[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2025-68158/python-authlib: bullseye postponed

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Mon May 18 09:43:16 BST 2026



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
561ece9b by Sylvain Beucler at 2026-05-18T10:43:05+02:00
CVE-2025-68158/python-authlib: bullseye postponed

- - - - -
a051ff8c by Sylvain Beucler at 2026-05-18T10:43:08+02:00
swupdate: bullseye postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -13874,13 +13874,13 @@ CVE-2026-6986 (A security vulnerability has been detected in Cesanta Mongoose up
 	- swupdate 2025.12+dfsg-10
 	[trixie] - swupdate <no-dsa> (Minor issue)
 	[bookworm] - swupdate <no-dsa> (Minor issue)
-	[bullseye] - swupdate <no-dsa> (Minor issue)
+	[bullseye] - swupdate <postponed> (Minor issue)
 CVE-2026-6985 (A weakness has been identified in Cesanta Mongoose up to 7.20. This vu ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2025.12+dfsg-10
 	[trixie] - swupdate <no-dsa> (Minor issue)
 	[bookworm] - swupdate <no-dsa> (Minor issue)
-	[bullseye] - swupdate <no-dsa> (Minor issue)
+	[bullseye] - swupdate <postponed> (Minor issue)
 CVE-2026-6984 (A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22. ...)
 	NOT-FOR-US: AstrBotDevs AstrBot
 CVE-2026-6983 (A vulnerability was identified in pagekit up to 1.0.18. Affected by th ...)
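Review bot: In the changed [bullseye] swupdate lines of this hunk, the state moves from <no-dsa> to <postponed> but the reason stays "(Minor issue)", identical to the trixie and bookworm <no-dsa> lines above it, so the entry does not say what the postponement is waiting for. Suggest extending the reason on the <postponed> lines, for example "(Minor issue, fix along with next update)", so a later reader knows when to revisit it. The same applies to the other swupdate hunks in this change.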
@@ -26881,19 +26881,19 @@ CVE-2026-5246 (A vulnerability was determined in Cesanta Mongoose up to 7.20. Af
 	- swupdate 2025.12+dfsg-10
 	[trixie] - swupdate <no-dsa> (Minor issue)
 	[bookworm] - swupdate <no-dsa> (Minor issue)
-	[bullseye] - swupdate <no-dsa> (Minor issue)
+	[bullseye] - swupdate <postponed> (Minor issue)
 CVE-2026-5245 (A vulnerability was found in Cesanta Mongoose up to 7.20. This impacts ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2025.12+dfsg-10
 	[trixie] - swupdate <no-dsa> (Minor issue)
 	[bookworm] - swupdate <no-dsa> (Minor issue)
-	[bullseye] - swupdate <no-dsa> (Minor issue)
+	[bullseye] - swupdate <postponed> (Minor issue)
 CVE-2026-5244 (A vulnerability has been found in Cesanta Mongoose up to 7.20. This af ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2025.12+dfsg-10
 	[trixie] - swupdate <no-dsa> (Minor issue)
 	[bookworm] - swupdate <no-dsa> (Minor issue)
-	[bullseye] - swupdate <no-dsa> (Minor issue)
+	[bullseye] - swupdate <postponed> (Minor issue)
 CVE-2026-5032 (The W3 Total Cache plugin for WordPress is vulnerable to information e ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-4636 (A flaw was found in Keycloak. An authenticated user with the uma_prote ...)
@@ -46740,19 +46740,19 @@ CVE-2026-2968 (A vulnerability was detected in Cesanta Mongoose up to 7.20. This
 	- swupdate 2025.12+dfsg-10
 	[trixie] - swupdate <no-dsa> (Minor issue)
 	[bookworm] - swupdate <no-dsa> (Minor issue)
-	[bullseye] - swupdate <no-dsa> (Minor issue)
+	[bullseye] - swupdate <postponed> (Minor issue)
 CVE-2026-2967 (A security vulnerability has been detected in Cesanta Mongoose up to 7 ...)
 	- mongoose <not-affected> (Fixed before or with initial upload, also see bug #1135115)
 	- swupdate 2025.12+dfsg-10
 	[trixie] - swupdate <no-dsa> (Minor issue)
 	[bookworm] - swupdate <no-dsa> (Minor issue)
-	[bullseye] - swupdate <no-dsa> (Minor issue)
+	[bullseye] - swupdate <postponed> (Minor issue)
 CVE-2026-2966 (A weakness has been identified in Cesanta Mongoose up to 7.20. The imp ...)
 	- mongoose <not-affected> (Fixed before or with initial upload, also see bug #1135115)
 	- swupdate 2025.12+dfsg-10
 	[trixie] - swupdate <no-dsa> (Minor issue)
 	[bookworm] - swupdate <no-dsa> (Minor issue)
-	[bullseye] - swupdate <no-dsa> (Minor issue)
+	[bullseye] - swupdate <postponed> (Minor issue)
 CVE-2026-2965 (A security flaw has been discovered in 07FLYCMS, 07FLY-CMS and 07FlyCR ...)
 	NOT-FOR-US: 07FLYCMS, 07FLY-CMS and 07FlyCRM
 CVE-2026-2964 (A vulnerability was identified in higuma web-audio-recorder-js 0.1/0.1 ...)
@@ -65180,6 +65180,7 @@ CVE-2025-68158 (Authlib is a Python library which builds OAuth and OpenID Connec
 	- python-authlib 1.6.6-1
 	[trixie] - python-authlib 1.6.0-1+deb13u1
 	[bookworm] - python-authlib 1.2.0-1+deb12u1
+	[bullseye] - python-authlib <postponed> (Minor issue, no rdeps)
 	NOTE: https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523
 	NOTE: Fixed by: https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489 (v1.6.6)
 CVE-2025-68151 (CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0,  ...)
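Review bot: The added [bullseye] line for python-authlib defers the fix with "no rdeps", while the trixie and bookworm lines above it carry fixed versions (1.6.0-1+deb13u1 and 1.2.0-1+deb12u1). The absence of reverse dependencies in the archive says nothing about applications that use the library directly, so a NOTE stating whether the fix commit referenced below (v1.6.6) applies to the bullseye version would make this entry easier to pick up later.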
@@ -84822,7 +84823,7 @@ CVE-2025-65502 (Null pointer dereference in add_ca_certs() in Cesanta Mongoose b
 	- swupdate 2025.12+dfsg-1
 	[trixie] - swupdate <no-dsa> (Minor issue)
 	[bookworm] - swupdate <no-dsa> (Minor issue)
-	[bullseye] - swupdate <no-dsa> (Minor issue)
+	[bullseye] - swupdate <postponed> (Minor issue)
 	NOTE: https://github.com/cesanta/mongoose/issues/3306
 	NOTE: https://github.com/cesanta/mongoose/commit/64abf061bf018fd78f31c200a57a3fb04f9f3ef2 (7.20)
 CVE-2025-65501 (Null pointer dereference in coap_dtls_info_callback() in OISM libcoap  ...)
@@ -103688,7 +103689,7 @@ CVE-2025-51495 (An integer overflow vulnerability exists in the WebSocket compon
 	- swupdate 2025.12+dfsg-1
 	[trixie] - swupdate <no-dsa> (Minor issue)
 	[bookworm] - swupdate <no-dsa> (Minor issue)
-	[bullseye] - swupdate <no-dsa> (Minor issue)
+	[bullseye] - swupdate <postponed> (Minor issue)
 	NOTE: https://github.com/cesanta/mongoose/pull/3131
 	NOTE: https://github.com/cesanta/mongoose/commit/cdc439bc38570048541b2ac6b9c326da87bf4a0a (7.18)
 CVE-2025-43400 (An out-of-bounds write issue was addressed with improved bounds checki ...)
@@ -318844,7 +318845,7 @@ CVE-2023-2905 (Due to a failure in validating the length of a provided MQTT_CMD_
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2024.12+dfsg-1
 	[bookworm] - swupdate <no-dsa> (Minor issue)
-	[bullseye] - swupdate <no-dsa> (Minor issue)
+	[bullseye] - swupdate <postponed> (Minor issue)
 CVE-2023-3223 (A flaw was found in undertow. Servlets annotated with @MultipartConfig ...)
 	- undertow 2.3.18-1 (bug #1054893)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2209689
@@ -324986,7 +324987,7 @@ CVE-2023-34188 (The HTTP server in Mongoose before 7.10 accepts requests contain
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2024.12+dfsg-1
 	[bookworm] - swupdate <no-dsa> (Minor issue)
-	[bullseye] - swupdate <no-dsa> (Minor issue)
+	[bullseye] - swupdate <postponed> (Minor issue)
 	NOTE: https://github.com/cesanta/mongoose/commit/4663090a8fb036146dfe77718cff612b0101cb0f (7.10)
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2023-34021 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Andy Moy ...)
@@ -495485,18 +495486,21 @@ CVE-2021-26531
 CVE-2021-26530 (The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compile ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2022.12+dfsg-1
+	[bullseye] - swupdate <postponed> (Minor issue)
 	NOTE: https://github.com/cesanta/mongoose/issues/1204
 	NOTE: https://github.com/cesanta/mongoose/commit/8e520756366ca5739f13dc6ad65fcf269dbbc994 (7.1)
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2021-26529 (The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7- ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2022.12+dfsg-1
+	[bullseye] - swupdate <postponed> (Minor issue)
 	NOTE: https://github.com/cesanta/mongoose/issues/1203
 	NOTE: https://github.com/cesanta/mongoose/commit/8e520756366ca5739f13dc6ad65fcf269dbbc994 (7.1)
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2021-26528 (The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2022.12+dfsg-1
+	[bullseye] - swupdate <postponed> (Minor issue)
 	NOTE: https://github.com/cesanta/mongoose/issues/1203
 	NOTE: https://github.com/cesanta/mongoose/commit/8e520756366ca5739f13dc6ad65fcf269dbbc994 (7.1)
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
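Review bot: The NOTE under CVE-2021-26528 in this hunk's context points at mongoose issue 1203, the same issue linked for CVE-2021-26529 just above it, although the two descriptions name different functions (mg_http_serve_file and mg_tls_init). Since the entry is being touched anyway, please confirm the reference for CVE-2021-26528 and correct it if it was copied from the neighbouring entry.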
@@ -528880,6 +528884,7 @@ CVE-2020-25888
 CVE-2020-25887 (Buffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when r ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2022.12+dfsg-1
+	[bullseye] - swupdate <postponed> (Minor issue)
 	NOTE: https://github.com/cesanta/mongoose/issues/1140
 CVE-2020-25886
 	RESERVED
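Review bot: The [bullseye] line added under CVE-2020-25887, like the other hunks that only add a line, is a new triage decision and not a change of an existing state as in the <no-dsa> to <postponed> hunks earlier in this diff, yet both kinds of change sit under the single subject "swupdate: bullseye postponed". Suggest stating in the commit message that bullseye entries were also added for CVEs that previously had none, or splitting the two into separate commits, so the history shows when these older issues were first assessed for bullseye.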
@@ -529216,6 +529221,7 @@ CVE-2020-25757 (A lack of input validation and access controls in Lua CGIs on D-
 CVE-2020-25756 (A buffer overflow vulnerability exists in the mg_get_http_header funct ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2022.12+dfsg-1
+	[bullseye] - swupdate <postponed> (Minor issue)
 	NOTE: https://github.com/cesanta/mongoose/issues/1135
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2020-25755 (An issue was discovered on Enphase Envoy R3.x and D4.x (and other curr ...)
@@ -591489,6 +591495,7 @@ CVE-2019-19308 (In text_to_glyphs in sushi-font-widget.c in gnome-font-viewer 3.
 CVE-2019-19307 (An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6. ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2021.04-1
+	[bullseye] - swupdate <postponed> (Minor issue)
 	NOTE: https://github.com/cesanta/mongoose/issues/1055
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2019-19306 (The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via m ...)
@@ -613185,6 +613192,7 @@ CVE-2019-13504 (There is an out-of-bounds read in Exiv2::MrwImage::readMetadata
 CVE-2019-13503 (mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based buffer o ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2021.04-1
+	[bullseye] - swupdate <postponed> (Minor issue)
 	NOTE: https://github.com/cesanta/mongoose/pull/1035
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2019-13502
@@ -614791,6 +614799,7 @@ CVE-2019-12952
 CVE-2019-12951 (An issue was discovered in Mongoose before 6.15. The parse_mqtt() func ...)
 	- mongoose <not-affected> (Fixed before or with initial upload)
 	- swupdate 2021.04-1
+	[bullseye] - swupdate <postponed> (Minor issue)
 	NOTE: https://github.com/cesanta/mongoose/commit/b3e0f780c34cea88f057a62213c012aa88fe2deb (6.15)
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2019-12950 (An issue was discovered in TeamPass 2.1.27.35. From the sources/items. ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/96da10ca0b2e7fa230aa97908cb186637683c0e2...a051ff8cf1a09889183550b31f469c390d72ea7b
