Your message dated Mon, 11 May 2026 14:50:41 +0000
with message-id <[email protected]>
and subject line Bug#1136172: fixed in kdenlive 26.04.1-1
has caused the Debian Bug report #1136172,
regarding kdenlive: CVE-2026-45184
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136172: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136172
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: kdenlive
Version: 26.04.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for kdenlive.

I'm still marking it as RC level at least, so that for forky it is ensured
that it is fixed before the release (still a long way off), although it
is likely a good idea to not just open untrusted projects.

CVE-2026-45184[0]:
| Kdenlive before 26.04.1 allows dangerous proxy parameters when an
| attacker-controlled project file is used.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45184
    https://www.cve.org/CVERecord?id=CVE-2026-45184
[1] https://kde.org/info/security/advisory-20260508-1.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: kdenlive
Source-Version: 26.04.1-1
Done: Patrick Matthäi <[email protected]>

We believe that the bug you reported is fixed in the latest version of
kdenlive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <[email protected]> (supplier of updated kdenlive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Mon, 11 May 2026 15:26:25 +0200
Source: kdenlive
Architecture: source
Version: 26.04.1-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <[email protected]>
Changed-By: Patrick Matthäi <[email protected]>
Closes: 1136172
Changes:
 kdenlive (26.04.1-1) unstable; urgency=high
 .
   * New upstream release.
     - Fixes CVE-2026-45184: Dangerous proxy parameters, when an
       attacker-controlled project file is used.
       Closes: #1136172

--- End Message ---
