[Git][security-tracker-team/security-tracker][master] 7 commits: CVE-2026-45205/commons-configuration2: bullseye postponed

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Fri May 22 20:13:06 BST 2026



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9c1f2c56 by Sylvain Beucler at 2026-05-22T21:12:33+02:00
CVE-2026-45205/commons-configuration2: bullseye postponed

- - - - -
f5961c3d by Sylvain Beucler at 2026-05-22T21:12:36+02:00
CVE-2026-5091/libcatalyst-plugin-authentication-perl: bullseye postponed

- - - - -
5586897b by Sylvain Beucler at 2026-05-22T21:12:39+02:00
CVE-2026-8700,CVE-2026-8704/libcrypt-dsa-perl: follow bookworm triage

- - - - -
311177fc by Sylvain Beucler at 2026-05-22T21:12:41+02:00
CVE-2026-44636,CVE-2026-44637,CVE-2026-44638/libsixel: bullseye postponed

- - - - -
da10feff by Sylvain Beucler at 2026-05-22T21:12:44+02:00
CVE-2026-8836/lwip: follow bookworm triage

- - - - -
353b69f4 by Sylvain Beucler at 2026-05-22T21:12:46+02:00
node-axios: follow bookworm triage

- - - - -
dacffa58 by Sylvain Beucler at 2026-05-22T21:12:49+02:00
CVE-2026-42338/node-ip-address: follow bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -198,6 +198,7 @@ CVE-2026-5091 (Catalyst::Plugin::Authentication versions through 0.10024 for Per
 	- libcatalyst-plugin-authentication-perl <unfixed> (bug #1137325)
 	[trixie] - libcatalyst-plugin-authentication-perl <no-dsa> (Minor issue)
 	[bookworm] - libcatalyst-plugin-authentication-perl <no-dsa> (Minor issue)
+	[bullseye] - libcatalyst-plugin-authentication-perl <postponed> (Minor issue, side channel)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/40281889/
 	NOTE: https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b0515f492257438cf07082acf1e10d06e8088a5e (v0.10_025)
 CVE-2026-8376 [Buffer overflow in Perl_study_chunk]
@@ -1894,6 +1895,7 @@ CVE-2026-8836 (A vulnerability was found in lwIP up to 2.2.1. Affected is the fu
 	- lwip <unfixed>
 	[trixie] - lwip <no-dsa> (Minor issue)
 	[bookworm] - lwip <no-dsa> (Minor issue)
+	[bullseye] - lwip <postponed> (Minor issue)
 	NOTE: https://savannah.nongnu.org/bugs/?68194
 	NOTE: https://cgit.git.savannah.gnu.org/cgit/lwip.git/commit/?id=0c957ec03054eb6c8205e9c9d1d05d90ada3898c
 CVE-2026-8803 (A flaw has been found in opensourcepos Open Source Point of Sale up to ...)
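
Review bot: the added `[bullseye] - lwip <postponed> (Minor issue)` line gives no bullseye-specific reason, while other postponed entries in this push say why (side channel, DoS, no rdeps). The entry already carries an upstream fix commit in its NOTE lines and unstable is still <unfixed>, so a short qualifier on what makes this minor for bullseye would help whoever picks the postponed item up later.
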
@@ -2418,12 +2420,14 @@ CVE-2026-8704 (Crypt::DSA versions through 1.19 for Perl use 2-args open, allowi
 	- libcrypt-dsa-perl 1.20-1 (bug #1136809)
 	[trixie] - libcrypt-dsa-perl <no-dsa> (Minor issue)
 	[bookworm] - libcrypt-dsa-perl <no-dsa> (Minor issue)
+	[bullseye] - libcrypt-dsa-perl <postponed> (Minor issue)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/40104289/
 	NOTE: Fixed by: https://github.com/perl-Crypt-OpenPGP/Crypt-DSA/commit/e7dc7836594908d6e9abf74b0a66f12a78569d1c (1.20)
 CVE-2026-8700 (Crypt::DSA versions before 1.20 for Perl generate seeds using rand.  S ...)
 	- libcrypt-dsa-perl 1.20-1 (bug #1136808)
 	[trixie] - libcrypt-dsa-perl <ignored> (Fix switches to Crypt::SysRandom not present in older releases)
 	[bookworm] - libcrypt-dsa-perl <ignored> (Fix switches to Crypt::SysRandom not present in older releases)
+	[bullseye] - libcrypt-dsa-perl <ignored> (Fix switches to Crypt::SysRandom not present in older releases)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/40104301/
 	NOTE: Fixed by: https://github.com/perl-Crypt-OpenPGP/Crypt-DSA/commit/43f2ad133bca76c57665f42eb0dc8042df54d3f1 (1.20)
 CVE-2026-40930
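
Review bot: on the CVE-2026-8700 line, the <ignored> reason is copied from bookworm and explains only why the upstream fix cannot be taken as is (it switches to Crypt::SysRandom), not why seed generation with rand is acceptable to leave in bullseye. Since <ignored> closes the item rather than deferring it, consider a NOTE recording whether a backport using a different randomness source was evaluated.
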
@@ -2751,16 +2755,19 @@ CVE-2026-44638 (libsixel is a SIXEL encoder/decoder implementation derived from
 	- libsixel 1:1.8.7-r2-1
 	[trixie] - libsixel <no-dsa> (Minor issue)
 	[bookworm] - libsixel <no-dsa> (Minor issue)
+	[bullseye] - libsixel <postponed> (Minor issue, no rdeps)
 	NOTE: https://github.com/saitoha/libsixel/security/advisories/GHSA-wpx3-h5g8-qr3w
 CVE-2026-44637 (libsixel is a SIXEL encoder/decoder implementation derived from kmiya' ...)
 	- libsixel 1:1.8.7-r2-1
 	[trixie] - libsixel <no-dsa> (Minor issue)
 	[bookworm] - libsixel <no-dsa> (Minor issue)
+	[bullseye] - libsixel <postponed> (Minor issue, no rdeps)
 	NOTE: https://github.com/saitoha/libsixel/security/advisories/GHSA-9jm7-77gr-qghv
 CVE-2026-44636 (libsixel is a SIXEL encoder/decoder implementation derived from kmiya' ...)
 	- libsixel 1:1.8.7-r2-1
 	[trixie] - libsixel <no-dsa> (Minor issue)
 	[bookworm] - libsixel <no-dsa> (Minor issue)
+	[bullseye] - libsixel <postponed> (Minor issue, no rdeps)
 	NOTE: https://github.com/saitoha/libsixel/security/advisories/GHSA-hx93-w8p2-ffh5
 CVE-2026-44430 (The MCP Registry provides MCP clients with a list of MCP servers, like ...)
 	NOT-FOR-US: MCP Registry
@@ -3435,6 +3442,7 @@ CVE-2026-45205 (Uncontrolled Recursion vulnerability in Apache Commons.  When pr
 	- commons-configuration2 <unfixed> (bug #1136705)
 	[trixie] - commons-configuration2 <no-dsa> (Minor issue)
 	[bookworm] - commons-configuration2 <no-dsa> (Minor issue)
+	[bullseye] - commons-configuration2 <postponed> (Minor issue, DoS)
 	- commons-configuration <not-affected> (Vulnerable code not present)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/14/5
 	NOTE: https://github.com/apache/commons-configuration/pull/634
@@ -4837,6 +4845,7 @@ CVE-2026-42338 (ip-address is a library for parsing and manipulating IPv4 and IP
 	- node-ip-address <unfixed>
 	[trixie] - node-ip-address <no-dsa> (Minor issue)
 	[bookworm] - node-ip-address <no-dsa> (Minor issue)
+	[bullseye] - node-ip-address <postponed> (Minor issue)
 	NOTE: https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g
 CVE-2026-42289 (ChurchCRM is an open-source church management system. Prior to 7.3.2,  ...)
 	NOT-FOR-US: ChurchCRM
@@ -8789,6 +8798,7 @@ CVE-2026-42264 (Axios is a promise based HTTP client for the browser and Node.js
 	- node-axios 1.15.2-1
 	[trixie] - node-axios <no-dsa> (Minor issue)
 	[bookworm] - node-axios <no-dsa> (Minor issue)
+	[bullseye] - node-axios <postponed> (Minor issue)
 	NOTE: https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj
 	NOTE: https://github.com/axios/axios/pull/10779
 	NOTE: https://github.com/axios/axios/commit/47915144662f2733e6c051bdcb895a8c8f0586aa (v1.15.2)
@@ -16304,61 +16314,73 @@ CVE-2026-42044 (Axios is a promise based HTTP client for the browser and Node.js
 	- node-axios 1.15.2-1 (bug #1134878)
 	[trixie] - node-axios <no-dsa> (Minor issue)
 	[bookworm] - node-axios <no-dsa> (Minor issue)
+	[bullseye] - node-axios <postponed> (Minor issue)
 	NOTE: https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23
 CVE-2026-42043 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
 	- node-axios 1.15.2-1 (bug #1134878)
 	[trixie] - node-axios <no-dsa> (Minor issue)
 	[bookworm] - node-axios <no-dsa> (Minor issue)
+	[bullseye] - node-axios <postponed> (Minor issue)
 	NOTE: https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7
 CVE-2026-42042 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
 	- node-axios 1.15.2-1 (bug #1134878)
 	[trixie] - node-axios <no-dsa> (Minor issue)
 	[bookworm] - node-axios <no-dsa> (Minor issue)
+	[bullseye] - node-axios <postponed> (Minor issue)
 	NOTE: https://github.com/axios/axios/security/advisories/GHSA-xx6v-rp6x-q39c
 CVE-2026-42041 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
 	- node-axios 1.15.2-1 (bug #1134878)
 	[trixie] - node-axios <no-dsa> (Minor issue)
 	[bookworm] - node-axios <no-dsa> (Minor issue)
+	[bullseye] - node-axios <postponed> (Minor issue)
 	NOTE: https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63
 CVE-2026-42040 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
 	- node-axios 1.15.2-1 (bug #1134878)
 	[trixie] - node-axios <no-dsa> (Minor issue)
 	[bookworm] - node-axios <no-dsa> (Minor issue)
+	[bullseye] - node-axios <postponed> (Minor issue)
 	NOTE: https://github.com/axios/axios/security/advisories/GHSA-xhjh-pmcv-23jw
 CVE-2026-42039 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
 	- node-axios 1.15.2-1 (bug #1134878)
 	[trixie] - node-axios <no-dsa> (Minor issue)
 	[bookworm] - node-axios <no-dsa> (Minor issue)
+	[bullseye] - node-axios <postponed> (Minor issue)
 	NOTE: https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9
 CVE-2026-42038 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
 	- node-axios 1.15.2-1 (bug #1134878)
 	[trixie] - node-axios <no-dsa> (Minor issue)
 	[bookworm] - node-axios <no-dsa> (Minor issue)
+	[bullseye] - node-axios <postponed> (Minor issue)
 	NOTE: https://github.com/axios/axios/security/advisories/GHSA-m7pr-hjqh-92cm
 CVE-2026-42037 (Axios is a promise based HTTP client for the browser and Node.js. From ...)
 	- node-axios 1.15.2-1 (bug #1134878)
 	[trixie] - node-axios <no-dsa> (Minor issue)
 	[bookworm] - node-axios <no-dsa> (Minor issue)
+	[bullseye] - node-axios <postponed> (Minor issue)
 	NOTE: https://github.com/axios/axios/security/advisories/GHSA-445q-vr5w-6q77
 CVE-2026-42036 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
 	- node-axios 1.15.2-1 (bug #1134878)
 	[trixie] - node-axios <no-dsa> (Minor issue)
 	[bookworm] - node-axios <no-dsa> (Minor issue)
+	[bullseye] - node-axios <postponed> (Minor issue)
 	NOTE: https://github.com/axios/axios/security/advisories/GHSA-vf2m-468p-8v99
 CVE-2026-42035 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
 	- node-axios 1.15.2-1 (bug #1134878)
 	[trixie] - node-axios <no-dsa> (Minor issue)
 	[bookworm] - node-axios <no-dsa> (Minor issue)
+	[bullseye] - node-axios <postponed> (Minor issue)
 	NOTE: https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9
 CVE-2026-42034 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
 	- node-axios 1.15.2-1 (bug #1134878)
 	[trixie] - node-axios <no-dsa> (Minor issue)
 	[bookworm] - node-axios <no-dsa> (Minor issue)
+	[bullseye] - node-axios <postponed> (Minor issue)
 	NOTE: https://github.com/axios/axios/security/advisories/GHSA-5c9x-8gcm-mpgx
 CVE-2026-42033 (Axios is a promise based HTTP client for the browser and Node.js. Prio ...)
 	- node-axios 1.15.2-1 (bug #1134878)
 	[trixie] - node-axios <no-dsa> (Minor issue)
 	[bookworm] - node-axios <no-dsa> (Minor issue)
+	[bullseye] - node-axios <postponed> (Minor issue)
 	NOTE: https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf
 CVE-2026-41907 (uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to ...)
 	- node-uuid 14.0.0+~11.0.0-1
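
Review bot: the twelve added `[bullseye] - node-axios <postponed> (Minor issue)` lines, CVE-2026-42044 through CVE-2026-42033, use one blanket reason for twelve separate advisories. All of them list the same fixed version (1.15.2-1) and the same bug (#1134878), so it would help to say in the reason or in a NOTE that they are meant to be handled together in one later bullseye update, which also tells the next reader that they were assessed as a group.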



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/026eeb2b46ab2e2d575a5e9da8dfc100a76dc17a...dacffa5842155a25755bb6462d18464dff0d7546
