[Git][security-tracker-team/security-tracker][master] Add initial tracking for some openexr CVEs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu May 7 09:09:18 BST 2026 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ef0a5883 by Salvatore Bonaccorso at 2026-05-07T10:08:23+02:00
Add initial tracking for some openexr CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -102,9 +102,13 @@ CVE-2026-43576 (OpenClaw before 2026.4.5 contains a server-side request forgery
 CVE-2026-43575 (OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication ...)
 	NOT-FOR-US: OpenClaw
 CVE-2026-42217 (OpenEXR provides the specification and reference implementation of the ...)
-	TODO: check
+	- openexr <unfixed>
+	NOTE: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3c67-4wwp-w52m
+	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/2378
+	NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/21eaa33bcbbb0c83a5fc42f6b6d65b70a996e63c
 CVE-2026-42216 (OpenEXR provides the specification and reference implementation of the ...)
-	TODO: check
+	- openexr <unfixed>
+	NOTE: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-65j8-95g9-jgj4
 CVE-2026-42194 (Admidio is an open-source user management solution. Prior to version 5 ...)
 	NOT-FOR-US: Admidio
 CVE-2026-41891 (CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production ...)
@@ -170,7 +174,10 @@ CVE-2026-41201 (CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a prod
 CVE-2026-41143 (YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWi ...)
 	NOT-FOR-US: YesWiki
 CVE-2026-41142 (OpenEXR provides the specification and reference implementation of the ...)
-	TODO: check
+	- openexr <unfixed>
+	NOTE: https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-m25w-72cj-q6mg
+	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/2367
+	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/0592ee539f33c122c90f09238579b902d838afb4
 CVE-2026-41139 (Math.js is an extensive math library for JavaScript and Node.js. From  ...)
 	TODO: check
 CVE-2026-41004 (When enabling trace logging in Spring Cloud Config Server sensitive in ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef0a58832f458d4ab837c1284f2ad9b53e34bc92

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef0a58832f458d4ab837c1284f2ad9b53e34bc92
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260507/c803e8f8/attachment.htm>

More information about the debian-security-tracker-commits mailing list