[Git][security-tracker-team/security-tracker][master] Postpone some perl updates
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Jun 5 22:12:18 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
226a207f by Salvatore Bonaccorso at 2026-06-05T23:09:30+02:00
Postpone some perl updates
But baseline is, Perl maintainer will first top-down address issues in
unstable, then propose what to do with trixie and then to ideally follow
as well below.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -9963,14 +9963,20 @@ CVE-2026-48715 [Stack Buffer Overflow in radvdump Route Information Option Parse
NOTE: Crash in CLI tool, no security impact
CVE-2026-9538 (Archive::Tar versions before 3.10 for Perl allow memory exhaustion via ...)
- perl <unfixed> (bug #1138861)
+ [trixie] - perl <postponed> (Minor issue; wait for regressions upstream sorted out)
+ [bookworm] - perl <postponed> (Minor issue; wait for regressions upstream sorted out)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40396448/
NOTE: https://github.com/jib/archive-tar-new/commit/f9af01426038e29d9578825a0cd3626946ab08c7 (3.10)
CVE-2026-42497 (Archive::Tar versions before 3.08 for Perl extract hardlinks to attack ...)
- perl <unfixed> (bug #1138859)
+ [trixie] - perl <postponed> (Minor issue; wait for regressions upstream sorted out)
+ [bookworm] - perl <postponed> (Minor issue; wait for regressions upstream sorted out)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40396457/
NOTE: https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158 (3.08)
CVE-2026-42496 (Archive::Tar versions before 3.08 for Perl extract symlinks with attac ...)
- perl <unfixed> (bug #1138860)
+ [trixie] - perl <postponed> (Minor issue; wait for regressions upstream sorted out)
+ [bookworm] - perl <postponed> (Minor issue; wait for regressions upstream sorted out)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/40396459/
NOTE: https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158 (3.08)
CVE-2026-48589 (Apache Shiro\u2019s Jakarta EE module used the HTTP Referer header in ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/226a207fb00e6bd1b382bba69865c783c86f1ec4
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/226a207fb00e6bd1b382bba69865c783c86f1ec4
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260605/7a8b5fab/attachment.htm>
More information about the debian-security-tracker-commits
mailing list