[Git][security-tracker-team/security-tracker][master] add nodejs commit references

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sun Mar 29 14:41:20 BST 2026 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e126fc5d by Moritz Muehlenhoff at 2026-03-29T15:38:15+02:00
add nodejs commit references

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3077,18 +3077,23 @@ CVE-2026-3836
 CVE-2026-21717
 	- nodejs 22.22.2+dfsg+~cs22.19.15-1
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#hashdos-in-v8-cve-2026-21717---medium
+	NOTE: Fixed by: https://github.com/nodejs/node/commit/af5c144ebcf9814ef5dc74555bbdcd2a4cb20a12 (v20.20.2)
 CVE-2026-21716
 	- nodejs 22.22.2+dfsg+~cs22.19.15-1
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#cve-2024-36137-patch-bypass---filehandlechmodchown-cve-2026-21716---low
+	NOTE: Fixed by: https://github.com/nodejs/node/commit/012330956669e06864a674917de352d2d69ff51c (v20.20.2)
 CVE-2026-21715
 	- nodejs 22.22.2+dfsg+~cs22.19.15-1
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#permission-model-bypass-in-realpathsyncnative-allows-file-existence-disclosure-cve-2026-21715---low
+	NOTE: Fixed by: https://github.com/nodejs/node/commit/00830712bc623ba04b08856462a56b79e29f5cc3 (v20.20.2)
 CVE-2026-21714
 	- nodejs 22.22.2+dfsg+~cs22.19.15-1
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#memory-leak-in-nodejs-http2-server-via-window_update-on-stream-0-leads-to-resource-exhaustion-cve-2026-21714---medium
+	NOTE: Fixed by: https://github.com/nodejs/node/commit/a0c73425da4c95fbcf6c13b7fe8921301290b8e6 (v20.20.2)
 CVE-2026-21713
 	- nodejs 22.22.2+dfsg+~cs22.19.15-1
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#timing-side-channel-in-hmac-verification-via-memcmp-in-crypto_hmaccc-leads-to-potential-mac-forgery-cve-2026-21713---medium
+	NOTE: Fixed by: https://github.com/nodejs/node/commit/cfb51fa9ce1da2a8c810ec35bcc7c000f8c94faf (v20.20.2)
 CVE-2026-21712
 	- nodejs <not-affected> (Vulnerable code not present)
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#assertion-error-in-node_urlcc-via-malformed-url-format-leads-to-nodejs-crash-cve-2026-21712---medium
@@ -3098,6 +3103,7 @@ CVE-2026-21711
 CVE-2026-21710
 	- nodejs 22.22.2+dfsg+~cs22.19.15-1
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#denial-of-service-via-__proto__-header-name-in-reqheadersdistinct-uncaught-typeerror-crashes-nodejs-process-cve-2026-21710---high
+	NOTE: Fixed by: https://github.com/nodejs/node/commit/00ad47a28eb2e3dc0ff5610d58c53341acf3cf8d (v20.20.2)
 CVE-2026-31788 (In the Linux kernel, the following vulnerability has been resolved:  x ...)
 	- linux 6.19.10-1
 	NOTE: https://xenbits.xen.org/xsa/advisory-482.html
@@ -32995,6 +33001,7 @@ CVE-2026-21637 (A flaw in Node.js TLS error handling allows remote attackers to
 	NOTE: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases#tls-pskalpn-callback-exceptions-bypass-error-handlers-causing-dos-and-fd-leak-cve-2026-21637---medium
 	NOTE: Fixed by: https://github.com/nodejs/node/commit/85f73e7057e9badf6e7713f7440769375cdb5df5 (v20.20.0)
 	NOTE: Fix was incomplete (but did not got a new CVE for the incomplete fix, original fix in unstable
+	NOTE: Followup fix: https://github.com/nodejs/node/commit/cc3f294507c715908b2b31a5301e295b3de04152 (v20.20.2)
 	NOTE: via nodejs/22.22.0+dfsg+~cs22.19.6-1 and DSA-6166-1)
 	NOTE: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#incomplete-fix-for-cve-2026-21637-loadsni-in-_tls_wrapjs-lacks-trycatch-leading-to-remote-dos-cve-2026-21637---high
 CVE-2026-21636 (A flaw in Node.js's permission model allows Unix Domain Socket (UDS) c ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e126fc5dfeae6b8546e74db031514f9aa9a5857c

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e126fc5dfeae6b8546e74db031514f9aa9a5857c
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260329/838b8143/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list