Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1ad649c8 by Daniel Leidert at 2026-03-15T19:26:11+01:00
Fix link for CVE-2026-3950 and mark Bullseye as not affected

- - - - -
4d9e2c4d by Daniel Leidert at 2026-03-15T19:45:28+01:00
lts: mark CVE-2026-3731/libssh as postponed

- - - - -
be18a96d by Daniel Leidert at 2026-03-15T19:48:36+01:00
dla-needed: add gst-plugins-base1.0 also in dsa-needed

- - - - -
0c591523 by Daniel Leidert at 2026-03-15T19:57:54+01:00
lts: mark gpac as EOL

- - - - -
12c93ca0 by Daniel Leidert at 2026-03-15T20:07:48+01:00
lts: mark CVE-2026-4105/bullseye as postponed

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -606,6 +606,7 @@ CVE-2026-4105 (A flaw was found in systemd. The 
systemd-machined service contain
        - systemd 260~rc3-1
        [trixie] - systemd <no-dsa> (Only exloitable with custom polkit policy 
that allows register-machine access)
        [bookworm] - systemd <no-dsa> (Only exloitable with custom polkit 
policy that allows register-machine access)
+       [bullseye] - systemd <postponed> (Only exloitable with custom polkit 
policy that allows register-machine access)
        NOTE: 
https://github.com/systemd/systemd/security/advisories/GHSA-4h6x-r8vx-3862
        NOTE: Introduced with: 
https://github.com/systemd/systemd/commit/fbe550738d03b178bb004a1390e74115e904118a
 (v225)
        NOTE: Fixed by: 
https://github.com/systemd/systemd/commit/6df5f80bd374be1b45c52d740e88f0236da922c7
 (v260-rc3)
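Review bot: the new `[bullseye] - systemd <postponed>` line carries over the typo "exloitable" from the trixie and bookworm entries directly above it; since this is freshly added text it should read "exploitable", and the two existing lines could be corrected in the same commit so the three justifications stay identical.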
@@ -745,10 +746,12 @@ CVE-2026-4039 (A vulnerability was determined in OpenClaw 
2026.2.19-2. This vuln
        NOT-FOR-US: OpenClaw
 CVE-2026-4016 (A security vulnerability has been detected in GPAC 26.03-DEV. 
Affected ...)
        - gpac <removed>
+       [bullseye] - gpac <end-of-life>
        NOTE: https://github.com/gpac/gpac/issues/3468
        NOTE: 
https://github.com/gpac/gpac/commit/7618d7206cdeb3c28961dc97ab0ecabaff0c8af2
 CVE-2026-4015 (A weakness has been identified in GPAC 26.03-DEV. Affected is 
the func ...)
        - gpac <removed>
+       [bullseye] - gpac <end-of-life>
        NOTE: https://github.com/gpac/gpac/issues/3467
        NOTE: 
https://github.com/gpac/gpac/commit/d29f6f1ada5cc284cdfa783b6f532c7d8bd049a5
 CVE-2026-3989 (SGLangs `replay_request_dump.py` contains an insecure 
pickle.load() wi ...)
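Review bot: the two added `[bullseye] - gpac <end-of-life>` lines give no parenthetical reason, while every other distribution tag added in this patch does (`<postponed> (Only exloitable with custom polkit ...)`, `<postponed> (Minor issue)`); a short justification for why gpac is no longer supported in bullseye would help whoever reads these entries next.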
@@ -1335,8 +1338,10 @@ CVE-2026-3950 (A vulnerability was identified in 
strukturag libheif up to 1.21.2
        - libheif <unfixed> (bug #1130640)
        [trixie] - libheif <not-affected> (Vulnerable code not present)
        [bookworm] - libheif <not-affected> (Vulnerable code not present)
-       NOTE: Introduced after: 
https://github.com/strukturag/libheif/content/16e205f12bfe9a3717ca1d3b447fa83f66bc87e9
 (v1.20.0)
+       [bullseye] - libheif <not-affected> (Vulnerable code not present)
+       NOTE: Introduced after: 
https://github.com/strukturag/libheif/commit/16e205f12bfe9a3717ca1d3b447fa83f66bc87e9
 (v1.20.0)
        NOTE: https://github.com/strukturag/libheif/issues/1715
+       NOTE: Fixed by: https://github.com/strukturag/libheif/pull/1721
 CVE-2026-3949 (A vulnerability was determined in strukturag libheif up to 
1.21.2. Thi ...)
        - libheif <unfixed> (unimportant)
        NOTE: https://github.com/strukturag/libheif/issues/1712
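Review bot: the added `NOTE: Fixed by: https://github.com/strukturag/libheif/pull/1721` points at a pull request, whereas the other Fixed by notes in this patch reference a specific commit together with the release that carries it (`(v260-rc3)`, `(libssh-0.11.4)`); once the PR is merged, link the merge commit and record the first fixed upstream version so the `- libheif <unfixed> (bug #1130640)` entry can later be closed against a concrete release. The change of `content/` to `commit/` in the Introduced-after URL matches the link fix announced in the commit message.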
@@ -3155,6 +3160,7 @@ CVE-2026-3731 (A weakness has been identified in libssh 
up to 0.11.3. The impact
        - libssh 0.12.0-1 (bug #1127693)
        [trixie] - libssh <no-dsa> (Minor issue)
        [bookworm] - libssh <no-dsa> (Minor issue)
+       [bullseye] - libssh <postponed> (Minor issue)
        NOTE: 
https://www.libssh.org/security/advisories/libssh-2026-sftp-extensions.txt
        NOTE: Fixed by: 
https://git.libssh.org/projects/libssh.git/commit/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8
 (libssh-0.11.4)
        NOTE: Testcase: 
https://git.libssh.org/projects/libssh.git/commit/?id=02c6f5f7ec8629a7cff6a28cde9701ab10304540
 (libssh-0.11.4)


=====================================
data/dla-needed.txt
=====================================
@@ -163,6 +163,10 @@ grub2
   NOTE: 20251129: Maintainer (jak) replied: work underway, proposed to skip 
next point release (2026-01, too soon)
   NOTE: 20251129: also uncertainty on whether a shim/SBAT (revocation) update 
is feasible/needed.
 --
+gst-plugins-base1.0
+  NOTE: 20260315: Added by Front-Desk (dleidert)
+  NOTE: 20260315: Follow DSA when released (dleidert/front-desk)
+--
 gvfs
   NOTE: 20260228: Added by Front-Desk (charles)
   NOTE: 20260228: CVE-2026-28296 is the greater problem, users connecting to a
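Review bot: the new gst-plugins-base1.0 entry names no CVE identifier, unlike the gvfs entry below it that cites CVE-2026-28296; listing the CVE(s) the pending DSA will cover would let the LTS team match this entry to the DSA when it is released, which is what the second note asks them to do.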



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d2362fe49158d13456a623e1dcc4b00885be27d5...12c93ca0eab0a1a3d017ee95597a258a6543767e



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
