[Git][security-tracker-team/security-tracker][master] Track fixed version for nodejs issues addressed via unstable

Wed Mar 25 19:31:44 GMT 2026


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e184dfda by Salvatore Bonaccorso at 2026-03-25T20:31:16+01:00
Track fixed version for nodejs issues addressed via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -771,19 +771,19 @@ CVE-2026-3836
 	- dnf5 <unfixed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2445770
 CVE-2026-21717
-	- nodejs <unfixed>
+	- nodejs 22.22.2+dfsg+~cs22.19.15-1
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#hashdos-in-v8-cve-2026-21717---medium
 CVE-2026-21716
-	- nodejs <unfixed>
+	- nodejs 22.22.2+dfsg+~cs22.19.15-1
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#cve-2024-36137-patch-bypass---filehandlechmodchown-cve-2026-21716---low
 CVE-2026-21715
-	- nodejs <unfixed>
+	- nodejs 22.22.2+dfsg+~cs22.19.15-1
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#permission-model-bypass-in-realpathsyncnative-allows-file-existence-disclosure-cve-2026-21715---low
 CVE-2026-21714
-	- nodejs <unfixed>
+	- nodejs 22.22.2+dfsg+~cs22.19.15-1
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#memory-leak-in-nodejs-http2-server-via-window_update-on-stream-0-leads-to-resource-exhaustion-cve-2026-21714---medium
 CVE-2026-21713
-	- nodejs <unfixed>
+	- nodejs 22.22.2+dfsg+~cs22.19.15-1
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#timing-side-channel-in-hmac-verification-via-memcmp-in-crypto_hmaccc-leads-to-potential-mac-forgery-cve-2026-21713---medium
 CVE-2026-21712
 	- nodejs <unfixed>
@@ -792,7 +792,7 @@ CVE-2026-21711
 	- nodejs <not-affected> (Vulnerable code not present)
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#nodejs-permission-model-bypass-uds-server-bindlisten-works-without---allow-net-cve-2026-21711---medium
 CVE-2026-21710
-	- nodejs <unfixed>
+	- nodejs 22.22.2+dfsg+~cs22.19.15-1
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#denial-of-service-via-__proto__-header-name-in-reqheadersdistinct-uncaught-typeerror-crashes-nodejs-process-cve-2026-21710---high
 CVE-2026-31788
 	- linux <unfixed>
@@ -30560,10 +30560,11 @@ CVE-2025-55132 (A flaw in Node.js's permission model allows a file's access and
 	NOTE: Fixed by: https://github.com/nodejs/node/commit/14fbbb510c6d62b4510e3f48ee801807d9a5fbab (v20.20.0)
 CVE-2026-21637 (A flaw in Node.js TLS error handling allows remote attackers to crash  ...)
 	{DSA-6166-1}
-	- nodejs 22.22.0+dfsg+~cs22.19.6-1
+	- nodejs 22.22.2+dfsg+~cs22.19.15-1
 	NOTE: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases#tls-pskalpn-callback-exceptions-bypass-error-handlers-causing-dos-and-fd-leak-cve-2026-21637---medium
 	NOTE: Fixed by: https://github.com/nodejs/node/commit/85f73e7057e9badf6e7713f7440769375cdb5df5 (v20.20.0)
-	NOTE: Fix was incomplete (but did not got a new CVE for the incomplete fix):
+	NOTE: Fix was incomplete (but did not got a new CVE for the incomplete fix, original fix in unstable
+	NOTE: via nodejs/22.22.0+dfsg+~cs22.19.6-1 and DSA-6166-1)
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#incomplete-fix-for-cve-2026-21637-loadsni-in-_tls_wrapjs-lacks-trycatch-leading-to-remote-dos-cve-2026-21637---high
 CVE-2026-21636 (A flaw in Node.js's permission model allows Unix Domain Socket (UDS) c ...)
 	- nodejs <not-affected> (Only affects Node.js v25)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e184dfdad81e6002af2f750d02b77e50f76704b0

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e184dfdad81e6002af2f750d02b77e50f76704b0
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260325/c34e6298/attachment.htm>
