[Git][security-tracker-team/security-tracker][master] 5 commits: CVE-2026-33147/gpac: mark as end-of-life for bullseye

Carlos Henrique Lima Melara (@charles) gitlab at salsa.debian.org
Sun Mar 22 03:19:42 GMT 2026



Carlos Henrique Lima Melara pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7a48dce1 by Carlos Henrique Lima Melara at 2026-03-22T00:13:01-03:00
CVE-2026-33147/gpac: mark as end-of-life for bullseye

- - - - -
b4847957 by Carlos Henrique Lima Melara at 2026-03-22T00:13:02-03:00
LTS: EOL python2.7 and jython CVEs

- - - - -
73316ab7 by Carlos Henrique Lima Melara at 2026-03-22T00:13:03-03:00
LTS: add samba to dla-needed.txt

- - - - -
0e3aad13 by Carlos Henrique Lima Melara at 2026-03-22T00:13:05-03:00
CVE-2026-3082,2923,1940/gst-plugins-bad1.0: track upstream fixes in lts branches

- - - - -
ec86f7f1 by Carlos Henrique Lima Melara at 2026-03-22T00:16:48-03:00
LTS: add gst-plugins-bad1.0 to data/dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -315,6 +315,7 @@ CVE-2026-33147 (GMT is an open source collection of command-line tools for manip
 	NOT-FOR-US: GMT
 CVE-2026-33144 (GPAC is an open-source multimedia framework. Prior to commit 86b0e36,  ...)
 	- gpac <removed>
+	[bullseye] - gpac <end-of-life> (EOLed in debian-security-support)
 	NOTE: https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg
 	NOTE: https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72
 CVE-2026-33143 (OneUptime is a solution for monitoring and managing online services. P ...)
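Review bot: The added `[bullseye] - gpac <end-of-life>` line sits under CVE-2026-33144 (the GPAC entry), but the subject of commit 7a48dce1 names CVE-2026-33147, which the hunk context shows is the GMT entry marked NOT-FOR-US. The data change looks like it is in the right place, so the commit subject should reference CVE-2026-33144 to keep `git log` searches by CVE id accurate.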
@@ -522,7 +523,9 @@ CVE-2026-4519 (The webbrowser.open() API would accept leading dashes in the URL
 	- python3.11 <removed>
 	- python3.9 <removed>
 	- python2.7 <removed>
+	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
 	- jython <unfixed>
+	[bullseye] - jython <end-of-life> (EOL in bullseye LTS)
 	- pypy3 <unfixed>
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/
 	NOTE: https://github.com/python/cpython/issues/143930
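Review bot: The reason text on the two added lines, "(EOL in bullseye LTS)", does not say where the end-of-life status is recorded, while the gpac line in the same push uses "(EOLed in debian-security-support)". If python2.7 and jython are also listed in debian-security-support, use the same wording so the annotations can be grepped consistently; if the status comes from somewhere else, name that source in the parenthetical.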
@@ -1704,6 +1707,7 @@ CVE-2026-3479 (pkgutil.get_data() did not validate the resource argument as docu
 	- python3.11 <removed>
 	- python3.9 <removed>
 	- python2.7 <removed>
+	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
 	- pypy3 <unfixed>
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/WYLLVQOOCKGK73JM7Z7ZSNOJC4N7BAWY/
 	NOTE: https://github.com/python/cpython/issues/146121
@@ -3108,6 +3112,9 @@ CVE-2026-3082 (GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Exec
 	NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0003.html
 	NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10885
 	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/a46fc929efe909d98d983abe2dc60d196432fc3f (main)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fcd957dc713352fa12e499b676747666cb028ffd (1.28.1)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/108e5a1713c2c06744cf40139900f8f7c2076485 (1.26.11)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/83e9225bb9e89948e7b1c9f37ef9218d2dcde354 (1.24 branch)
 CVE-2026-32772 (telnet in GNU inetutils through 2.7 allows servers to read arbitrary e ...)
 	- inetutils <unfixed> (bug #1130741)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/03/13/1
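Review bot: The three added "Fixed by:" notes mix two kinds of label: "(1.28.1)" and "(1.26.11)" name releases, while "(1.24 branch)" names a branch. That is fine if no 1.24 release contains the commit, but a reader backporting to an LTS suite cannot tell that from the note; consider stating it explicitly, or using the release version once one exists.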
@@ -4011,6 +4018,7 @@ CVE-2025-13462 (The "tarfile" module would still apply normalization of AREGTYPE
 	- python3.11 <removed>
 	- python3.9 <removed>
 	- python2.7 <removed>
+	[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
 	NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/EOMI5I66ZMKQ2INNFT6T7IAIKUGPZYIE/
 	NOTE: https://github.com/python/cpython/pull/143934
 	NOTE: https://github.com/python/cpython/commit/42d754e34c06e57ad6b8e7f92f32af679912d8ab (main)
@@ -5725,6 +5733,15 @@ CVE-2026-2923 (GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution
 	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1b12d63b4414de80ebf5561823b6a0ac8b734eb1 (main)
 	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3b8253f447bcc9831dbf643d2c69b205fedbe086 (main)
 	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f0a84752aaa09457fcf736c93cecdff34ec0bfb2 (main)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/561bfdedac6356b957d520db13f99e83a7153462 (1.28.1)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/69a2c1ce774b8ffdd2516f354a9d49ab07c216b5 (1.28.1)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/cfb98fe90983b9df7d62251b8af1cf6c55dd6d45 (1.28.1)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/729d2715568831ff25aeb4fee5312edb49bde9f2 (1.26.11)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7be5f191f01f3a8e114f4c6e8fb783716f51e98a (1.26.11)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/504f965a086ab8cf2d223a1a99d03a71b67458bc (1.26.11)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/be547640430a13c378e8ade430b9de060d0fe181 (1.24 branch)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/db222d6d7971100a8ba60bd5d10a2233a38ebc46 (1.24 branch)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/6aa055e9606104be1f095896d0b292b06dfb8dd9 (1.24 branch)
 CVE-2026-2920 (GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution ...)
 	- gst-plugins-ugly1.0 1.28.1-1
 	NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0006.html
@@ -5742,11 +5759,26 @@ CVE-2026-2921 (GStreamer RIFF Palette Integer Overflow Remote Code Execution Vul
 CVE-2026-1940
 	- gst-plugins-bad1.0 1.28.1-1 (bug #1130059)
 	NOTE: https://gstreamer.freedesktop.org/security/sa-2026-0001.html
-	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1171ae8ac218ea85f8dc41203a2ee146ff322a20 (main)
-	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3564405b6919469427750f6b89d4abbe43534fa2 (main)
-	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c73a1f4427ecb2e77d00fdd9576bd9864cfaba97 (main)
-	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8822ee3b2397d865c21cbbd8e36fb2d64d6ab380 (main)
-	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/081484ec99aa75fe24b3286d88e1f1280deea56a (main)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ce2e822775bc5d192009617827bb6e9f0f98ca22 (main)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e7789e43cc9cf409e973949ebb4107c49c7ce4cd (main)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4778ee36e5f200edbca279159448030925667fb7 (main)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5d1ca7b2d735de78cc65c06b827ccb0048f84b9a (main)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e742802aa7de256e7012936de5436c31cde192c3 (main)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1171ae8ac218ea85f8dc41203a2ee146ff322a20 (1.28.1)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3564405b6919469427750f6b89d4abbe43534fa2 (1.28.1)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c73a1f4427ecb2e77d00fdd9576bd9864cfaba97 (1.28.1)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8822ee3b2397d865c21cbbd8e36fb2d64d6ab380 (1.28.1)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/081484ec99aa75fe24b3286d88e1f1280deea56a (1.28.1)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e77b18aff5317dfe881bc62be20c80a5a0f83bdc (1.26.11)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5484aa812130a3632adcfaf7403524ed2e422e04 (1.26.11)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fa3b28d17ff1e82407e74499d6b08a3fe39755cc (1.26.11)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8153ccf4fa02ffd6b5608b666fc2532721804086 (1.26.11)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5fe1ccfa0cd6c9f7350dff703d1bf0d82de99b0e (1.26.11)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/d785c115c8ca9e68b165440933d307c02c69ee53 (1.24 branch)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/961586ce317c6cd9ddb28eec2cabd243418a662a (1.24 branch)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/20749ec7baa3e30376f6dde3029c531e2d396a27 (1.24 branch)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ff79ffc4488acbc30e5af78195fe2d321bed991b (1.24 branch)
+	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/62d390f499a21ef8b42f8b7a51300373fcebfee3 (1.24 branch)
 CVE-2026-3585 (The The Events Calendar plugin for WordPress is vulnerable to Path Tra ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-31816 (Budibase is a low code platform for creating internal tools, workflows ...)
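Review bot: In the CVE-2026-1940 block the five hashes that were previously labelled "(main)" (1171ae8a, 3564405b, c73a1f44, 8822ee3b, 081484ec) are re-labelled "(1.28.1)" and five different hashes take over the "(main)" label. That is a correction of existing data, not only an addition, and the commit subject "track upstream fixes in lts branches" does not mention it. Please say so in the commit message so that anyone who already used the old "(main)" references knows they pointed at the 1.28.1 backports.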


=====================================
data/dla-needed.txt
=====================================
@@ -150,6 +150,10 @@ grub2
   NOTE: 20251129: Maintainer (jak) replied: work underway, proposed to skip next point release (2026-01, too soon)
   NOTE: 20251129: also uncertainty on whether a shim/SBAT (revocation) update is feasible/needed.
 --
+gst-plugins-bad1.0
+  NOTE: 20260322: Added by Front-Desk (charles)
+  NOTE: 20260228: In dsa-needed, coordinate with secteam (charles)
+--
 gst-plugins-base1.0
   NOTE: 20260315: Added by Front-Desk (dleidert)
   NOTE: 20260315: Follow DSA when released (dleidert/front-desk)
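Review bot: The two notes under the new gst-plugins-bad1.0 entry are out of date order (20260322 before 20260228), and the second one predates the entry itself. Neighbouring entries list notes oldest first; either reorder them or, if the 20260228 note was carried over from another file, say where it came from so the earlier date is not read as a typo.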
@@ -401,6 +405,13 @@ rust-openssl
   NOTE: 20251107: https://buildd.debian.org/status/package.php?p=rust-debcargo&suite=bullseye-security
   NOTE: 20251107: Please coordinate with FTP masters to unblock the situation (Beuc/front-desk)
 --
+samba
+  NOTE: 20260321: Added by Front-Desk (charles)
+  NOTE: 20260321: Fix #1108904 in lts first then elts. The upstream bug has a
+  NOTE: 20260321: lot of information: https://bugzilla.samba.org/show_bug.cgi?id=15876.
+  NOTE: 20260321: Red hat has backported the fix to 4.15 and there is a note
+  NOTE: 20260321: about pre-4.15: "Samba < 4.15 doesn't have async dns lookups!" (charles)
+--
 smb4k
   NOTE: 20251217: Added by Front-Desk (pochu)
 --
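Review bot: The samba note quotes "Samba < 4.15 doesn't have async dns lookups!" but does not state what that means for the bullseye package, so whoever claims the entry has to re-read the upstream bug to learn whether the version in bullseye is affected or needs a different fix. Add one line with the conclusion. Minor: the sentence is split mid-phrase across the first two 20260321 continuation lines ("has a" / "lot of information"), and "Red hat" should be "Red Hat".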



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2c69b4c2759e0cf609e0b5220574aff61787208d...ec86f7f142c5b284272fbb3682b8b77be7212647
