Sylvain Beucler pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
d7b54c72 by Sylvain Beucler at 2026-05-23T09:05:15+02:00
CVE-2026-8376/perl: bullseye postponed
- - - - -
3f1c6b8e by Sylvain Beucler at 2026-05-23T09:05:18+02:00
golang-go.crypto: limited bullseye support
- - - - -
c4f26fbe by Sylvain Beucler at 2026-05-23T09:05:21+02:00
CVE-2026-42154/prometheus: bullseye postponed
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -314,58 +314,71 @@ CVE-2026-47101 (LiteLLM prior to 1.83.14 allows an
authenticated internal_user t
NOT-FOR-US: LiteLLM
CVE-2026-46598 (For certain crafted inputs, a 'ed25519.PrivateKey' was created
by cast ...)
- golang-go.crypto <unfixed>
+ [bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79596
CVE-2026-46597 (An incorrectly placed cast from bytes to int allowed for
server-side p ...)
- golang-go.crypto <unfixed>
+ [bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79561
CVE-2026-46595 (Previously, CVE-2024-45337 fixed an authorization bypass for
misused s ...)
- golang-go.crypto <unfixed>
+ [bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79570
CVE-2026-44409 (There is an an information disclosure vulnerability in ZTE
MU5250. Due ...)
NOT-FOR-US: ZTE
CVE-2026-42508 (Previously, a revoked 'SignatureKey' belonging to a CA was not
correct ...)
- golang-go.crypto <unfixed>
+ [bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79568
CVE-2026-3481 (The WP Blockade plugin for WordPress is vulnerable to Reflected
Cross- ...)
NOT-FOR-US: WordPress plugin
CVE-2026-39835 (SSH servers which use CertChecker as a public key callback
without set ...)
- golang-go.crypto <unfixed>
+ [bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79563
CVE-2026-39834 (When writing data larger than 4GB in a single Write call on an
SSH cha ...)
- golang-go.crypto <unfixed>
+ [bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79567
CVE-2026-39833 (The in-memory keyring returned by NewKeyring() silently
accepted keys ...)
- golang-go.crypto <unfixed>
+ [bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79436
CVE-2026-39832 (When adding a key to a remote agent constraint extensions such
as rest ...)
- golang-go.crypto <unfixed>
+ [bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79435
CVE-2026-39831 (The Verify() method for FIDO/U2F security key types
(sk-ecdsa-sha2-nis ...)
- golang-go.crypto <unfixed>
+ [bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79566
CVE-2026-39830 (A malicious SSH peer could send unsolicited global request
responses t ...)
- golang-go.crypto <unfixed>
+ [bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79564
CVE-2026-39829 (The RSA and DSA public key parsers did not enforce size limits
on key ...)
- golang-go.crypto <unfixed>
+ [bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79565
CVE-2026-39828 (When an SSH server authentication callback returned
PartialSuccessErro ...)
- golang-go.crypto <unfixed>
+ [bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/79562
CVE-2026-39827 (An authenticated SSH client that repeatedly opened channels
which were ...)
- golang-go.crypto <unfixed>
+ [bullseye] - golang-go.crypto <postponed> (Limited support, follow
bookworm DSAs/point-releases)
NOTE: https://www.openwall.com/lists/oss-security/2026/05/22/6
NOTE: https://github.com/golang/go/issues/35127
CVE-2026-34911 (A malicious actor with access to the network and low
privileges could ...)
@@ -393,6 +406,7 @@ CVE-2026-8376 [Buffer overflow in Perl_study_chunk]
- perl <unfixed> (bug #1137345)
[trixie] - perl <no-dsa> (Minor issue; can be fixed in point release)
[bookworm] - perl <no-dsa> (Minor issue; can be fixed in point release)
+ [bullseye] - perl <postponed> (Minor issue; can be fixed in point
release)
NOTE: https://github.com/Perl/perl5/pull/24433
CVE-2026-9157 (Improper input validation, Unrestricted upload of file with
dangerous ...)
NOT-FOR-US: Gmission
@@ -12207,6 +12221,7 @@ CVE-2026-42220 (Nginx UI is a web user interface for
the Nginx web server. Prior
NOT-FOR-US: Nginx UI
CVE-2026-42154 (Prometheus is an open-source monitoring system and time series
databas ...)
- prometheus <unfixed> (bug #1135999)
+ [bullseye] - prometheus <postponed> (Minor issue, DoS)
NOTE:
https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm
NOTE: https://github.com/prometheus/prometheus/pull/18584
NOTE: https://github.com/prometheus/prometheus/pull/18585
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2d6327e855696c49c5da9ee80c2f8446fdcee718...c4f26fbe8b24c1df0d6e5ce0f6ab8a4fbb408b63
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2d6327e855696c49c5da9ee80c2f8446fdcee718...c4f26fbe8b24c1df0d6e5ce0f6ab8a4fbb408b63
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
