[Git][security-tracker-team/security-tracker][master] 8 commits: dla: gnutls28 status update
Sylvain Beucler (@beuc)
gitlab at salsa.debian.org
Wed May 20 09:37:11 BST 2026
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
fce605d8 by Sylvain Beucler at 2026-05-20T10:36:48+02:00
dla: gnutls28 status update
- - - - -
88f48cd7 by Sylvain Beucler at 2026-05-20T10:36:49+02:00
dla: add gst-plugins-good1.0
- - - - -
d5d7ed9f by Sylvain Beucler at 2026-05-20T10:36:49+02:00
dla: add evince/atril
- - - - -
7cf16502 by Sylvain Beucler at 2026-05-20T10:36:51+02:00
thrift: bullseye postponed
- - - - -
a27a89b4 by Sylvain Beucler at 2026-05-20T10:36:51+02:00
dla: add qemu
- - - - -
adb62654 by Sylvain Beucler at 2026-05-20T10:36:54+02:00
CVE-2026-33055,CVE-2026-33056/rustc,rust-tar: bullseye postponed
- - - - -
da6fd951 by Sylvain Beucler at 2026-05-20T10:36:56+02:00
CVE-2026-42030/mapserver: bullseye postponed
- - - - -
f4465d5f by Sylvain Beucler at 2026-05-20T10:36:59+02:00
CVE-2026-41051/csync2: bullseye postponed
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2991,6 +2991,7 @@ CVE-2026-41051 (csync2 uses insecure temporary directories when compiled with C9
- csync2 <unfixed>
[trixie] - csync2 <no-dsa> (Minor issue)
[bookworm] - csync2 <no-dsa> (Minor issue)
+ [bullseye] - csync2 <postponed> (Minor issue, TOCTOU hard to exploit with glibc's mktemp)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1262472
TODO: check details for upstream
CVE-2026-41050 (Fleet's Helm deployer did not fully apply ServiceAccount impersonation ...)
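Review bot: the new bullseye line justifies <postponed> with "TOCTOU hard to exploit with glibc's mktemp", but the "TODO: check details for upstream" two lines above is still open, so that assessment rests on the SUSE bug rather than on the upstream fix; once the upstream change is identified, add it as a NOTE (as the tar-rs entries do with "Fixed by:") so the bullseye rationale can be re-checked against what actually changed.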
@@ -6140,6 +6141,7 @@ CVE-2026-42072 (Nornicdb is a distributed low-latency, Graph+Vector, Temporal MV
NOT-FOR-US: Nornicdb
CVE-2026-42030 (MapServer is a system for developing web-based GIS applications. From ...)
- mapserver 8.6.2-1
+ [bullseye] - mapserver <postponed> (Minor issue, reflected XSS)
NOTE: https://github.com/MapServer/MapServer/security/advisories/GHSA-4g9f-ph64-hg2x
CVE-2026-42028 (novaGallery is a php image gallery. Prior to version 2.1.1, a path tra ...)
NOT-FOR-US: novaGallery
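Review bot: the bullseye <postponed> line is the only per-release annotation for CVE-2026-42030; unlike the thrift entries in this same diff, trixie and bookworm carry no <no-dsa>/<postponed> tag, so they remain listed as affected unless they already ship 8.6.2-1. If the "Minor issue, reflected XSS" assessment holds for them as well, add matching lines for those suites.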
@@ -14022,24 +14024,28 @@ CVE-2026-41607 (Out-of-bounds Read vulnerability in Apache Thrift. This issue a
- thrift 0.23.0-3 (bug #1135348)
[trixie] - thrift <no-dsa> (Minor issue)
[bookworm] - thrift <no-dsa> (Minor issue)
+ [bullseye] - thrift <postponed> (Minor issue, OOB read)
NOTE: https://www.openwall.com/lists/oss-security/2026/04/28/2
CVE-2026-41606 (Uncontrolled Recursion vulnerability in Apache Thrift. This issue aff ...)
[experimental] - thrift 0.23.0-1
- thrift 0.23.0-3 (bug #1135348)
[trixie] - thrift <no-dsa> (Minor issue)
[bookworm] - thrift <no-dsa> (Minor issue)
+ [bullseye] - thrift <postponed> (Minor issue, DoS)
NOTE: https://www.openwall.com/lists/oss-security/2026/04/28/3
CVE-2026-41603 (Improper Validation of Certificate with Host Mismatch vulnerability in ...)
[experimental] - thrift 0.23.0-1
- thrift 0.23.0-3 (bug #1135348)
[trixie] - thrift <no-dsa> (Minor issue)
[bookworm] - thrift <no-dsa> (Minor issue)
+ [bullseye] - thrift <postponed> (Minor issue, not meant for public deployment)
NOTE: https://www.openwall.com/lists/oss-security/2026/04/28/7
CVE-2026-41602 (Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedT ...)
[experimental] - thrift 0.23.0-1
- thrift 0.23.0-3 (bug #1135348)
[trixie] - thrift <no-dsa> (Minor issue)
[bookworm] - thrift <no-dsa> (Minor issue)
+ [bullseye] - thrift <postponed> (Minor issue, UBSAN)
NOTE: https://www.openwall.com/lists/oss-security/2026/04/28/6
CVE-2026-41526 (In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safel ...)
- kcoreaddons <unfixed> (bug #1135179)
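Review bot: the four new bullseye rationales in this hunk describe different kinds of things: "OOB read" and "DoS" name an impact, "not meant for public deployment" names a deployment assumption, and "UBSAN" on CVE-2026-41602 names only the tool that flags the integer overflow, not its consequence. State the impact for the TFramedTransport overflow (crash/DoS, as on the neighbouring entries, or otherwise) so the postponed decision can be reassessed later without re-reading the oss-security post.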
@@ -14094,6 +14100,7 @@ CVE-2025-48431 (Mismatched Memory Management Routines vulnerability in Apache Th
- thrift 0.23.0-3 (bug #1135348)
[trixie] - thrift <no-dsa> (Minor issue)
[bookworm] - thrift <no-dsa> (Minor issue)
+ [bullseye] - thrift <postponed> (Minor issue, DoS)
NOTE: https://www.openwall.com/lists/oss-security/2026/04/28/8
CVE-2025-10539 (Due to improper TLS certificate validation in the DeskTime Time Tracki ...)
NOT-FOR-US: DeskTime Time Tracking App
@@ -36164,13 +36171,17 @@ CVE-2026-33057 (Mesop is a Python-based UI framework that allows users to build
NOT-FOR-US: Mesop
CVE-2026-33056 (tar-rs is a tar archive reading/writing library for Rust. In versions ...)
- rustc 1.92.0+dfsg1-2
+ [bullseye] - rustc <postponed> (Minor issue, parsing inconsistencies among tar libraries, requires recompiling rdeps)
- rust-tar 0.4.45-1 (bug #1131481)
+ [bullseye] - rust-tar <postponed> (Minor issue, parsing inconsistencies among tar libraries, requires recompiling rdeps)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0067.html
NOTE: https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph
NOTE: Fixed by: https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446 (0.4.45)
CVE-2026-33055 (tar-rs is a tar archive reading/writing library for Rust. Versions 0.4 ...)
- rustc 1.92.0+dfsg1-2 (bug #1135225)
+ [bullseye] - rustc <postponed> (Minor issue, path traversal, requires recompiling rdeps)
- rust-tar 0.4.45-1 (bug #1131480)
+ [bullseye] - rust-tar <postponed> (Minor issue, path traversal, requires recompiling rdeps)
NOTE: https://rustsec.org/advisories/RUSTSEC-2026-0068.html
NOTE: https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff
NOTE: Fixed by: https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946 (0.4.45)
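Review bot: the rustc line for CVE-2026-33056 ("- rustc 1.92.0+dfsg1-2") has no bug reference, while the rustc line for CVE-2026-33055 cites bug #1135225 and both rust-tar lines cite their bugs; add the corresponding bug number (or note that none was filed) so the two "requires recompiling rdeps" postponements can be tracked the same way. The rationale itself is sound: the vendored tar-rs copy in rustc only gets fixed in bullseye when the rebuild actually happens, which is exactly what the postponed tag should be signalling.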
@@ -557802,8 +557813,8 @@ CVE-2020-13950 (Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can
CVE-2020-13949 (In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send sho ...)
[experimental] - thrift 0.16.0-1
- thrift 0.16.0-3 (bug #988949)
- [bullseye] - thrift <no-dsa> (Minor issue)
- [buster] - thrift <no-dsa> (Minor issue)
+ [bullseye] - thrift <postponed> (Minor issue, DoS)
+ [buster] - thrift <postponed> (Minor issue, DoS)
NOTE: https://seclists.org/oss-sec/2021/q1/140
CVE-2020-13948 (While investigating a bug report on Apache Superset, it was determined ...)
NOT-FOR-US: Apache Superset
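Review bot: this hunk retags buster as well as bullseye from <no-dsa> to <postponed>, which the commit message "thrift: bullseye postponed" does not mention. A <postponed> tag signals that a later update is intended where <no-dsa> did not, so confirm that a buster update for CVE-2020-13949 is actually planned before changing it, or drop the buster change from this commit.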
=====================================
data/dla-needed.txt
=====================================
@@ -52,6 +52,10 @@ apache-log4j2
asterisk
NOTE: 20260423: Added by Front-Desk (pochu)
--
+atril
+ NOTE: 20260520: Added by Front-Desk (Beuc)
+ NOTE: 20260520: Possible code execution on reading a PDF. (Beuc/front-desk)
+--
bouncycastle
NOTE: 20260417: Added by Front-Desk (rouca)
NOTE: 20260417: Priority: Fix CVE-2026-5588 then try to fix other pilled CVE (rouca/FD)
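Review bot: the new atril entry records "Possible code execution on reading a PDF" but names no CVE id, whereas the surrounding entries (bouncycastle, erlang) cite the CVEs they concern; add the id(s) so the DLA worker picking this up knows which issue the note refers to and can find it in data/CVE/list.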
@@ -128,6 +132,10 @@ erlang
NOTE: 20260519: and bookworm 12.12 (CVE-2025-46712).
NOTE: 20260519: Fix ELTS at the same time. (Beuc/front-desk)
--
+evince
+ NOTE: 20260520: Added by Front-Desk (Beuc)
+ NOTE: 20260520: Possible code execution on reading a PDF. (Beuc/front-desk)
+--
expat
NOTE: 20260518: Added by Front-Desk (Beuc)
NOTE: 20260518: Upcoming DSA + many postponed CVE.
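Review bot: the evince note is word for word the same as the atril note added earlier in this diff, which suggests the same underlying issue; cross-reference the two entries (or name the shared CVE in both) so the two updates are coordinated rather than handled by different people unaware of each other.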
@@ -185,6 +193,7 @@ glibc
--
gnutls28 (guilhem)
NOTE: 20260503: Added by Front-Desk (lamby)
+ NOTE: 20260520: DSA-6281-1 released (Beuc/front-desk)
--
golang-github-gorilla-csrf
NOTE: 20250422: Added by Front-Desk (rouca)
@@ -228,6 +237,10 @@ grub2
gsasl
NOTE: 20260514: Added by Front-Desk (pochu)
--
+gst-plugins-good1.0
+ NOTE: 20260520: Added by Front-Desk (Beuc)
+ NOTE: 20260520: 6 CVEs piled up since December (Beuc)
+--
haveged
NOTE: 20260519: Added by Front-Desk (Beuc)
NOTE: 20260519: high / LPE (Beuc/front-desk)
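Review bot: "6 CVEs piled up since December" gives a count but not the ids, so the worker has to reconstruct the list from data/CVE/list; listing them here would make the scope of the DLA explicit. Also, the second NOTE is signed "(Beuc)" while the other notes added in this push are signed "(Beuc/front-desk)"; keep the attribution consistent.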
@@ -482,6 +495,11 @@ python-flask-httpauth (eamanu)
NOTE: 20260419: Added by Front-Desk (rouca)
NOTE: 20260423: Fix already created for all releases. NMU to fix in unstable. All coordinated with maintainer.
--
+qemu
+ NOTE: 20260520: Added by Front-Desk (Beuc)
+ NOTE: 20260520: Many postponed CVEs piled up (Beuc/front-desk)
+ NOTE: 20260520: Also SPU/OSPU included a rebuild with updated glibc/glib2.0 (Beuc/front-desk)
+--
rabbitmq-server
NOTE: 20260504: Added by coordinator (santiago)
NOTE: 20260504: Added to address out-standing minor issues
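Review bot: the third qemu NOTE ("Also SPU/OSPU included a rebuild with updated glibc/glib2.0") is ambiguous about what it asks of the bullseye update: is the DLA expected to mirror that rebuild, or is this only background on what the stable point releases did? Spell out the expectation for the DLA worker in one line.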
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7dbdcd380f1ec91a5efcd14b02df2e5e4eb400bd...f4465d5fc202c30a9545bd207f2d749e96ef8aab