[Git][security-tracker-team/security-tracker][master] Reserve DLA-4589-1 for nginx
Carlos Henrique Lima Melara (@charles)
gitlab at salsa.debian.org
Mon May 18 15:02:50 BST 2026
Carlos Henrique Lima Melara pushed to branch master at Debian Security Tracker / security-tracker
Commits:
682bb9be by Carlos Henrique Lima Melara at 2026-05-18T16:00:13+02:00
Reserve DLA-4589-1 for nginx
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -54484,7 +54484,6 @@ CVE-2026-20056 (A vulnerability in the Dynamic Vectoring and Streaming (DVS) Eng
CVE-2026-1642 (A vulnerability exists in NGINX OSS and NGINX Plus when configured to ...)
{DSA-6131-1}
- nginx 1.28.1-3 (bug #1127053)
- [bullseye] - nginx <postponed> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2026/02/05/1
NOTE: https://my.f5.com/manage/s/article/K000159824
NOTE: Fixed by: https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e (release-1.28.2)
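Review bot: With the `[bullseye] - nginx <postponed> (Minor issue)` line removed, the cross-reference line for CVE-2026-1642 still reads only `{DSA-6131-1}`, so nothing in this entry as committed ties it to DLA-4589-1. After the lists are regenerated, confirm the entry picks up the DLA-4589-1 reference; otherwise the bullseye status for this CVE is left undefined rather than fixed.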
@@ -121011,7 +121010,6 @@ CVE-2025-53859 (NGINX Open Source and NGINX Plus have a vulnerability in the ngx
- nginx 1.28.0-3 (bug #1111138)
[trixie] - nginx 1.26.3-3+deb13u1
[bookworm] - nginx 1.22.1-9+deb12u3
- [bullseye] - nginx <postponed> (minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2025/08/13/5
NOTE: https://nginx.org/download/patch.2025.smtp.txt
NOTE: Fixed by: https://github.com/nginx/nginx/commit/765642b86e0df1b5ef37f42522be7d08d95909c9 (release-1.29.1)
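Review bot: After the removal of `[bullseye] - nginx <postponed> (minor issue)`, bullseye is the only release in this CVE-2025-53859 entry without its own line, while trixie and bookworm carry explicit fixed versions. The bullseye version exists only in data/DLA/list (1.18.0-6.1+deb11u6), so check the rendered tracker page for this CVE and make sure bullseye resolves as fixed through DLA-4589-1 and is not compared against the unstable version 1.28.0-3.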
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[18 May 2026] DLA-4589-1 nginx - security update
+ {CVE-2025-53859 CVE-2026-1642 CVE-2026-27651 CVE-2026-27654 CVE-2026-27784 CVE-2026-28753 CVE-2026-32647 CVE-2026-40701 CVE-2026-42934 CVE-2026-42945 CVE-2026-42946}
+ [bullseye] - nginx 1.18.0-6.1+deb11u6
[16 May 2026] DLA-4588-1 linux-6.1 - security update
{CVE-2026-46333}
[bullseye] - linux-6.1 6.1.172-1~deb11u1
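Review bot: The CVE set on the added DLA-4589-1 entry names eleven CVEs, but data/CVE/list in this commit only drops the bullseye `<postponed>` line for two of them (CVE-2025-53859 and CVE-2026-1642). Check the other nine entries for a leftover bullseye annotation such as `<postponed>`, `<ignored>` or `<no-dsa>` that would contradict the fix in 1.18.0-6.1+deb11u6, and remove any that exist in this same commit.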
=====================================
data/dla-needed.txt
=====================================
@@ -345,11 +345,6 @@ netty (rouca)
NOTE: 20260114: fix remaining CVE wait DSA (rouca)
NOTE: 20200331: release DLA-4519-1 netty. Unfortunatly partial due to new CVEs (rouca)
--
-nginx (charles)
- NOTE: 20260328: Added by Front-Desk (Beuc)
- NOTE: 20260328: 6 new CVEs; also follow DSA-6131-1 (1 CVE)
- NOTE: 20260328: and bookworm 12.12 (1 CVE) (Beuc/front-desk)
---
node-lodash (utkarsh)
NOTE: 20260131: Added by Front-Desk (Beuc)
NOTE: 20260201: this package is pure madness - 290 vendored sources and origtars. :)
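Review bot: The removed `nginx (charles)` entry takes its 20260328 triage notes with it, and those notes counted 6 new CVEs plus one each from DSA-6131-1 and bookworm 12.12, which is fewer than the eleven CVEs now listed under DLA-4589-1. Since the subject says the DLA is only reserved, make sure the CVEs added after that triage were reviewed against 1.18.0-6.1+deb11u6 before this entry disappears, because dla-needed.txt will no longer flag nginx as pending work.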
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/682bb9be2474b21948eb10b5de84a17d24fe94c4