[Git][security-tracker-team/security-tracker][master] Update status for libvpx issue

Mon, 16 Feb 2026 20:45:39 -0800 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b736263f by Salvatore Bonaccorso at 2026-02-17T05:45:04+01:00
Update status for libvpx issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -45,12 +45,16 @@ CVE-2026-2452 (Emails sent by pretix can utilize 
placeholders that will be fille
 CVE-2026-2451 (Emails sent by pretix can utilize placeholders that will be 
filled wit ...)
        NOT-FOR-US: rami.io products
 CVE-2026-2447 (Heap buffer overflow in libvpx. This vulnerability affects 
Firefox < 1 ...)
-       - firefox <unfixed>
-       - firefox-esr <unfixed>
+       - firefox <unfixed> (unimportant)
+       - firefox-esr <unfixed> (unimportant)
        - libvpx <unfixed>
-       - thunderbird <unfixed>
+       - thunderbird <unfixed> (unimportant)
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-11/
+       NOTE: Firefox, Firefox ESR and Thunderbird use the system libvpx library
+       NOTE: Same issue as CVE-2026-1861/chromium
+       NOTE: 
https://chromium.googlesource.com/webm/libvpx/+/d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1
+       TODO: check, libvpx might need a separate CVE for src:libvpx itself
 CVE-2026-2415 (Emails sent by pretix can utilize placeholders that will be 
filled wit ...)
        NOT-FOR-US: rami.io products
 CVE-2026-2101 (A Reflected Cross-site Scripting (XSS) vulnerability affecting 
ENOVIAv ...)
@@ -5240,6 +5244,7 @@ CVE-2026-1861 (Heap buffer overflow in libvpx in Google 
Chrome prior to 144.0.75
        {DSA-6122-1}
        - chromium 144.0.7559.109-2
        [bullseye] - chromium <end-of-life> (see #1061268)
+       NOTE: 
https://chromium.googlesource.com/webm/libvpx/+/d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1
 CVE-2026-25616 (Blesta 3.x through 5.x before 5.13.3 mishandles input 
validation, aka  ...)
        NOT-FOR-US: Blesta
 CVE-2026-25615 (Blesta 3.x through 5.x before 5.13.3 allows object injection, 
aka CORE ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b736263f228da4b0d12069f3316c230c78b9a570

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b736263f228da4b0d12069f3316c230c78b9a570
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to