Hi,
On Mon, 9 Feb 2026 09:46:48 +0100 Sylvain Beucler <[email protected]> wrote:
> Additionally, while working on ELTS py* packages, I excluded/postponed:
> - CVE-2025-15366, CVE-2025-15367: potential regressions are being
>   investigated, which explains why upstream didn't backport the fix to
>   its 3.xx release branches
> - CVE-2026-0865: overreaching fix so a follow-up is under review
>   (also this may be considered unimportant as upstream now added a
>   security disclaimer for wsgiref)
> Tracker updated:
> https://security-tracker.debian.org/tracker/CVE-2025-15366
> https://security-tracker.debian.org/tracker/CVE-2025-15367
> https://security-tracker.debian.org/tracker/CVE-2026-0865
> I would recommend postponing them for now.
Update:
- CVE-2026-0865 regression fix merged
- imaplib and poplib not backported to released branches
(probably won't be)
- CVE-2026-0672 got a follow-up CVE-2026-3644
Cheers!
Sylvain Beucler
Debian LTS Team
(Front Desk this week)