Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
722b5287 by Emilio Pozuelo Monfort at 2026-01-23T14:13:10+01:00
lts: jython and python2.7 EOL on bullseye

- - - - -
60be70b3 by Emilio Pozuelo Monfort at 2026-01-23T14:13:11+01:00
lts: postpone golang issues

They are either minor (DoS) or hard to trigger.

- - - - -
e2340263 by Emilio Pozuelo Monfort at 2026-01-23T14:13:12+01:00
lts: add modsecurity-crs

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1541,6 +1541,7 @@ CVE-2026-0865 (User-controlled header names and values 
containing newlines can a
        [bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
        - pypy3 <unfixed>
        - jython <unfixed>
+       [bullseye] - jython <end-of-life> (EOL in bullseye LTS)
        NOTE: https://github.com/python/cpython/pull/143917
        NOTE: https://github.com/python/cpython/issues/143916
        NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/
@@ -1593,7 +1594,9 @@ CVE-2025-15367 (The poplib module, when passed a 
user-controlled command, can ha
        - python3.9 <removed>
        - pypy3 <unfixed>
        - python2.7 <removed>
+       [bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
        - jython <unfixed>
+       [bullseye] - jython <end-of-life> (EOL in bullseye LTS)
        NOTE: https://github.com/python/cpython/issues/143923
        NOTE: https://github.com/python/cpython/pull/143924
        NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/
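Review bot: python3.9 in the context of this hunk still carries only `- python3.9 <removed>` with no `[bullseye]` line, so after this change the entry records bullseye as end-of-life for python2.7 and jython but says nothing explicit for the interpreter bullseye ships as its Python 3. If the intent is to leave python3.9 open for a later DLA, that is fine as is; otherwise it would be worth triaging it in the same pass so the bullseye status of this CVE is complete. The same shape appears in the CVE-2025-15366 and CVE-2025-15282 entries.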
@@ -1605,7 +1608,9 @@ CVE-2025-15366 (The imaplib module, when passed a 
user-controlled command, can h
        - python3.9 <removed>
        - pypy3 <unfixed>
        - python2.7 <removed>
+       [bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
        - jython <unfixed>
+       [bullseye] - jython <end-of-life> (EOL in bullseye LTS)
        NOTE: https://github.com/python/cpython/issues/143921
        NOTE: https://github.com/python/cpython/pull/143922
        NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/
@@ -1617,7 +1622,9 @@ CVE-2025-15282 (User-controlled data URLs parsed by 
urllib.request.DataHandler a
        - python3.9 <removed>
        - pypy3 <unfixed>
        - python2.7 <removed>
+       [bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
        - jython <unfixed>
+       [bullseye] - jython <end-of-life> (EOL in bullseye LTS)
        NOTE: https://github.com/python/cpython/issues/143925
        NOTE: https://github.com/python/cpython/pull/143926
        NOTE: 
https://mail.python.org/archives/list/[email protected]/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/
@@ -2914,6 +2921,7 @@ CVE-2025-61730 [crypto/tls: handshake messages may be 
processed at the incorrect
        - golang-1.24 <unfixed> (bug #1125917)
        - golang-1.19 <removed>
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <postponed> (Limited support, minor issue, 
follow bookworm DSAs/point-releases)
        NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
        NOTE: https://github.com/golang/go/issues/76443
        NOTE: Fixed by: 
https://github.com/golang/go/commit/525dd853633f90d6038719d9a48cba3770ca71ea 
(go1.25.6)
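Review bot: the added golang-1.15 note says "follow bookworm DSAs/point-releases", but in this entry golang-1.19 shows only `- golang-1.19 <removed>` with no `[bookworm]` triage line, unlike CVE-2025-68121 and CVE-2025-61726 further down, where `[bookworm] - golang-1.19 <no-dsa> (Minor issue)` is present. Until bookworm is triaged there is nothing for bullseye to follow here, so this postponement should be revisited once the bookworm line lands, in case bookworm ends up treating the TLS handshake issue as more than minor.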
@@ -2923,6 +2931,7 @@ CVE-2025-68119 [cmd/go: unexpected code execution when 
invoking toolchain]
        - golang-1.24 <unfixed>
        - golang-1.19 <removed>
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <postponed> (Limited support, minor issue, 
follow bookworm DSAs/point-releases)
        NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
        NOTE: https://github.com/golang/go/issues/77099
        NOTE: Fixed by: 
https://github.com/golang/go/commit/082365aa552a7e2186f79110d5311dce70749cc0 
(go1.25.6)
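Review bot: the reason text "minor issue" on the added golang-1.15 line sits under an entry titled "cmd/go: unexpected code execution when invoking toolchain", which reads as a severity judgement that the title contradicts. The commit message gives the actual rationale ("either minor (DoS) or hard to trigger"), so the note would be clearer if it said that, for example "Limited support, hard to trigger, follow bookworm DSAs/point-releases". The DoS entries already spell out their reason this way. The same wording is used on the CVE-2025-61731 entry ("bypass of flag sanitization can lead to arbitrary code e...") and would benefit from the same change.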
@@ -2932,6 +2941,7 @@ CVE-2025-61731 [cmd/go: bypass of flag sanitization can 
lead to arbitrary code e
        - golang-1.24 <unfixed> (bug #1125917)
        - golang-1.19 <removed>
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <postponed> (Limited support, minor issue, 
follow bookworm DSAs/point-releases)
        NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
        NOTE: https://github.com/golang/go/issues/77100
        NOTE: Fixed by: 
https://github.com/golang/go/commit/2526187481ee31241b72f491992accbdd66c2655 
(go1.25.6)
@@ -2943,6 +2953,7 @@ CVE-2025-68121 [crypto/tls: Config.Clone copies 
automatically generated session
        - golang-1.19 <removed>
        [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <postponed> (Limited support, minor issue, 
follow bookworm DSAs/point-releases)
        NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
        NOTE: https://github.com/golang/go/issues/77113
        NOTE: Fixed by: 
https://github.com/golang/go/commit/4be38528a68a8b0c4e101576df200c214ad49c26 
(go1.25.6)
@@ -2954,6 +2965,7 @@ CVE-2025-61726 [net/http: memory exhaustion in 
Request.ParseForm]
        - golang-1.19 <removed>
        [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <postponed> (Limited support, DoS, minor 
issue, follow bookworm DSAs/point-releases)
        NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
        NOTE: https://github.com/golang/go/issues/77101
        NOTE: Fixed by: 
https://github.com/golang/go/commit/afa9b66ac081d3b239d8c1a226b5e884c8435185 
(go1.25.6)
@@ -2963,6 +2975,7 @@ CVE-2025-61728 [archive/zip: denial of service when 
parsing arbitrary ZIP archiv
        - golang-1.24 <unfixed> (bug #1125917)
        - golang-1.19 <removed>
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <postponed> (Limited support, DoS, minor 
issue, follow bookworm DSAs/point-releases)
        NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
        NOTE: https://github.com/golang/go/issues/77102
        NOTE: Fixed by: 
https://github.com/golang/go/commit/9d497df196d66553ae844c22a53fb86cd422e80c 
(go1.25.6)


=====================================
data/dla-needed.txt
=====================================
@@ -244,6 +244,9 @@ mimetex
   NOTE: 20250629: There doesn't seem to be a fix so far according to #1103801 
(dleidert)
   NOTE: 20250629: Best course of action seems to be some kind of mitigation 
similar to https://moodle.org/mod/forum/discuss.php?d=467592 (dleidert)
 --
+modsecurity-crs
+  NOTE: 20260123: Added by Front-Desk (pochu)
+--
 nagvis
   NOTE: 20250117: Added by Front-Desk (rouca)
   NOTE: 20250119: Also check/fix https://bugs.debian.org/1061044
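Review bot: the new modsecurity-crs entry records only who added it, and none of the data/CVE/list hunks in this push touch modsecurity-crs, so a reader of dla-needed.txt cannot tell which issue prompted the addition. Adding a second NOTE line with the CVE id or bug number that triggered it, in the style of the neighbouring entries' dated notes, would save whoever claims the package a lookup.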



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/476d1889d46dcdbd322ceebd80e8618f433d4768...e23402636619f4b02c79516039470d7302a30225



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
