[Git][security-tracker-team/security-tracker][master] 2 commits: Ignore CVE-2026-3446 for python3.11 (bookworm)
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue May 12 08:40:35 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e2bbbeb5 by Arnaud Rebillout at 2026-05-12T09:38:46+02:00
Ignore CVE-2026-3446 for python3.11 (bookworm)
- - - - -
9ba6af61 by Salvatore Bonaccorso at 2026-05-12T09:39:53+02:00
Expand note for CVE-2026-3446
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -17824,7 +17824,7 @@ CVE-2026-3446 (When calling base64.b64decode() or related functions the decoding
- python3.13 <unfixed>
[trixie] - python3.13 <no-dsa> (Minor issue)
- python3.11 <removed>
- [bookworm] - python3.11 <no-dsa> (Minor issue)
+ [bookworm] - python3.11 <ignored> (Not backported to older Python releases due to compat concerns)
- python3.9 <removed>
- python2.7 <removed>
[bullseye] - python2.7 <end-of-life> (limited support in bullseye)
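Review bot: The reason on the new `[bookworm] - python3.11 <ignored>` line says "Not backported to older Python releases" without saying who declined the backport, so the entry read on its own does not show whether this is an upstream decision or a Debian one. Suggest naming upstream in the parenthetical, for example "(Upstream will not backport to older Python releases due to compat concerns)", so the line stays self-explanatory even where the NOTE lines further down are not shown next to it.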
@@ -17838,6 +17838,8 @@ CVE-2026-3446 (When calling base64.b64decode() or related functions the decoding
NOTE: Fixed by: https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e (v3.15.0a8)
NOTE: Fixed by: https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa (v3.14.4)
NOTE: Fixed by: https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474 (v3.13.13)
+ NOTE: Risk for broken compatibility concerns for older versions, thus will not be backported upstream:
+ NOTE: https://github.com/python/cpython/issues/145264#issuecomment-4409789500
CVE-2026-36236 (SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injec ...)
NOT-FOR-US: SourceCodester
CVE-2026-36235 (A SQL injection vulnerability was found in the scheduleSubList.php fil ...)
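Review bot: The first added NOTE, "Risk for broken compatibility concerns for older versions, thus will not be backported upstream:", is hard to parse and leaves "older versions" undefined. The Fixed by lines directly above stop at v3.13.13, so the NOTE could say that explicitly, for example "Upstream will not backport the fix to branches older than 3.13 because of the risk of breaking compatibility:", followed by the issue comment link as it is now.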
@@ -34562,6 +34564,7 @@ CVE-2025-13462 (The "tarfile" module would still apply normalization of AREGTYPE
NOTE: https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017 (3.14 branch)
NOTE: https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7 (3.13 branch)
NOTE: https://github.com/python/cpython/commit/9a23b753552afa28e3a2f4d8863572fc66479406 (3.11 branch)
+ NOTE: Reproducer: https://github.com/PyO3/maturin/issues/2855
CVE-2019-25543 (Netartmedia Real Estate Portal 5.0 contains an SQL injection vulnerabi ...)
NOT-FOR-US: Netartmedia
CVE-2019-25542 (Netartmedia Real Estate Portal 5.0 contains a SQL injection vulnerabil ...)
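Review bot: The added "NOTE: Reproducer: https://github.com/PyO3/maturin/issues/2855" line under CVE-2025-13462 is not covered by either commit subject in this push, both of which name only CVE-2026-3446. It would be easier to trace later if this went in as its own commit with a subject mentioning CVE-2025-13462. The label could also say what the linked maturin issue demonstrates, since a bare "Reproducer" pointing at a third-party project's issue tracker does not tell the reader how it relates to the tarfile commits listed above it.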
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d42e1f2fad4a42f97821de223490cfe51d613505...9ba6af61bbe2bb1ec74100c2c9b17fd93b35df46