sed - Debian Package Tracker

general

source: sed (main)
version: 4.9-3
maintainer: Clint Adams (DMD)
arch: any
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.7-1
oldstable: 4.9-1
stable: 4.9-2
testing: 4.9-3
unstable: 4.9-3

versioned links

4.7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.9-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.9-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.9-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

sed (15 bugs: 0, 9, 6, 0)

action needed

A new upstream version is available: 4.10 high

A new upstream version 4.10 is available, you should consider packaging it.

Created: 2026-04-25 Last update: 2026-04-26 11:30

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2026-5958: When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.

Created: 2026-04-20 Last update: 2026-04-23 17:30

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2026-04-06 Last update: 2026-04-26 11:00

1 open merge request in Salsa normal

There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2026-04-20 Last update: 2026-04-20 21:30

lintian reports 3 warnings normal

Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2024-01-02 Last update: 2024-01-02 11:36

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-5958: (needs triaging) When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-04-20 Last update: 2026-04-23 17:30

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2026-5958: (needs triaging) When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-04-20 Last update: 2026-04-23 17:30

news

[rss feed]

[2026-04-24] sed 4.9-3 MIGRATED to testing (Debian testing watch)
[2026-04-20] Accepted sed 4.9-3 (source) into unstable (Clint Adams)
[2024-01-04] sed 4.9-2 MIGRATED to testing (Debian testing watch)
[2024-01-02] Accepted sed 4.9-2 (source) into unstable (Clint Adams)
[2023-01-11] sed 4.9-1 MIGRATED to testing (Debian testing watch)
[2023-01-05] Accepted sed 4.9-1 (source) into unstable (Clint Adams)
[2022-12-31] Accepted sed 4.8-1.1 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2021-09-02] sed 4.8-1 MIGRATED to testing (Debian testing watch)
[2021-08-31] Accepted sed 4.8-1 (source) into unstable (Clint Adams)
[2018-12-25] sed 4.7-1 MIGRATED to testing (Debian testing watch)
[2018-12-22] Accepted sed 4.7-1 (source) into unstable (Clint Adams)
[2018-10-20] sed 4.5-2 MIGRATED to testing (Debian testing watch)
[2018-10-17] Accepted sed 4.5-2 (source) into unstable (Clint Adams)
[2018-07-07] sed 4.5-1 MIGRATED to testing (Debian testing watch)
[2018-07-04] Accepted sed 4.5-1 (source) into unstable (Clint Adams)
[2018-02-04] sed 4.4-2 MIGRATED to testing (Debian testing watch)
[2018-01-30] Accepted sed 4.4-2 (source) into unstable (Clint Adams)
[2017-02-15] sed 4.4-1 MIGRATED to testing (Debian testing watch)
[2017-02-04] Accepted sed 4.4-1 (source) into unstable (Clint Adams)
[2017-01-18] sed 4.3-3 MIGRATED to testing (Debian testing watch)
[2017-01-07] Accepted sed 4.3-3 (source) into unstable (Clint Adams)
[2017-01-07] Accepted sed 4.3-2 (source) into unstable (Clint Adams)
[2017-01-05] Accepted sed 4.3-1 (source amd64) into unstable (Clint Adams)
[2016-09-19] Accepted sed 4.2.2-4+deb8u1 (source) into proposed-updates->stable-new, proposed-updates (Clint Adams) (signed by: Santiago Vila)
[2016-09-06] sed 4.2.2-8 MIGRATED to testing (Debian testing watch)
[2016-09-01] Accepted sed 4.2.2-8 (source) into unstable (Clint Adams)
[2016-03-17] sed 4.2.2-7.1 MIGRATED to testing (Debian testing watch)
[2016-03-11] Accepted sed 4.2.2-7.1 (source) into unstable (Niels Thykier)
[2016-02-17] sed 4.2.2-7 MIGRATED to testing (Debian testing watch)
[2016-02-12] Accepted sed 4.2.2-7 (source) into unstable (Clint Adams)

bugs [bug history graph]

all: 16
RC: 0
I&N: 10
M&W: 6
F&P: 0
patch: 1

links

homepage
lintian (0, 3)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
screenshots
l10n (-, 84)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.9-2build3
6 bugs