[Git][security-tracker-team/security-tracker][master] DLA-4591-1,DSA-6282-1/rsync: reference missing CVEs

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Sun Jun 21 14:27:44 BST 2026



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
969f41f4 by Sylvain Beucler at 2026-06-21T15:25:00+02:00
DLA-4591-1,DSA-6282-1/rsync: reference missing CVEs

In upstream's patches batch:
CVE-2025-10158: 0022-fixed-an-invalid-access-to-files-array.patch
CVE-2026-41035: 0031-xattrs-fixed-count-in-qsort.patch

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -42666,6 +42666,7 @@ CVE-2023-3634 (In products of the MSE6 product-family by Festo a remote authenti
 CVE-2026-41035 (In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted len ...)
 	- rsync 3.4.2+ds1-1 (bug #1134617; unimportant)
 	[trixie] - rsync 3.4.1+ds1-5+deb13u2
+	[bookworm] - rsync 3.2.7-1+deb12u5
 	NOTE: https://www.openwall.com/lists/oss-security/2026/04/16/2
 	NOTE: https://github.com/RsyncProject/rsync/issues/871
 	NOTE: https://github.com/RsyncProject/rsync/pull/875
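Review bot: the added `[bookworm] - rsync 3.2.7-1+deb12u5` line under CVE-2026-41035 is the only part of this commit that relates to DSA-6282-1. The subject names that advisory, but the changed files are data/CVE/list and data/DLA/list only. If the DSA's own CVE set in data/DSA/list is also missing this id, extend it in the same commit, as is done for DLA-4591-1. If that set is already complete, say so in the commit message so the subject and the diff agree.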
@@ -109870,7 +109871,6 @@ CVE-2025-10158 (A malicious client acting as the receiver of an rsync file trans
 	- rsync 3.4.1+ds1-7 (bug #1121442)
 	[trixie] - rsync 3.4.1+ds1-5+deb13u1
 	[bookworm] - rsync 3.2.7-1+deb12u4
-	[bullseye] - rsync <ignored> (Minor issue)
 	NOTE: Fixed by: https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f
 CVE-2025-8727 (There is a vulnerability in the Supermicro BMC web function at Supermi ...)
 	NOT-FOR-US: Supermicro
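Review bot: removing `[bullseye] - rsync <ignored> (Minor issue)` from CVE-2025-10158 leaves the entry with no bullseye line in this hunk, while trixie and bookworm each carry an explicit fixed version. The bullseye status now depends entirely on the DLA-4591-1 change in data/DLA/list. Before merging, check that the tracker reports bullseye as fixed in 3.2.3-4+deb11u4 for this CVE, and not as still affected by comparison with the unstable version 3.4.1+ds1-7.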


=====================================
data/DLA/list
=====================================
@@ -142,7 +142,7 @@
 	{CVE-2026-8388 CVE-2026-8391 CVE-2026-8401 CVE-2026-8946 CVE-2026-8947 CVE-2026-8950 CVE-2026-8953 CVE-2026-8954 CVE-2026-8955 CVE-2026-8956 CVE-2026-8957 CVE-2026-8958 CVE-2026-8961 CVE-2026-8962 CVE-2026-8968 CVE-2026-8970 CVE-2026-8974 CVE-2026-8975}
 	[bullseye] - firefox-esr 140.11.0esr-1~deb11u1
 [20 May 2026] DLA-4591-1 rsync - security update
-	{CVE-2026-29518 CVE-2026-43617 CVE-2026-43618 CVE-2026-43619 CVE-2026-43620}
+	{CVE-2025-10158 CVE-2026-29518 CVE-2026-41035 CVE-2026-43617 CVE-2026-43618 CVE-2026-43619 CVE-2026-43620}
 	[bullseye] - rsync 3.2.3-4+deb11u4
 [18 May 2026] DLA-4590-1 erlang - security update
 	{CVE-2026-21620 CVE-2026-23941 CVE-2026-23942 CVE-2026-23943}
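Review bot: the two ids added to the DLA-4591-1 set, CVE-2025-10158 and CVE-2026-41035, are justified only in the commit message, which maps them to 0022-fixed-an-invalid-access-to-files-array.patch and 0031-xattrs-fixed-count-in-qsort.patch. Nothing in the tracker data records that mapping. A NOTE on each CVE entry in data/CVE/list naming the patch would let a later reader confirm that the bullseye upload 3.2.3-4+deb11u4 ships both fixes without digging through the git history. The new set keeps the ids in sorted order, which is fine.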



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/969f41f44e217bdf863faa3d4de775e001b0c77b
