Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e2bbbeb5 by Arnaud Rebillout at 2026-05-12T09:38:46+02:00
Ignore CVE-2026-3446 for python3.11 (bookworm)

- - - - -
9ba6af61 by Salvatore Bonaccorso at 2026-05-12T09:39:53+02:00
Expand note for CVE-2026-3446

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -17824,7 +17824,7 @@ CVE-2026-3446 (When calling base64.b64decode() or 
related functions the decoding
        - python3.13 <unfixed>
        [trixie] - python3.13 <no-dsa> (Minor issue)
        - python3.11 <removed>
-       [bookworm] - python3.11 <no-dsa> (Minor issue)
+       [bookworm] - python3.11 <ignored> (Not backported to older Python 
releases due to compat concerns)
        - python3.9 <removed>
        - python2.7 <removed>
        [bullseye] - python2.7 <end-of-life> (limited support in bullseye)
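Review bot: The new reason on the [bookworm] python3.11 line, "Not backported to older Python releases due to compat concerns", does not say who declined the backport. The status reason is often read on its own, away from the NOTE lines, so consider wording it as "Not backported upstream to older Python releases due to compat concerns" so it is clear the decision is upstream's and not a Debian-side triage call.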
@@ -17838,6 +17838,8 @@ CVE-2026-3446 (When calling base64.b64decode() or 
related functions the decoding
        NOTE: Fixed by: 
https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e
 (v3.15.0a8)
        NOTE: Fixed by: 
https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa
 (v3.14.4)
        NOTE: Fixed by: 
https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474
 (v3.13.13)
+       NOTE: Risk for broken compatibility concerns for older versions, thus 
will not be backported upstream:
+       NOTE: 
https://github.com/python/cpython/issues/145264#issuecomment-4409789500
 CVE-2026-36236 (SourceCodester Engineers Online Portal v1.0 is vulnerable to 
SQL Injec ...)
        NOT-FOR-US: SourceCodester
 CVE-2026-36235 (A SQL injection vulnerability was found in the 
scheduleSubList.php fil ...)
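Review bot: The added NOTE "Risk for broken compatibility concerns for older versions, thus will not be backported upstream:" is hard to parse and leaves "older versions" undefined. The Fixed by lines above it cover v3.15.0a8, v3.14.4 and v3.13.13, so naming the branches that will not receive the fix would remove the ambiguity, for example "Upstream will not backport to <branches> because of compatibility risk:", followed by the issue comment link as it is now.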
@@ -34562,6 +34564,7 @@ CVE-2025-13462 (The "tarfile" module would still apply 
normalization of AREGTYPE
        NOTE: 
https://github.com/python/cpython/commit/7ad3093d76a748af55bdb1d2e8aad3638163b017
 (3.14 branch)
        NOTE: 
https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7
 (3.13 branch)
        NOTE: 
https://github.com/python/cpython/commit/9a23b753552afa28e3a2f4d8863572fc66479406
 (3.11 branch)
+       NOTE: Reproducer: https://github.com/PyO3/maturin/issues/2855
 CVE-2019-25543 (Netartmedia Real Estate Portal 5.0 contains an SQL injection 
vulnerabi ...)
        NOT-FOR-US: Netartmedia
 CVE-2019-25542 (Netartmedia Real Estate Portal 5.0 contains a SQL injection 
vulnerabil ...)
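Review bot: The added "NOTE: Reproducer:" line for CVE-2025-13462 links to an issue in PyO3/maturin rather than in cpython, and nothing in the note says how that issue relates to the tarfile AREGTYPE normalization problem. A few words of context after the URL would help readers judge whether it demonstrates the vulnerability or a breakage seen after the fix. Both commit messages in this push mention only CVE-2026-3446, so this line would be easier to find in history if it were in its own commit or named in the message.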



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d42e1f2fad4a42f97821de223490cfe51d613505...9ba6af61bbe2bb1ec74100c2c9b17fd93b35df46



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
