[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Aug 25 10:39:01 BST 2023 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9625bc10 by Moritz Muehlenhoff at 2023-08-25T11:33:30+02:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -79,14 +79,20 @@ CVE-2023-XXXX [tryton-server lack of record validation]
 	NOTE: https://discuss.tryton.org/t/security-release-for-issue-12428
 CVE-2023-4513 (BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to  ...)
 	- wireshark 4.0.8-1
+	[bookworm] - wireshark <no-dsa> (Minor issue)
+	[bullseye] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19259
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2023-25.html
 CVE-2023-4512 (CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of serv ...)
 	- wireshark 4.0.8-1
+	[bookworm] - wireshark <no-dsa> (Minor issue)
+	[bullseye] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19144
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2023-23.html
 CVE-2023-4511 (BT SDP dissector infinite loop in Wireshark 4.0.0 to 4.0.7 and 3.6.0 t ...)
 	- wireshark 4.0.8-1
+	[bookworm] - wireshark <no-dsa> (Minor issue)
+	[bullseye] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19258
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2023-24.html
 CVE-2023-4230 (A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4 ...)
@@ -1715,6 +1721,7 @@ CVE-2023-32560 (An attacker can send a specially crafted message to the Wavelink
 	NOT-FOR-US: Ivanti
 CVE-2023-39418 (A vulnerability was found in PostgreSQL with the use of the MERGE comm ...)
 	- postgresql-15 15.4-1
+	[bookworm] - postgresql-15 <postponed> (Minor issue, fix along with next round of updates)
 	- postgresql-13 <not-affected> (Only affects 15.x)
 	- postgresql-11 <not-affected> (Only affects 15.x)
 	NOTE: https://www.postgresql.org/support/security/CVE-2023-39418/
@@ -1722,7 +1729,9 @@ CVE-2023-39418 (A vulnerability was found in PostgreSQL with the use of the MERG
 	NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cb2ae5741f2458a474ed3c31458d242e678ff229 (REL_15_4)
 CVE-2023-39417 (IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in Po ...)
 	- postgresql-15 15.4-1
+	[bookworm] - postgresql-15 <postponed> (Minor issue, fix along with next round of updates)
 	- postgresql-13 <removed>
+	[bullseye] - postgresql-13 <postponed> (Minor issue, fix along with next round of updates)
 	- postgresql-11 <removed>
 	NOTE: https://www.postgresql.org/support/security/CVE-2023-39417/
 	NOTE: https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/
@@ -50311,6 +50320,8 @@ CVE-2022-45583
 	RESERVED
 CVE-2022-45582 (Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 thru 20.1. ...)
 	- horizon 3:23.1.0-3
+	[bookworm] - horizon <no-dsa> (Minor issue)
+	[bullseye] - horizon <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/horizon/+bug/1982676
 	NOTE: https://opendev.org/openstack/horizon/commit/beed6bf6f6f83df9972db5fb539d64175ce12ce9 (19.4.0)
 	NOTE: https://opendev.org/openstack/horizon/commit/2f600272bfffb3024e6f06a369f9b4768dd1a0b0 (20.1.4)
@@ -65091,6 +65102,7 @@ CVE-2022-41445 (A cross-site scripting (XSS) vulnerability in Record Management
 	NOT-FOR-US: Record Management System
 CVE-2022-41444 (Cross Site Scripting (XSS) vulnerability in Cacti 1.2.21 via crafted P ...)
 	- cacti 1.2.22+ds1-1
+	[bullseye] - cacti <no-dsa> (Minor issue)
 	NOTE: https://gist.github.com/enferas/9079535112e4f4ff2c1d2ce1c099d4c2
 	NOTE: Fixed by: https://github.com/Cacti/cacti/commit/ccb8b62de0f27f59d5e6073c2ae577a9ca7adaf8 (release/1.2.22)
 CVE-2022-41443 (phpipam v1.5.0 was discovered to contain a header injection vulnerabil ...)
@@ -142406,18 +142418,28 @@ CVE-2021-40267
 	RESERVED
 CVE-2021-40266 (FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp is vul ...)
 	- freeimage <unfixed>
+	[bookworm] - freeimage <no-dsa> (Minor issue)
+	[bullseye] - freeimage <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/freeimage/bugs/334/
 CVE-2021-40265 (A heap overflow bug exists FreeImage before 1.18.0 via ofLoad function ...)
 	- freeimage <unfixed>
+	[bookworm] - freeimage <no-dsa> (Minor issue)
+	[bullseye] - freeimage <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/freeimage/bugs/337/
 CVE-2021-40264 (NULL pointer dereference vulnerability in FreeImage before 1.18.0 via  ...)
 	- freeimage <unfixed>
+	[bookworm] - freeimage <no-dsa> (Minor issue)
+	[bullseye] - freeimage <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/freeimage/bugs/335/
 CVE-2021-40263 (A heap overflow vulnerability in FreeImage 1.18.0 via the ofLoad funct ...)
 	- freeimage <unfixed>
+	[bookworm] - freeimage <no-dsa> (Minor issue)
+	[bullseye] - freeimage <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/freeimage/bugs/336/
 CVE-2021-40262 (A stack exhaustion issue was discovered in FreeImage before 1.18.0 via ...)
 	- freeimage <unfixed>
+	[bookworm] - freeimage <no-dsa> (Minor issue)
+	[bullseye] - freeimage <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/freeimage/bugs/338/
 CVE-2021-40261 (Multiple Cross Site Scripting (XSS) vulnerabilities exist in SourceCod ...)
 	NOT-FOR-US: SourceCodester
@@ -157443,6 +157465,7 @@ CVE-2021-34194
 	RESERVED
 CVE-2021-34193 (Stack overflow vulnerability in OpenSC smart card middleware before 0. ...)
 	- opensc 0.22.0-1
+	[bullseye] - opensc <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28185
 	NOTE: https://github.com/OpenSC/OpenSC/commit/f015746d22d249642c19674298a18ad824db0ed7 (0.22.0-rc1)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843
@@ -209004,9 +209027,10 @@ CVE-2020-26685
 CVE-2020-26684
 	RESERVED
 CVE-2020-26683 (A memory leak issue discovered in /pdf/pdf-font-add.c in Artifex Softw ...)
-	- mupdf 1.19.0+ds1-1
+	- mupdf 1.19.0+ds1-1 (unimportant)
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=702566
 	NOTE: https://git.ghostscript.com/?p=mupdf.git;h=05720b4ee3dbae57e65546dc2eecc3021c08eeea (1.18.0-rc1)
+	NOTE: Memory leak in CLI tool, no security impact
 CVE-2020-26682 (In libass 0.14.0, the `ass_outline_construct`'s call to `outline_strok ...)
 	- libass 1:0.15.0-1 (bug #975108)
 	[buster] - libass <no-dsa> (Minor issue)
@@ -213491,6 +213515,7 @@ CVE-2020-24905
 	RESERVED
 CVE-2020-24904 (An issue was discovered in attach parameter in GNOME Gmail version 2.5 ...)
 	- gnome-gmail <removed>
+	[bullseye] - gnome-gmail <no-dsa> (Minor issue)
 	NOTE: https://github.com/davesteele/gnome-gmail/issues/84
 	TODO: check, might be an issue as well in src:viagee
 CVE-2020-24903 (Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scri ...)
@@ -220172,6 +220197,7 @@ CVE-2020-21897
 	RESERVED
 CVE-2020-21896 (A Use After Free vulnerability in svg_dev_text_span_as_paths_defs func ...)
 	- mupdf 1.19.0+ds1-1
+	[bullseye] - mupdf <no-dsa> (Minor issue)
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701294
 	NOTE: https://git.ghostscript.com/?p=mupdf.git;h=8719e07834d6a72b6b4131539e49ed1e8e2ff79e
 CVE-2020-21895


=====================================
data/dsa-needed.txt
=====================================
@@ -14,10 +14,12 @@ If needed, specify the release by adding a slash after the name of the source pa
 --
 aom/oldstable (apo)
 --
-chromium
+chromium (jmm)
 --
 cinder/oldstable
 --
+flac/oldstable
+--
 frr (aron)
   maintainer proposed to update to 8.4.4 for bookworm, which might be a good idea
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9625bc103ed629722072e1208a6675b2dea70300

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9625bc103ed629722072e1208a6675b2dea70300
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230825/95234846/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list