Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
e9bd88d1 by Emilio Pozuelo Monfort at 2026-01-21T10:20:10+01:00
lts: triage CVE-2025-13837/pypy3 as no-dsa
- - - - -
20652010 by Emilio Pozuelo Monfort at 2026-01-21T10:20:10+01:00
lts: drop pypy3
- - - - -
3998433f by Emilio Pozuelo Monfort at 2026-01-21T10:20:12+01:00
lts: triage CVE-2026-0992/libxml2 as postponed
- - - - -
5a0122f9 by Emilio Pozuelo Monfort at 2026-01-21T10:20:12+01:00
lts: add vlc
- - - - -
99ccd237 by Emilio Pozuelo Monfort at 2026-01-21T10:20:13+01:00
lts: triage CVE-2025-56225/fluidsynth as postponed
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1591,6 +1591,7 @@ CVE-2026-0992 (A flaw was found in the libxml2 library.
This uncontrolled resour
- libxml2 <unfixed> (bug #1125696)
[trixie] - libxml2 <no-dsa> (Minor issue)
[bookworm] - libxml2 <no-dsa> (Minor issue)
+ [bullseye] - libxml2 <postponed> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/1019
NOTE: Fixed by:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/f75abfcaa419a740a3191e56c60400f3ff18988d
CVE-2026-0990 (A flaw was found in libxml2, an XML parsing library. This
uncontrolled ...)
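Review bot: the added `[bullseye] - libxml2 <postponed> (Minor issue)` line carries the same reason text as the `<no-dsa>` entries for trixie and bookworm, so nothing records why bullseye is triaged differently. Since the NOTE lines already point at an upstream fix commit, consider extending the reason, for example to say the fix can be included with the next libxml2 update, so the distinction is visible in the entry itself.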
@@ -4072,6 +4073,7 @@ CVE-2025-56225 (fluidsynth-2.4.6 and earlier versions is
vulnerable to Null poin
- fluidsynth 2.4.7+dfsg-1
[trixie] - fluidsynth <no-dsa> (Minor issue)
[bookworm] - fluidsynth <no-dsa> (Minor issue)
+ [bullseye] - fluidsynth <postponed> (Minor issue)
NOTE: https://github.com/FluidSynth/fluidsynth/issues/1602
NOTE: https://github.com/FluidSynth/fluidsynth/pull/1607
NOTE: Fixed by:
https://github.com/FluidSynth/fluidsynth/commit/45f2a79f4265dcc4f98cfbafdb10727fb1c0d411
(v2.4.7)
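Review bot: the added `[bullseye] - fluidsynth <postponed> (Minor issue)` line does not record whether the upstream fix referenced in the NOTE lines (commit 45f2a79f, v2.4.7) applies to the fluidsynth version in bullseye. A short NOTE on whether the affected code is present there and whether the patch backports cleanly would save repeating that check when the postponed issue is picked up.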
@@ -22773,6 +22775,7 @@ CVE-2025-13837 (When loading a plist file, the plistlib
module reads data in siz
- pypy3 <unfixed>
[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bullseye] - pypy3 <no-dsa> (Minor issue)
NOTE: https://github.com/python/cpython/issues/119342
NOTE: https://github.com/python/cpython/pull/119343
NOTE:
https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70
(main)
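Review bot: the added `[bullseye] - pypy3 <no-dsa> (Minor issue)` line uses a different state from the other two bullseye entries added in this push, which use `<postponed>`, and the reason text does not explain why. The dla-needed.txt entry removed in the same push records "No more sponsors for pypy/pypy3 in bullseye"; putting that in the reason or in a NOTE here would keep the rationale next to the CVE once the dla-needed.txt entry is gone.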
=====================================
data/dla-needed.txt
=====================================
@@ -313,13 +313,6 @@ pyasn1 (utkarsh)
NOTE: 20260119: Added by Front-Desk (dleidert)
NOTE: 20260119: Follow DSA and maybe help the security team here (dleidert)
--
-pypy3
- NOTE: 20260102: Added by Front-Desk (Beuc)
- NOTE: 20260102: Lots of postponed CVEs pile-up
- NOTE: 20260102: Consider fixing bookworm/trixie too (Beuc/front-desk)
- NOTE: 20260102:
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/274
- NOTE: 20260102: No more sponsors for pypy/pypy3 in bullseye, hence low
priority (Beuc)
---
python-aiohttp (dleidert)
NOTE: 20260106: Added by Front-Desk (lamby)
--
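Review bot: the removed pypy3 block held the only rationale in this file ("Lots of postponed CVEs pile-up", "No more sponsors for pypy/pypy3 in bullseye") along with the link to lts-updates-tasks issue 274, and the commit subject "lts: drop pypy3" gives no reason for the removal. Consider stating the reason in the commit message, or confirming that issue 274 records the decision, so the drop can be traced later.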
@@ -380,6 +373,10 @@ trafficserver
NOTE: 20250403: There are multiple new CVEs. But none of them is addresses
in Sid and maintainers didn't reply to me last time (dleidert)
NOTE: 20250405: DSA 5896-1 is out (Beuc/front-desk)
--
+vlc
+ NOTE: 20260120: Added by Front-Desk (pochu)
+ NOTE: 20260120: Update to 3.0.23 (pochu)
+--
watcher
NOTE: 20250908: Added by Front-Desk (apo)
NOTE: 20250908: See also nova. (apo)
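Review bot: the new vlc entry says "Update to 3.0.23" but names no CVE ids or advisory, so whoever claims the package has to rediscover what the update is meant to fix. Add a NOTE line listing the CVEs or linking the upstream release notes that motivate the update.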
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8356c40e0dee29d334c28e7b82616ebc163fe150...99ccd237a7ea3e54257c224258f4b8e99371421a