[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2026-4645/golang-github-antchfx-xpath: bullseye postponed

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Tue Mar 24 14:48:34 GMT 2026 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
22596f96 by Sylvain Beucler at 2026-03-24T15:11:09+01:00
CVE-2026-4645/golang-github-antchfx-xpath: bullseye postponed

- - - - -
164a11fa by Sylvain Beucler at 2026-03-24T15:21:47+01:00
CVE-2026-4437,CVE-2026-4438/glibc: bullseye postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -308,6 +308,7 @@ CVE-2026-4647 (A flaw was found in the GNU Binutils BFD library, a widely used c
 	NOTE: binutils not covered by security support
 CVE-2026-4645 (A flaw was found in the `github.com/antchfx/xpath` component. A remote ...)
 	- golang-github-antchfx-xpath 1.3.6-1
+	[bullseye] - golang-github-antchfx-xpath <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
 	NOTE: https://github.com/antchfx/xpath/issues/121
 	NOTE: Fixed by: https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494 (v1.3.6)
 CVE-2026-4633 (A flaw was found in Keycloak. A remote attacker can exploit differenti ...)
@@ -1353,6 +1354,7 @@ CVE-2026-4438 (Calling gethostbyaddr or gethostbyaddr_r with a configured nsswit
 	- glibc <unfixed> (bug #1131435)
 	[trixie] - glibc <no-dsa> (Minor issue)
 	[bookworm] - glibc <no-dsa> (Minor issue)
+	[bullseye] - glibc <postponed> (Minor issue, specification violation)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=34015
 	NOTE: Proposed patch: https://inbox.sourceware.org/libc-alpha/20260320194250.1089143-1-carlos@redhat.com/
 	NOTE: https://www.openwall.com/lists/oss-security/2026/03/23/2
@@ -1360,6 +1362,7 @@ CVE-2026-4437 (Calling gethostbyaddr or gethostbyaddr_r with a configured nsswit
 	- glibc <unfixed> (bug #1131435)
 	[trixie] - glibc <no-dsa> (Minor issue)
 	[bookworm] - glibc <no-dsa> (Minor issue)
+	[bullseye] - glibc <postponed> (Minor issue, validation issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=34014
 	NOTE: Proposed patch: https://inbox.sourceware.org/libc-alpha/20260320194250.1089143-1-carlos@redhat.com/
 	NOTE: https://www.openwall.com/lists/oss-security/2026/03/23/2



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fa165f26b3984cd6858aa5eccba6e9f31b7fdfd1...164a11fac0bfa4027ac37c57b253134ba0d3fd3d

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fa165f26b3984cd6858aa5eccba6e9f31b7fdfd1...164a11fac0bfa4027ac37c57b253134ba0d3fd3d
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260324/899ec3fc/attachment.htm>

More information about the debian-security-tracker-commits mailing list