Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5c46a819 by Moritz Muehlenhoff at 2026-05-08T13:05:44+02:00
new go issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -171,9 +171,23 @@ CVE-2026-42880 (Argo CD is a declarative, GitOps 
continuous delivery tool for Ku
 CVE-2026-42826 (Exposure of sensitive information to an unauthorized actor in 
Azure De ...)
        NOT-FOR-US: Microsoft
 CVE-2026-42501 (A malicious module proxy can exploit a flaw in the go 
command's valida ...)
-       TODO: check
+       - golang-1.25 1.25.10-1
+       - golang-1.26 1.26.3-1
+       - golang-1.24 <removed>
+       - golang-1.19 <removed>
+       - golang-1.15 <removed>
+       NOTE: https://go-review.googlesource.com/c/go/+/775321
+       NOTE: https://github.com/golang/go/issues/79070
+       NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
 CVE-2026-42499 (Pathological inputs could cause DoS through consumePhrase when 
parsing ...)
-       TODO: check
+       - golang-1.25 1.25.10-1
+       - golang-1.26 1.26.3-1
+       - golang-1.24 <removed>
+       - golang-1.19 <removed>
+       - golang-1.15 <removed>
+       NOTE: https://go-review.googlesource.com/c/go/+/771520
+       NOTE: https://github.com/golang/go/issues/78987
+       NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
 CVE-2026-42449 (n8n-MCP is an MCP server that provides AI assistants access to 
n8n nod ...)
        NOT-FOR-US: n8n-MCP
 CVE-2026-42279 (solidtime is an open-source time-tracking app. In version 
0.12.0, the  ...)
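Review bot: The CVE-2026-42501 and CVE-2026-42499 entries each list two fixed versions (golang-1.25 1.25.10-1 and golang-1.26 1.26.3-1) but only one go-review NOTE, with nothing to say which branch that change belongs to or that it is the fix. Consider labelling the go-review line (for example "NOTE: Fixed by: ...") and naming the upstream release it landed in, so the fixed versions can be checked against it without opening the announcement.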
@@ -246,19 +260,68 @@ CVE-2026-40213 (OpenStack Cyborg before 16.0.1 uses 
rule:allow (check_str='@') a
 CVE-2026-3508 (An Out-of-bounds Read vulnerability in the IOCTL handler in 
ASUS Syste ...)
        NOT-FOR-US: ASUS
 CVE-2026-39836 (The Dial and LookupPort functions panic on Windows when 
provided with  ...)
-       TODO: check
+       - golang-1.25 <not-affected> (Windows-specific)
+       - golang-1.26 <not-affected> (Windows-specific)
+       - golang-1.24 <not-affected> (Windows-specific)
+       - golang-1.19 <not-affected> (Windows-specific)
+       - golang-1.15 <not-affected> (Windows-specific)
+       NOTE: https://go-review.googlesource.com/c/go/+/775320
+       NOTE: https://github.com/golang/go/issue/79006
+       NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
 CVE-2026-39826 (If a trusted template author were to write a <script> tag 
containing a ...)
-       TODO: check
+       - golang-1.25 1.25.10-1
+       - golang-1.26 1.26.3-1
+       - golang-1.24 <removed>
+       - golang-1.19 <removed>
+       - golang-1.15 <removed>
+       NOTE: https://go-review.googlesource.com/c/go/+/771180
+       NOTE: https://github.com/golang/go/issues/78981
+       NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
 CVE-2026-39825 (ReverseProxy can forward queries containing parameters not 
visible to  ...)
-       TODO: check
+       - golang-1.25 1.25.10-1
+       - golang-1.26 1.26.3-1
+       - golang-1.24 <removed>
+       - golang-1.19 <removed>
+       - golang-1.15 <removed>
+       NOTE: https://go-review.googlesource.com/c/go/+/770541
+       NOTE: https://github.com/golang/go/issues/78948
+       NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
 CVE-2026-39823 (CVE-2026-27142 fixed a vulnerability in which URLs were not 
correctly  ...)
-       TODO: check
+       - golang-1.25 1.25.10-1
+       - golang-1.26 1.26.3-1
+       - golang-1.24 <removed>
+       - golang-1.19 <removed>
+       - golang-1.15 <removed>
+       NOTE: https://go-review.googlesource.com/c/go/+/769920
+       NOTE: https://github.com/golang/go/issues/78913
+       NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
 CVE-2026-39820 (Well-crafted inputs reaching ParseAddress, ParseAddressList, 
and Parse ...)
-       TODO: check
+       - golang-1.25 1.25.10-1
+       - golang-1.26 1.26.3-1
+       - golang-1.24 <removed>
+       - golang-1.19 <removed>
+       - golang-1.15 <removed>
+       NOTE: https://go-review.googlesource.com/c/go/+/759940
+       NOTE: https://github.com/golang/go/issues/78566
+       NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
 CVE-2026-39819 (The "go bug" command writes to two files with predictable 
names in the ...)
-       TODO: check
+       - golang-1.25 1.25.10-1
+       - golang-1.26 1.26.3-1
+       - golang-1.24 <removed>
+       - golang-1.19 <removed>
+       - golang-1.15 <removed>
+       NOTE: https://go-review.googlesource.com/c/go/+/763882
+       NOTE: https://github.com/golang/go/issues/78584
+       NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
 CVE-2026-39817 (The "go tool pack" subcommand (usually used only by the 
compiler as an ...)
-       TODO: check
+       - golang-1.25 1.25.10-1
+       - golang-1.26 1.26.3-1
+       - golang-1.24 <removed>
+       - golang-1.19 <removed>
+       - golang-1.15 <removed>
+       NOTE: https://go-review.googlesource.com/c/go/+/767520
+       NOTE: https://github.com/golang/go/issues/78778
+       NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
 CVE-2026-35435 (Improper access control in Azure AI Foundry M365 published 
agents allo ...)
        NOT-FOR-US: Microsoft
 CVE-2026-35428 (Improper neutralization of special elements used in a command 
('comman ...)
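Review bot: In the CVE-2026-39836 entry the GitHub NOTE uses the path /golang/go/issue/79006, while every other entry in this commit uses /golang/go/issues/<n>. Change it to https://github.com/golang/go/issues/79006 so the reference matches the others.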
@@ -272,7 +335,14 @@ CVE-2026-33823 (Improper authorization in Microsoft Teams 
allows an authorized a
 CVE-2026-33814 (When processing HTTP/2 SETTINGS frames, transport will enter 
an infini ...)
        TODO: check
 CVE-2026-33811 (When using LookupCNAME with the cgo DNS resolver, a very long 
CNAME re ...)
-       TODO: check
+       - golang-1.25 1.25.10-1
+       - golang-1.26 1.26.3-1
+       - golang-1.24 <removed>
+       - golang-1.19 <removed>
+       - golang-1.15 <removed>
+       NOTE: https://go-review.googlesource.com/c/go/+/767860
+       NOTE: https://github.com/golang/go/issues/78803
+       NOTE: https://groups.google.com/g/golang-announce/c/qcCIEXso47M
 CVE-2026-33111 (Improper neutralization of special elements used in a command 
('comman ...)
        NOT-FOR-US: Microsoft
 CVE-2026-33109 (Improper access control in Azure Managed Instance for Apache 
Cassandra ...)
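Review bot: CVE-2026-33814, the context entry directly above CVE-2026-33811, is left at "TODO: check" although its description (HTTP/2 SETTINGS frames, transport) reads as if it could belong to the same Go batch. If it does, triage it in this commit as well, or add a NOTE saying why it is deferred.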



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c46a81939db26c10ca630dc47c6e5e0ea6e942c
