[Git][security-tracker-team/security-tracker][master] 5 commits: dla: drop node-bn.js

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Thu Mar 26 08:44:32 GMT 2026



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7348c818 by Sylvain Beucler at 2026-03-26T09:44:10+01:00
dla: drop node-bn.js

1 no-dsa issue, no sponsors, low popcon

- - - - -
63aa1f57 by Sylvain Beucler at 2026-03-26T09:44:12+01:00
dla: drop node-elliptic

1 stalled issue, no sponsors, low popcon

- - - - -
8afa51cd by Sylvain Beucler at 2026-03-26T09:44:12+01:00
dla: drop universal-ctags

1 unimportant issue

- - - - -
e03ba36d by Sylvain Beucler at 2026-03-26T09:44:15+01:00
dla: drop django-allauth

No activity in stable/oldstable, no sponsors, low popcon

- - - - -
6613b276 by Sylvain Beucler at 2026-03-26T09:44:17+01:00
dla: drop ccextractor

Not in stable/oldstable, no sponsors, low popcon

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -11078,6 +11078,7 @@ CVE-2026-27983 (Incorrect Privilege Assignment vulnerability in designthemes LMS
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-27982 (An open redirect vulnerability exists in django-allauth versions prior ...)
 	- django-allauth 65.15.0-1 (bug #1130044)
+	[bullseye] - django-allauth <postponed> (Minor issue, open redirect)
 	NOTE: https://allauth.org/news/2026/02/django-allauth-65.14.1-released/
 CVE-2026-27898 (Vaultwarden is an unofficial Bitwarden compatible server written in Ru ...)
 	- vaultwarden <itp> (bug #1067023)
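Review bot: the new `[bullseye]` line is the only suite marker on CVE-2026-27982; trixie and bookworm carry no `<no-dsa>`/`<postponed>` annotation, so after this change the tracker shows the issue open in stable and oldstable while bullseye is postponed. That matches "No activity in stable/oldstable" in the commit message, but the security team's intent for those suites stays unrecorded; if the open redirect is minor enough to postpone in LTS, a matching `<no-dsa> (Minor issue)` line for trixie/bookworm (or a note that it was asked for) would keep the entry self-explanatory.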
@@ -15379,6 +15380,7 @@ CVE-2026-2894 (A vulnerability was identified in funadmin up to 7.1.0-rc4. Affec
 	NOT-FOR-US: funadmin
 CVE-2026-2889 (A vulnerability was detected in CCExtractor up to 0.96.5. Affected is  ...)
 	- ccextractor <removed>
+	[bullseye] - ccextractor <postponed> (Fix along with next DLA)
 	NOTE: https://github.com/CCExtractor/ccextractor/issues/2055
 	NOTE: https://github.com/CCExtractor/ccextractor/pull/2057
 	NOTE: Fixed by: https://github.com/CCExtractor/ccextractor/commit/fd7271bae238ccb3ae8a71304ea64f0886324925 (v0.96.6)
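Review bot: the reason "Fix along with next DLA" on the new `[bullseye] - ccextractor <postponed>` line contradicts the rest of this push, which removes ccextractor from data/dla-needed.txt ("Not in stable/oldstable, no sponsors, low popcon"), so no next DLA is being prepared and the text will go stale immediately. The sibling entry CVE-2026-2245 added in this same push uses "Minor issue, OOB read"; a self-standing reason of that form, e.g. `(Minor issue, upstream fix in v0.96.6)`, would be consistent, and the fix commit is already recorded in the NOTE line below it.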
@@ -16296,6 +16298,7 @@ CVE-2026-2739 (This affects versions of the package bn.js before 5.2.3. Calling
 	- node-bn.js 5.2.3+~5.2.0-1 (bug #1128619)
 	[trixie] - node-bn.js <no-dsa> (Minor issue)
 	[bookworm] - node-bn.js <no-dsa> (Minor issue)
+	[bullseye] - node-bn.js <postponed> (Minor issue, DoS)
 	NOTE: https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301
 	NOTE: https://github.com/indutny/bn.js/issues/316
 	NOTE: https://github.com/indutny/bn.js/issues/186
@@ -21318,6 +21321,7 @@ CVE-2026-2246 (A security vulnerability has been detected in AprilRobotics april
 	NOT-FOR-US: AprilRobotics apriltag
 CVE-2026-2245 (A vulnerability was identified in CCExtractor up to 183. This affects  ...)
 	- ccextractor <removed>
+	[bullseye] - ccextractor <postponed> (Minor issue, OOB read)
 	NOTE: https://github.com/CCExtractor/ccextractor/issues/2053
 	NOTE: https://github.com/CCExtractor/ccextractor/pull/2057
 CVE-2026-2242 (A vulnerability was determined in janet-lang janet up to 1.40.1. This  ...)
@@ -33396,6 +33400,7 @@ CVE-2025-14574 (The weDocs plugin for WordPress is vulnerable to Sensitive Infor
 	NOT-FOR-US: WordPress plugin
 CVE-2025-14505 (The ECDSA implementation of the Elliptic package generates incorrect s ...)
 	- node-elliptic <unfixed> (bug #1125180)
+	[bullseye] - node-elliptic <postponed> (Revisit when fixed upstream)
 	NOTE: https://github.com/indutny/elliptic/issues/321
 	NOTE: https://github.com/indutny/elliptic/pull/345
 CVE-2025-14436 (The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored ...)
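Review bot: "Revisit when fixed upstream" on the `[bullseye] - node-elliptic <postponed>` line records no severity, unlike the other `<postponed>` reasons in this push, and with sid still `<unfixed>` there is nothing to backport yet. Since node-elliptic is also dropped from data/dla-needed.txt here, nothing will trigger the revisit; consider a reason that states both facts (no upstream fix, minor for LTS) and relies on the issue 321 / PR 345 NOTE lines as the place to check for progress.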
@@ -45192,6 +45197,7 @@ CVE-2025-65431 (An issue was discovered in allauth-django before 65.13.0. Both O
 	NOTE: https://github.com/pennersr/django-allauth/commit/8feef46e0e07b25fc5594c8f268afa247ebc3412 (65.13.0)
 CVE-2025-65430 (An issue was discovered in allauth-django before 65.13.0. IdP: marking ...)
 	- django-allauth 65.15.0-1 (bug #1123085)
+	[bullseye] - django-allauth <postponed> (Fix along with next DLA)
 	NOTE: https://allauth.org/news/2025/10/django-allauth-65.13.0-released/
 CVE-2025-65213 (MooreThreads torch_musa through all versions contains an unsafe deseri ...)
 	NOT-FOR-US: MooreThreads torch_musa
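Review bot: same problem as the ccextractor entry: "Fix along with next DLA" on the new `[bullseye] - django-allauth <postponed>` line points at a DLA that this very push stops planning by removing django-allauth from data/dla-needed.txt. The other django-allauth line added here, CVE-2026-27982, uses "Minor issue, open redirect"; use a reason of that form so the bullseye status reads correctly on its own. Also worth checking that the adjacent CVE-2025-65431, fixed in the same upstream release 65.13.0 per its NOTE, carries a matching bullseye marker; its distribution lines fall outside this hunk.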


=====================================
data/dla-needed.txt
=====================================
@@ -62,16 +62,10 @@ ca-certificates
 calibre (Abhijith PA)
   NOTE: 20260222: Added by Front-Desk (rouca)
 --
-ccextractor
-  NOTE: 20260216: Added by Front-Desk (rouca)
---
 ckeditor
   NOTE: 20241002: Added by Front-Desk (Beuc)
   NOTE: 20241002: Multiple CVEs have been piling up (Beuc/front-desk)
 --
-django-allauth
-  NOTE: 20260216: Added by Front-Desk (rouca)
---
 docker.io
   NOTE: 20250805: Added by Front-Desk (rouca)
 --
@@ -296,12 +290,6 @@ netty (rouca)
   NOTE: 20251127: all CVEs fixed under sid (rouca)
   NOTE: 20260114: fix remaining CVE wait DSA (rouca)
 --
-node-bn.js
-  NOTE: 20260222: Added by Front-Desk (rouca)
---
-node-elliptic
-  NOTE: 20260216: Added by Front-Desk (rouca)
---
 node-lodash (utkarsh)
   NOTE: 20260131: Added by Front-Desk (Beuc)
   NOTE: 20260201: this package is pure madness - 290 vendored sources and origtars. :)
@@ -463,9 +451,6 @@ trafficserver
   NOTE: 20250403: There are multiple new CVEs. But none of them is addresses in Sid and maintainers didn't reply to me last time (dleidert)
   NOTE: 20250405: DSA 5896-1 is out (Beuc/front-desk)
 --
-universal-ctags
-  NOTE: 20260219: Added by Front-Desk (rouca)
---
 vim (paride)
   NOTE: 20260217: Added by Front-Desk (rouca)
   NOTE: 20260228: I enabled the salsa pipeline, there are (previously undetected)
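Review bot: universal-ctags is dropped here on the basis of "1 unimportant issue", but this push touches no universal-ctags entry in data/CVE/list (the CVE/list hunks only cover django-allauth, ccextractor, node-bn.js and node-elliptic), so the status that justifies the removal is not visible in the diff. Confirm the corresponding CVE entry already carries an `<unimportant>` marker for bullseye, or add one, so the two files agree.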



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5ab4cc6cdef4fb3cf3eb72e59eae3678e87139a4...6613b276ae51fb03ca5c1052bf0ea8f0d5d040a6
