[Git][security-tracker-team/security-tracker][master] Track fixed version for perl issues fixed via unstable upload

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sat Jun 6 19:35:02 BST 2026 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ec0547f4 by Salvatore Bonaccorso at 2026-06-06T20:34:31+02:00
Track fixed version for perl issues fixed via unstable upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -9487,7 +9487,7 @@ CVE-2026-46644 [insecure equivalence in symfony/polyfill-intl-idn for ASCII-only
 	NOTE: https://github.com/symfony/polyfill/security/advisories/GHSA-2xf4-cg6j-vhgq
 CVE-2026-48962 (IO::Compress versions before 2.220 for Perl can execute arbitrary code ...)
 	- libio-compress-perl 2.220-1 (bug #1138055)
-	- perl <unfixed> (bug #1138854)
+	- perl 5.40.1-8 (bug #1138854)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/40434385/
 	NOTE: Fixed by: https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610 (v2.220)
 CVE-2026-48961 (IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetai ...)
@@ -9495,18 +9495,18 @@ CVE-2026-48961 (IO::Compress versions from 2.207 before 2.220 for Perl ship a zi
 	[trixie] - libio-compress-perl <no-dsa> (Minor issue)
 	[bookworm] - libio-compress-perl <not-affected> (Vulnerable code introduced later)
 	[bullseye] - libio-compress-perl <not-affected> (Vulnerable code introduced later)
-	- perl <unfixed> (bug #1138855)
+	- perl 5.40.1-8 (bug #1138855)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/40434383/
 	NOTE: Introduced with: https://github.com/pmqs/IO-Compress/commit/ddfe67584a228877e5d28840da75ff32e435a5e3 (v2.207)
 	NOTE: Fixed by: https://github.com/pmqs/IO-Compress/commit/33c89d03d6e746ed2ead4f2f6570d47864c61bc7 (v2.220)
 CVE-2026-48959 (IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaust ...)
 	- libio-compress-perl 2.220-1 (bug #1138051)
-	- perl <unfixed> (bug #1138856)
+	- perl 5.40.1-8 (bug #1138856)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/40434381/
 	NOTE: Fixed by: https://github.com/pmqs/IO-Compress/commit/68db44076f4c1a86a2ffe53a958eac6cabaf72e2 (v2.220)
 CVE-2025-15649 (IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaugh ...)
 	- libio-compress-perl 2.217-1
-	- perl <unfixed> (bug #1138863)
+	- perl 5.40.1-8 (bug #1138863)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/40434380/
 	NOTE: https://github.com/pmqs/IO-Compress/issues/65
 	NOTE: Fixed by: https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8 (v2.215)
@@ -11224,7 +11224,7 @@ CVE-2026-5091 (Catalyst::Plugin::Authentication versions through 0.10024 for Per
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/40281889/
 	NOTE: https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b0515f492257438cf07082acf1e10d06e8088a5e (v0.10_025)
 CVE-2026-8376 (Perl versions through 5.43.10 have a heap buffer overflow when compili ...)
-	- perl <unfixed> (bug #1137345)
+	- perl 5.40.1-8 (bug #1137345)
 	[trixie] - perl <no-dsa> (Minor issue; can be fixed in point release)
 	[bookworm] - perl <no-dsa> (Minor issue; can be fixed in point release)
 	[bullseye] - perl <postponed> (Minor issue; can be fixed in point release)
@@ -17468,7 +17468,7 @@ CVE-2026-7010 (HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in
 	- libhttp-tiny-perl 0.092-2
 	[trixie] - libhttp-tiny-perl <no-dsa> (Minor issue)
 	[bookworm] - libhttp-tiny-perl <no-dsa> (Minor issue)
-	- perl <unfixed> (bug #1138858)
+	- perl 5.40.1-8 (bug #1138858)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/39952806/
 	NOTE: Fixed by: https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/d73c7651e82ace02693842df55928b6c3ae7c38d (release-0.093)
 CVE-2026-6146 (Amazon::Credentials versions through 1.2.0 for Perl uses rand to gener ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec0547f40acca3aace02e7b145ef565b315bc032

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec0547f40acca3aace02e7b145ef565b315bc032
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260606/587e50d4/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list