Your message dated Mon, 09 Mar 2026 11:04:34 +0000
with message-id <[email protected]>
and subject line Bug#1129427: fixed in vim 2:9.2.0119-1
has caused the Debian Bug report #1129427,
regarding vim: CVE-2026-28417
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
1129427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129427
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vim
Version: 2:9.1.2141-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for vim.

CVE-2026-28417[0]:
| Vim is an open source, command line text editor. Prior to version
| 9.2.0073, an OS command injection vulnerability exists in the
| `netrw` standard plugin bundled with Vim. By inducing a user to open
| a crafted URL (e.g., using the `scp://` protocol handler), an
| attacker can execute arbitrary shell commands with the privileges of
| the Vim process. Version 9.2.0073 fixes the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-28417
    https://www.cve.org/CVERecord?id=CVE-2026-28417
[1] https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336
[2] https://github.com/vim/vim/commit/79348dbbc09332130f4c86045e1541d68514fcc1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: vim
Source-Version: 2:9.2.0119-1
Done: James McCoy <[email protected]>

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <[email protected]> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 09 Mar 2026 06:50:59 -0400
Source: vim
Architecture: source
Version: 2:9.2.0119-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Vim Maintainers <[email protected]>
Changed-By: James McCoy <[email protected]>
Closes: 1127930 1129427 1129428 1129429 1129430 1129431 1129432
Changes:
 vim (2:9.2.0119-1) unstable; urgency=medium
 .
   * New upstream release
     + See ":help vim-9.2" for new features
     + Security fixes
       - 9.1.2148: buffer overflow in netbeans special_keys() handling (Closes:
         #1127930, CVE-2026-26269)
   * Merge upstream tag v9.2.0119
     + Security fixes
       - 9.2.0073: possible command injection using netrw (Closes: #1129427,
         CVE-2026-28417)
       - 9.2.0074: crash with overlong emacs tag file (Closes: #1129428,
         CVE-2026-28418)
       - 9.2.0075: buffer underflow with emacs tag file (Closes: #1129429,
         CVE-2026-28419)
       - 9.2.0076: buffer-overflow with combining characters in terminal
         handling (Closes: #1129430, CVE-2026-28420)
       - 9.2.0077: crash when recovering a corrupted swap file (Closes:
         #1129431, CVE-2026-28421)
       - 9.2.0078: stack buffer overflow when rendering a statusline with a
         multi-byte fill character on a very wide terminal (Closes: #1129432,
         CVE-2026-28422)
Git-Tag-Info: tag=2df3e4438e7cf5fb7743ee4c389fdd9b0e2cafcf
fp=91bfbf4d6956bd5df7b72d23dfe691ae331ba3db
Git-Tag-Tagger: James McCoy <[email protected]>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---