Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
030adf81 by Sylvain Beucler at 2026-05-21T10:16:48+02:00
CVE-2026-42308,CVE-2026-42310/pillow: bullseye postponed

- - - - -
58649c97 by Sylvain Beucler at 2026-05-21T10:16:51+02:00
CVE-2026-8723/node-qs: bullseye postponed

- - - - -
c8dd66ae by Sylvain Beucler at 2026-05-21T10:16:54+02:00
CVE-2026-6321,CVE-2026-6322/node-ajv: fast-uri provided with >=forky, bullseye not-affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1581,6 +1581,7 @@ CVE-2026-8724 (A security flaw has been discovered in 
Dataease 2.10.20. Impacted
        NOT-FOR-US: Dataease
 CVE-2026-8723 (### Summary    `qs.stringify` throws `TypeError` when called 
with `arr ...)
        - node-qs <unfixed>
+       [bullseye] - node-qs <postponed> (Minor issue, DoS)
        NOTE: 
https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26
        NOTE: Fixed by: 
https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41 
(v6.15.2)
 CVE-2026-8721 (Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates 
passwo ...)
@@ -6591,6 +6592,7 @@ CVE-2026-42311 (Pillow is a Python imaging library. From 
version 10.3.0 to befor
        NOTE: Introduced by: 
https://github.com/python-pillow/Pillow/commit/c2907dc04967109391a77eea00f7d583a0a0395f
 (10.3.0)
 CVE-2026-42310 (Pillow is a Python imaging library. From version 4.2.0 to 
before versi ...)
        - pillow 12.2.0-1
+       [bullseye] - pillow <postponed> (Minor issue, DoS)
        NOTE: 
https://github.com/python-pillow/Pillow/security/advisories/GHSA-r73j-pqj5-w3x7
        NOTE: https://github.com/python-pillow/Pillow/pull/9519
        NOTE: Fixed by: 
https://github.com/python-pillow/Pillow/commit/3bf614e4b8615d0ce1d5039efaf6db447fe7c468
 (12.2.0)
@@ -6602,6 +6604,7 @@ CVE-2026-42309 (Pillow is a Python imaging library. From 
version 11.2.1 to befor
        NOTE: 
https://github.com/python-pillow/Pillow/security/advisories/GHSA-5xmw-vc9v-4wf2
 CVE-2026-42308 (Pillow is a Python imaging library. Prior to version 12.2.0, 
if a font ...)
        - pillow 12.2.0-1
+       [bullseye] - pillow <postponed> (Minor issue, UBSAN)
        NOTE: 
https://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j
        TODO: research fixing commit(s), maybe 
https://github.com/python-pillow/Pillow/pull/9518/changes
 CVE-2026-42307 (Vim is an open source, command line text editor. Prior to 
version 9.2. ...)
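Review bot: the new `[bullseye] - pillow <postponed> (Minor issue, UBSAN)` line is added while the entry's `TODO: research fixing commit(s)` is still open, so the postponement is recorded before it is known which upstream change would actually have to be backported. That is fine for a minor UBSAN-class finding, but the TODO should be resolved (or the `maybe https://github.com/python-pillow/Pillow/pull/9518/changes` reference confirmed as the fix) before any bullseye update that bundles this CVE with CVE-2026-42310 is scheduled, otherwise the postponed status has no identified fix behind it.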
@@ -10929,9 +10932,10 @@ CVE-2026-6322 (fast-uri normalize() decoded 
percent-encoded authority delimiters
        - node-ajv 8.20.0~ds+~cs6.1.3-1 (bug #1135998)
        [trixie] - node-ajv <no-dsa> (Minor issue)
        [bookworm] - node-ajv <no-dsa> (Minor issue)
+       [bullseye] - node-ajv <not-affected> (fast-uri not provided)
        NOTE: 
https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc
        NOTE: 
https://github.com/fastify/fast-uri/commit/6c86c17c3d76fb93aa3700ec6c0fa00faeb97293
 (v3.1.2)
-       NOTE: Embedded fast-uri used and provided as node-fast-uri
+       NOTE: Embedded fast-uri used and provided as node-fast-uri, starting 
with forky
 CVE-2026-6262 (The Betheme theme for WordPress is vulnerable to Arbitrary File 
Deleti ...)
        NOT-FOR-US: WordPress plugin
 CVE-2026-6261 (The Betheme theme for WordPress is vulnerable to Arbitrary File 
Upload ...)
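Review bot: the reworded note `NOTE: Embedded fast-uri used and provided as node-fast-uri, starting with forky` is ambiguous about what "starting with forky" qualifies: it can be read as "the embedded copy is only used from forky on" or as "the embedded copy is used in all suites but only provided as node-fast-uri from forky on". Given that bookworm and trixie stay `<no-dsa>` (i.e. affected) while bullseye becomes `<not-affected>`, the second reading seems intended; suggest making that explicit, e.g. `NOTE: Embedded fast-uri used; additionally provided as node-fast-uri starting with forky`, so the per-suite statuses can be checked against the note without guessing.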
@@ -11292,9 +11296,10 @@ CVE-2026-6321 (fast-uri decoded percent-encoded path 
separators and dot segments
        - node-ajv 8.20.0~ds+~cs6.1.3-1 (bug #1135998)
        [trixie] - node-ajv <no-dsa> (Minor issue)
        [bookworm] - node-ajv <no-dsa> (Minor issue)
+       [bullseye] - node-ajv <not-affected> (fast-uri not provided)
        NOTE: 
https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6
        NOTE: Fixed by: 
https://github.com/fastify/fast-uri/commit/876ce79b662c3e5015e4e7dffe6f37752ad34f35
 (v3.1.1)
-       NOTE: Embedded fast-uri used and provided as node-fast-uri
+       NOTE: Embedded fast-uri used and provided as node-fast-uri, starting 
with forky
 CVE-2026-6266 (A flaw was found in the AAP gateway. The user auto-link 
strategy, intr ...)
        NOT-FOR-US: Red Hat AAP gateway
 CVE-2026-6255 (The Simple Owl Shortcodes plugin for WordPress is vulnerable to 
Stored ...)
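Review bot: the bullseye reason string `(fast-uri not provided)` does not by itself justify `<not-affected>`, because according to the same entry bookworm and trixie also do not provide node-fast-uri and are nevertheless marked `<no-dsa>` (affected). What distinguishes bullseye must be that its node-ajv does not embed or use fast-uri at all; if that is the case, the reason should say so (for example "embedded fast-uri not present in bullseye's node-ajv"), and the same wording should be used in the matching CVE-2026-6322 line so the two entries stay consistent.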



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d4f16921b3673ea964a3adc01a13db029b08ab27...c8dd66ae17c720754f6c5355643de5249567ff6f



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
