[Git][security-tracker-team/security-tracker][master] 2 commits: Associate some BuildKit issues with itp'ed entry
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat May 2 15:01:31 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
fb85850a by Salvatore Bonaccorso at 2026-05-02T16:00:06+02:00
Associate some BuildKit issues with itp'ed entry
We need to as well check the embedded copy for docker.io.
- - - - -
468966fa by Salvatore Bonaccorso at 2026-05-02T16:00:30+02:00
Add embedded code copy tracking for golang-github-moby-buildkit
- - - - -
2 changed files:
- data/CVE/list
- data/embedded-code-copies
Changes:
=====================================
data/CVE/list
=====================================
@@ -19072,9 +19072,9 @@ CVE-2026-33750 (The brace-expansion library generates arbitrary strings containi
NOTE: https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
NOTE: Fixed by: https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5 (v2.0.3)
CVE-2026-33748 (BuildKit is a toolkit for converting source code to build artifacts in ...)
- NOT-FOR-US: BuildKit
+ - golang-github-moby-buildkit <itp> (bug #1094971)
CVE-2026-33747 (BuildKit is a toolkit for converting source code to build artifacts in ...)
- NOT-FOR-US: BuildKit
+ - golang-github-moby-buildkit <itp> (bug #1094971)
CVE-2026-33745 (cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTT ...)
[experimental] - cpp-httplib 0.41.0+ds-1
- cpp-httplib 0.41.0+ds-3 (bug #1132162)
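Review bot: The two converted entries, CVE-2026-33748 and CVE-2026-33747, carry only the `- golang-github-moby-buildkit <itp> (bug #1094971)` line and nothing for docker.io, although the commit message says the embedded copy in docker.io still needs checking. Until that check is done, the open question lives only in the commit log. Suggest adding a docker.io line to each entry, or at least a NOTE recording that the docker.io embedded copy is unchecked, so the pending work is visible in data/CVE/list itself.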
@@ -277807,13 +277807,13 @@ CVE-2024-24548 (Payment EX Ver1.1.5b and earlier allows a remote unauthenticated
CVE-2024-23941 (Cross-site scripting vulnerability exists in Group Office prior to v6. ...)
NOT-FOR-US: Group Office
CVE-2024-23653 (BuildKit is a toolkit for converting source code to build artifacts in ...)
- NOT-FOR-US: BuildKit
+ - golang-github-moby-buildkit <itp> (bug #1094971)
CVE-2024-23652 (BuildKit is a toolkit for converting source code to build artifacts in ...)
- NOT-FOR-US: BuildKit
+ - golang-github-moby-buildkit <itp> (bug #1094971)
CVE-2024-23651 (BuildKit is a toolkit for converting source code to build artifacts in ...)
- NOT-FOR-US: BuildKit
+ - golang-github-moby-buildkit <itp> (bug #1094971)
CVE-2024-23650 (BuildKit is a toolkit for converting source code to build artifacts in ...)
- NOT-FOR-US: BuildKit
+ - golang-github-moby-buildkit <itp> (bug #1094971)
CVE-2024-22859 (Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3. ...)
NOT-FOR-US: livewire
CVE-2024-1130 (The NEX-Forms \u2013 Ultimate Form Builder \u2013 Contact forms and mu ...)
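Review bot: The four entries CVE-2024-23653 through CVE-2024-23650 are switched to the itp line without any NOTE pointing at the upstream advisory or fixing commit, unlike the CVE-2026-33750 entry earlier in this diff, which has both an advisory NOTE and a "Fixed by:" NOTE with the fixed version. Without a fixed-version reference, whoever checks the docker.io embedded copy has to look it up again for each CVE. Suggest adding the upstream reference NOTE lines in the same change.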
@@ -335560,7 +335560,7 @@ CVE-2023-26056 (XWiki Platform is a generic wiki platform. Starting in version 3
CVE-2023-26055 (XWiki Commons are technical libraries common to several other top leve ...)
NOT-FOR-US: XWiki
CVE-2023-26054 (BuildKit is a toolkit for converting source code to build artifacts in ...)
- NOT-FOR-US: BuildKit
+ - golang-github-moby-buildkit <itp> (bug #1094971)
CVE-2023-26053 (Gradle is a build tool with a focus on build automation and support fo ...)
- gradle <not-affected> (The version of Gradle in Debian doesn't support dependency verification yet)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2174854
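Review bot: CVE-2023-26054 is the only entry touched in this region, and the commit subject says "some BuildKit issues", so it is not clear from the change whether every remaining `NOT-FOR-US: BuildKit` entry was converted or only a subset. Any entry left as NOT-FOR-US will not be associated with the itp bug #1094971. Suggest stating in the commit message whether the full list was searched for BuildKit, or listing the entries deliberately left out.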
=====================================
data/embedded-code-copies
=====================================
@@ -3959,3 +3959,6 @@ rapidjson
nanovg
- bespokesynth <unfixed> (embed)
+
+golang-github-moby-buildkit (itp: #1094971)
+ - docker.io <unfixed> (embed)
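Review bot: The new `- docker.io <unfixed> (embed)` line records the copy as unfixed while the first commit's message says the docker.io embedded copy still has to be checked, so the status here is ahead of the verification. The entry also gives no hint of where in the docker.io source the BuildKit copy sits. Suggest adding a short NOTE under the entry naming the location of the embedded copy, and confirming the per-CVE status in data/CVE/list once the check is done.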
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8c2d49ab9b526a5d8a33ee0d03285044e19eea9a...468966fa8dbe4881ca5332e485008cd5c878ca97