[Git][security-tracker-team/security-tracker][master] Track fixed version for some openexr issues fixed via unstable

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Mar 12 11:49:34 GMT 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1eed3da6 by Salvatore Bonaccorso at 2026-03-12T12:47:22+01:00
Track fixed version for some openexr issues fixed via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -4373,7 +4373,7 @@ CVE-2026-27932 (joserfc is a Python library that provides an implementation of s
 CVE-2026-27905 (BentoML is a Python library for building online serving systems optimi ...)
 	NOT-FOR-US: BentoML
 CVE-2026-27622 (OpenEXR provides the specification and reference implementation of the ...)
-	- openexr <unfixed> (bug #1130041)
+	- openexr 3.4.6+ds-1 (bug #1130041)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963
 	NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/e69bf4b929b9c4f17d8546e28ee4c410c3d0a088 (v3.2.6, v3.2.6-rc)
 CVE-2026-27601 (Underscore.js is a utility-belt library for JavaScript. Prior to 1.13. ...)
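Review bot: The "Fixed by:" NOTE under CVE-2026-27622 names only the tags v3.2.6 and v3.2.6-rc, while the package line now records 3.4.6+ds-1 as the fixed version, so the entry does not show on its own that the 3.4 series contains commit e69bf4b929b9c4f17d8546e28ee4c410c3d0a088. Consider extending the tag list in that NOTE with the 3.4.x release that carries the commit, so the fixed version can be checked against the reference.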
@@ -33877,14 +33877,14 @@ CVE-2025-13698 (Deciso OPNsense diag_backup.php filename Directory Traversal Arb
 CVE-2025-13407 (The Gravity Forms WordPress plugin before 2.9.23.1 does not properly p ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2025-12840 (Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer ...)
-	- openexr <unfixed> (bug #1123963)
+	- openexr 3.4.6+ds-1 (bug #1123963)
 	[trixie] - openexr <postponed> (Revisit when fixed upstream)
 	[bookworm] - openexr <postponed> (Revisit when fixed upstream)
 	[bullseye] - openexr <postponed> (Revisit when fixed upstream)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-25-991/
 	NOTE: https://lists.aswf.io/g/openexr-dev/topic/openexr_v3_4_3_is_staged_for/116040425
 CVE-2025-12839 (Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer ...)
-	- openexr <unfixed> (bug #1123963)
+	- openexr 3.4.6+ds-1 (bug #1123963)
 	[trixie] - openexr <postponed> (Revisit when fixed upstream)
 	[bookworm] - openexr <postponed> (Revisit when fixed upstream)
 	[bullseye] - openexr <postponed> (Revisit when fixed upstream)
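Review bot: The suite lines under CVE-2025-12840 and CVE-2025-12839 still read "<postponed> (Revisit when fixed upstream)" for trixie, bookworm and bullseye, even though the unstable line directly above each now records a fixed version. With 3.4.6+ds-1 tracked as fixed, that reason text describes a condition that has been met, so the three suites should either be re-triaged in this commit or get an updated reason. The visible NOTEs for CVE-2025-12840 also point only to the ZDI advisory and a list thread; a "Fixed by:" NOTE naming the upstream commit would help whoever picks up the stable backports.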
@@ -33893,7 +33893,7 @@ CVE-2025-12839 (Academy Software Foundation OpenEXR EXR File Parsing Heap-based
 CVE-2025-12838 (MSP360 Free Backup Link Following Local Privilege Escalation Vulnerabi ...)
 	NOT-FOR-US: MSP360
 CVE-2025-12495 (Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer ...)
-	- openexr <unfixed> (bug #1123963)
+	- openexr 3.4.6+ds-1 (bug #1123963)
 	[trixie] - openexr <postponed> (Revisit when fixed upstream)
 	[bookworm] - openexr <postponed> (Revisit when fixed upstream)
 	[bullseye] - openexr <postponed> (Revisit when fixed upstream)
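Review bot: CVE-2025-12495 shares bug #1123963 with the two entries in the previous hunk and keeps the same "<postponed> (Revisit when fixed upstream)" lines for trixie, bookworm and bullseye under the new 3.4.6+ds-1 line. Whatever is decided for those entries should be applied here too, so the three CVEs stay consistent.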
@@ -49698,7 +49698,7 @@ CVE-2025-64182 (OpenEXR provides the specification and reference implementation
 	- openexr <not-affected> (Python bindings introduced in 3.2)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-vh63-9mqx-wmjr
 CVE-2025-64181 (OpenEXR provides the specification and reference implementation of the ...)
-	- openexr <unfixed> (bug #1120700)
+	- openexr 3.4.6+ds-1 (bug #1120700)
 	[trixie] - openexr <no-dsa> (Minor issue)
 	[bookworm] - openexr <no-dsa> (Minor issue)
 	[bullseye] - openexr <not-affected> (Vulnerable code not present)
@@ -84612,7 +84612,7 @@ CVE-2025-49832 (Asterisk is an open source private branch exchange and telephony
 	NOTE: Fixed by: https://github.com/asterisk/asterisk/commit/723410e3126e2d6a6a05e89cdf0cb23f4556af3a (master)
 	NOTE: Fixed by: https://github.com/asterisk/asterisk/commit/f8c6ad7916a9d233eb9e685365132e0435535216 (22.5.1)
 CVE-2025-48074 (OpenEXR provides the specification and reference implementation of the ...)
-	- openexr <unfixed> (bug #1110261)
+	- openexr 3.4.6+ds-1 (bug #1110261)
 	[trixie] - openexr <no-dsa> (Minor issue)
 	[bookworm] - openexr <no-dsa> (Minor issue)
 	[bullseye] - openexr <postponed> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1eed3da656c24704c0b919c859d86e6b35b31f6b
