openexr -- multiple vulnerabilities

Cary Phillips reports:

[OpenEXR 3.4.9] addresses the following CVEs:

• CVE-2026-34589 DWA Lossy Decoder Heap Out-of-Bounds Write
• CVE-2026-34588 Signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
• CVE-2026-34380 Signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression
• CVE-2026-34379 Misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)
• CVE-2026-34378 Signed integer overflow in generic_unpack() when parsing EXR files with crafted negative dataWindow.min.x

[source]