[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2026-42308,CVE-2026-42310/pillow: bullseye postponed
Sylvain Beucler (@beuc)
gitlab at salsa.debian.org
Thu May 21 09:17:04 BST 2026
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
030adf81 by Sylvain Beucler at 2026-05-21T10:16:48+02:00
CVE-2026-42308,CVE-2026-42310/pillow: bullseye postponed
- - - - -
58649c97 by Sylvain Beucler at 2026-05-21T10:16:51+02:00
CVE-2026-8723/node-qs: bullseye postponed
- - - - -
c8dd66ae by Sylvain Beucler at 2026-05-21T10:16:54+02:00
CVE-2026-6321,CVE-2026-6322/node-ajv: fast-uri provided with >=forky, bullseye not-affected
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1581,6 +1581,7 @@ CVE-2026-8724 (A security flaw has been discovered in Dataease 2.10.20. Impacted
NOT-FOR-US: Dataease
CVE-2026-8723 (### Summary `qs.stringify` throws `TypeError` when called with `arr ...)
- node-qs <unfixed>
+ [bullseye] - node-qs <postponed> (Minor issue, DoS)
NOTE: https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26
NOTE: Fixed by: https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41 (v6.15.2)
CVE-2026-8721 (Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwo ...)
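Review bot: the package line above the new entry is still `- node-qs <unfixed>` although the Fixed by note pins the fix to v6.15.2; worth checking whether unstable already carries that upstream release so the top line can be updated in the same pass, since `[bullseye] - node-qs <postponed> (Minor issue, DoS)` only records the oldstable decision and carries the expected rationale.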
@@ -6591,6 +6592,7 @@ CVE-2026-42311 (Pillow is a Python imaging library. From version 10.3.0 to befor
NOTE: Introduced by: https://github.com/python-pillow/Pillow/commit/c2907dc04967109391a77eea00f7d583a0a0395f (10.3.0)
CVE-2026-42310 (Pillow is a Python imaging library. From version 4.2.0 to before versi ...)
- pillow 12.2.0-1
+ [bullseye] - pillow <postponed> (Minor issue, DoS)
NOTE: https://github.com/python-pillow/Pillow/security/advisories/GHSA-r73j-pqj5-w3x7
NOTE: https://github.com/python-pillow/Pillow/pull/9519
NOTE: Fixed by: https://github.com/python-pillow/Pillow/commit/3bf614e4b8615d0ce1d5039efaf6db447fe7c468 (12.2.0)
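Review bot: postponed rather than not-affected is the right status for bullseye here, since the description gives the affected range as starting at version 4.2.0, which covers the bullseye pillow; the rationale `(Minor issue, DoS)` is recorded on the entry, and the Fixed by commit tagged 12.2.0 matches the 12.2.0-1 fix version on the package line, so a backport target already exists for when the postponement is revisited.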
@@ -6602,6 +6604,7 @@ CVE-2026-42309 (Pillow is a Python imaging library. From version 11.2.1 to befor
NOTE: https://github.com/python-pillow/Pillow/security/advisories/GHSA-5xmw-vc9v-4wf2
CVE-2026-42308 (Pillow is a Python imaging library. Prior to version 12.2.0, if a font ...)
- pillow 12.2.0-1
+ [bullseye] - pillow <postponed> (Minor issue, UBSAN)
NOTE: https://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j
TODO: research fixing commit(s), maybe https://github.com/python-pillow/Pillow/pull/9518/changes
CVE-2026-42307 (Vim is an open source, command line text editor. Prior to version 9.2. ...)
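Review bot: the `TODO: research fixing commit(s)` line remains open while bullseye is set to `<postponed> (Minor issue, UBSAN)`; postponing before the fix is identified is acceptable, but the TODO (confirming whether PR 9518 is in fact the fix, as the note guesses) should be resolved before any bullseye backport is attempted, and the rationale would be clearer if it named the practical effect of the sanitizer finding rather than only the tool that reported it.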
@@ -10929,9 +10932,10 @@ CVE-2026-6322 (fast-uri normalize() decoded percent-encoded authority delimiters
- node-ajv 8.20.0~ds+~cs6.1.3-1 (bug #1135998)
[trixie] - node-ajv <no-dsa> (Minor issue)
[bookworm] - node-ajv <no-dsa> (Minor issue)
+ [bullseye] - node-ajv <not-affected> (fast-uri not provided)
NOTE: https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc
NOTE: https://github.com/fastify/fast-uri/commit/6c86c17c3d76fb93aa3700ec6c0fa00faeb97293 (v3.1.2)
- NOTE: Embedded fast-uri used and provided as node-fast-uri
+ NOTE: Embedded fast-uri used and provided as node-fast-uri, starting with forky
CVE-2026-6262 (The Betheme theme for WordPress is vulnerable to Arbitrary File Deleti ...)
NOT-FOR-US: WordPress plugin
CVE-2026-6261 (The Betheme theme for WordPress is vulnerable to Arbitrary File Upload ...)
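Review bot: the reworded note `NOTE: Embedded fast-uri used and provided as node-fast-uri, starting with forky` leaves it unclear whether "starting with forky" qualifies "used" or only "provided". Since bookworm and trixie keep `<no-dsa> (Minor issue)` (i.e. affected) while bullseye becomes `<not-affected> (fast-uri not provided)`, the intended reading must be that bookworm and trixie embed fast-uri without shipping the node-fast-uri binary; consider wording the note that way so the three suite entries do not look contradictory.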
@@ -11292,9 +11296,10 @@ CVE-2026-6321 (fast-uri decoded percent-encoded path separators and dot segments
- node-ajv 8.20.0~ds+~cs6.1.3-1 (bug #1135998)
[trixie] - node-ajv <no-dsa> (Minor issue)
[bookworm] - node-ajv <no-dsa> (Minor issue)
+ [bullseye] - node-ajv <not-affected> (fast-uri not provided)
NOTE: https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6
NOTE: Fixed by: https://github.com/fastify/fast-uri/commit/876ce79b662c3e5015e4e7dffe6f37752ad34f35 (v3.1.1)
- NOTE: Embedded fast-uri used and provided as node-fast-uri
+ NOTE: Embedded fast-uri used and provided as node-fast-uri, starting with forky
CVE-2026-6266 (A flaw was found in the AAP gateway. The user auto-link strategy, intr ...)
NOT-FOR-US: Red Hat AAP gateway
CVE-2026-6255 (The Simple Owl Shortcodes plugin for WordPress is vulnerable to Stored ...)
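Review bot: same ambiguity as in the CVE-2026-6322 entry: "starting with forky" should say whether bookworm and trixie embed fast-uri without providing node-fast-uri, given they stay `<no-dsa>` while bullseye is `<not-affected> (fast-uri not provided)`. The bullseye line and the Fixed by reference (v3.1.1) are otherwise consistent with the sibling entry.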
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d4f16921b3673ea964a3adc01a13db029b08ab27...c8dd66ae17c720754f6c5355643de5249567ff6f