Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
73c14599 by Moritz Muehlenhoff at 2026-06-19T14:26:26+02:00
nodejs commit references
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -152,33 +152,42 @@ CVE-2026-55766
CVE-2026-48931
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#http-response-queue-poisoning-via-toctou-race-condition-in-httpagent-cve-2026-48931---low
+ NOTE:
https://github.com/nodejs/node/commit/0a22d40180cb796e0d68e94c1a7a8a05a8f47c10
(v22.23.0)
CVE-2026-48936
- nodejs <not-affected> (Only affects Node.js v26)
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#unix-domain-socket-server-bypasses---permission-network-restrictions-incomplete-cve-2026-21636-fix-cve-2026-48936---low
CVE-2026-48935
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#permission-model-bypass-via-filehandleutimes-in-the-promises-api-cve-2026-48935---low
+ NOTE:
https://github.com/nodejs/node/commit/28dcd388644c676b5b8149abfe18ec32cd010781
(v22.23.0)
CVE-2026-48934
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#tls-host-identity-verification-bypass-via-session-reuse-with-different-servername-leads-to-unauthorized-connections-cve-2026-48934---medium
+ NOTE:
https://github.com/nodejs/node/commit/fd890ba01d508ac111bbba302981d7fdf734d2ce
(v22.23.0)
CVE-2026-48930
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#embedded-nul-hostnames-can-lead-to-silent-authority-rebinding-due-to-c-string-truncation-in-resolver-bindings-cve-2026-48930---medium
+ NOTE:
https://github.com/nodejs/node/commit/c551a51d0c58dfc91961fb3f24c2c86af6183eca
(v22.23.0)
CVE-2026-48928
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#uppercase-sni-context-matching-can-lead-to-mtls-authorization-bypass-due-to-case-sensitive-hostname-matching-cve-2026-48928---medium
+ NOTE:
https://github.com/nodejs/node/commit/39d1d0968471a144d93dc293d640008f57d3c58e
(v22.23.0)
CVE-2026-48619
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#unbounded-memory-growth-in-nodehttp2-clients-via-attacker-controlled-origin-frames-cve-2026-48619---medium
+ NOTE:
https://github.com/nodejs/node/commit/c79968e108002c2394bdb9e9cefb2c8c8cc202f8
(v22.23.0)
CVE-2026-48615
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#proxy-credentials-leaked-in-err_proxy_tunnel-error-message-cve-2026-48615---medium
+ NOTE:
https://github.com/nodejs/node/commit/9b6af26132f6e87659ce360e6a59f42a03ff1701
(v22.23.0)
CVE-2026-48618
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#nodejs-unicode-dot-separator-handling-can-lead-to-tls-wildcard-depth-authentication-bypass-due-to-resolver-and-verifier-hostname-normalization-mismat-cve-2026-48618---high
+ NOTE:
https://github.com/nodejs/node/commit/2197a47144f3356ab451c5dcd858a49eb5957a70
(v22.23.0)
CVE-2026-48933
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#nodejs-webcrypto-aes-integer-overflow-leads-to-remote-process-abort-dos-cve-2026-48933---high
+ NOTE:
https://github.com/nodejs/node/commit/38b4c5ed51b2ec81c28fbd379fea72e22fa12a15
(v22.23.0)
CVE-2026-9815 (The MagicForm WordPress plugin through 0.1.3 does not properly
validat ...)
NOT-FOR-US: WordPress plugin
CVE-2026-9158 (In Eclipse 4diac FORTE versions 3.0.0 to 3.1.0, a specially
crafted DE ...)
@@ -273,6 +282,7 @@ CVE-2026-48937 (A flaw in Node.js HTTP/2 server API can
cause servers to keep ac
CVE-2026-48617 (A flaw in Node.js Permission Model enforcement allows Bypass
via `proc ...)
- nodejs 24.17.0+dfsg+~cs24.13.2-1
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#permission-model-bypass-via-processreportwritereport-path-misvalidation-cve-2026-48617---low
+ NOTE:
https://github.com/nodejs/node/commit/2f62693801a12bc8a485b3b7da3239ac522f607d
(v22.23.0)
CVE-2026-47833 (setupBpmLogs follows symlink for bpm.log open and chown \u2014
contain ...)
NOT-FOR-US: setupBpmLogs
CVE-2026-46580 (In Eclipse Theia versions prior to 1.71.0, files matching the
pattern ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73c14599f319dbc015b5067bc7c394027f34d180
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73c14599f319dbc015b5067bc7c394027f34d180
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
