[Git][security-tracker-team/security-tracker][master] 9 commits: lts: mark CVE-2026-6502/qemu as not affecting Bullseye
Daniel Leidert (@dleidert)
dleidert at debian.org
Mon May 11 01:08:02 BST 2026
Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f5ea73dc by Daniel Leidert at 2026-05-11T00:43:48+02:00
lts: mark CVE-2026-6502/qemu as not affecting Bullseye
- - - - -
68350170 by Daniel Leidert at 2026-05-11T00:45:25+02:00
lts: mark CVE-2026-44028,CVE-2026-44029/nix as not affecting Bullseye
- - - - -
ae104759 by Daniel Leidert at 2026-05-11T01:24:03+02:00
lts: add php7.4 to dla-needed
- - - - -
8eb362a4 by Daniel Leidert at 2026-05-11T01:32:47+02:00
Add suspected MR link that fixes CVE-2026-42308/pillow
- - - - -
9f799428 by Daniel Leidert at 2026-05-11T01:37:12+02:00
lts: mark CVE-2026-7246/python-click as postponed
- - - - -
7a875147 by Daniel Leidert at 2026-05-11T01:46:37+02:00
lts: add busybox to dla-needed
- - - - -
05f2f01f by Daniel Leidert at 2026-05-11T01:50:35+02:00
lts: add thunderbird to dla-needed
- - - - -
4a7662ae by Daniel Leidert at 2026-05-11T02:02:36+02:00
lts: mark a bunch of Curl related issues postponed
- - - - -
4d340bcf by Daniel Leidert at 2026-05-11T02:06:46+02:00
lts: mark CVE-2026-40686,CVE-2026-40687/exim4 as postponed
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -350,6 +350,7 @@ CVE-2026-42309 (Pillow is a Python imaging library. From version 11.2.1 to befor
CVE-2026-42308 (Pillow is a Python imaging library. Prior to version 12.2.0, if a font ...)
- pillow 12.2.0-1
NOTE: https://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j
+ NOTE: https://github.com/python-pillow/Pillow/pull/9518/changes (suspected fix)
TODO: research fixing commit(s)
CVE-2026-42307 (Vim is an open source, command line text editor. Prior to version 9.2. ...)
- vim 2:9.2.0428-1
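Review bot: the new `+ NOTE: https://github.com/python-pillow/Pillow/pull/9518/changes (suspected fix)` line is correctly labelled as suspected while the `TODO: research fixing commit(s)` line stays in place, which is the right state for an unconfirmed fix; once the pull request is confirmed to address GHSA-wjx4-4jcj-g98j, replace the TODO with a `NOTE: Fixed by:` line pointing at the merged commit, as the qemu, python-click and exim4 entries in this same change do, and drop the `/changes` suffix so the reference resolves to the pull request itself rather than to one tab of the web UI.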
@@ -4830,6 +4831,7 @@ CVE-2026-6502
- qemu 1:11.0.0+ds-2
[trixie] - qemu <no-dsa> (Minor issue)
[bookworm] - qemu <not-affected> (Vulnerable code not present)
+ [bullseye] - qemu <not-affected> (Vulnerable code not present)
NOTE: Introduced with: https://gitlab.com/qemu-project/qemu/-/commit/7c092f17cceef10258ed23006b40e19b14996471 (v9.2.0-rc0)
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/30fad722ce68316d22b926ba0e6017f0440465df
CVE-2026-6907 (An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `dj ...)
@@ -4971,12 +4973,14 @@ CVE-2026-4362 (The ElementsKit Elementor Addons plugin for WordPress is vulnerab
CVE-2026-44029 (An issue was discovered in Nix before 2.34.7. Writing to arbitrary fil ...)
- nix <unfixed> (bug #1135777)
[bookworm] - nix <not-affected> (Vulnerable code introduced later)
+ [bullseye] - nix <not-affected> (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/04/33
NOTE: https://github.com/NixOS/nix/security/advisories/GHSA-gr92-w2r5-qw5p
NOTE: https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407
CVE-2026-44028 (An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Un ...)
- nix <unfixed> (bug #1135777)
[bookworm] - nix <not-affected> (Vulnerable code introduced later)
+ [bullseye] - nix <not-affected> (Vulnerable code introduced later)
NOTE: https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407
NOTE: https://github.com/NixOS/nix/security/advisories/GHSA-vh5x-56v6-4368
NOTE: https://www.openwall.com/lists/oss-security/2026/05/04/33
@@ -6954,6 +6958,7 @@ CVE-2026-7246 (Pallets Click, versions 8.3.2 and below, contain a command inject
- python-click <unfixed> (bug #1135379)
[trixie] - python-click <no-dsa> (Minor issue)
[bookworm] - python-click <no-dsa> (Minor issue)
+ [bullseye] - python-click <postponed> (Minor issue; can be fixed in next update)
NOTE: https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw
NOTE: Fixed by: https://github.com/pallets/click/commit/b96c2601af4e01341b4d2c0db494ebee4aef8f42 (8.3.3)
CVE-2026-7164 (Incorrect packet validation allowed unbounded recursion parsing SCTP c ...)
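Review bot: `<postponed>` on the new bullseye line asserts that the bullseye python-click is affected, but unlike the qemu and nix entries in this change the entry carries no `Introduced by:` reference, so the affectedness of the older version is not documented from the entry alone; since the `Fixed by:` commit (8.3.3) is already recorded, a quick check that the vulnerable code path exists in the bullseye version, noted alongside the fix reference, would make the postponement auditable when the next update is prepared.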
@@ -7538,11 +7543,13 @@ CVE-2026-40686 (In Exim before 4.99.2, when utf8 operators are enabled, there is
- exim4 4.99.2-1
[trixie] - exim4 <no-dsa> (Minor issue)
[bookworm] - exim4 <no-dsa> (Minor issue)
+ [bullseye] - exim4 <postponed> (Minor issue; can be fixed in next update)
NOTE: Fixed by: https://code.exim.org/exim/exim/commit/f2570bde16fb4d4a1242ff363a4c4eecf6372efc
CVE-2026-40687 (In Exim before 4.99.2, when the SPA authentication driver is used with ...)
- exim4 4.99.2-1
[trixie] - exim4 <no-dsa> (Minor issue)
[bookworm] - exim4 <no-dsa> (Minor issue)
+ [bullseye] - exim4 <postponed> (Minor issue; can be fixed in next update)
NOTE: Fixed by: https://code.exim.org/exim/exim/commit/68b963b9f75ca27b38e1c0f8c87037990199f505
CVE-2026-7466 (AgentFlow contains an arbitrary code execution vulnerability that allo ...)
NOT-FOR-US: AgentFlow
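Review bot: both exim4 issues are conditional on specific configuration per their descriptions (`when utf8 operators are enabled`, `when the SPA authentication driver is used`), which supports the shared `Minor issue` rationale on the two new bullseye `<postponed>` lines; since the `Fixed by:` commits are already recorded for each, consider adding a short NOTE stating whether the bullseye exim4 build enables those features, so the postponement can be revisited if it turns out they are on by default there.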
@@ -7743,6 +7750,7 @@ CVE-2026-7168
- curl 8.20.0-1
[trixie] - curl <no-dsa> (Minor issue)
[bookworm] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
NOTE: https://curl.se/docs/CVE-2026-7168.html
NOTE: Introduced by: https://github.com/curl/curl/commit/fc6eff13b5414caf6edf22d73a3239e074a04216 (curl-7_12_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/c1cfdf59acbaf9504c4578d4cf56cdd7c8594507 (curl-8_20_0)
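Review bot: the seven curl hunks in this change all receive the identical `+ [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)` line, which is fine as a batch decision, but the commit message `lts: mark a bunch of Curl related issues postponed` does not name the CVE ids the way the other commits in this push do; listing them (CVE-2026-7168, CVE-2026-6429, CVE-2026-6253, CVE-2026-5773, CVE-2026-5545, CVE-2026-4873, CVE-2026-6276) would make the change searchable by id in the log.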
@@ -7753,6 +7761,7 @@ CVE-2026-6429
- curl 8.20.0~rc3-1
[trixie] - curl <no-dsa> (Minor issue)
[bookworm] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
NOTE: https://curl.se/docs/CVE-2026-6429.html
NOTE: Introduced by: https://github.com/curl/curl/commit/01165e08e0d131b399fba2190f17af67e66f0888 (curl-7_14_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306 (rc-8_20_0-3)
@@ -7760,6 +7769,7 @@ CVE-2026-6253
- curl 8.20.0~rc3-1
[trixie] - curl <no-dsa> (Minor issue)
[bookworm] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
NOTE: https://curl.se/docs/CVE-2026-6253.html
NOTE: Introduced by: https://github.com/curl/curl/commit/3b60bb725913ce7339aefef0a14b12df4c24db60 (curl-7_14_1)
NOTE: Fixed by: https://github.com/curl/curl/commit/188c2f166a20fa97c2325b2da7d0e5cecc13725f (rc-8_20_0-3)
@@ -7771,6 +7781,7 @@ CVE-2026-5773
- curl 8.20.0~rc2-1
[trixie] - curl <no-dsa> (Minor issue)
[bookworm] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
NOTE: https://curl.se/docs/CVE-2026-5773.html
NOTE: Introduced by: https://github.com/curl/curl/commit/aec2e865f06669b9cb5d26cc1148d70bc418b163 (curl-7_40_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571 (rc-8_20_0-2)
@@ -7778,6 +7789,7 @@ CVE-2026-5545
- curl 8.20.0~rc2-1
[trixie] - curl <no-dsa> (Minor issue)
[bookworm] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
NOTE: https://curl.se/docs/CVE-2026-5545.html
NOTE: Introduced by: https://github.com/curl/curl/commit/e56ae1426cb7a0a4a427cf8d6099a821fdaae428 (curl-7_10_6)
NOTE: Fixed by: https://github.com/curl/curl/commit/33e43985b8f3b9e66691d06e70be0395849856cd (rc-8_20_0-1)
@@ -7785,6 +7797,7 @@ CVE-2026-4873
- curl 8.20.0~rc2-1
[trixie] - curl <no-dsa> (Minor issue)
[bookworm] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
NOTE: https://curl.se/docs/CVE-2026-4873.html
NOTE: Introduced by: https://github.com/curl/curl/commit/ec3bb8f727405642a471b4b1b9eb0118fc003104 (curl-7_20_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/507e7be573b0a76fca597b75ff7cb27a66e7d865 (rc-8_20_0-1)
@@ -7792,6 +7805,7 @@ CVE-2026-6276
- curl 8.20.0~rc3-1
[trixie] - curl <no-dsa> (Minor issue)
[bookworm] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
NOTE: https://curl.se/docs/CVE-2026-6276.html
NOTE: Introduced by: https://github.com/curl/curl/commit/e15e51384a423be31318b3c9c7d612a1aae661fd (curl-7_71_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/3a19987a87f393d9394fe5acc7643f6c263c92db (rc-8_20_0-3)
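Review bot: `<postponed>` asserts that the bullseye curl is affected, and the `Introduced by:` tags across this batch run from curl-7_10_6 up to curl-7_71_0 for this entry, so the whole batch is affected only if the bullseye curl source version is at or above the 7.71.0 introduction point; the entries do not record that comparison, so a one-time check against the bullseye version before the next update is worth doing, and any issue whose introducing version is newer than bullseye's should instead become `<not-affected> (Vulnerable code introduced later)` as in the nix entries above.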
=====================================
data/dla-needed.txt
=====================================
@@ -56,6 +56,10 @@ bouncycastle
NOTE: 20260417: Added by Front-Desk (rouca)
NOTE: 20260417: Priority: Fix CVE-2026-5588 then try to fix other pilled CVE (rouca/FD)
--
+busybox
+ NOTE: 20260511: Added by Front-Desk (dleidert)
+ NOTE: 20260511: A bunch of issues has piled up and last update was in early 2025 (dleidert/front-desk)
+--
c3p0
NOTE: 20260414: Added by Front-Desk (rouca)
--
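Review bot: grammar in the added `+ NOTE: 20260511: A bunch of issues has piled up and last update was in early 2025 (dleidert/front-desk)`: `has piled up` should read `have piled up`, and `last update` wants an article (`the last update`); otherwise the entry follows the dated-NOTE convention of its neighbours.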
@@ -437,6 +441,10 @@ php-phpseclib (utkarsh)
NOTE: 20260327: Added by Front-Desk (Beuc)
NOTE: 20260327: Upcoming DSA; fix also the postponed issue (Beuc/front-desk)
--
+php7.4
+ NOTE: 20260511: Added by Front-Desk (dleidert)
+ NOTE: A bunch of CVEs has piled up (dleidert/front-desk)
+--
postorius
NOTE: 20260508: Added by Front-Desk (dleidert)
NOTE: 20260508: Follow DSA and possibly prepare OSPU (dleidert/front-desk)
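Review bot: the second added NOTE, `+ NOTE: A bunch of CVEs has piled up (dleidert/front-desk)`, lacks the `20260511:` date prefix that the busybox and thunderbird entries in this same change and the surrounding entries carry, and `has piled up` should read `have piled up`; suggest `NOTE: 20260511: A bunch of CVEs have piled up (dleidert/front-desk)`.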
@@ -535,6 +543,10 @@ suricata
NOTE: 20250331: re added to fix next bunch of CVEs (ta)
NOTE: 20250825: testing package (ta)
--
+thunderbird
+ NOTE: 20260511: Added by Front-Desk (dleidert)
+ NOTE: 20260511: Follow DSA when released (dleidert/front-desk)
+--
trafficserver
NOTE: 20241120: Added by Front-Desk (Beuc)
NOTE: 20241120: Upcoming DSA (Beuc/front-desk)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/787d3d1f8386c3fc4b5341fee5b4c696dd20d3d7...4d340bcf5641991c5ab96891697e1ce88818a2b7
More information about the debian-security-tracker-commits mailing list