Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f5ea73dc by Daniel Leidert at 2026-05-11T00:43:48+02:00
lts: mark CVE-2026-6502/qemu as not affecting Bullseye

- - - - -
68350170 by Daniel Leidert at 2026-05-11T00:45:25+02:00
lts: mark CVE-2026-44028,CVE-2026-44029/nix as not affecting Bullseye

- - - - -
ae104759 by Daniel Leidert at 2026-05-11T01:24:03+02:00
lts: add php7.4 to dla-needed

- - - - -
8eb362a4 by Daniel Leidert at 2026-05-11T01:32:47+02:00
Add suspected MR link that fixes CVE-2026-42308/pillow

- - - - -
9f799428 by Daniel Leidert at 2026-05-11T01:37:12+02:00
lts: mark CVE-2026-7246/python-click as postponed

- - - - -
7a875147 by Daniel Leidert at 2026-05-11T01:46:37+02:00
lts: add busybox to dla-needed

- - - - -
05f2f01f by Daniel Leidert at 2026-05-11T01:50:35+02:00
lts: add thunderbird to dla-needed

- - - - -
4a7662ae by Daniel Leidert at 2026-05-11T02:02:36+02:00
lts: mark a bunch of Curl related issues postponed

- - - - -
4d340bcf by Daniel Leidert at 2026-05-11T02:06:46+02:00
lts: mark CVE-2026-40686,CVE-2026-40687/exim4 as postponed

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -350,6 +350,7 @@ CVE-2026-42309 (Pillow is a Python imaging library. From 
version 11.2.1 to befor
 CVE-2026-42308 (Pillow is a Python imaging library. Prior to version 12.2.0, 
if a font ...)
        - pillow 12.2.0-1
        NOTE: 
https://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j
+       NOTE: https://github.com/python-pillow/Pillow/pull/9518/changes 
(suspected fix)
        TODO: research fixing commit(s)
 CVE-2026-42307 (Vim is an open source, command line text editor. Prior to 
version 9.2. ...)
        - vim 2:9.2.0428-1
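Review bot: the new NOTE for CVE-2026-42308 links a pull request (".../pull/9518/changes") and labels it "(suspected fix)", so the "TODO: research fixing commit(s)" line is rightly left in place; once the PR is confirmed as the fix, replace the PR link with the actual fixing commit hash in the usual "NOTE: Fixed by: <commit>" form and drop the "(suspected fix)" qualifier, so the entry matches the convention used by the qemu, exim4 and curl entries elsewhere in this push.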
@@ -4830,6 +4831,7 @@ CVE-2026-6502
        - qemu 1:11.0.0+ds-2
        [trixie] - qemu <no-dsa> (Minor issue)
        [bookworm] - qemu <not-affected> (Vulnerable code not present)
+       [bullseye] - qemu <not-affected> (Vulnerable code not present)
        NOTE: Introduced with: 
https://gitlab.com/qemu-project/qemu/-/commit/7c092f17cceef10258ed23006b40e19b14996471
 (v9.2.0-rc0)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/30fad722ce68316d22b926ba0e6017f0440465df
 CVE-2026-6907 (An issue was discovered in 6.0 before 6.0.5 and 5.2 before 
5.2.14. `dj ...)
@@ -4971,12 +4973,14 @@ CVE-2026-4362 (The ElementsKit Elementor Addons plugin 
for WordPress is vulnerab
 CVE-2026-44029 (An issue was discovered in Nix before 2.34.7. Writing to 
arbitrary fil ...)
        - nix <unfixed> (bug #1135777)
        [bookworm] - nix <not-affected> (Vulnerable code introduced later)
+       [bullseye] - nix <not-affected> (Vulnerable code introduced later)
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/04/33
        NOTE: 
https://github.com/NixOS/nix/security/advisories/GHSA-gr92-w2r5-qw5p
        NOTE: 
https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407
 CVE-2026-44028 (An issue was discovered in Nix before 2.34.7 and Lix before 
2.95.2. Un ...)
        - nix <unfixed> (bug #1135777)
        [bookworm] - nix <not-affected> (Vulnerable code introduced later)
+       [bullseye] - nix <not-affected> (Vulnerable code introduced later)
        NOTE: 
https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407
        NOTE: 
https://github.com/NixOS/nix/security/advisories/GHSA-vh5x-56v6-4368
        NOTE: https://www.openwall.com/lists/oss-security/2026/05/04/33
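Review bot: both nix entries (CVE-2026-44029 and CVE-2026-44028) now assert "Vulnerable code introduced later" for bullseye, mirroring the existing bookworm marking, but neither entry carries an "Introduced by" NOTE naming the commit or first affected upstream version, unlike the qemu entry in this same push, which backs its not-affected markings with "Introduced with: ... (v9.2.0-rc0)". Add the introducing commit or version to each nix entry so the bookworm and bullseye not-affected markings can be re-checked later without redoing the research.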
@@ -6954,6 +6958,7 @@ CVE-2026-7246 (Pallets Click, versions 8.3.2 and below, 
contain a command inject
        - python-click <unfixed> (bug #1135379)
        [trixie] - python-click <no-dsa> (Minor issue)
        [bookworm] - python-click <no-dsa> (Minor issue)
+       [bullseye] - python-click <postponed> (Minor issue; can be fixed in 
next update)
        NOTE: 
https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw
        NOTE: Fixed by: 
https://github.com/pallets/click/commit/b96c2601af4e01341b4d2c0db494ebee4aef8f42
 (8.3.3)
 CVE-2026-7164 (Incorrect packet validation allowed unbounded recursion parsing 
SCTP c ...)
@@ -7538,11 +7543,13 @@ CVE-2026-40686 (In Exim before 4.99.2, when utf8 
operators are enabled, there is
        - exim4 4.99.2-1
        [trixie] - exim4 <no-dsa> (Minor issue)
        [bookworm] - exim4 <no-dsa> (Minor issue)
+       [bullseye] - exim4 <postponed> (Minor issue; can be fixed in next 
update)
        NOTE: Fixed by: 
https://code.exim.org/exim/exim/commit/f2570bde16fb4d4a1242ff363a4c4eecf6372efc
 CVE-2026-40687 (In Exim before 4.99.2, when the SPA authentication driver is 
used with ...)
        - exim4 4.99.2-1
        [trixie] - exim4 <no-dsa> (Minor issue)
        [bookworm] - exim4 <no-dsa> (Minor issue)
+       [bullseye] - exim4 <postponed> (Minor issue; can be fixed in next 
update)
        NOTE: Fixed by: 
https://code.exim.org/exim/exim/commit/68b963b9f75ca27b38e1c0f8c87037990199f505
 CVE-2026-7466 (AgentFlow contains an arbitrary code execution vulnerability 
that allo ...)
        NOT-FOR-US: AgentFlow
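Review bot: the two exim4 descriptions visible here gate the issues on configuration ("when utf8 operators are enabled" for CVE-2026-40686, "when the SPA authentication driver is used" for CVE-2026-40687), yet the bullseye postponed justification is just "Minor issue; can be fixed in next update", copied from the bookworm no-dsa reason. Recording that precondition in the justification, e.g. "Minor issue; needs utf8 operators enabled; can be fixed in next update", would make the postponed decision self-explanatory when the next exim4 DLA is prepared.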
@@ -7743,6 +7750,7 @@ CVE-2026-7168
        - curl 8.20.0-1
        [trixie] - curl <no-dsa> (Minor issue)
        [bookworm] - curl <no-dsa> (Minor issue)
+       [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
        NOTE: https://curl.se/docs/CVE-2026-7168.html
        NOTE: Introduced by: 
https://github.com/curl/curl/commit/fc6eff13b5414caf6edf22d73a3239e074a04216 
(curl-7_12_0)
        NOTE: Fixed by: 
https://github.com/curl/curl/commit/c1cfdf59acbaf9504c4578d4cf56cdd7c8594507 
(curl-8_20_0)
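Review bot: this is the first of seven curl issues marked "<postponed> (Minor issue; can be fixed in next update)" for bullseye in this push, but the data/dla-needed.txt part of the same push does not add curl, while busybox is added there with the justification that "a bunch of issues has piled up". With seven postponed entries now pending, either add curl to dla-needed with a note listing them, or record where the bundled update is being tracked, so the "next update" the justification refers to actually exists. The introducing tag here (curl-7_12_0) is old enough that the affected status itself is not in question.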
@@ -7753,6 +7761,7 @@ CVE-2026-6429
        - curl 8.20.0~rc3-1
        [trixie] - curl <no-dsa> (Minor issue)
        [bookworm] - curl <no-dsa> (Minor issue)
+       [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
        NOTE: https://curl.se/docs/CVE-2026-6429.html
        NOTE: Introduced by: 
https://github.com/curl/curl/commit/01165e08e0d131b399fba2190f17af67e66f0888 
(curl-7_14_0)
        NOTE: Fixed by: 
https://github.com/curl/curl/commit/b4024bf808bd558026fdc6096e8457f199ace306 
(rc-8_20_0-3)
@@ -7760,6 +7769,7 @@ CVE-2026-6253
        - curl 8.20.0~rc3-1
        [trixie] - curl <no-dsa> (Minor issue)
        [bookworm] - curl <no-dsa> (Minor issue)
+       [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
        NOTE: https://curl.se/docs/CVE-2026-6253.html
        NOTE: Introduced by: 
https://github.com/curl/curl/commit/3b60bb725913ce7339aefef0a14b12df4c24db60 
(curl-7_14_1)
        NOTE: Fixed by: 
https://github.com/curl/curl/commit/188c2f166a20fa97c2325b2da7d0e5cecc13725f 
(rc-8_20_0-3)
@@ -7771,6 +7781,7 @@ CVE-2026-5773
        - curl 8.20.0~rc2-1
        [trixie] - curl <no-dsa> (Minor issue)
        [bookworm] - curl <no-dsa> (Minor issue)
+       [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
        NOTE: https://curl.se/docs/CVE-2026-5773.html
        NOTE: Introduced by: 
https://github.com/curl/curl/commit/aec2e865f06669b9cb5d26cc1148d70bc418b163 
(curl-7_40_0)
        NOTE: Fixed by: 
https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571 
(rc-8_20_0-2)
@@ -7778,6 +7789,7 @@ CVE-2026-5545
        - curl 8.20.0~rc2-1
        [trixie] - curl <no-dsa> (Minor issue)
        [bookworm] - curl <no-dsa> (Minor issue)
+       [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
        NOTE: https://curl.se/docs/CVE-2026-5545.html
        NOTE: Introduced by: 
https://github.com/curl/curl/commit/e56ae1426cb7a0a4a427cf8d6099a821fdaae428 
(curl-7_10_6)
        NOTE: Fixed by: 
https://github.com/curl/curl/commit/33e43985b8f3b9e66691d06e70be0395849856cd 
(rc-8_20_0-1)
@@ -7785,6 +7797,7 @@ CVE-2026-4873
        - curl 8.20.0~rc2-1
        [trixie] - curl <no-dsa> (Minor issue)
        [bookworm] - curl <no-dsa> (Minor issue)
+       [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
        NOTE: https://curl.se/docs/CVE-2026-4873.html
        NOTE: Introduced by: 
https://github.com/curl/curl/commit/ec3bb8f727405642a471b4b1b9eb0118fc003104 
(curl-7_20_0)
        NOTE: Fixed by: 
https://github.com/curl/curl/commit/507e7be573b0a76fca597b75ff7cb27a66e7d865 
(rc-8_20_0-1)
@@ -7792,6 +7805,7 @@ CVE-2026-6276
        - curl 8.20.0~rc3-1
        [trixie] - curl <no-dsa> (Minor issue)
        [bookworm] - curl <no-dsa> (Minor issue)
+       [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
        NOTE: https://curl.se/docs/CVE-2026-6276.html
        NOTE: Introduced by: 
https://github.com/curl/curl/commit/e15e51384a423be31318b3c9c7d612a1aae661fd 
(curl-7_71_0)
        NOTE: Fixed by: 
https://github.com/curl/curl/commit/3a19987a87f393d9394fe5acc7643f6c263c92db 
(rc-8_20_0-3)
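Review bot: CVE-2026-6276 has the newest introducing tag of this batch (curl-7_71_0; the others go back to curl-7_10_6, 7_12_0, 7_14_0, 7_14_1, 7_20_0 and 7_40_0), so it is the entry whose affected status for bullseye most deserves an explicit check against the bullseye curl version before it is bundled into the postponed update; if it turned out to be introduced after the bullseye version, the marking would have to be "<not-affected> (Vulnerable code not present)" rather than postponed. The "Fixed by" NOTE references an rc tag (rc-8_20_0-3) consistent with the "curl 8.20.0~rc3-1" sid fix version, so that part is internally consistent.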


=====================================
data/dla-needed.txt
=====================================
@@ -56,6 +56,10 @@ bouncycastle
   NOTE: 20260417: Added by Front-Desk (rouca)
   NOTE: 20260417: Priority: Fix CVE-2026-5588 then try to fix other pilled CVE 
(rouca/FD)
 --
+busybox
+  NOTE: 20260511: Added by Front-Desk (dleidert)
+  NOTE: 20260511: A bunch of issues has piled up and last update was in early 
2025 (dleidert/front-desk)
+--
 c3p0
   NOTE: 20260414: Added by Front-Desk (rouca)
 --
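Review bot: grammar in the second busybox NOTE: "A bunch of issues has piled up" should read "A bunch of issues have piled up". The note would also be more actionable if it listed the postponed CVE IDs or at least a count, since "last update was in early 2025" is currently the only concrete pointer for whoever picks the package up.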
@@ -437,6 +441,10 @@ php-phpseclib (utkarsh)
   NOTE: 20260327: Added by Front-Desk (Beuc)
   NOTE: 20260327: Upcoming DSA; fix also the postponed issue (Beuc/front-desk)
 --
+php7.4
+  NOTE: 20260511: Added by Front-Desk (dleidert)
+  NOTE: A bunch of CVEs has piled up (dleidert/front-desk)
+--
 postorius
   NOTE: 20260508: Added by Front-Desk (dleidert)
   NOTE: 20260508: Follow DSA and possibly prepare OSPU (dleidert/front-desk)
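Review bot: the second php7.4 NOTE line is missing the date prefix that every other entry in this file uses (compare "NOTE: 20260511: Added by Front-Desk (dleidert)" directly above it and the busybox entry in this same push), and "A bunch of CVEs has piled up" should read "have piled up". Suggested line: "  NOTE: 20260511: A bunch of CVEs have piled up (dleidert/front-desk)".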
@@ -535,6 +543,10 @@ suricata
   NOTE: 20250331: re added to fix next bunch of CVEs (ta)
   NOTE: 20250825: testing package (ta)
 --
+thunderbird
+  NOTE: 20260511: Added by Front-Desk (dleidert)
+  NOTE: 20260511: Follow DSA when released (dleidert/front-desk)
+--
 trafficserver
   NOTE: 20241120: Added by Front-Desk (Beuc)
   NOTE: 20241120: Upcoming DSA (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/787d3d1f8386c3fc4b5341fee5b4c696dd20d3d7...4d340bcf5641991c5ab96891697e1ce88818a2b7



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits