[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Aug 25 10:39:01 BST 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9625bc10 by Moritz Muehlenhoff at 2023-08-25T11:33:30+02:00
bullseye/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -79,14 +79,20 @@ CVE-2023-XXXX [tryton-server lack of record validation]
NOTE: https://discuss.tryton.org/t/security-release-for-issue-12428
CVE-2023-4513 (BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to ...)
- wireshark 4.0.8-1
+ [bookworm] - wireshark <no-dsa> (Minor issue)
+ [bullseye] - wireshark <no-dsa> (Minor issue)
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19259
NOTE: https://www.wireshark.org/security/wnpa-sec-2023-25.html
CVE-2023-4512 (CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of serv ...)
- wireshark 4.0.8-1
+ [bookworm] - wireshark <no-dsa> (Minor issue)
+ [bullseye] - wireshark <no-dsa> (Minor issue)
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19144
NOTE: https://www.wireshark.org/security/wnpa-sec-2023-23.html
CVE-2023-4511 (BT SDP dissector infinite loop in Wireshark 4.0.0 to 4.0.7 and 3.6.0 t ...)
- wireshark 4.0.8-1
+ [bookworm] - wireshark <no-dsa> (Minor issue)
+ [bullseye] - wireshark <no-dsa> (Minor issue)
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19258
NOTE: https://www.wireshark.org/security/wnpa-sec-2023-24.html
CVE-2023-4230 (A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4 ...)
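Review bot: the `<no-dsa>` lines for bullseye in this hunk do not record whether bullseye's wireshark is in the affected range at all; the description of CVE-2023-4512 limits it to "4.0.0 to 4.0.6", so if bullseye ships a 3.x release the entry should read `[bullseye] - wireshark <not-affected> (Vulnerable code not present)` or similar rather than `<no-dsa> (Minor issue)`. CVE-2023-4511 and CVE-2023-4513 name the 3.6.x series as well, so the version check differs per CVE and is worth stating in the reason text.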
@@ -1715,6 +1721,7 @@ CVE-2023-32560 (An attacker can send a specially crafted message to the Wavelink
NOT-FOR-US: Ivanti
CVE-2023-39418 (A vulnerability was found in PostgreSQL with the use of the MERGE comm ...)
- postgresql-15 15.4-1
+ [bookworm] - postgresql-15 <postponed> (Minor issue, fix along with next round of updates)
- postgresql-13 <not-affected> (Only affects 15.x)
- postgresql-11 <not-affected> (Only affects 15.x)
NOTE: https://www.postgresql.org/support/security/CVE-2023-39418/
@@ -1722,7 +1729,9 @@ CVE-2023-39418 (A vulnerability was found in PostgreSQL with the use of the MERG
NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cb2ae5741f2458a474ed3c31458d242e678ff229 (REL_15_4)
CVE-2023-39417 (IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in Po ...)
- postgresql-15 15.4-1
+ [bookworm] - postgresql-15 <postponed> (Minor issue, fix along with next round of updates)
- postgresql-13 <removed>
+ [bullseye] - postgresql-13 <postponed> (Minor issue, fix along with next round of updates)
- postgresql-11 <removed>
NOTE: https://www.postgresql.org/support/security/CVE-2023-39417/
NOTE: https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/
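Review bot: the new `[bullseye] - postgresql-13 <postponed>` line gives no target version for the deferred fix; the release announcement already referenced in the NOTE below it names 13.12 as the corresponding release, so recording that in the reason text, e.g. `(Minor issue, fix along with next round of updates, 13.12)`, would save whoever picks up the bullseye update from re-deriving it. The postgresql-15 line for bookworm would benefit from the same treatment with 15.4.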
@@ -50311,6 +50320,8 @@ CVE-2022-45583
RESERVED
CVE-2022-45582 (Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 thru 20.1. ...)
- horizon 3:23.1.0-3
+ [bookworm] - horizon <no-dsa> (Minor issue)
+ [bullseye] - horizon <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/horizon/+bug/1982676
NOTE: https://opendev.org/openstack/horizon/commit/beed6bf6f6f83df9972db5fb539d64175ce12ce9 (19.4.0)
NOTE: https://opendev.org/openstack/horizon/commit/2f600272bfffb3024e6f06a369f9b4768dd1a0b0 (20.1.4)
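Review bot: the two `<no-dsa>` lines do not state which horizon versions bookworm and bullseye ship, while the fix notes below point at two different upstream tags (19.4.0 and 20.1.4) and the description gives the affected range as "19.4.0 thru 20.1.x". If either suite already carries one of those tags the right annotation is `<not-affected>` with a reason, so the version comparison should be recorded in the reason text instead of a bare "Minor issue".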
@@ -65091,6 +65102,7 @@ CVE-2022-41445 (A cross-site scripting (XSS) vulnerability in Record Management
NOT-FOR-US: Record Management System
CVE-2022-41444 (Cross Site Scripting (XSS) vulnerability in Cacti 1.2.21 via crafted P ...)
- cacti 1.2.22+ds1-1
+ [bullseye] - cacti <no-dsa> (Minor issue)
NOTE: https://gist.github.com/enferas/9079535112e4f4ff2c1d2ce1c099d4c2
NOTE: Fixed by: https://github.com/Cacti/cacti/commit/ccb8b62de0f27f59d5e6073c2ae577a9ca7adaf8 (release/1.2.22)
CVE-2022-41443 (phpipam v1.5.0 was discovered to contain a header injection vulnerabil ...)
@@ -142406,18 +142418,28 @@ CVE-2021-40267
RESERVED
CVE-2021-40266 (FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp is vul ...)
- freeimage <unfixed>
+ [bookworm] - freeimage <no-dsa> (Minor issue)
+ [bullseye] - freeimage <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/334/
CVE-2021-40265 (A heap overflow bug exists FreeImage before 1.18.0 via ofLoad function ...)
- freeimage <unfixed>
+ [bookworm] - freeimage <no-dsa> (Minor issue)
+ [bullseye] - freeimage <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/337/
CVE-2021-40264 (NULL pointer dereference vulnerability in FreeImage before 1.18.0 via ...)
- freeimage <unfixed>
+ [bookworm] - freeimage <no-dsa> (Minor issue)
+ [bullseye] - freeimage <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/335/
CVE-2021-40263 (A heap overflow vulnerability in FreeImage 1.18.0 via the ofLoad funct ...)
- freeimage <unfixed>
+ [bookworm] - freeimage <no-dsa> (Minor issue)
+ [bullseye] - freeimage <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/336/
CVE-2021-40262 (A stack exhaustion issue was discovered in FreeImage before 1.18.0 via ...)
- freeimage <unfixed>
+ [bookworm] - freeimage <no-dsa> (Minor issue)
+ [bullseye] - freeimage <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/338/
CVE-2021-40261 (Multiple Cross Site Scripting (XSS) vulnerabilities exist in SourceCod ...)
NOT-FOR-US: SourceCodester
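Review bot: all five freeimage entries stay `<unfixed>` in unstable while being marked `<no-dsa>` in both stable suites, so after this change nothing in the tracker still carries the fix forward. The descriptions are heap overflows, a NULL pointer dereference and a stack exhaustion in the image loading paths, which is the input surface that reverse dependencies expose to untrusted files; a `(Minor issue)` reason alone does not say why that is acceptable. Suggest either a bug reference for the unstable fix or a reason text that records the justification, e.g. that the issues are crash-only with the referenced upstream reports as the only analysis.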
@@ -157443,6 +157465,7 @@ CVE-2021-34194
RESERVED
CVE-2021-34193 (Stack overflow vulnerability in OpenSC smart card middleware before 0. ...)
- opensc 0.22.0-1
+ [bullseye] - opensc <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28185
NOTE: https://github.com/OpenSC/OpenSC/commit/f015746d22d249642c19674298a18ad824db0ed7 (0.22.0-rc1)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843
@@ -209004,9 +209027,10 @@ CVE-2020-26685
CVE-2020-26684
RESERVED
CVE-2020-26683 (A memory leak issue discovered in /pdf/pdf-font-add.c in Artifex Softw ...)
- - mupdf 1.19.0+ds1-1
+ - mupdf 1.19.0+ds1-1 (unimportant)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=702566
NOTE: https://git.ghostscript.com/?p=mupdf.git;h=05720b4ee3dbae57e65546dc2eecc3021c08eeea (1.18.0-rc1)
+ NOTE: Memory leak in CLI tool, no security impact
CVE-2020-26682 (In libass 0.14.0, the `ass_outline_construct`'s call to `outline_strok ...)
- libass 1:0.15.0-1 (bug #975108)
[buster] - libass <no-dsa> (Minor issue)
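Review bot: the justification for the `(unimportant)` tag is recorded in the added NOTE ("Memory leak in CLI tool, no security impact"), which is the right way to make this reviewable later. One detail to check: the upstream fix note cites 1.18.0-rc1 while the fixed-version line still says 1.19.0+ds1-1; if an earlier Debian upload of 1.18.x existed the fixed version should be lowered to it, otherwise the line is fine as is.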
@@ -213491,6 +213515,7 @@ CVE-2020-24905
RESERVED
CVE-2020-24904 (An issue was discovered in attach parameter in GNOME Gmail version 2.5 ...)
- gnome-gmail <removed>
+ [bullseye] - gnome-gmail <no-dsa> (Minor issue)
NOTE: https://github.com/davesteele/gnome-gmail/issues/84
TODO: check, might be an issue as well in src:viagee
CVE-2020-24903 (Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scri ...)
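Review bot: the `[bullseye] - gnome-gmail <no-dsa>` line is added while the existing `TODO: check, might be an issue as well in src:viagee` directly below it is still open, so the entry reads as triaged although the viagee question is not. Either resolve the TODO in the same commit (add a `- viagee` line with the appropriate state) or phrase the bullseye reason so that it is clear only gnome-gmail has been assessed.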
@@ -220172,6 +220197,7 @@ CVE-2020-21897
RESERVED
CVE-2020-21896 (A Use After Free vulnerability in svg_dev_text_span_as_paths_defs func ...)
- mupdf 1.19.0+ds1-1
+ [bullseye] - mupdf <no-dsa> (Minor issue)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701294
NOTE: https://git.ghostscript.com/?p=mupdf.git;h=8719e07834d6a72b6b4131539e49ed1e8e2ff79e
CVE-2020-21895
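Review bot: the upstream fix NOTE for CVE-2020-21896 carries no release tag, unlike the mupdf entry above it which records `(1.18.0-rc1)`; adding the tag that first contains commit 8719e078 would let the bullseye `<no-dsa>` decision be checked against the shipped version without opening the repository.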
=====================================
data/dsa-needed.txt
=====================================
@@ -14,10 +14,12 @@ If needed, specify the release by adding a slash after the name of the source pa
--
aom/oldstable (apo)
--
-chromium
+chromium (jmm)
--
cinder/oldstable
--
+flac/oldstable
+--
frr (aron)
maintainer proposed to update to 8.4.4 for bookworm, which might be a good idea
--
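Review bot: the new `flac/oldstable` entry carries neither a claimant nor a note, which matches `cinder/oldstable` above it and is allowed by the file format, but the `frr` entry shows the more useful form; a one-line note naming the CVE(s) driving the oldstable update would make the entry actionable for whoever claims it.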
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9625bc103ed629722072e1208a6675b2dea70300