Hi Matheus,

On Sat, May 30, 2026 at 10:27:36AM -0300, Matheus Polkorny wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: [email protected]
> Control: affects -1 + src:pygments
> User: [email protected]
> Usertags: pu bsp-2026-05-07-brazil
>
> [ Reason ]
> Fix Potential ReDoS vulnerabilities in pygments:
> CVE-2026-4539[1], CVE-2022-40896[2].
>
> [ Impact ]
> A specially crafted input can trigger excessive CPU consumption
> due to inefficient regular expression processing in affected
> lexers, leading to a denial of service condition.
>
> [ Tests ]
> The vulnerable code path was tested with the proposed
> patch applied.
>
> [ Risks ]
> The changes are minimal and limited to the affected lexers.
> They are direct backports of the upstream fixes and do not
> modify unrelated functionality.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> Backport the upstream fixes for:
>
> CVE-2022-40896: ReDoS in SmithyLexer.
> CVE-2026-4539: ReDoS in AdlLexer.
>
> [ Other info ]
> The merge request for unstable is open and awaiting review.
The latter of those CVEs is still open in trixie as well; will you file a similar proposed-updates request for trixie?

Regards,
Salvatore
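The [ Impact ] and [ Tests ] sections above describe the failure mode (a regular expression whose match time explodes on crafted input) without showing how a packager would verify that a backported fix actually removes it. The following is an added example, not part of this thread and not pygments code: a small timing harness that measures how match time scales with input length and flags superlinear growth. The two patterns are constructed textbook illustrations of a nested quantifier and its linear equivalent; they are not the SmithyLexer or AdlLexer patterns fixed by the CVEs, and the function names are this example's own.

```python
import re
import time

# Constructed illustrations, not the pygments patterns from the CVEs.
VULNERABLE_PATTERN = r"(a+)+$"   # nested quantifier: exponential backtracking
HARDENED_PATTERN = r"a+$"        # same language, linear matching


def adversarial_input(length):
    """Constructed input: a run of the repeated token plus a byte that forces
    the match to fail only at the very end, so a backtracking engine has to
    try every way of splitting the run before giving up."""
    return "a" * length + "!"


def match_time(pattern, text, repeats=30):
    """Best-of-N wall clock time of one anchored match attempt, in seconds.

    Taking the minimum over repeats filters out scheduler noise and GC pauses.
    """
    regex = re.compile(pattern)
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        regex.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratio(pattern, short_len=12, long_len=18):
    """Ratio of match time at long_len to match time at short_len.

    A linear matcher gives roughly long_len / short_len (1.5 here); an
    exponentially backtracking one gives roughly 2 ** (long_len - short_len)
    (64 here).
    """
    t_short = match_time(pattern, adversarial_input(short_len))
    t_long = match_time(pattern, adversarial_input(long_len))
    # guard against a zero reading on very fast matches
    return t_long / max(t_short, 1e-9)


def is_superlinear(pattern, threshold=8.0):
    """True when match time grows far faster than the input length does."""
    return growth_ratio(pattern) > threshold


if __name__ == "__main__":
    for name, pattern in (("vulnerable", VULNERABLE_PATTERN),
                          ("hardened", HARDENED_PATTERN)):
        print(f"{name:10s} {pattern!r:12s} growth x{growth_ratio(pattern):.1f}"
              f" superlinear={is_superlinear(pattern)}")
```

Run against a lexer's regular expressions before and after applying the debdiff, a check like this turns the "[ Tests ] The vulnerable code path was tested" line into a repeatable regression test: the pre-patch pattern should report a large growth ratio and the post-patch one a ratio close to the length ratio. The threshold is deliberately generous so that timing noise on a loaded build machine does not flag a linear pattern.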

