[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Aug 11 22:03:55 BST 2023 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8e9524f3 by Moritz Muehlenhoff at 2023-08-11T23:03:29+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -252,6 +252,8 @@ CVE-2023-37625 (A stored cross-site scripting (XSS) vulnerability in Netbox v3.4
 	- netbox <itp> (bug #1017079)
 CVE-2023-37543 (Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for  ...)
 	- cacti <unfixed>
+	[bookworm] - cacti <no-dsa> (Minor issue)
+	[bullseye] - cacti <no-dsa> (Minor issue)
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-4x82-8w8m-w8hj
 	NOTE: https://medium.com/%40hussainfathy99/exciting-news-my-first-cve-discovery-cve-2023-37543-idor-vulnerability-in-cacti-bbb6c386afed
 	TODO: check details once GHSA-4x82-8w8m-w8hj accessible, 1.2.6 does not seem correct, reporter claims 1.2.25 wich is not released
@@ -1430,6 +1432,8 @@ CVE-2023-3329 (SpiderControl SCADA Webserver versions 2.08 and prior are vulnera
 	NOT-FOR-US: SpiderControl SCADA Webserver
 CVE-2023-3180 (A flaw was found in the QEMU virtual crypto device while handling data ...)
 	- qemu 1:8.0.4+dfsg-1
+	[bookworm] - qemu <no-dsa> (Minor issue)
+	[bullseye] - qemu <no-dsa> (Minor issue)
 	NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/04b9b37edda85964cca033a48dcc0298036782f2 (v2.8.0-rc0)
 	NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980 (master)
 	NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f (v8.0.4)
@@ -1722,6 +1726,8 @@ CVE-2023-3364 (An issue has been discovered in GitLab CE/EE affecting all versio
 	- gitlab <unfixed>
 CVE-2023-3301 [net: triggerable assertion due to race condition in hot-unplug]
 	- qemu 1:8.0.3+dfsg-1
+	[bookworm] - qemu <no-dsa> (Minor issue)
+	[bullseye] - qemu <no-dsa> (Minor issue)
 	[buster] - qemu <not-affected> (vhost-vdpa introduced in v5.1)
 	NOTE: https://github.com/qemu/qemu/commit/a0d7215e339b61c7d7a7b3fcf754954d80d93eb8 (v8.1.0-rc0)
 	NOTE: https://github.com/qemu/qemu/commit/aab37b2002811f112d5c26337473486d7d585881 (v8.0.3)
@@ -3209,6 +3215,8 @@ CVE-2023-37889 (Cross-Site Request Forgery (CSRF) vulnerability in WPAdmin WPAdm
 	NOT-FOR-US: WordPress plugin
 CVE-2023-37788 (goproxy v1.1 was discovered to contain an issue which can lead to a De ...)
 	- golang-github-elazarl-goproxy <unfixed> (bug #1042474)
+	[bookworm] - golang-github-elazarl-goproxy <no-dsa> (Minor issue)
+	[bullseye] - golang-github-elazarl-goproxy <no-dsa> (Minor issue)
 	NOTE: https://github.com/elazarl/goproxy/issues/502
 CVE-2023-37758 (D-LINK DIR-815 v1.01 was discovered to contain a buffer overflow via t ...)
 	NOT-FOR-US: D-LINK
@@ -17013,6 +17021,7 @@ CVE-2023-29409 (Extremely large RSA keys in certificate chains can cause a clien
 	- golang-1.20 1.20.7-1
 	- golang-1.19 1.19.12-1
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI
@@ -17031,6 +17040,7 @@ CVE-2023-29406 (The HTTP/1 client does not fully validate the contents of the Ho
 	- golang-1.19 1.19.11-1
 	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
@@ -27388,6 +27398,7 @@ CVE-2023-26082
 CVE-2023-26081 (In Epiphany (aka GNOME Web) through 43.0, untrusted web content can tr ...)
 	{DLA-3423-1}
 	- epiphany-browser 43.1-1 (bug #1031727)
+	[bullseye] - epiphany-browser <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275
 	NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd
 	NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/commit/b8f34863485095bc59b97a6c250ed5e976d39dd4 (43.1)


=====================================
data/dsa-needed.txt
=====================================
@@ -19,6 +19,8 @@ cinder/oldstable
 frr (aron)
   maintainer proposed to update to 8.4.4 for bookworm, which might be a good idea
 --
+gst-plugins-ugly1.0 (jmm)
+--
 librsvg
 --
 linux (carnil)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e9524f390a2359ca74dacd7faaad6bc74ec533c

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e9524f390a2359ca74dacd7faaad6bc74ec533c
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230811/52839e9d/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list