[Git][security-tracker-team/security-tracker][master] 5 commits: lts: mark CVE-2026-32147, CVE-2026-28810, CVE-2026-28808/erlang as postponed in Bullseye
Daniel Leidert (@dleidert)
dleidert at debian.org
Sun May 31 02:51:05 BST 2026
Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker
Commits:
88392c8f by Daniel Leidert at 2026-05-31T01:53:26+02:00
lts: mark CVE-2026-32147,CVE-2026-28810,CVE-2026-28808/erlang as postponed in Bullseye
- - - - -
91dcd3c6 by Daniel Leidert at 2026-05-31T02:08:38+02:00
Add patch links for CVE-2026-44283/etcd
- - - - -
2129b86c by Daniel Leidert at 2026-05-31T02:15:23+02:00
lts: add exim4 to dla-needed
- - - - -
8d6a9b40 by Daniel Leidert at 2026-05-31T02:29:27+02:00
lts: add libcryptx-perl to dla-needed
- - - - -
432c312b by Daniel Leidert at 2026-05-31T03:00:12+02:00
Add patch link for CVE-2026-41071/libheif
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -6218,6 +6218,7 @@ CVE-2026-41074 (RT is an open source, enterprise-grade issue and ticket tracking
CVE-2026-41071 (libheif is a HEIF and AVIF file format decoder and encoder. In version ...)
- libheif <unfixed> (bug #1137524)
NOTE: https://github.com/strukturag/libheif/security/advisories/GHSA-xj92-xjff-h8w3
+ NOTE: Fixed by: https://github.com/strukturag/libheif/commit/f20c81745e917b4c496615140385c86d7a2fa58d (v1.22.0)
CVE-2026-41069 (libheif is a HEIF and AVIF file format decoder and encoder. In version ...)
- libheif <unfixed> (bug #1137524)
NOTE: https://github.com/strukturag/libheif/security/advisories/GHSA-p82x-fpmv-576r
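Review bot: the new `Fixed by:` note is attached only to CVE-2026-41071, while CVE-2026-41069 directly below shares bug #1137524 and still carries just its advisory link. If commit f20c8174 (v1.22.0) also addresses CVE-2026-41069, say so there; if it does not, a short NOTE stating that its fix is still unidentified would keep whoever closes the bug from assuming one upload of v1.22.0 resolves both entries.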
@@ -10082,6 +10083,10 @@ CVE-2026-44308 (Spring Cloud AWS simplifies using AWS managed services in a Spri
CVE-2026-44283 (etcd is a distributed key-value store for the data of a distributed sy ...)
- etcd <unfixed> (bug #1136829)
NOTE: https://github.com/etcd-io/etcd/security/advisories/GHSA-x35m-3gp4-4fh5
+ NOTE: https://github.com/etcd-io/etcd/pull/21677
+ NOTE: https://github.com/etcd-io/etcd/pull/21680
+ NOTE: Fixed by: https://github.com/etcd-io/etcd/commit/e8ce1ae41f18a938d0d8ad85dbc034c489e468db (v3.5.30)
+ NOTE: Fixed by: https://github.com/etcd-io/etcd/commit/500c535adbb8a5a444bbff9fa34cc1c10addee71 (v3.5.30)
CVE-2026-44216 (Wasmtime is a runtime for WebAssembly. From 30.0.0 to 36.0.8, 43.0.2, ...)
- rust-wasmtime 36.0.8+dfsg-1
NOTE: https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg
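Review bot: the two pull request notes and the two `Fixed by:` commits for CVE-2026-44283 are not tied to each other, and both commits carry the same `(v3.5.30)` tag. It is not visible from these lines whether both commits are needed on one branch or whether each belongs to a different PR and branch. Listing each PR directly above its commit, or adding the branch name in the parentheses, would let a backporter tell which commits to pick.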
@@ -26707,6 +26712,7 @@ CVE-2026-32147 (Improper Limitation of a Pathname to a Restricted Directory ('Pa
- erlang 1:27.3.4.11+dfsg-1
[trixie] - erlang <no-dsa> (Minor issue)
[bookworm] - erlang <no-dsa> (Minor issue)
+ [bullseye] - erlang <postponed> (Minor issue, can be fixed with next update)
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-28jg-mw9x-hpm5
NOTE: https://cna.erlef.org/cves/CVE-2026-32147.html
NOTE: https://github.com/erlang/otp/commit/28c5d5a6c5f873dc701b597276271763e7d1c004 (OTP-26.2.5.20, OTP-27.3.4.11, OTP-28.4.3)
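Review bot: style point on the context line below the added `[bullseye]` entry: the upstream commit note for CVE-2026-32147 is a bare `NOTE: https://github.com/erlang/otp/commit/28c5d5a6...` while the other two erlang entries touched by this push use `NOTE: Fixed by:`. Since the entry is being edited anyway, normalising the prefix would keep the fix commit identifiable in the same way across all three postponed erlang CVEs.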
@@ -33836,6 +33842,7 @@ CVE-2026-28810 (Generation of Predictable Numbers or Identifiers vulnerability i
- erlang 1:27.3.4.10+dfsg-1
[trixie] - erlang <no-dsa> (Minor issue)
[bookworm] - erlang <no-dsa> (Minor issue)
+ [bullseye] - erlang <postponed> (Minor issue, can be fixed with next update)
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8
NOTE: https://github.com/erlang/otp/pull/10864
NOTE: Fixed by: https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8 (OTP-26.2.5.19, OTP-27.3.4.10, OTP-28.4.2)
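Review bot: the `<postponed>` reason "can be fixed with next update" relies on someone remembering these CVEs when that update happens, and erlang already has an open section in data/dla-needed.txt (visible as the context of the first hunk in that file). A NOTE in that erlang section naming CVE-2026-32147, CVE-2026-28810 and CVE-2026-28808 would make sure whoever claims the package includes them in the Bullseye upload.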
@@ -33844,6 +33851,7 @@ CVE-2026-28808 (Incorrect Authorization vulnerability in Erlang OTP (inets modul
- erlang 1:27.3.4.10+dfsg-1
[trixie] - erlang <no-dsa> (Minor issue)
[bookworm] - erlang <no-dsa> (Minor issue)
+ [bullseye] - erlang <postponed> (Minor issue, can be fixed with next update)
NOTE: https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f
NOTE: Fixed by: https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688 (OTP-27.3.4.10, OTP-28.4.2)
NOTE: https://cna.erlef.org/cves/CVE-2026-28808.html
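Review bot: for CVE-2026-28808 the `Fixed by:` line lists only OTP-27.3.4.10 and OTP-28.4.2, with no OTP-26 release, unlike the other two erlang entries in this push. The added `[bullseye]` line reuses the same "can be fixed with next update" wording, which may understate the work if upstream provided no backport for older branches. A NOTE on whether the commit applies to the Bullseye source, or whether the affected inets code is present there at all, would justify the triage.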
=====================================
data/dla-needed.txt
=====================================
@@ -132,6 +132,10 @@ erlang
NOTE: 20260519: and bookworm 12.12 (CVE-2025-46712).
NOTE: 20260519: Fix ELTS at the same time. (Beuc/front-desk)
--
+exim4
+ NOTE: 20260531: Added by Front-Desk (dleidert)
+ NOTE: 20260531: Follow DSA-6309-1 and possibly care about open CVEs (dleidert/front-desk)
+--
expat
NOTE: 20260518: Added by Front-Desk (Beuc)
NOTE: 20260518: Upcoming DSA + many postponed CVE.
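Review bot: in the new exim4 entry, "possibly care about open CVEs" does not tell the person claiming the package which issues are meant. Listing the CVE ids covered by DSA-6309-1 and the additional open ones considered relevant for Bullseye, as the erlang entry above does with `(CVE-2025-46712)`, would make the scope of the DLA explicit.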
@@ -277,6 +281,9 @@ libcaca
NOTE: 20260519: Added by Front-Desk (Beuc)
NOTE: 20260519: Fix unstable first. (Beuc/front-desk)
--
+libcryptx-perl
+ NOTE: 20260531: Added by Front-Desk (dleidert)
+--
libraw
NOTE: 20260417: Added by Front-Desk (rouca)
--
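Review bot: the libcryptx-perl entry carries only `NOTE: 20260531: Added by Front-Desk (dleidert)` and gives no reason for the addition, and the commit message "lts: add libcryptx-perl to dla-needed" does not name one either. The neighbouring entries (exim4, expat, libcaca) each have a second NOTE stating the trigger or a constraint; adding one here with the CVE or DSA that prompted the entry would save the claimant a lookup.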
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f19d2f37b47db6a617760f3856ff0d98502cdc73...432c312b1439c08db83d81699ffe16c32fb03aef