Sylvain Beucler pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
f8310829 by Sylvain Beucler at 2026-05-11T14:06:46+02:00
Reserve DLA-4576-1 for p7zip
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -93917,7 +93917,6 @@ CVE-2025-11002 (7-Zip ZIP File Parsing Directory
Traversal Remote Code Execution
[bookworm] - 7zip <no-dsa> (Minor issue)
- p7zip 16.02+transitional.1
[bookworm] - p7zip <no-dsa> (Minor issue)
- [bullseye] - p7zip <postponed> (Minor issue; can be fixed in next
update)
NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source
package
NOTE: depending on 7zip. Mark this version as fixed version.
NOTE: https://github.com/ip7z/7zip/releases/tag/25.00
@@ -93928,7 +93927,6 @@ CVE-2025-11001 (7-Zip ZIP File Parsing Directory
Traversal Remote Code Execution
[bookworm] - 7zip <no-dsa> (Minor issue)
- p7zip 16.02+transitional.1
[bookworm] - p7zip <no-dsa> (Minor issue)
- [bullseye] - p7zip <postponed> (Minor issue; can be fixed in next
update)
NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source
package
NOTE: depending on 7zip. Mark this version as fixed version.
NOTE: https://github.com/ip7z/7zip/releases/tag/25.00
@@ -117379,7 +117377,6 @@ CVE-2025-55188 (7-Zip before 25.01 does not always
properly handle symbolic link
[bookworm] - 7zip <no-dsa> (Minor issue)
- p7zip 16.02+transitional.1
[bookworm] - p7zip <no-dsa> (Minor issue)
- [bullseye] - p7zip <postponed> (Minor issue)
NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source
package
NOTE: depending on 7zip. Mark this version as fixed version.
NOTE: https://github.com/ip7z/7zip/releases/tag/25.01
@@ -236259,7 +236256,6 @@ CVE-2023-52168 (The NtfsHandler.cpp NTFS handler in
7-Zip before 24.01 (for 7zz)
[bookworm] - 7zip 22.01+dfsg-8+deb12u1
- p7zip 16.02+transitional.1
[bookworm] - p7zip <no-dsa> (Minor issue)
- [bullseye] - p7zip <postponed> (Minor issue, sourceforge but is not
public)
NOTE: https://sourceforge.net/p/sevenzip/bugs/2402/
NOTE: https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/
NOTE: https://www.openwall.com/lists/oss-security/2024/07/03/10
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[11 May 2026] DLA-4576-1 p7zip - security update
+ {CVE-2022-47069 CVE-2023-31102 CVE-2023-40481 CVE-2023-52168
CVE-2023-52169 CVE-2024-11612 CVE-2025-11001 CVE-2025-11002 CVE-2025-53817
CVE-2025-55188}
+ [bullseye] - p7zip 16.02+really25.01+dfsg-0+deb11u1
[09 May 2026] DLA-4575-1 firefox-esr - security update
{CVE-2026-8090 CVE-2026-8092 CVE-2026-8094}
[bullseye] - firefox-esr 140.10.2esr-1~deb11u1
=====================================
data/dla-needed.txt
=====================================
@@ -392,29 +392,6 @@ openvswitch
orthanc
NOTE: 20260419: Added by Front-Desk (rouca)
--
-p7zip (Sylvain Beucler)
- NOTE: 20251020: Added by Front-Desk (dleidert)
- NOTE: 20251020: I disagree with the low-severity ratings; but finding the
patches might be a hard (dleidert/front-desk)
- NOTE: 20260106: CVE-2023-52168 & CVE-2025-55188: should be patchable
- NOTE: 20260106: CVE-2025-11001 & CVE-2025-11002: no isolated patch
- NOTE: 20260106: Proposed EOL or full replacement with 7zip (Beuc)
- NOTE: 20260106:
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/306
- NOTE: 20260211: Proposed semi-backport for 7zip/bookworm (Beuc)
- NOTE: 20260211: https://lists.debian.org/debian-lts/2026/02/msg00019.html
- NOTE: 20260303: Ongoing similar work for _p_7zip/bookworm, and then
downwards (Beuc)
- NOTE: 20260305: Proposed _p_7zip-compatible bookworm->stretch packages (Beuc)
- NOTE: 20260305: https://lists.debian.org/debian-lts/2026/03/msg00009.html
- NOTE: 20260306: Proposed semi-backport for 7zip/bookworm as OSPU (Beuc)
- NOTE: 20260306: https://bugs.debian.org/1129934
- NOTE: 20260321: Ping'd OSPU ^ (Beuc)
- NOTE: 20260410: Lower 7zip/bookworm OSPU version scheme 25 -> 22+really25
- NOTE: 20260410: to avoid bookworm->trixie and bookworm-backports upgrade
conflicts
- NOTE: 20260410: 7zip/bookworm-backports updated to better test
bookworm->trixie upgrades
- NOTE: 20260410: 7zip/trixie SPU submitted to fix transition versions (Beuc)
- NOTE: 20260410: https://bugs.debian.org/1133148
- NOTE: 20260430: Still waiting for SRMs review, no feedback (Beuc)
- NOTE: 20260503: SRM approved, user testing through bookworm-proposed-updates
until OSPU freeze 2026-05-09 (Beuc)
---
p7zip-rar (Sylvain Beucler)
NOTE: 20250719: Added by Front-Desk (Beuc)
NOTE: 20260106: CVE-2025-53816: no isolated patch, hard to determine if
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f8310829139bc2d33684271b20f8f28e40f97f3c
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f8310829139bc2d33684271b20f8f28e40f97f3c
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
