[Git][security-tracker-team/security-tracker][master] 2 commits: golang-1.15: limited support
Sylvain Beucler (@beuc)
gitlab at salsa.debian.org
Mon May 18 12:18:36 BST 2026
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
68ff5b78 by Sylvain Beucler at 2026-05-18T13:15:53+02:00
golang-1.15: limited support
- - - - -
ffc1c5ed by Sylvain Beucler at 2026-05-18T13:17:48+02:00
gobgp: limited support
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -6617,6 +6617,7 @@ CVE-2026-42501 (A malicious module proxy can exploit a flaw in the go command's
[trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/go/+/775321
NOTE: https://github.com/golang/go/issues/79070
NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
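Review bot: the added "[bullseye] - golang-1.15 <postponed>" line defers to "bookworm DSAs/point-releases", but the context shows no [bookworm] annotation under "- golang-1.19 <removed>", only "[trixie] - golang-1.24 <no-dsa> (Minor issue)". As recorded here, bullseye has no bookworm decision to follow for this CVE. Consider adding the bookworm triage in the same change, or state in the reason that "minor issue" is taken from the trixie no-dsa.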
@@ -6627,6 +6628,7 @@ CVE-2026-42499 (Pathological inputs could cause DoS through consumePhrase when p
[trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/go/+/771520
NOTE: https://github.com/golang/go/issues/78987
NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
@@ -6726,6 +6728,7 @@ CVE-2026-39826 (If a trusted template author were to write a <script> tag contai
- golang-1.24 <removed>
- golang-1.19 <removed>
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/go/+/771180
NOTE: https://github.com/golang/go/issues/78981
NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
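Review bot: the reason on the added [bullseye] line drops the "minor issue" qualifier used for CVE-2026-42501 and CVE-2026-42499, and this entry has no [trixie] or [bookworm] triage line in the context to indicate severity. The same holds for the golang-1.15 hunks that follow. If severity has simply not been assessed yet, that is fine, but a short per-CVE severity word would make these postponed entries easier to prioritise when they are revisited.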
@@ -6735,6 +6738,7 @@ CVE-2026-39825 (ReverseProxy can forward queries containing parameters not visib
- golang-1.24 <removed>
- golang-1.19 <removed>
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/go/+/770541
NOTE: https://github.com/golang/go/issues/78948
NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
@@ -6744,6 +6748,7 @@ CVE-2026-39823 (CVE-2026-27142 fixed a vulnerability in which URLs were not corr
- golang-1.24 <removed>
- golang-1.19 <removed>
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/go/+/769920
NOTE: https://github.com/golang/go/issues/78913
NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
@@ -6753,6 +6758,7 @@ CVE-2026-39820 (Well-crafted inputs reaching ParseAddress, ParseAddressList, and
- golang-1.24 <removed>
- golang-1.19 <removed>
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/go/+/759940
NOTE: https://github.com/golang/go/issues/78566
NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
@@ -6762,6 +6768,7 @@ CVE-2026-39819 (The "go bug" command writes to two files with predictable names
- golang-1.24 <removed>
- golang-1.19 <removed>
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/go/+/763882
NOTE: https://github.com/golang/go/issues/78584
NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
@@ -6771,6 +6778,7 @@ CVE-2026-39817 (The "go tool pack" subcommand (usually used only by the compiler
- golang-1.24 <removed>
- golang-1.19 <removed>
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/go/+/767520
NOTE: https://github.com/golang/go/issues/78778
NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
@@ -6798,6 +6806,7 @@ CVE-2026-33811 (When using LookupCNAME with the cgo DNS resolver, a very long CN
- golang-1.24 <removed>
- golang-1.19 <removed>
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <postponed> (Limited support, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/go/+/767860
NOTE: https://github.com/golang/go/issues/78803
NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
@@ -6964,6 +6973,7 @@ CVE-2026-44243 (GitPython is a python library used to interact with Git reposito
NOTE: https://github.com/gitpython-developers/GitPython/pull/2134
CVE-2026-42285 (GoBGP is an open source Border Gateway Protocol (BGP) implementation i ...)
- gobgp 4.5.0-1 (bug #1136049)
+ [bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)
NOTE: https://github.com/osrg/gobgp/security/advisories/GHSA-p3w2-64xm-833j
CVE-2026-42214 (Notepad Next is a cross-platform, reimplementation of Notepad++. Prior ...)
NOT-FOR-US: Notepad Next
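Review bot: the reason text on the added gobgp line, "follow bookworm security updates", differs from the "follow bookworm DSAs/point-releases" wording used for the golang-1.15 entries in the same push. If both mean the same policy, use one phrase so that all limited-support postponements in data/CVE/list can be found with a single search.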
@@ -6995,9 +7005,11 @@ CVE-2026-41644 (monetr is a budgeting application for recurring expenses. Prior
NOT-FOR-US: monetr
CVE-2026-41643 (GoBGP is an open source Border Gateway Protocol (BGP) implementation i ...)
- gobgp 4.3.0-1
+ [bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)
NOTE: https://github.com/osrg/gobgp/security/advisories/GHSA-8rxh-r2p6-7f2q
CVE-2026-41642 (GoBGP is an open source Border Gateway Protocol (BGP) implementation i ...)
- gobgp 4.4.0-1
+ [bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)
NOTE: https://github.com/osrg/gobgp/security/advisories/GHSA-7235-89m6-f4px
CVE-2026-41589 (Wish is an SSH server with defaults and a collection of middlewares. F ...)
NOT-FOR-US: Wish SSH
@@ -9922,6 +9934,7 @@ CVE-2026-38669 (wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when crea
NOT-FOR-US: cCMS
CVE-2026-37461 (An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) o ...)
- gobgp 4.4.0-1
+ [bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)
NOTE: https://github.com/osrg/gobgp/commit/362cce3e325f56e7a4f792ccb9689b3bdda9e682 (v4.4.0)
NOTE: https://github.com/osrg/gobgp/commit/9ce8936672ebc07df524da77fa4c6ae26d92be6d (v4.4.0)
CVE-2026-37459 (An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 all ...)
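Review bot: the added [bullseye] line for CVE-2026-37461 carries the same blanket reason as the other gobgp entries, although the description is an out-of-bounds read in ParseIP6Extended (/bgp/bgp.go); a word on severity or reachability in the reason would help whoever picks this entry up later. Separately, the context line "NOT-FOR-US: cCMS" does not match the "wCMS" named in the CVE-2026-38669 description shown in the hunk header; worth correcting in a follow-up commit.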
@@ -10116,15 +10129,19 @@ CVE-2026-7738 (A security flaw has been discovered in puchunjie doc-tools-mcp 1.
NOT-FOR-US: puchunjie doc-tools-mcp
CVE-2026-7737 (A vulnerability was identified in osrg GoBGP up to 4.3.0. Affected by ...)
- gobgp 4.4.0-1
+ [bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)
NOTE: Fixed by: https://github.com/osrg/gobgp/commit/bc77597d42335c78464bc8e15a471d887bbdf260 (v4.4.0)
CVE-2026-7736 (A vulnerability was determined in osrg GoBGP up to 4.3.0. Affected by ...)
- gobgp 4.4.0-1
+ [bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)
NOTE: Fixed by: https://github.com/osrg/gobgp/commit/76d911046344a3923cbe573364197aa081944592 (v4.4.0)
CVE-2026-7735 (A vulnerability was found in osrg GoBGP up to 4.3.0. Affected is the f ...)
- gobgp 4.4.0-1
+ [bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)
NOTE: Fixed by: https://github.com/osrg/gobgp/commit/51ad1ada06cb41ce47b7066799981816f50b7ced (v4.4.0)
CVE-2026-7734 (A vulnerability has been found in osrg GoBGP up to 4.3.0. This impacts ...)
- gobgp 4.4.0-1
+ [bullseye] - gobgp <postponed> (Limited support, follow bookworm security updates)
NOTE: Fixed by: https://github.com/osrg/gobgp/commit/f9f7b55ec258e514be0264871fa645a2c3edad11 (v4.4.0)
CVE-2026-7733 (A flaw has been found in funadmin up to 7.1.0-rc6. This affects the fu ...)
NOT-FOR-US: funadmin
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ce6eca230509d5693d1a2c3fdf25abf80595851c...ffc1c5ed54a95df88077fcb1d56b50c8f0de11ef