Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ba8fbe0b by Moritz Muehlenhoff at 2026-06-09T12:23:51+02:00
new spring issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -90,41 +90,76 @@ CVE-2026-41978 (Permission control vulnerability in the 
clone module.Impact: Suc
 CVE-2026-41975 (Permission management vulnerability in the network management 
module.I ...)
        NOT-FOR-US: Huawei
 CVE-2026-41855 (In an untrusted JMS environment, 
org.springframework.jms.support.conve ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41855
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41854 (Due to incorrect host parsing, applications that rely on 
UriComponents ...)
-       TODO: check
+       - libspring-java <not-affected> (Only affects Spring 6 and later)
+       NOTE: https://spring.io/security/cve-2026-41854
 CVE-2026-41853 (Spring MVC and WebFlux applications are vulnerable to 
Multipart reques ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41853
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41852 (A vulnerability in Spring Expression Language (SpEL) 
evaluation logic  ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41852
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41851 (Applications which accept user-supplied Spring Expression 
Language (Sp ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41851
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41850 (Applications that evaluate user-supplied Spring Expression 
Language (S ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41850
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41849 (An integer overflow vulnerability exists in the evaluation 
logic of th ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41849
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41848 (Applications may be vulnerable to a Regular Expression Denial 
of Servi ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41848
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41847 (Spring WebFlux applications may be vulnerable to a security 
bypass whe ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41847
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41846 (Spring MVC applications which accept user-supplied values in 
the cssCl ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41846
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41845 (Due to incorrect escaping, the use of 
JavaScriptUtils.javaScriptEscape ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41845
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41844 (A Spring MVC or Spring WebFlux application which configures a 
mapping  ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41844
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41843 (Spring MVC and WebFlux applications are vulnerable to Path 
Traversal a ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41843
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41842 (Spring MVC and WebFlux applications are vulnerable to Denial 
of Servic ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41842
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41841 (Spring MVC and WebFlux applications are vulnerable to 
Information Disc ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41841
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41840 (Spring WebFlux applications are vulnerable to Denial of 
Service (DoS)  ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41840
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41839 (A WebFlux application with a compromised subdomain (for 
example, compr ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41839
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41838 (IDs for WebSocket sessions in the spring-websocket module are 
not cryp ...)
-       TODO: check
+       - libspring-java <unfixed> (unimportant)
+       NOTE: https://spring.io/security/cve-2026-41838
+       NOTE: Only supported for building applications shipped in Debian, see 
README.Debian.security
 CVE-2026-41720 (Spring LDAP's DirContextAuthenticationStrategy implementations 
do not  ...)
        TODO: check
 CVE-2026-41715 (In specific scenarios involving HTTP redirects from a secure 
to an ins ...)
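
Review bot: The <not-affected> entry for CVE-2026-41854 gives "Only affects Spring 6 and later" as its reason but records nothing that lets a later reader verify it. The only reference is the advisory URL, so a NOTE naming the upstream version or commit that introduced the incorrect host parsing would make the status recheckable if libspring-java is ever moved to Spring 6. Separately, CVE-2026-41720 (Spring LDAP) in the trailing context is still at "TODO: check". If it was meant to be covered by "new spring issues" it needs its own triage line, and if it was deliberately left for later, saying so in the commit message would save the next reviewer the question.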



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba8fbe0b3c3191b7a034c6117ea01a471d1de114
