[Git][security-tracker-team/security-tracker][master] Add two fuse3 issues

[Salvatore Bonaccorso (@carnil)]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e3ffd207 by Salvatore Bonaccorso at 2026-03-21T10:20:47+01:00
Add two fuse3 issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -169,7 +169,12 @@ CVE-2026-33186 (gRPC-Go is the Go language implementation of gRPC. Versions prio
 CVE-2026-33180 (HAPI FHIR is a complete implementation of the HL7 FHIR standard for he ...)
 	NOT-FOR-US: HAPI FHIR
 CVE-2026-33179 (libfuse is the reference implementation of the Linux FUSE. From versio ...)
-	TODO: check
+	- fuse3 3.18.2-1
+	[trixie] - fuse3 <not-affected> (Vulnerable code introduced later)
+	[bookworm] - fuse3 <not-affected> (Vulnerable code introduced later)
+	[bullseye] - fuse3 <not-affected> (Vulnerable code introduced later)
+	NOTE: https://github.com/libfuse/libfuse/security/advisories/GHSA-x669-v3mq-r358
+	NOTE: Fixed by: https://github.com/libfuse/libfuse/commit/7beb86c09b6ec5aab14dc25256ed8a5ad18554d7 (fuse-3.18.2)
 CVE-2026-33177 (Statamic is a Laravel and Git powered content management system (CMS). ...)
 	NOT-FOR-US: Statamic CMS
 CVE-2026-33172 (Statamic is a Laravel and Git powered content management system (CMS). ...)
@@ -191,7 +196,12 @@ CVE-2026-33154 (dynaconf is a configuration management tool for Python. Prior to
 CVE-2026-33151 (Socket.IO is an open source, real-time, bidirectional, event-based, co ...)
 	TODO: check
 CVE-2026-33150 (libfuse is the reference implementation of the Linux FUSE. From versio ...)
-	TODO: check
+	- fuse3 3.18.2-1
+	[trixie] - fuse3 <not-affected> (Vulnerable code not present)
+	[bookworm] - fuse3 <not-affected> (Vulnerable code not present)
+	[bullseye] - fuse3 <not-affected> (Vulnerable code not present)
+	NOTE: https://github.com/libfuse/libfuse/security/advisories/GHSA-qxv7-xrc2-qmfx
+	NOTE: Fixed by: https://github.com/libfuse/libfuse/commit/49fcd891a58f622c098e2ca67d66086f7b213836 (fuse-3.18.2)
 CVE-2026-33147 (GMT is an open source collection of command-line tools for manipulatin ...)
 	NOT-FOR-US: GMT
 CVE-2026-33144 (GPAC is an open-source multimedia framework. Prior to commit 86b0e36,  ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3ffd207805cc1ee4064eb88428fa98689abbb09

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3ffd207805cc1ee4064eb88428fa98689abbb09
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260321/1b2c4c8d/attachment.htm>