[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2026-7210,CVE-2026-8328/python3.9: bullseye postponed

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Tue May 19 08:18:53 BST 2026



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
317ac1e5 by Sylvain Beucler at 2026-05-19T09:18:25+02:00
CVE-2026-7210,CVE-2026-8328/python3.9: bullseye postponed

aligning with other dists
waiting for more issues to pile up, we just released DLA-4583-1

- - - - -
c5b1cee1 by Sylvain Beucler at 2026-05-19T09:18:28+02:00
erlang: reference missing OSPU CVEs

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127607#19

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1944,6 +1944,7 @@ CVE-2026-8328 (The ftpcp() function in Lib/ftplib.py was not updated when  CVE-2
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
+	[bullseye] - python3.9 <postponed> (Minor issue, port scanning in specific scenario)
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (not supported in bullseye)
 	- pypy3 <unfixed>
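Review bot: the new bullseye line uses `<postponed>` while the bookworm line two lines above it (`[bookworm] - python3.11 <no-dsa> (Minor issue)`) uses `<no-dsa>`, although the commit message says this change aligns bullseye with the other dists; if both suites are meant to be handled the same way the tags should match, and otherwise the bullseye rationale ("port scanning in specific scenario") is worth carrying into the bookworm note too, so the triage reasoning is recorded once rather than only on the suite that was touched last.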
@@ -4485,6 +4486,7 @@ CVE-2026-7210 (`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient
 	- python3.11 <removed>
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
+	[bullseye] - python3.9 <postponed> (Minor issue, wait for expat update)
 	- python2.7 <removed>
 	[bullseye] - python2.7 <end-of-life> (not supported in bullseye)
 	- pypy3 <unfixed>
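Review bot: the bullseye rationale "wait for expat update" does not say which expat fix the python3.9 update is waiting on; since this CVE concerns `xml.parsers.expat`, a `NOTE:` pointing at the corresponding expat entry (or the DLA/bug it is tracked under) would let the next triager see when the postponement can be lifted instead of re-deriving the dependency from the CVE description.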
@@ -38414,7 +38416,7 @@ CVE-2026-23943 (Improper Handling of Highly Compressed Data (Compression Bomb) v
 	{DLA-4590-1}
 	- erlang 1:27.3.4.9+dfsg-1 (bug #1130912)
 	[trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
-	[bookworm] - erlang <no-dsa> (Minor issue)
+	[bookworm] - erlang 1:25.2.3+dfsg-1+deb12u4
 	NOTE: https://github.com/erlang/otp/security/advisories/GHSA-c836-qprm-jw9r
 	NOTE: Fixed by: https://github.com/erlang/otp/commit/43a87b949bdff12d629a8c34146711d9da93b1b1 (OTP-28.4.1)
 	NOTE: Fixed by: https://github.com/erlang/otp/commit/93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3 (OTP-27.3.4.9)
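Review bot: the bookworm line now records a fixed version (1:25.2.3+dfsg-1+deb12u4) but nothing in the entry says where that fix came from: the `Fixed by:` notes only reference the OTP-28.4.1 and OTP-27.3.4.9 upstream commits, and the point-update bug cited in the commit message (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127607#19) is not added as a `NOTE:`; consider adding it so the backport to the OTP 25 branch is traceable from the CVE entry the way the trixie and unstable fixes are.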
@@ -38423,7 +38425,7 @@ CVE-2026-23942 (Improper Limitation of a Pathname to a Restricted Directory ('Pa
 	{DLA-4590-1}
 	- erlang 1:27.3.4.9+dfsg-1 (bug #1130912)
 	[trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
-	[bookworm] - erlang <no-dsa> (Minor issue)
+	[bookworm] - erlang 1:25.2.3+dfsg-1+deb12u4
 	NOTE: https://github.com/erlang/otp/security/advisories/GHSA-4749-w85x-hw9h
 	NOTE: Fixed by: https://github.com/erlang/otp/commit/27688a824f753d4c16371dc70e88753fb410590b (OTP-28.4.1)
 	NOTE: Fixed by: https://github.com/erlang/otp/commit/9e0ac85d3485e7898e0da88a14be0ee2310a3b28 (OTP-27.3.4.9)
@@ -38432,7 +38434,7 @@ CVE-2026-23941 (Inconsistent Interpretation of HTTP Requests ('HTTP Request Smug
 	{DLA-4590-1}
 	- erlang 1:27.3.4.9+dfsg-1 (bug #1130912)
 	[trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
-	[bookworm] - erlang <no-dsa> (Minor issue)
+	[bookworm] - erlang 1:25.2.3+dfsg-1+deb12u4
 	NOTE: https://github.com/erlang/otp/security/advisories/GHSA-w4jc-9wpv-pqh7
 	NOTE: Fixed by: https://github.com/erlang/otp/commit/a4b46336fd25aa100ac602eb9a627aaead7eda18 (OTP-28.4.1)
 	NOTE: Fixed by: https://github.com/erlang/otp/commit/a761d391d8d08316cbd7d4a86733ba932b73c45b (OTP-27.3.4.9)
@@ -47794,7 +47796,7 @@ CVE-2026-21620 (Relative Path Traversal, Improper Isolation or Compartmentalizat
 	{DLA-4590-1}
 	- erlang 1:27.3.4.8+dfsg-1 (bug #1128651)
 	[trixie] - erlang 1:27.3.4.1+dfsg-1+deb13u2
-	[bookworm] - erlang <no-dsa> (Minor issue)
+	[bookworm] - erlang 1:25.2.3+dfsg-1+deb12u4
 	NOTE: https://github.com/erlang/otp/security/advisories/GHSA-hmrc-prh3-rpvp
 	NOTE: https://github.com/erlang/otp/pull/10706
 	NOTE: Fixed by (merge): https://github.com/erlang/otp/commit/696fdec922661d4a3cc528fc34bc24fae8d4ad8a (OTP-28.3.2)
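Review bot: the only upstream reference in this entry is the OTP-28.3.2 merge commit, with no OTP-27 or OTP-25 backport commit noted, so the new bookworm fixed version 1:25.2.3+dfsg-1+deb12u4 rests entirely on the point-update bug named in the commit message (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127607#19); adding that bug as a `NOTE:` here, or the deb12u4 changelog entry, would make it possible to verify from the tracker alone that the OTP 25 package actually carries this fix.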



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4db9697cf4d5baa314d39390cf45af689f080e8d...c5b1cee1f396f6a223aaad9ae058540a9663957a


