[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2026-8376/perl: bullseye postponed

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Sat May 23 08:05:31 BST 2026 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d7b54c72 by Sylvain Beucler at 2026-05-23T09:05:15+02:00
CVE-2026-8376/perl: bullseye postponed

- - - - -
3f1c6b8e by Sylvain Beucler at 2026-05-23T09:05:18+02:00
golang-go.crypto: limited bullseye support

- - - - -
c4f26fbe by Sylvain Beucler at 2026-05-23T09:05:21+02:00
CVE-2026-42154/prometheus: bullseye postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -314,58 +314,71 @@ CVE-2026-47101 (LiteLLM prior to 1.83.14 allows an authenticated internal_user t
 	NOT-FOR-US: LiteLLM
 CVE-2026-46598 (For certain crafted inputs, a 'ed25519.PrivateKey' was created by cast ...)
 	- golang-go.crypto <unfixed>
+	[bullseye] - golang-go.crypto <postponed> (Limited support, follow bookworm DSAs/point-releases)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
 	NOTE: https://github.com/golang/go/issues/79596
 CVE-2026-46597 (An incorrectly placed cast from bytes to int allowed for server-side p ...)
 	- golang-go.crypto <unfixed>
+	[bullseye] - golang-go.crypto <postponed> (Limited support, follow bookworm DSAs/point-releases)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
 	NOTE: https://github.com/golang/go/issues/79561
 CVE-2026-46595 (Previously, CVE-2024-45337 fixed an authorization bypass for misused s ...)
 	- golang-go.crypto <unfixed>
+	[bullseye] - golang-go.crypto <postponed> (Limited support, follow bookworm DSAs/point-releases)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
 	NOTE: https://github.com/golang/go/issues/79570
 CVE-2026-44409 (There is an an information disclosure vulnerability in ZTE MU5250. Due ...)
 	NOT-FOR-US: ZTE
 CVE-2026-42508 (Previously, a revoked 'SignatureKey' belonging to a CA was not correct ...)
 	- golang-go.crypto <unfixed>
+	[bullseye] - golang-go.crypto <postponed> (Limited support, follow bookworm DSAs/point-releases)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
 	NOTE: https://github.com/golang/go/issues/79568
 CVE-2026-3481 (The WP Blockade plugin for WordPress is vulnerable to Reflected Cross- ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2026-39835 (SSH servers which use CertChecker as a public key callback without set ...)
 	- golang-go.crypto <unfixed>
+	[bullseye] - golang-go.crypto <postponed> (Limited support, follow bookworm DSAs/point-releases)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
 	NOTE: https://github.com/golang/go/issues/79563
 CVE-2026-39834 (When writing data larger than 4GB in a single Write call on an SSH cha ...)
 	- golang-go.crypto <unfixed>
+	[bullseye] - golang-go.crypto <postponed> (Limited support, follow bookworm DSAs/point-releases)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
 	NOTE: https://github.com/golang/go/issues/79567
 CVE-2026-39833 (The in-memory keyring returned by NewKeyring() silently accepted keys  ...)
 	- golang-go.crypto <unfixed>
+	[bullseye] - golang-go.crypto <postponed> (Limited support, follow bookworm DSAs/point-releases)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
 	NOTE: https://github.com/golang/go/issues/79436
 CVE-2026-39832 (When adding a key to a remote agent constraint extensions such as rest ...)
 	- golang-go.crypto <unfixed>
+	[bullseye] - golang-go.crypto <postponed> (Limited support, follow bookworm DSAs/point-releases)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
 	NOTE: https://github.com/golang/go/issues/79435
 CVE-2026-39831 (The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nis ...)
 	- golang-go.crypto <unfixed>
+	[bullseye] - golang-go.crypto <postponed> (Limited support, follow bookworm DSAs/point-releases)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
 	NOTE: https://github.com/golang/go/issues/79566
 CVE-2026-39830 (A malicious SSH peer could send unsolicited global request responses t ...)
 	- golang-go.crypto <unfixed>
+	[bullseye] - golang-go.crypto <postponed> (Limited support, follow bookworm DSAs/point-releases)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
 	NOTE: https://github.com/golang/go/issues/79564
 CVE-2026-39829 (The RSA and DSA public key parsers did not enforce size limits on key  ...)
 	- golang-go.crypto <unfixed>
+	[bullseye] - golang-go.crypto <postponed> (Limited support, follow bookworm DSAs/point-releases)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
 	NOTE: https://github.com/golang/go/issues/79565
 CVE-2026-39828 (When an SSH server authentication callback returned PartialSuccessErro ...)
 	- golang-go.crypto <unfixed>
+	[bullseye] - golang-go.crypto <postponed> (Limited support, follow bookworm DSAs/point-releases)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
 	NOTE: https://github.com/golang/go/issues/79562
 CVE-2026-39827 (An authenticated SSH client that repeatedly opened channels which were ...)
 	- golang-go.crypto <unfixed>
+	[bullseye] - golang-go.crypto <postponed> (Limited support, follow bookworm DSAs/point-releases)
 	NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
 	NOTE: https://github.com/golang/go/issues/35127
 CVE-2026-34911 (A malicious actor with access to the network and low privileges could  ...)
@@ -393,6 +406,7 @@ CVE-2026-8376 [Buffer overflow in Perl_study_chunk]
 	- perl <unfixed> (bug #1137345)
 	[trixie] - perl <no-dsa> (Minor issue; can be fixed in point release)
 	[bookworm] - perl <no-dsa> (Minor issue; can be fixed in point release)
+	[bullseye] - perl <postponed> (Minor issue; can be fixed in point release)
 	NOTE: https://github.com/Perl/perl5/pull/24433
 CVE-2026-9157 (Improper input validation, Unrestricted upload of file with dangerous  ...)
 	NOT-FOR-US: Gmission
@@ -12207,6 +12221,7 @@ CVE-2026-42220 (Nginx UI is a web user interface for the Nginx web server. Prior
 	NOT-FOR-US: Nginx UI
 CVE-2026-42154 (Prometheus is an open-source monitoring system and time series databas ...)
 	- prometheus <unfixed> (bug #1135999)
+	[bullseye] - prometheus <postponed> (Minor issue, DoS)
 	NOTE: https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm
 	NOTE: https://github.com/prometheus/prometheus/pull/18584
 	NOTE: https://github.com/prometheus/prometheus/pull/18585



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2d6327e855696c49c5da9ee80c2f8446fdcee718...c4f26fbe8b24c1df0d6e5ce0f6ab8a4fbb408b63

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2d6327e855696c49c5da9ee80c2f8446fdcee718...c4f26fbe8b24c1df0d6e5ce0f6ab8a4fbb408b63
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260523/7e6ec5f6/attachment.htm>

More information about the debian-security-tracker-commits mailing list