Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2890c6a0 by Daniel Leidert at 2026-06-01T03:54:52+02:00
lts: mark CVE-2026-41150,CVE-2026-41159/node-mermaid as postponed

- - - - -
567a40ed by Daniel Leidert at 2026-06-01T03:54:53+02:00
lts: mark CVE-2026-48850..CVE-2026-48852/putty as postponed

- - - - -
5c837c3b by Daniel Leidert at 2026-06-01T03:54:53+02:00
lts: mark CVE-2026-46644/php-symfony-polyfill as postponed

- - - - -
30aa26be by Daniel Leidert at 2026-06-01T03:54:53+02:00
lts: mark CVE-2026-49299/neutron as postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -576,11 +576,13 @@ CVE-2026-42929 (Danelec MacGregor Voyage Data Recorder 
includes default accounts
        NOT-FOR-US: Danelec
 CVE-2026-41159 (Mermaid is a JavaScript tool that uses Markdown-inspired text 
to creat ...)
        - node-mermaid <removed>
+       [bullseye] - node-mermaid <postponed> (Minor issue, no rdeps)
        NOTE: 
https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p
        NOTE: 
https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa
 ([email protected])
        NOTE: 
https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76
 (v10.9.6)
 CVE-2026-41150 (Mermaid is a JavaScript tool that uses Markdown-inspired text 
to creat ...)
        - node-mermaid <removed>
+       [bullseye] - node-mermaid <postponed> (Minor issue, no rdeps)
        NOTE: 
https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh
        NOTE: 
https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e
 ([email protected])
        NOTE: 
https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6
 (v10.9.6)
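
Review bot: the reason on both added `[bullseye] - node-mermaid <postponed>` lines is written `(Minor issue, no rdeps)` with a comma, while the other postponed entries in this push separate the two parts with a semicolon (`Minor issue; can be fixed with next upload`). Writing `Minor issue; no rdeps` would keep the reason strings uniform for anyone searching the list. Because the unversioned entry is `<removed>`, there is no newer Debian upload to take a fix from, so a later backport would have to start from the v10.9.6 commits already listed in the NOTE lines.
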
@@ -1229,6 +1231,7 @@ CVE-2026-49299 (In OpenStack Neutron before 28.0.1, the 
tagging controller enfor
        - neutron 2:28.0.0-4 (bug #1138172)
        [trixie] - neutron <no-dsa> (Minor issue)
        [bookworm] - neutron <no-dsa> (Minor issue)
+       [bullseye] - neutron <postponed> (Minor issue; can be fixed with next 
upload)
        NOTE: https://security.openstack.org/ossa/OSSA-2026-016.html
 CVE-2026-49130 (Music Player Daemon (MPD) before version 0.24.11 contains a 
CRLF injec ...)
        - mpd <unfixed> (bug #1138215)
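
Review bot: the added `[bullseye] - neutron <postponed>` line says the issue can be fixed with the next upload, but the entry's only reference is the OSSA-2026-016 advisory and no upstream commit is recorded. A `NOTE: Fixed by:` line pointing at the patch for the tagging controller would let whoever prepares that upload find the change without going back through the advisory.
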
@@ -5151,6 +5154,7 @@ CVE-2025-14361 (Missing Authorization vulnerability in 
AA-Team Woocommerce Envat
 CVE-2026-46644 [insecure equivalence in symfony/polyfill-intl-idn for 
ASCII-only xn-- labels]
        - php-symfony-polyfill 1.38.1-1
        [bookworm] - php-symfony-polyfill <no-dsa> (Minor issue)
+       [bullseye] - php-symfony-polyfill <postponed> (Minor issue; can be 
fixed with next upload)
        NOTE: 
https://symfony.com/blog/cve-2026-46644-insecure-equivalence-in-symfony-polyfill-intl-idn-for-ascii-only-xn-labels
        NOTE: 
https://github.com/symfony/polyfill/security/advisories/GHSA-2xf4-cg6j-vhgq
 CVE-2026-48962 (IO::Compress versions before 2.220 for Perl can execute 
arbitrary code ...)
@@ -5704,6 +5708,7 @@ CVE-2026-48852 (PuTTY 0.71 before 0.84 has an assertion 
failure in ECDSA signatu
        - putty 0.84-1
        [trixie] - putty <no-dsa> (Minor issue)
        [bookworm] - putty <no-dsa> (Minor issue)
+       [bullseye] - putty <postponed> (Minor issue; can be fixed with next 
upload)
        NOTE: 
https://lists.tartarus.org/pipermail/putty-announce/2026/000042.html
        NOTE: 
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/ecdsa-remotely-triggerable-assertion.html
        NOTE: Fixed by: 
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=65b8f37c34cd80680693e813e0081cdafaf58324
 (0.84)
@@ -5711,6 +5716,7 @@ CVE-2026-48851 (PuTTY 0.77 before 0.84 uses a copy of the 
PuTTY icon as a trust
        - putty 0.84-1
        [trixie] - putty <no-dsa> (Minor issue)
        [bookworm] - putty <no-dsa> (Minor issue)
+       [bullseye] - putty <postponed> (Minor issue; can be fixed with next 
upload)
        NOTE: 
https://lists.tartarus.org/pipermail/putty-announce/2026/000042.html
        NOTE: 
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/telnet-trust-sigil.html
        NOTE: Fixed by: 
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=64712be3cbc4a02bda4a92ca97e8d4f294abbe9a
 (0.84)
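
Review bot: the description on this entry gives the affected range as "PuTTY 0.77 before 0.84", which starts later than the other two PuTTY entries in this push (0.71 and 0.72), yet the added `[bullseye] - putty <postponed>` line treats bullseye as affected in the same way. Confirm that the bullseye version is 0.77 or newer. If it is older, `<not-affected> (Vulnerable code not present)` would be the accurate state rather than `<postponed>`.
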
@@ -5718,6 +5724,7 @@ CVE-2026-48850 (PuTTY 0.72 before 0.84 has a double free 
in RSA KEX.)
        - putty 0.84-1
        [trixie] - putty <no-dsa> (Minor issue)
        [bookworm] - putty <no-dsa> (Minor issue)
+       [bullseye] - putty <postponed> (Minor issue; can be fixed with next 
upload)
        NOTE: 
https://lists.tartarus.org/pipermail/putty-announce/2026/000042.html
        NOTE: 
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/rsakex-double-free.html
        NOTE: Fixed by: 
https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=ba3ed53e0bf6682f89940bc2c3e83da6b1524024
 (0.84)
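
Review bot: the added `[bullseye] - putty <postponed>` line reuses `Minor issue` for what the entry header describes as a double free in RSA KEX, and nothing in the entry records why a memory-safety bug in key exchange was rated minor. A short NOTE with the reasoning (for example, whether the server or the client controls the trigger) would make the postponement easier to re-evaluate when the next upload is prepared.
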



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9d661b54b9989d19768a1abf292be3da2289827b...30aa26be0f77e1dbaa1c173e7c14784f17777e03
