Carlos Henrique Lima Melara pushed to branch master at Debian Security Tracker
/ security-tracker
Commits:
1b80400d by Carlos Henrique Lima Melara at 2026-02-28T12:41:33-03:00
CVE-2026-28295,28296/gvfs: add NOTE with fixing commits
Upstream fixed in 1.59.x, 1.58.x (gnome-49 branch) and 1.56.x (gnome-47 branch).
- - - - -
441d2770 by Carlos Henrique Lima Melara at 2026-02-28T13:01:18-03:00
LTS: add gvfs to dla-needed.txt
CVE-2026-28296 is the greater problem: users connecting to an FTP server
with malicious files can end up executing arbitrary FTP commands. Since
this is a high popcon package used by gnome, let's fix it.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -558,11 +558,17 @@ CVE-2026-28296 (A flaw was found in the FTP GVfs backend.
A remote attacker coul
[trixie] - gvfs <no-dsa> (Minor issue)
[bookworm] - gvfs <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/gvfs/-/issues/833
+ NOTE: Fixed by:
https://gitlab.gnome.org/GNOME/gvfs/-/commit/21dda19047b86c3e92fae668eb9dc80e33ca71fd
(1.59.90)
+ NOTE: Fixed by:
https://gitlab.gnome.org/GNOME/gvfs/-/commit/2916e8deea297f300056265530c7ca3ea443775f
(1.58.2)
+ NOTE: Fixed by:
https://gitlab.gnome.org/GNOME/gvfs/-/commit/447ee8a32fe56529bf92c0a733f6d35e724c2689
(1.56.2)
CVE-2026-28295 (A flaw was found in the FTP GVfs backend. A malicious FTP
server can e ...)
- gvfs <unfixed>
[trixie] - gvfs <no-dsa> (Minor issue)
[bookworm] - gvfs <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/gvfs/-/issues/832
+ NOTE: Fixed by:
https://gitlab.gnome.org/GNOME/gvfs/-/commit/20db8173252ea88a4af05dc9a24aad6f29b807ad
(1.59.90)
+ NOTE: Fixed by:
https://gitlab.gnome.org/GNOME/gvfs/-/commit/30f50ce256c2fb66828373973c4fd1542088de72
(1.58.2)
+ NOTE: Fixed by:
https://gitlab.gnome.org/GNOME/gvfs/-/commit/30b89fc61ef620dfa81492f68a21ee1fdb7021f3
(1.56.2)
CVE-2026-28138 (Deserialization of Untrusted Data vulnerability in Stylemix
uListing u ...)
NOT-FOR-US: WordPress plugin or theme
CVE-2026-28136 (Improper Neutralization of Special Elements used in an SQL
Command ('S ...)
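Review bot: the [bookworm] lines for both CVE-2026-28296 and CVE-2026-28295 still read `<no-dsa> (Minor issue)`, which contradicts the rationale in the companion dla-needed.txt commit that CVE-2026-28296 is serious enough to be fixed in LTS; if the LTS team intends to issue a DLA, the bookworm annotation for CVE-2026-28296 should be reworded so its reason does not say "Minor issue" while the package sits in dla-needed.txt. The added "Fixed by" NOTEs are useful, but they only record upstream commits: CVE-2026-28295 still shows `- gvfs <unfixed>`, so once a package based on 1.58.2 or 1.59.90 reaches the archive the fixed version should be filled in on the package line rather than left to be inferred from the NOTEs.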
=====================================
data/dla-needed.txt
=====================================
@@ -166,6 +166,12 @@ grub2
NOTE: 20251129: Maintainer (jak) replied: work underway, proposed to skip
next point release (2026-01, too soon)
NOTE: 20251129: also uncertainty on whether a shim/SBAT (revocation) update
is feasible/needed.
--
+gvfs
+ NOTE: 20260228: Added by Front-Desk (charles)
+ NOTE: 20260228: CVE-2026-28296 is the greater problem, users connecting to a
+ NOTE: 20260228: FTP server with malicious files can end up executing
arbitrary
+ NOTE: 20260228: FTP commands (charles)
+--
jackson-core (Markus Koschany)
NOTE: 20250707: Added by Front-Desk (apo)
NOTE: 20251016: A single patch is not possible to apply to fix the CVE. I'm
working on backporting more than one.
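Review bot: the new dla-needed.txt entry names only CVE-2026-28296, although the same push records upstream fixes for CVE-2026-28295 in the identical releases (1.56.2, 1.58.2, 1.59.90); the NOTE should say whether the DLA is expected to cover both CVEs and point at the 1.56.2 (gnome-47 branch) commits recorded in data/CVE/list as the backport source, so whoever claims gvfs does not fix one CVE and leave the other open. As the grub2 entry just above does, a NOTE stating whether the package maintainer has been contacted would also help the claimer.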
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/004ed47c6c82f3b1b2578d77f8be1e220957d1ac...441d2770a7a635ccff7c6bca01c0613ea6f19f97
--
_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits