[Git][security-tracker-team/security-tracker][master] Reserve DLA-4576-1 for p7zip

Mon May 11 13:06:53 BST 2026


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f8310829 by Sylvain Beucler at 2026-05-11T14:06:46+02:00
Reserve DLA-4576-1 for p7zip

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -93917,7 +93917,6 @@ CVE-2025-11002 (7-Zip ZIP File Parsing Directory Traversal Remote Code Execution
 	[bookworm] - 7zip <no-dsa> (Minor issue)
 	- p7zip 16.02+transitional.1
 	[bookworm] - p7zip <no-dsa> (Minor issue)
-	[bullseye] - p7zip <postponed> (Minor issue; can be fixed in next update)
 	NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package
 	NOTE: depending on 7zip. Mark this version as fixed version.
 	NOTE: https://github.com/ip7z/7zip/releases/tag/25.00
@@ -93928,7 +93927,6 @@ CVE-2025-11001 (7-Zip ZIP File Parsing Directory Traversal Remote Code Execution
 	[bookworm] - 7zip <no-dsa> (Minor issue)
 	- p7zip 16.02+transitional.1
 	[bookworm] - p7zip <no-dsa> (Minor issue)
-	[bullseye] - p7zip <postponed> (Minor issue; can be fixed in next update)
 	NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package
 	NOTE: depending on 7zip. Mark this version as fixed version.
 	NOTE: https://github.com/ip7z/7zip/releases/tag/25.00
@@ -117379,7 +117377,6 @@ CVE-2025-55188 (7-Zip before 25.01 does not always properly handle symbolic link
 	[bookworm] - 7zip <no-dsa> (Minor issue)
 	- p7zip 16.02+transitional.1
 	[bookworm] - p7zip <no-dsa> (Minor issue)
-	[bullseye] - p7zip <postponed> (Minor issue)
 	NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package
 	NOTE: depending on 7zip. Mark this version as fixed version.
 	NOTE: https://github.com/ip7z/7zip/releases/tag/25.01
@@ -236259,7 +236256,6 @@ CVE-2023-52168 (The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz)
 	[bookworm] - 7zip 22.01+dfsg-8+deb12u1
 	- p7zip 16.02+transitional.1
 	[bookworm] - p7zip <no-dsa> (Minor issue)
-	[bullseye] - p7zip <postponed> (Minor issue, sourceforge but is not public)
 	NOTE: https://sourceforge.net/p/sevenzip/bugs/2402/
 	NOTE: https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/
 	NOTE: https://www.openwall.com/lists/oss-security/2024/07/03/10


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[11 May 2026] DLA-4576-1 p7zip - security update
+	{CVE-2022-47069 CVE-2023-31102 CVE-2023-40481 CVE-2023-52168 CVE-2023-52169 CVE-2024-11612 CVE-2025-11001 CVE-2025-11002 CVE-2025-53817 CVE-2025-55188}
+	[bullseye] - p7zip 16.02+really25.01+dfsg-0+deb11u1
 [09 May 2026] DLA-4575-1 firefox-esr - security update
 	{CVE-2026-8090 CVE-2026-8092 CVE-2026-8094}
 	[bullseye] - firefox-esr 140.10.2esr-1~deb11u1


=====================================
data/dla-needed.txt
=====================================
@@ -392,29 +392,6 @@ openvswitch
 orthanc
   NOTE: 20260419: Added by Front-Desk (rouca)
 --
-p7zip (Sylvain Beucler)
-  NOTE: 20251020: Added by Front-Desk (dleidert)
-  NOTE: 20251020: I disagree with the low-severity ratings; but finding the patches might be a hard (dleidert/front-desk)
-  NOTE: 20260106: CVE-2023-52168 & CVE-2025-55188: should be patchable
-  NOTE: 20260106: CVE-2025-11001 & CVE-2025-11002: no isolated patch
-  NOTE: 20260106: Proposed EOL or full replacement with 7zip (Beuc)
-  NOTE: 20260106: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/306
-  NOTE: 20260211: Proposed semi-backport for 7zip/bookworm (Beuc)
-  NOTE: 20260211: https://lists.debian.org/debian-lts/2026/02/msg00019.html
-  NOTE: 20260303: Ongoing similar work for _p_7zip/bookworm, and then downwards (Beuc)
-  NOTE: 20260305: Proposed _p_7zip-compatible bookworm->stretch packages (Beuc)
-  NOTE: 20260305: https://lists.debian.org/debian-lts/2026/03/msg00009.html
-  NOTE: 20260306: Proposed semi-backport for 7zip/bookworm as OSPU (Beuc)
-  NOTE: 20260306: https://bugs.debian.org/1129934
-  NOTE: 20260321: Ping'd OSPU ^ (Beuc)
-  NOTE: 20260410: Lower 7zip/bookworm OSPU version scheme 25 -> 22+really25
-  NOTE: 20260410: to avoid bookworm->trixie and bookworm-backports upgrade conflicts
-  NOTE: 20260410: 7zip/bookworm-backports updated to better test bookworm->trixie upgrades
-  NOTE: 20260410: 7zip/trixie SPU submitted to fix transition versions (Beuc)
-  NOTE: 20260410: https://bugs.debian.org/1133148
-  NOTE: 20260430: Still waiting for SRMs review, no feedback (Beuc)
-  NOTE: 20260503: SRM approved, user testing through bookworm-proposed-updates until OSPU freeze 2026-05-09 (Beuc)
---
 p7zip-rar (Sylvain Beucler)
   NOTE: 20250719: Added by Front-Desk (Beuc)
   NOTE: 20260106: CVE-2025-53816: no isolated patch, hard to determine if



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f8310829139bc2d33684271b20f8f28e40f97f3c

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f8310829139bc2d33684271b20f8f28e40f97f3c
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260511/158c0882/attachment-0001.htm>
