- Package: release.debian.org
- Source: release.debian.org
- Submitter: Salvatore Bonaccorso
- Date: 2026-06-27 14:37:09 UTC
- Severity: normal
- Tags:
Hi

[ Reason ]
libnet-cidr-lite-perl is vulnerable to CVE-2026-45190 and CVE-2026-45191, which do not warrant a DSA. While I'm not authorized to judge a no-DLA for bookworm, given the bookworm point release is around the corner and I still want to contribute this update, I'm submitting it for the last point release.

[ Impact ]
Debian bookworm would remain open to both CVEs.

[ Tests ]
Both fixes contain upstream updated testsuite to cover the issues. Additionally debusine runs at: https://debusine.debian.net/debian/developers/work-request/895603/

[ Risks ]
Patches are applied from upstream and are targeted for the two issues.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Reject Unicode digits and trailing newlines in parsers (for CVE-2026-45190) and reject zero-padded CIDR masks (for CVE-2026-45191). Add test cases for both.

[ Other info ]
None

Regards,
Salvatore
package release.debian.org
tags 1140834 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: libnet-cidr-lite-perl
Version: 0.22-3~deb12u2

Explanation: fix IP/CIDR parser validation: reject non-ASCII digits and trailing newlines [CVE-2026-55190]; reject zero-padded CIDR masks [CVE-2026-45191]
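An added illustration, not part of this bug report and not the upstream patch: the Perl sketch below runs the three input classes named in [ Changes ] (Unicode digits, a trailing newline, a zero-padded mask) through a lax pattern and a strict validator. The names `lax_ok` and `strict_ok` are hypothetical, only IPv4 is covered, and rejecting zero-padded octets is an assumption of this example.

```perl
#!/usr/bin/perl
# Added example: hypothetical validators, not code from Net::CIDR::Lite.
use strict;
use warnings;

# Lax pattern: on character strings \d matches any Unicode decimal digit,
# and $ also matches just before a single trailing newline.
sub lax_ok {
    my ($cidr) = @_;
    return $cidr =~ m!^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$! ? 1 : 0;
}

# Strict validator: ASCII digits only, \A and \z anchor at the real start
# and end of the string, the mask has no leading zero and is at most 32.
sub strict_ok {
    my ($cidr) = @_;
    my ($addr, $mask) = $cidr =~ m!\A([0-9.]+)/(0|[1-9][0-9]?)\z!
        or return 0;
    return 0 if $mask > 32;

    # Limit -1 keeps trailing empty fields, so "10.0.0./8" is rejected.
    my @octets = split /\./, $addr, -1;
    return 0 unless @octets == 4;
    for my $o (@octets) {
        # Assumption of this example: octets may not be zero-padded either.
        return 0 unless $o =~ /\A(?:0|[1-9][0-9]{0,2})\z/ && $o <= 255;
    }
    return 1;
}

# Constructed sample inputs, one per input class plus a well-formed control.
my @samples = (
    [ 'well-formed'      => "10.0.0.0/8" ],
    [ 'unicode digit'    => "10.0.0.\x{0661}/8" ],   # ARABIC-INDIC DIGIT ONE
    [ 'trailing newline' => "10.0.0.0/8\n" ],
    [ 'zero-padded mask' => "10.0.0.0/08" ],
    [ 'mask out of range' => "10.0.0.0/33" ],
);

for my $s (@samples) {
    my ($label, $input) = @$s;
    printf "%-18s lax=%d strict=%d\n",
        $label, lax_ok($input), strict_ok($input);
}
```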