Your message dated Sat, 28 Feb 2026 18:33:44 +0000
with message-id <[email protected]>
and subject line Bug#1129286: fixed in gvfs 1.59.90-1
has caused the Debian Bug report #1129286,
regarding gvfs: CVE-2026-28296
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1129286: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129286
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gvfs
Version: 1.59.1-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/gvfs/-/issues/833
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.57.2-2

Hi,

The following vulnerability was published for gvfs.

CVE-2026-28295[0]:
| A flaw was found in the FTP GVfs backend. A malicious FTP server can
| exploit this vulnerability by providing an arbitrary IP address and
| port in its passive mode (PASV) response. The client unconditionally
| trusts this information and attempts to connect to the specified
| endpoint, allowing the malicious server to probe for open ports
| accessible from the client's network.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-28295
    https://www.cve.org/CVERecord?id=CVE-2026-28295
[1] https://gitlab.gnome.org/GNOME/gvfs/-/issues/833

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
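The check whose absence the CVE text above describes, as an added C example that is not part of the bug report and not gvfs code or its upstream fix: parse the 227 reply, never dial the address it advertises, and open the data connection to the control connection's peer instead. The function names, return codes and sample addresses are assumptions made for illustration, and the control peer is assumed to be available as a dotted IPv4 string.

```c
#include <stdio.h>
#include <string.h>

/* Parse an RFC 959 reply "227 ... (h1,h2,h3,h4,p1,p2)".
 * Returns 0 and fills host/port, or -1 if the reply is malformed. */
static int parse_pasv(const char *reply, char host[16], unsigned *port)
{
    unsigned v[6];
    char close;
    const char *p;

    if (strncmp(reply, "227", 3) != 0 || (p = strchr(reply, '(')) == NULL)
        return -1;
    if (sscanf(p, "(%3u,%3u,%3u,%3u,%3u,%3u%c", &v[0], &v[1], &v[2],
               &v[3], &v[4], &v[5], &close) != 7 || close != ')')
        return -1;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)          /* each field must fit in one octet */
            return -1;
    snprintf(host, 16, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    *port = v[4] * 256 + v[5];
    return *port == 0 ? -1 : 0;
}

/* Hypothetical policy helper: the data connection always targets the
 * control connection's peer. Returns 0 if the advertised address matched,
 * 1 if it differed and was overridden (worth logging), -1 if malformed. */
static int pasv_data_endpoint(const char *reply, const char *control_peer,
                              char out_host[16], unsigned *out_port)
{
    char advertised[16];

    if (parse_pasv(reply, advertised, out_port) != 0)
        return -1;
    snprintf(out_host, 16, "%s", control_peer);
    return strcmp(advertised, control_peer) == 0 ? 0 : 1;
}

int main(void)
{
    /* Constructed reply: advertises an internal address and port. */
    const char *reply = "227 Entering Passive Mode (192,168,1,10,0,22)";
    char host[16] = "";
    unsigned port = 0;
    int rc = pasv_data_endpoint(reply, "203.0.113.5", host, &port);

    printf("rc=%d data connection -> %s:%u\n", rc, host, port);
    return 0;
}
```

The port is still chosen by the server, so this confines connection attempts to the host the client already chose to talk to rather than removing the server's influence entirely.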
--- Begin Message ---
Source: gvfs
Source-Version: 1.59.90-1
Done: Jeremy Bícha <[email protected]>

We believe that the bug you reported is fixed in the latest version of
gvfs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bícha <[email protected]> (supplier of updated gvfs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 28 Feb 2026 13:26:37 -0500
Source: gvfs
Built-For-Profiles: noudeb
Architecture: source
Version: 1.59.90-1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Jeremy Bícha <[email protected]>
Closes: 1129285 1129286
Changes:
 gvfs (1.59.90-1) unstable; urgency=high
 .
   * New upstream release
     - CVE-2026-28295 (Closes: #1129285)
     - CVE-2026-28296 (Closes: #1129286)
   * Bump minimum gnome-online-accounts
   * Remove 2 patches applied in new release
   * Update Standards Version to 4.7.3


--- End Message ---
