[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Apr 10 16:22:11 BST 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
10a900d6 by Moritz Muehlenhoff at 2023-04-10T17:21:32+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3098,6 +3098,8 @@ CVE-2023-29142
 	RESERVED
 CVE-2023-29141 (An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1. ...)
 	- mediawiki <unfixed>
+	[bookworm] - mediawiki <no-dsa> (Minor issue)
+	[bullseye] - mediawiki <no-dsa> (Minor issue)
 	NOTE: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_39/RELEASE-NOTES-1.39
 	NOTE: https://phabricator.wikimedia.org/T285159
 CVE-2023-29140 (An issue was discovered in the GrowthExperiments extension for MediaWi ...)
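Review bot: the two new `<no-dsa> (Minor issue)` lines carry no NOTE explaining why the issue is minor for bookworm and bullseye, while the entry's `- mediawiki <unfixed>` line shows nothing is fixed anywhere yet; a short NOTE with the upstream fixing release (the linked REL1_39 notes and T285159 would supply it) would let a later triager see which suite versions are affected. Also worth deciding whether buster needs a marker too, since the other entries touched in this change carry `[buster]` lines where applicable.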
@@ -17063,6 +17065,7 @@ CVE-2023-0467 (The WP Dark Mode WordPress plugin before 4.0.8 does not properly
 	NOT-FOR-US: WordPress plugin
 CVE-2023-0466 (The function X509_VERIFY_PARAM_add0_policy() is documented to implicit ...)
 	- openssl <unfixed>
+	[bookworm] - openssl <no-dsa> (Minor issue)
 	[bullseye] - openssl <no-dsa> (Minor issue)
 	[buster] - openssl <no-dsa> (Minor issue)
 	NOTE: https://www.openssl.org/news/secadv/20230328.txt
@@ -17070,6 +17073,7 @@ CVE-2023-0466 (The function X509_VERIFY_PARAM_add0_policy() is documented to imp
 	NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a (OpenSSL_1_1_1-stable)
 CVE-2023-0465 (Applications that use a non-default option when verifying certificates ...)
 	- openssl <unfixed>
+	[bookworm] - openssl <no-dsa> (Minor issue)
 	[bullseye] - openssl <no-dsa> (Minor issue)
 	[buster] - openssl <no-dsa> (Minor issue)
 	NOTE: https://www.openssl.org/news/secadv/20230328.txt
@@ -17077,6 +17081,7 @@ CVE-2023-0465 (Applications that use a non-default option when verifying certifi
 	NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b013765abfa80036dc779dd0e50602c57bb3bf95 (OpenSSL_1_1_1-stable)
 CVE-2023-0464 (A security vulnerability has been identified in all supported versions ...)
 	- openssl <unfixed>
+	[bookworm] - openssl <no-dsa> (Minor issue)
 	[bullseye] - openssl <no-dsa> (Minor issue)
 	[buster] - openssl <no-dsa> (Minor issue)
 	NOTE: https://www.openssl.org/news/secadv/20230322.txt
@@ -84938,6 +84943,7 @@ CVE-2022-28043
 CVE-2022-28042 (stb_image.h v2.27 was discovered to contain an heap-based use-after-fr ...)
 	{DLA-3305-1}
 	- libstb <unfixed> (bug #1014531)
+	[bookworm] - libstb <no-dsa> (Minor issue)
 	[bullseye] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/1289
 	NOTE: https://github.com/nothings/stb/pull/1297
@@ -84948,6 +84954,7 @@ CVE-2022-28042 (stb_image.h v2.27 was discovered to contain an heap-based use-af
 CVE-2022-28041 (stb_image.h v2.27 was discovered to contain an integer overflow via th ...)
 	{DLA-3305-1}
 	- libstb <unfixed> (bug #1014531)
+	[bookworm] - libstb <no-dsa> (Minor issue)
 	[bullseye] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/1292
 	NOTE: https://github.com/nothings/stb/pull/1297
@@ -116734,6 +116741,7 @@ CVE-2021-42717 (ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON
 	NOTE: Fixed by: https://github.com/SpiderLabs/ModSecurity/commit/ac79c1c29b7e6323e26cc984ad4f76ef62c731cd (v3.0.6)
 CVE-2021-42716 (An issue was discovered in stb stb_image.h 2.27. The PNM loader incorr ...)
 	- libstb <unfixed> (bug #1014532)
+	[bookworm] - libstb <no-dsa> (Minor issue)
 	[bullseye] - libstb <not-affected> (Vulnerable code introduced later)
 	[buster] - libstb <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/nothings/stb/issues/1166
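Review bot: the added `[bookworm] - libstb <no-dsa>` line sits next to `[bullseye]` and `[buster]` entries that are `<not-affected> (Vulnerable code introduced later)`, so the marker asserts that bookworm's libstb does contain the later-introduced PNM loader code; worth confirming against the bookworm version before merging, and recording the introducing upstream version in a NOTE so the asymmetry between suites is self-explanatory.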
@@ -116744,6 +116752,7 @@ CVE-2021-42716 (An issue was discovered in stb stb_image.h 2.27. The PNM loader
 CVE-2021-42715 (An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR  ...)
 	{DLA-3305-1}
 	- libstb <unfixed> (bug #1014532)
+	[bookworm] - libstb <no-dsa> (Minor issue)
 	[bullseye] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/1224
 	NOTE: https://github.com/nothings/stb/pull/1223
@@ -133848,6 +133857,7 @@ CVE-2021-36490
 	RESERVED
 CVE-2021-36489 (Buffer Overflow vulnerability in Allegro through 5.2.6 allows attacker ...)
 	- allegro4.4 <unfixed> (bug #1032670)
+	[bookworm] - allegro4.4 <no-dsa> (Minor issue)
 	[bullseye] - allegro4.4 <no-dsa> (Minor issue)
 	[buster] - allegro4.4 <no-dsa> (Minor issue)
 	- allegro5 2:5.2.8.0-1
@@ -161495,6 +161505,7 @@ CVE-2021-25744
 	RESERVED
 CVE-2021-25743 (kubectl does not neutralize escape, meta or control sequences containe ...)
 	- kubernetes <unfixed> (bug #1016441)
+	[bookworm] - kubernetes <no-dsa> (Minor issue)
 	[bullseye] - kubernetes <no-dsa> (Minor issue)
 	NOTE: https://github.com/kubernetes/kubernetes/issues/101695
 CVE-2021-25742 (A security issue was discovered in ingress-nginx where a user that can ...)
@@ -161522,11 +161533,10 @@ CVE-2021-25736
 	RESERVED
 	- kubernetes <not-affected> (Windows-specific)
 CVE-2021-25735 (A security issue was discovered in kube-apiserver that could allow nod ...)
-	- kubernetes <unfixed> (bug #990793)
-	[bullseye] - kubernetes <not-affected> (Kubernetes in Bullseye only ships the client)
+	- kubernetes 1.20.5+really1.20.2-1 (bug #990793)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/04/14/1
 	NOTE: https://github.com/kubernetes/kubernetes/issues/100096
-	NOTE: Server components no longer built since 1.20.5+really1.20.2-1
+	NOTE: Server components no longer built since 1.20.5+really1.20.2-1, marking that as fixed
 CVE-2021-25734
 	RESERVED
 CVE-2021-25733
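Review bot: replacing `<unfixed>` with the fixed version `1.20.5+really1.20.2-1` and dropping the `[bullseye] - kubernetes <not-affected>` line is only equivalent if bullseye ships a kubernetes version at or above 1.20.5+really1.20.2-1; the removed rationale ("only ships the client") and the updated NOTE say the same thing, so this looks right, but the entry no longer states the bullseye version explicitly, so please double-check it. The updated NOTE also reads "marking that as fixed" while the unchanged CVE-2020-8561 entry further down reads "marking that as fixed version"; pick one phrasing.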
@@ -235783,10 +235793,9 @@ CVE-2020-8563 (In Kubernetes clusters using VSphere as a cloud provider, with a
 	NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk
 	NOTE: https://github.com/kubernetes/kubernetes/issues/95621
 CVE-2020-8562 (As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes att ...)
-	- kubernetes <unfixed> (bug #990793)
-	[bullseye] - kubernetes <not-affected> (Kubernetes in Bullseye only ships the client)
+	- kubernetes 1.20.5+really1.20.2-1 (bug #990793)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/8
-	NOTE: Server components no longer built since 1.20.5+really1.20.2-1
+	NOTE: Server components no longer built since 1.20.5+really1.20.2-1, marking that as fixed
 CVE-2020-8561 (A security issue was discovered in Kubernetes where actors that contro ...)
 	- kubernetes 1.20.5+really1.20.2-1
 	NOTE: Server components no longer built since 1.20.5+really1.20.2-1, marking that as fixed version
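Review bot: same caveat as for CVE-2021-25735: dropping the `[bullseye] ... <not-affected>` line relies on bullseye's version being at or above `1.20.5+really1.20.2-1`. The new NOTE wording ("marking that as fixed") also differs from the unchanged CVE-2020-8561 line directly below it ("marking that as fixed version"); aligning the three notes keeps the entries greppable.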



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10a900d66c65b87a870a1a2878a32700b7ec3a72

-- 
You're receiving this email because of your account on salsa.debian.org.

