[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2025-40932/libapache-sessionx-perl: postponed for bullseye
Carlos Henrique Lima Melara (@charles)
gitlab at salsa.debian.org
Sun Mar 1 01:35:54 GMT 2026
Carlos Henrique Lima Melara pushed to branch master at Debian Security Tracker / security-tracker
Commits:
dee5c422 by Carlos Henrique Lima Melara at 2026-02-28T22:07:25-03:00
CVE-2025-40932/libapache-sessionx-perl: postponed for bullseye
Follow secteam triage.
- - - - -
d3b769f0 by Carlos Henrique Lima Melara at 2026-02-28T22:18:01-03:00
CVE-2026-27837/node-dottie: postpone for bullseye
Follow secteam triage.
- - - - -
782771d3 by Carlos Henrique Lima Melara at 2026-02-28T22:34:24-03:00
CVE-2026-27606/node-rollup: postpone for bullseye
Follow secteam triage.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -546,6 +546,7 @@ CVE-2021-4456 (Net::CIDR versions before 0.24 for Perl mishandle leading zeros i
CVE-2025-40932 (Apache::SessionX versions through 2.01 for Perl create insecure sessio ...)
- libapache-sessionx-perl <unfixed> (bug #930660)
[bookworm] - libapache-sessionx-perl <no-dsa> (Minor issue; can be handled via point release at some point after unstable fix)
+ [bullseye] - libapache-sessionx-perl <postponed> (Minor issue; last upstream release in 2005 and only 1 rdep)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/37425045/
CVE-2026-3071 (Deserialization of untrusted data in the LanguageModel class of Flair ...)
NOT-FOR-US: LanguageModel class of Flair
@@ -783,6 +784,7 @@ CVE-2026-27837 (Dottie provides nested object access and manipulation in JavaScr
- node-dottie <unfixed> (bug #1129097)
[trixie] - node-dottie <no-dsa> (Minor issue)
[bookworm] - node-dottie <no-dsa> (Minor issue)
+ [bullseye] - node-dottie <postponed> (Minor issue)
NOTE: https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w
NOTE: Fixed by: https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14 (v2.0.7)
NOTE: CVE exists because of an incomplete fix for CVE-2023-26132.
@@ -1365,6 +1367,7 @@ CVE-2026-27606 (Rollup is a module bundler for JavaScript. Versions prior to 2.8
- node-rollup <unfixed> (bug #1129260)
[trixie] - node-rollup <no-dsa> (Minor issue)
[bookworm] - node-rollup <no-dsa> (Minor issue)
+ [bullseye] - node-rollup <postponed> (Minor issue)
NOTE: https://github.com/rollup/rollup/security/advisories/GHSA-mw96-cpmx-2vgc
NOTE: Fixed by: https://github.com/rollup/rollup/commit/c60770d7aaf750e512c1b2774989ea4596e660b2 (v4.59.0)
NOTE: Fixed by: https://github.com/rollup/rollup/commit/c8cf1f9c48c516285758c1e11f08a54f304fd44e (v3.30.0)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8c8a8080919efebef90a4d1fc0590e30d23c8841...782771d3c5f1ab5450ac3239ee4e725a6431e607
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8c8a8080919efebef90a4d1fc0590e30d23c8841...782771d3c5f1ab5450ac3239ee4e725a6431e607
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260301/215ab011/attachment.htm>
More information about the debian-security-tracker-commits
mailing list