[Git][security-tracker-team/security-tracker][master] Track fixed version for mbedtls issues

[Salvatore Bonaccorso (@carnil)]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2d2317b6 by Salvatore Bonaccorso at 2026-05-15T23:14:53+02:00
Track fixed version for mbedtls issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -26405,7 +26405,7 @@ CVE-2026-34877 (An issue was discovered in Mbed TLS versions from 2.19.0 up to 3
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-serialized-data/
 	NOTE: Fixed by clarified documentation.
 CVE-2026-34876 (An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds ...)
-	- mbedtls <unfixed> (bug #1132577)
+	- mbedtls 3.6.6-0.1 (bug #1132577)
 	[bullseye] - mbedtls <not-affected> (Vulnerable code not present)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ccm-finish-boundary-check/
 CVE-2026-34835 (Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 ...)
@@ -26942,10 +26942,10 @@ CVE-2026-3987 (A path traversal vulnerability in the Fireware OS Web UI on Watch
 CVE-2026-3882
 	REJECTED
 CVE-2026-34873 (An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impers ...)
-	- mbedtls <unfixed> (bug #1132577)
+	- mbedtls 3.6.6-0.1 (bug #1132577)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-client-impersonation-while-resuming-tls13-session/
 CVE-2026-34872 (An issue was discovered in Mbed TLS 3.5.x and 3.6.x through 3.6.5 and  ...)
-	- mbedtls <unfixed> (bug #1132577)
+	- mbedtls 3.6.6-0.1 (bug #1132577)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ffdh-peerkey-checks/
 CVE-2026-34750 (Payload is a free and open source headless content management system.  ...)
 	NOT-FOR-US: Payload CMS
@@ -27173,14 +27173,14 @@ CVE-2026-34999 (OpenViking versions 0.2.5 prior to 0.2.14 contain a missing auth
 CVE-2026-34889 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-34875 (An issue was discovered in Mbed TLS through 3.6.5 and TF-PSA-Crypto 1. ...)
-	- mbedtls <unfixed> (bug #1132577)
+	- mbedtls 3.6.6-0.1 (bug #1132577)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-ffdh-buffer-overflow/
 CVE-2026-34874 (An issue was discovered in Mbed TLS through 3.6.5 and 4.x through 4.0. ...)
-	- mbedtls <unfixed> (bug #1132577)
+	- mbedtls 3.6.6-0.1 (bug #1132577)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-null-pointer-dereference-x509/
 CVE-2026-34871 (An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0  ...)
 	{DLA-4551-1}
-	- mbedtls <unfixed> (bug #1132577; unimportant)
+	- mbedtls 3.6.6-0.1 (bug #1132577; unimportant)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-dev-random/
 	NOTE: Builds using Glibc or uClibc, running on a kernel where getrandom() is available, are safe.
 CVE-2026-34751 (Payload is a free and open source headless content management system.  ...)
@@ -27276,13 +27276,13 @@ CVE-2026-27489 (Open Neural Network Exchange (ONNX) is an open standard for mach
 CVE-2026-27101 (Dell Secure Connect Gateway (SCG) 5.0 Appliance and Application versio ...)
 	NOT-FOR-US: Dell / EMC
 CVE-2026-25835 (Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in a ...)
-	- mbedtls <unfixed> (bug #1133841)
+	- mbedtls 3.6.6-0.1 (bug #1133841)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-rng-cloning/
 CVE-2026-25834 (Mbed TLS v3.3.0 up to 3.6.5 and 4.0.0 allows Algorithm Downgrade.)
-	- mbedtls <unfixed> (bug #1133841)
+	- mbedtls 3.6.6-0.1 (bug #1133841)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-sigalg-injection/
 CVE-2026-25833 (Mbed TLS 3.5.0 to 3.6.5 fixed in 3.6.6 and 4.1.0 has a buffer overflow ...)
-	- mbedtls <unfixed> (bug #1133841; unimportant)
+	- mbedtls 3.6.6-0.1 (bug #1133841; unimportant)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-inet-pton/
 	NOTE: Only affects platforms/toolchains that do not provide inet_pton().
 CVE-2026-25601 (A vulnerability was identified in MEPIS RM, an industrial software pro ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d2317b618aec985cc669fc259c3f65f02c2a91f

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d2317b618aec985cc669fc259c3f65f02c2a91f
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260515/35c46990/attachment-0001.htm>