[Git][security-tracker-team/security-tracker][master] 7 commits: CVE-2026-4186/gpac: mark eol for bullseye

Carlos Henrique Lima Melara (@charles) gitlab at salsa.debian.org
Wed Mar 18 03:10:38 GMT 2026



Carlos Henrique Lima Melara pushed to branch master at Debian Security Tracker / security-tracker


Commits:
14896cb5 by Carlos Henrique Lima Melara at 2026-03-17T21:18:11-03:00
CVE-2026-4186/gpac: mark eol for bullseye

- - - - -
0736a826 by Carlos Henrique Lima Melara at 2026-03-17T21:24:52-03:00
CVE-2026-4224/python2.7: mark eol in bullseye

- - - - -
9923f247 by Carlos Henrique Lima Melara at 2026-03-17T21:56:52-03:00
CVE-2026-30875/gobgp: postpone for bullseye

It's a limited-support package and the issue is a DoS, like others before
that were marked as minor issues.

- - - - -
920ad912 by Carlos Henrique Lima Melara at 2026-03-17T22:47:15-03:00
CVE-2026-25679/go: mark bullseye as not-affected, add introductory commit

The vulnerability was introduced in go1.26rc1 [1] as part of a fix to
another vulnerability (CVE-2025-47912), which is why it got backported to
1.25.2 [2] and 1.24.8 [3].

[1] https://github.com/golang/go/commit/f6f4e8b3ef21299db1ea3a343c3e55e91365a7fd
[2] https://github.com/golang/go/commit/9fd3ac8a10272afd90312fef5d379de7d688a58e
[3] https://github.com/golang/go/commit/d6d2f7bf76718f1db05461cd912ae5e30d7b77ea

- - - - -
83803655 by Carlos Henrique Lima Melara at 2026-03-17T23:05:25-03:00
CVE-2026-27139/golang-1.15: postpone for bullseye

Minor issue in a limited-support package; one can read only file metadata
outside the listed directory.

- - - - -
76d0dfa1 by Carlos Henrique Lima Melara at 2026-03-17T23:21:50-03:00
CVE-2026-27142/golang-1.15: mark as postponed for bullseye

Limited support package, minor issue.

- - - - -
a7cb1957 by Carlos Henrique Lima Melara at 2026-03-18T00:08:29-03:00
CVE-2026-23925/zabbix: postpone for bullseye

Following secteam triage: it requires an authenticated "user role" and write
permission to trigger this vulnerability. It's unclear which commit fixes
it, but as far as I could search and correlate, cf7c038497b [1] might be
it.

[1] https://github.com/zabbix/zabbix/commit/cf7c038497bfa503c8ff391e99018c7d16700422

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -263,6 +263,7 @@ CVE-2026-4224 (When an Expat parser with a registered ElementDeclHandler parses
 	- python3.11 <removed>
 	- python3.9 <removed>
 	- python2.7 <removed>
+	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
 	- pypy3 <unfixed>
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3TPZ6R/
 	NOTE: https://github.com/python/cpython/issues/145986
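Review bot: the EOL annotation wording differs from the other EOL line in this push: here `(EOL in bullseye LTS)`, in the gpac hunk `(EOLed in debian-security-support)`. Pick one form, preferably the one naming debian-security-support, since that package is the machine-readable record of what is EOL in bullseye. Separately, `python3.9 <removed>` appears in this hunk's context with no `[bullseye]` line; python3.9 is bullseye's default python3, so if no bullseye state exists for it above the visible context it still needs its own triage line, which this python2.7-only change does not provide.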
@@ -321,6 +322,7 @@ CVE-2026-30875 (Chamilo LMS is a learning management system. Prior to version 1.
 	NOT-FOR-US: Chamilo LMS
 CVE-2026-30405 (An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a d ...)
 	- gobgp <unfixed> (bug #1131115)
+	[bullseye] - gobgp <postponed> (Limited support, minor issue, DoS, follow bookworm DSAs/point-releases)
 	NOTE: https://github.com/osrg/gobgp/issues/3305
 	NOTE: https://github.com/osrg/gobgp/commit/f12b8fbb84f9e1a58dca932ccf0b005039f3cfb5 (v4.3.0)
 CVE-2026-2578 (Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted sta ...)
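Review bot: the commit subject says CVE-2026-30875/gobgp, but the entry modified here is CVE-2026-30405 (GoBGP gobgpd v.4.2.0); CVE-2026-30875 is the Chamilo LMS NOT-FOR-US entry shown in the hunk header. The data change itself is placed correctly under CVE-2026-30405, so only the commit message is wrong, but these subjects are what people grep for in the tracker history, so a follow-up commit stating the correct ID would help. The annotation `(Limited support, minor issue, DoS, follow bookworm DSAs/point-releases)` matches the rationale in the commit message.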
@@ -564,6 +566,7 @@ CVE-2026-4186 (A vulnerability was determined in UEditor up to 1.4.3.2. This iss
 	NOT-FOR-US: UEditor
 CVE-2026-4185 (A vulnerability was found in GPAC up to 2.5-DEV-rev2167-gcc9d617c0-mas ...)
 	- gpac <removed>
+	[bullseye] - gpac <end-of-life> (EOLed in debian-security-support)
 	NOTE: https://github.com/gpac/gpac/commit/8961c74f87ae3fe2d3352e622f7730ca96d50cf1
 CVE-2026-4184 (A vulnerability was detected in D-Link DIR-816 1.10CNB05. Affected by  ...)
 	NOT-FOR-US: D-Link
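Review bot: same ID mix-up as the gobgp commit, and this one is also the push's subject line: the message says CVE-2026-4186/gpac, but CVE-2026-4186 is the UEditor NOT-FOR-US entry in the hunk header, while the `[bullseye] - gpac <end-of-life>` line is added under CVE-2026-4185 (GPAC up to 2.5-DEV-rev2167). The edit lands in the right entry; only the referenced ID is off. Worth a correcting note in the tracker history since the wrong ID is now in two commit subjects of this push.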
@@ -4375,6 +4378,7 @@ CVE-2026-23925 (An authenticated Zabbix user (User role) with template/host writ
 	- zabbix 1:7.0.22+dfsg-1
 	[trixie] - zabbix 1:7.0.22+dfsg-1~deb13u1
 	[bookworm] - zabbix <no-dsa> (Minor issue)
+	[bullseye] - zabbix <postponed> (Minor issue, requires authentication and write permission)
 	NOTE: https://support.zabbix.com/browse/ZBX-27567
 CVE-2026-20882 (The WebSocket Application Programming Interface lacks restrictions on  ...)
 	NOT-FOR-US: Mobiliti e-mobi.hu
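Review bot: the candidate fix commit identified in the commit message (cf7c038497b) is not recorded in the entry; the only NOTE is the ZBX-27567 ticket. If the correlation is uncertain, record it as uncertain, e.g. `NOTE: Possibly fixed by: https://github.com/zabbix/zabbix/commit/cf7c038497bfa503c8ff391e99018c7d16700422`, so whoever next triages bullseye (or prepares the 1:7.0.22+dfsg-1~deb13u1-style backport for an older suite) does not have to redo the search. The `<postponed>` rationale (authenticated User role plus template/host write permission, per the header) is consistent with the bookworm `<no-dsa> (Minor issue)` line.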
@@ -4515,6 +4519,7 @@ CVE-2026-27139 (On Unix platforms, when listing the contents of a directory usin
 	- golang-1.24 <unfixed>
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://github.com/golang/go/issues/77827
 	NOTE: Fixed by: https://github.com/golang/go/commit/8cce3ab20c49a5c3c9fa8e97ad47335c3ccd2620 (go1.26.1)
 	NOTE: Fixed by: https://github.com/golang/go/commit/4091800393d254befde3770fd16f51200ebd5a3d (go1.25.8)
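Review bot: the annotation `(Limited support, minor issue, follow bookworm DSAs/point-releases)` drops the concrete rationale given in the commit message, namely that only file metadata outside the listed directory is exposed. That one clause is what justifies "minor" for a path-traversal-class issue, and the annotation is what appears on the public tracker page, so carry it into the parentheses rather than leaving it only in git history.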
@@ -4524,7 +4529,9 @@ CVE-2026-25679 (url.Parse insufficiently validated the host/authority component
 	- golang-1.24 <unfixed>
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/golang/go/issues/77578
+	NOTE: Introduced with: https://github.com/golang/go/commit/f6f4e8b3ef21299db1ea3a343c3e55e91365a7fd (go1.26rc1)
 	NOTE: Fixed by: https://github.com/golang/go/commit/65c7d7a9fb3a9d1fbf1e702a211b8cc3a7bedb53 (go1.26.1)
 	NOTE: fixed by: https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803 (go1.25.8)
 CVE-2026-27142 (Actions which insert URLs into the content attribute of HTML meta tags ...)
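Review bot: `<not-affected> (Vulnerable code introduced later)` is correct only if bullseye's golang-1.15 never received a backport of the CVE-2025-47912 fix, because, per the commit message, that fix is what introduced this issue and it was backported upstream to 1.25.2 and 1.24.8. Make that dependency explicit in the annotation, e.g. `(Vulnerable code introduced with the CVE-2025-47912 fix, which golang-1.15 in bullseye does not carry)`, and record the two backport commits from the commit message ([2] and [3]) as additional `Introduced with:` NOTEs, since only the go1.26rc1 commit is recorded here and the reasoning should be reconstructible from the entry alone. Minor, in the unchanged context: the go1.25.8 line reads `NOTE: fixed by:` where every other entry in this file uses `Fixed by:`.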
@@ -4533,6 +4540,7 @@ CVE-2026-27142 (Actions which insert URLs into the content attribute of HTML met
 	- golang-1.24 <unfixed>
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://github.com/golang/go/issues/77954
 	NOTE: Fixed by: https://github.com/golang/go/commit/994692847a2cd3efd319f0cb61a07c0012c8a4ff (go1.26.1)
 	NOTE: Fixed by: https://github.com/golang/go/commit/a9db31e6d9f280418ce441067f3f9dc0a036e770 (go1.25.8)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/294ceded9bb9731574ec6f16b36283f0efa73229...a7cb195748d7f0d6c517c393ab655cc54371cdfd
