
@@ -2290,6 +2297,7 @@ CVE-2026-41440
 	NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/4139cf452f546b95172b3bad93714d380cd0f4ef (v11.0.1)
 CVE-2026-35563 (It was identified that the LDAP client implementation in version 2.1.7 ...)
 	- apache-directory-api <unfixed>
+	[bullseye] - apache-directory-api <postponed> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/06/01/2
 CVE-2026-48827 (Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack ...)
 	- mina2 <unfixed> (bug #1138634)
@@ -8519,6 +8527,7 @@ CVE-2026-5223 (Cargo incorrectly handled symlinks inside of crate tarballs downl
 	- rust-cargo 0.91.0-3
 	[trixie] - rust-cargo <no-dsa> (Minor issue)
 	[bookworm] - rust-cargo <no-dsa> (Minor issue)
+	[bullseye] - rust-cargo <postponed> (Minor issue)
 	- rustc 1.95.0+dfsg1-2
 	[trixie] - rustc <no-dsa> (Minor issue)
 	[bookworm] - rustc <no-dsa> (Minor issue)
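Review bot: rustc has no [bullseye] annotation in the context shown, while rust-cargo now does; if the bullseye rustc build is affected by CVE-2026-5223 as well, it needs a matching `[bullseye] - rustc <postponed> (Minor issue)` line after its [bookworm] entry, unless one already sits below the visible context.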
@@ -8530,6 +8539,7 @@ CVE-2026-5222 (Cargo between 1.68 and 1.96 incorrectly normalized the URLs of th
 	- rust-cargo 0.91.0-3
 	[trixie] - rust-cargo <no-dsa> (Minor issue)
 	[bookworm] - rust-cargo <no-dsa> (Minor issue)
+	[bullseye] - rust-cargo <postponed> (Minor issue)
 	- rustc 1.95.0+dfsg1-2
 	[trixie] - rustc <no-dsa> (Minor issue)
 	[bookworm] - rustc <no-dsa> (Minor issue)
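Review bot: same point as for CVE-2026-5223: only rust-cargo gains a [bullseye] marker here, and the rustc entry that follows shows [trixie] and [bookworm] `<no-dsa>` lines but no [bullseye] line in this hunk; either add `[bullseye] - rustc <postponed> (Minor issue)` or confirm the annotation exists past the context.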
@@ -9143,10 +9153,12 @@ CVE-2026-42626 (HP ENVY 5000 series printers VERBASPP1N003.2237A.00 do not prope
 	NOT-FOR-US: HP ENVY 5000 series printers
 CVE-2026-42506 (Parsing arbitrary HTML which is then rendered using Render can result  ...)
 	- golang-golang-x-net 1:0.55.0-1
+	[bullseye] - golang-golang-x-net <postponed> (Limited support, minor issue)
 	NOTE: https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
 	NOTE: https://github.com/golang/go/issues/79571
 CVE-2026-42502 (Parsing arbitrary HTML which is then rendered using Render can result  ...)
 	- golang-golang-x-net 1:0.55.0-1
+	[bullseye] - golang-golang-x-net <postponed> (Limited support, minor issue)
 	NOTE: https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
 	NOTE: https://github.com/golang/go/issues/79572
 CVE-2026-40172 (authentik is an open-source identity provider. In versions prior to 20 ...)
@@ -9173,6 +9185,7 @@ CVE-2026-39964 (TypeBot is a chatbot builder tool. In versions prior to 3.16.0,
 	NOT-FOR-US: TypeBot
 CVE-2026-39821 (The ToASCII and ToUnicode functions incorrectly accept Punycode-encode ...)
 	- golang-golang-x-net <unfixed>
+	[bullseye] - golang-golang-x-net <postponed> (Limited support, minor issue)
 	NOTE: https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
 	NOTE: https://github.com/golang/go/issues/78760
 CVE-2026-37470 (An issue in ClipBucket v5 v.5.5.2 allows an attacker to execute arbitr ...)
@@ -9197,14 +9210,17 @@ CVE-2026-28444 (Typebot is a chatbot builder tool. In versions 3.15.2 and prior,
 	NOT-FOR-US: TypeBot
 CVE-2026-27136 (Parsing arbitrary HTML which is then rendered using Render can result  ...)
 	- golang-golang-x-net 1:0.55.0-1
+	[bullseye] - golang-golang-x-net <postponed> (Limited support, minor issue)
 	NOTE: https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
 	NOTE: https://github.com/golang/go/issues/79575
 CVE-2026-25681 (Parsing arbitrary HTML which is then rendered using Render can result  ...)
 	- golang-golang-x-net 1:0.55.0-1
+	[bullseye] - golang-golang-x-net <postponed> (Limited support, minor issue)
 	NOTE: https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
 	NOTE: https://github.com/golang/go/issues/79574
 CVE-2026-25680 (Parsing arbitrary HTML can consume excessive CPU time, possibly leadin ...)
 	- golang-golang-x-net 1:0.55.0-1
+	[bullseye] - golang-golang-x-net <postponed> (Limited support, minor issue)
 	NOTE: https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
 	NOTE: https://github.com/golang/go/issues/79573
 CVE-2026-25608 (STER uses unencrypted TCP traffic to transmit data over the network. I ...)


=====================================
data/dla-needed.txt
=====================================
@@ -458,6 +458,9 @@ phpseclib/bullseye
   NOTE: 20260518: Added by Front-Desk (Beuc)
   NOTE: 20260518: Follow bookworm 12.14 (2 CVEs) (Beuc/front-desk)
 --
+poppler/bullseye
+  NOTE: 20260605: Added by Front-Desk (pochu)
+--
 postgresql-13/bullseye (eamanu)
   NOTE: 20260514: Added by Front-Desk (pochu)
 --
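Review bot: the new poppler/bullseye entry records only that it was added by Front-Desk; the neighbouring phpseclib entry also states the scope ("Follow bookworm 12.14 (2 CVEs)"), so a second NOTE naming the CVEs the bullseye update should cover would make the item actionable for whoever claims it.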



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79319cb60e0a53eed4edf907eca9c7d07aaa7c25




