[Git][security-tracker-team/security-tracker][master] 5 commits: Fix link for CVE-2026-3950 and mark Bullseye as not affected

Daniel Leidert (@dleidert) dleidert at debian.org
Sun Mar 15 19:10:20 GMT 2026



Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1ad649c8 by Daniel Leidert at 2026-03-15T19:26:11+01:00
Fix link for CVE-2026-3950 and mark Bullseye as not affected

- - - - -
4d9e2c4d by Daniel Leidert at 2026-03-15T19:45:28+01:00
lts: mark CVE-2026-3731/libssh as postponed

- - - - -
be18a96d by Daniel Leidert at 2026-03-15T19:48:36+01:00
dla-needed: add gst-plugins-base1.0 also in dsa-needed

- - - - -
0c591523 by Daniel Leidert at 2026-03-15T19:57:54+01:00
lts: mark gpac as EOL

- - - - -
12c93ca0 by Daniel Leidert at 2026-03-15T20:07:48+01:00
lts: mark CVE-2026-4105/bullseye as postponed

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -606,6 +606,7 @@ CVE-2026-4105 (A flaw was found in systemd. The systemd-machined service contain
 	- systemd 260~rc3-1
 	[trixie] - systemd <no-dsa> (Only exloitable with custom polkit policy that allows register-machine access)
 	[bookworm] - systemd <no-dsa> (Only exloitable with custom polkit policy that allows register-machine access)
+	[bullseye] - systemd <postponed> (Only exloitable with custom polkit policy that allows register-machine access)
 	NOTE: https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862
 	NOTE: Introduced with: https://github.com/systemd/systemd/commit/fbe550738d03b178bb004a1390e74115e904118a (v225)
 	NOTE: Fixed by: https://github.com/systemd/systemd/commit/6df5f80bd374be1b45c52d740e88f0236da922c7 (v260-rc3)
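Review bot: the added `[bullseye] - systemd <postponed>` line carries the typo "exloitable" copied from the trixie and bookworm lines directly above it; the rationale should read "Only exploitable with custom polkit policy that allows register-machine access", and correcting the two existing lines in the same commit would keep all three consistent.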
@@ -745,10 +746,12 @@ CVE-2026-4039 (A vulnerability was determined in OpenClaw 2026.2.19-2. This vuln
 	NOT-FOR-US: OpenClaw
 CVE-2026-4016 (A security vulnerability has been detected in GPAC 26.03-DEV. Affected ...)
 	- gpac <removed>
+	[bullseye] - gpac <end-of-life>
 	NOTE: https://github.com/gpac/gpac/issues/3468
 	NOTE: https://github.com/gpac/gpac/commit/7618d7206cdeb3c28961dc97ab0ecabaff0c8af2
 CVE-2026-4015 (A weakness has been identified in GPAC 26.03-DEV. Affected is the func ...)
 	- gpac <removed>
+	[bullseye] - gpac <end-of-life>
 	NOTE: https://github.com/gpac/gpac/issues/3467
 	NOTE: https://github.com/gpac/gpac/commit/d29f6f1ada5cc284cdfa783b6f532c7d8bd049a5
 CVE-2026-3989 (SGLangs `replay_request_dump.py` contains an insecure pickle.load() wi ...)
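Review bot: both new `[bullseye] - gpac <end-of-life>` lines give no reason, while the other suite markings in this file (for example `<no-dsa> (Minor issue)` and `<not-affected> (Vulnerable code not present)`) carry a parenthetical explanation; a short reason for why gpac is no longer supported in bullseye would make the EOL decision visible from the entry itself instead of only from the commit message "lts: mark gpac as EOL".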
@@ -1335,8 +1338,10 @@ CVE-2026-3950 (A vulnerability was identified in strukturag libheif up to 1.21.2
 	- libheif <unfixed> (bug #1130640)
 	[trixie] - libheif <not-affected> (Vulnerable code not present)
 	[bookworm] - libheif <not-affected> (Vulnerable code not present)
-	NOTE: Introduced after: https://github.com/strukturag/libheif/content/16e205f12bfe9a3717ca1d3b447fa83f66bc87e9 (v1.20.0)
+	[bullseye] - libheif <not-affected> (Vulnerable code not present)
+	NOTE: Introduced after: https://github.com/strukturag/libheif/commit/16e205f12bfe9a3717ca1d3b447fa83f66bc87e9 (v1.20.0)
 	NOTE: https://github.com/strukturag/libheif/issues/1715
+	NOTE: Fixed by: https://github.com/strukturag/libheif/pull/1721
 CVE-2026-3949 (A vulnerability was determined in strukturag libheif up to 1.21.2. Thi ...)
 	- libheif <unfixed> (unimportant)
 	NOTE: https://github.com/strukturag/libheif/issues/1712
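Review bot: the new `NOTE: Fixed by: https://github.com/strukturag/libheif/pull/1721` line references a pull request rather than a fix commit, unlike the other `Fixed by:` notes in this file, which use a commit URL followed by the fixed version in parentheses; once the PR is merged, replacing it with the merge commit and the release that contains it would let the fix be tracked by version alongside the `Introduced after: ... (v1.20.0)` note. The `content/` to `commit/` correction of the introducing-commit URL looks right.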
@@ -3155,6 +3160,7 @@ CVE-2026-3731 (A weakness has been identified in libssh up to 0.11.3. The impact
 	- libssh 0.12.0-1 (bug #1127693)
 	[trixie] - libssh <no-dsa> (Minor issue)
 	[bookworm] - libssh <no-dsa> (Minor issue)
+	[bullseye] - libssh <postponed> (Minor issue)
 	NOTE: https://www.libssh.org/security/advisories/libssh-2026-sftp-extensions.txt
 	NOTE: Fixed by: https://git.libssh.org/projects/libssh.git/commit/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8 (libssh-0.11.4)
 	NOTE: Testcase: https://git.libssh.org/projects/libssh.git/commit/?id=02c6f5f7ec8629a7cff6a28cde9701ab10304540 (libssh-0.11.4)


=====================================
data/dla-needed.txt
=====================================
@@ -163,6 +163,10 @@ grub2
   NOTE: 20251129: Maintainer (jak) replied: work underway, proposed to skip next point release (2026-01, too soon)
   NOTE: 20251129: also uncertainty on whether a shim/SBAT (revocation) update is feasible/needed.
 --
+gst-plugins-base1.0
+  NOTE: 20260315: Added by Front-Desk (dleidert)
+  NOTE: 20260315: Follow DSA when released (dleidert/front-desk)
+--
 gvfs
   NOTE: 20260228: Added by Front-Desk (charles)
   NOTE: 20260228: CVE-2026-28296 is the greater problem, users connecting to a
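Review bot: the new gst-plugins-base1.0 entry names no CVE identifier, whereas the gvfs entry right below it references CVE-2026-28296 in its notes; adding the CVE(s) the pending DSA will cover to the `Follow DSA when released` note would let the LTS team locate the matching data/CVE/list entries without first consulting dsa-needed.txt.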



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d2362fe49158d13456a623e1dcc4b00885be27d5...12c93ca0eab0a1a3d017ee95597a258a6543767e


