Your message dated Thu, 14 May 2026 08:35:19 +0000
with message-id <[email protected]>
and subject line Bug#1128653: fixed in tensorflow 2.14.1+dfsg-3.1
has caused the Debian Bug report #1128653,
regarding tensorflow: CVE-2026-2492
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1128653: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128653
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tensorflow
Version: 2.14.1+dfsg-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for tensorflow.
CVE-2026-2492[0]:
| TensorFlow HDF5 Library Uncontrolled Search Path Element Local
| Privilege Escalation Vulnerability. This vulnerability allows local
| attackers to escalate privileges on affected installations of
| TensorFlow. An attacker must first obtain the ability to execute
| low-privileged code on the target system in order to exploit this
| vulnerability. The specific flaw exists within the handling of
| plugins. The application loads plugins from an unsecured location.
| An attacker can leverage this vulnerability to escalate privileges
| and execute arbitrary code in the context of a target user. Was
| ZDI-CAN-25480.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-2492
https://www.cve.org/CVERecord?id=CVE-2026-2492
[1] https://www.zerodayinitiative.com/advisories/ZDI-26-116/
[2] https://github.com/tensorflow/tensorflow/commit/46e7f7fb144fd11cf6d17c23dd47620328d77082
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: tensorflow
Source-Version: 2.14.1+dfsg-3.1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
tensorflow, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated tensorflow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 04 May 2026 15:23:32 +0300
Source: tensorflow
Architecture: source
Version: 2.14.1+dfsg-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Deep Learning Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1128653
Changes:
tensorflow (2.14.1+dfsg-3.1) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2026-2492: HDF5 Library Uncontrolled Search Path Element
Local Privilege Escalation (Closes: #1128653)
--- End Message ---