[Git][security-tracker-team/security-tracker][master] CVE-2026--13601/yelp assigned
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Mon Jun 29 21:37:30 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9e2d2221 by Salvatore Bonaccorso at 2026-06-29T22:36:45+02:00
CVE-2026--13601/yelp assigned
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/DSA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -169,8 +169,6 @@ CVE-2026-13742 (Honeywell IQ MultiAccess, all versions prior to and including ve
NOT-FOR-US: Honeywell
CVE-2026-13676 (fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize U ...)
TODO: check
-CVE-2026-13601 (A flaw was found in Yelp due to an overly permissive Content Security ...)
- TODO: check
CVE-2026-13595 (A flaw was found in the libblkid library of util-linux. During nested ...)
TODO: check
CVE-2026-13592 (A vulnerability was detected in liftoff-sr CIPster up to e8e9dba09bf56 ...)
@@ -33829,11 +33827,8 @@ CVE-2026-5172 (A buffer overflow in dnsmasq\u2019s extract_addresses() function
NOTE: https://xchglabs.com/blog/dnsmasq-five-cves.html
NOTE: Fixed by: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=073082ddc0aba7b8efa15a688d6183463b65effa (v2.93rc1)
NOTE: Introduced with: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=638c7c4d20004c0f320820098e29df62a27dd2a1 (v2.90test1)
-CVE-2026-XXXX [yelp: Sandbox escape]
+CVE-2026-13601 [yelp: Sandbox escape]
- yelp 49.1-1 (bug #1136299)
- [trixie] - yelp 42.2-4+deb13u1
- [bookworm] - yelp 42.2-1+deb12u2
- [bullseye] - yelp 3.38.3-1+deb11u2
NOTE: https://blogs.gnome.org/mcatanzaro/2026/05/11/flatpak-sandbox-escape-via-yelp/
NOTE: https://gitlab.gnome.org/GNOME/yelp/-/work_items/238
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/yelp/-/commit/d220aa2f754eed4e6a006a4acaa68b31892dea2b (49.1)
=====================================
data/DLA/list
=====================================
@@ -30,6 +30,7 @@
[bullseye] - libtext-csv-xs-perl 1.45-1+deb11u1
[bookworm] - libtext-csv-xs-perl 1.49-1+deb12u1
[25 Jun 2026] DLA-4647-1 yelp - security update
+ {CVE-2026-13601}
[bullseye] - yelp 3.38.3-1+deb11u2
[24 Jun 2026] DLA-4646-1 postgresql-13 - security update
{CVE-2026-6473 CVE-2026-6474 CVE-2026-6475 CVE-2026-6477 CVE-2026-6478 CVE-2026-6479 CVE-2026-6637}
=====================================
data/DSA/list
=====================================
@@ -178,6 +178,7 @@
{CVE-2024-51754 CVE-2026-46628 CVE-2026-46629 CVE-2026-46633 CVE-2026-46637 CVE-2026-47730}
[bookworm] - php-twig 3.5.1-1+deb12u3
[02 Jun 2026] DSA-6319-1 yelp - security update
+ {CVE-2026-13601}
[bookworm] - yelp 42.2-1+deb12u2
[trixie] - yelp 42.2-4+deb13u1
[01 Jun 2026] DSA-6318-1 gst-plugins-good1.0 - security update
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e2d22213cbbf98118307b2610fa40a868a173e2
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e2d22213cbbf98118307b2610fa40a868a173e2
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260629/78f17850/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list