[Git][security-tracker-team/security-tracker][master] 4 commits: dla: add expat
Sylvain Beucler (@beuc)
gitlab at salsa.debian.org
Mon May 18 20:19:59 BST 2026
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ca801da0 by Sylvain Beucler at 2026-05-18T21:19:45+02:00
dla: add expat
- - - - -
e026222e by Sylvain Beucler at 2026-05-18T21:19:47+02:00
CVE-2026-41989/libgcrypt20: introductory commit + bullseye not-affected
From upstream commit:
Fixes-commit: bbe15758c893dbf546416c1a6bccdad1ab000ad7
introducing the incorrect memset.
- - - - -
2397baa4 by Sylvain Beucler at 2026-05-18T21:19:47+02:00
dla: add netatalk
- - - - -
c1d18958 by Sylvain Beucler at 2026-05-18T21:19:50+02:00
CVE-2026-30923,CVE-2026-42268/modsecurity: bullseye postponed
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -9618,9 +9618,11 @@ CVE-2026-31195 (The ping diagnostic handler in /bin/httpd_clientside for ALTICE
NOT-FOR-US: ALTICE
CVE-2026-42268 (ModSecurity is an open source, cross platform web application firewall ...)
- modsecurity 3.0.15-1
+ [bullseye] - modsecurity <postponed> (Minor issue, DoS)
NOTE: https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-vwr3-7x7g-7p9w
CVE-2026-30923 (ModSecurity is an open source, cross platform web application firewall ...)
- modsecurity 3.0.15-1
+ [bullseye] - modsecurity <postponed> (Minor issue, DoS)
NOTE: https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qrjc-3jpc-3h2g
CVE-2026-30246 (Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versio ...)
NOT-FOR-US: Fiber
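Review bot: On both added "[bullseye] - modsecurity <postponed> (Minor issue, DoS)" lines, the reason is identical and does not say what the DoS condition is, and the CVE descriptions shown in this hunk are truncated, so a later triager cannot tell from the entry why these were judged minor. Consider adding a short NOTE under CVE-2026-42268 and CVE-2026-30923 stating the basis for the assessment, taken from the linked GHSA advisories, so the postponement can be revisited without re-deriving it.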
@@ -17046,9 +17048,11 @@ CVE-2026-4367
NOTE: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/merge_requests/31
CVE-2026-41989 (Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow ...)
- libgcrypt20 1.12.2-1
+ [bullseye] - libgcrypt20 <not-affected> (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2026/04/21/1
NOTE: https://dev.gnupg.org/T8211
NOTE: Fixed by: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=2d3d732c9bf87cc10729f69678dd9e6862f99fa3 (libgcrypt-1.12.2)
+ NOTE: Introduced by: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=bbe15758c893dbf546416c1a6bccdad1ab000ad7 (libgcrypt-1.9.0)
CVE-2026-41990 (Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a stat ...)
- libgcrypt20 1.12.2-1
[trixie] - libgcrypt20 <not-affected> (Vulnerable code not present)
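Review bot: The added "<not-affected> (Vulnerable code introduced later)" line for CVE-2026-41989 rests on bullseye's libgcrypt20 predating the introducing commit, which the new NOTE places at libgcrypt-1.9.0, but the entry never states that comparison. Consider naming the boundary in the reason, for example "(Vulnerable code introduced later in 1.9.0)", and confirming that commit bbe15758c893dbf546416c1a6bccdad1ab000ad7 is not carried as a backported patch in the bullseye package, since a version comparison alone would miss that case.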
=====================================
data/dla-needed.txt
=====================================
@@ -124,6 +124,11 @@ epiphany-browser (abhijith)
erlang (kanashiro)
NOTE: 20260222: Added by Front-Desk (rouca)
--
+expat
+ NOTE: 20260518: Added by Front-Desk (Beuc)
+ NOTE: 20260518: Upcoming DSA + many postponed CVE.
+ NOTE: 20260518: CVE-2026-41080 fix requires for python's CVE-2026-7210.
+--
firebird3.0
NOTE: 20260418: Added by Front-Desk (rouca)
--
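Review bot: The third added expat NOTE, "CVE-2026-41080 fix requires for python's CVE-2026-7210", is ambiguous about the direction of the dependency: it can be read as the expat fix being a prerequisite for the python fix, or the reverse. Suggest rewording to state which package must be updated first, for example "CVE-2026-41080 fix is required for python's CVE-2026-7210" if that is the intent. "many postponed CVE" in the line above would also be easier to act on with the CVE ids or a count.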
@@ -338,6 +343,12 @@ nagvis
NOTE: 20250629: Next DLA for 2 new issues has been released (dleidert)
NOTE: 20250629: PU is ready and will be tested before sending the PU request (dleidert)
--
+netatalk
+ NOTE: 20260518: Added by Front-Desk (Beuc)
+ NOTE: 20260518: DSA-6280-1 released fixing 20 patches for trixie.
+ NOTE: 20260518: ~low popcon, no sponsors, only fix if backporting the single
+ NOTE: 20260518: consolidated patch is straightforward enough (Beuc/front-desk)
+--
netty (rouca)
NOTE: 20250814: Added by Front-Desk (lamby)
NOTE: 20251115: Partial release for sid. Fix all CVEs except CVE-2025-58056 (rouca)
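Review bot: In the added netatalk entry, "DSA-6280-1 released fixing 20 patches for trixie" reads as if patches were fixed rather than applied, and the entry does not list which CVEs are covered or where the "single consolidated patch" can be found. Suggest rewording to something like "DSA-6280-1 released for trixie with 20 patches" and adding a reference to the consolidated patch, since the decision rule in the last two NOTE lines (only fix if the backport is straightforward) cannot be evaluated without it.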
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5e7abcab6a4f8717098fc4dd99d8b624122d6bf2...c1d18958f4048566afeda10cc42563341b0685bf