[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Dec 15 15:54:09 GMT 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
420bed9d by Moritz Muehlenhoff at 2023-12-15T16:53:00+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -222,6 +222,8 @@ CVE-2023-47261 (Dokmee ECM 7.4.6 allows remote code execution because the respon
 	NOT-FOR-US: Dokmee ECM
 CVE-2023-46750 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability when ...)
 	- shiro <unfixed>
+	[bookworm] - shiro <no-dsa> (Minor issue)
+	[bullseye] - shiro <no-dsa> (Minor issue)
 	NOTE: https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9
 CVE-2023-46348 (SQL njection vulnerability in SunnyToo sturls before version 1.1.13, a ...)
 	NOT-FOR-US: PrestaShop module
@@ -298,32 +300,43 @@ CVE-2023-6680
 CVE-2023-6564
 	- gitlab <not-affected> (Specific to EE)
 CVE-2023-49347 (Temporary data passed between application components by Budgie Extras  ...)
-	- budgie-extras 1.7.1-1
+	- budgie-extras 1.7.1-1 (unimportant)
 	NOTE: https://bugs.launchpad.net/bugs/2044373
 	NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1
 	NOTE: https://github.com/UbuntuBudgie/budgie-extras/commit/588cbe6ffa72df904213d77728a3fd5bfae7195e (v1.7.1)
+	NOTE: Neutralised by kernel hardening
 CVE-2023-49346 (Temporary data passed between application components by Budgie Extras  ...)
 	- budgie-extras 1.7.1-1
+	[bookworm] - budgie-extras <no-dsa> (Minor issue)
+	[bullseye] - budgie-extras <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/bugs/2044373
 	NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1
 	NOTE: https://github.com/UbuntuBudgie/budgie-extras/commit/0092025ef25b48c287a75946c0ee797d3c142760 (v1.7.1)
 CVE-2023-49345 (Temporary data passed between application components by Budgie Extras  ...)
 	- budgie-extras 1.7.1-1
+	[bookworm] - budgie-extras <no-dsa> (Minor issue)
+	[bullseye] - budgie-extras <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/bugs/2044373
 	NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1
 	NOTE: https://github.com/UbuntuBudgie/budgie-extras/commit/588cbe6ffa72df904213d77728a3fd5bfae7195e (v1.7.1)
 CVE-2023-49344 (Temporary data passed between application components by Budgie Extras  ...)
 	- budgie-extras 1.7.1-1
+	[bookworm] - budgie-extras <no-dsa> (Minor issue)
+	[bullseye] - budgie-extras <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/bugs/2044373
 	NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1
 	NOTE: https://github.com/UbuntuBudgie/budgie-extras/commit/11b02011ad2f6d46485b292713af09f7314843a5 (v1.7.1)
 CVE-2023-49343 (Temporary data passed between application components by Budgie Extras  ...)
 	- budgie-extras 1.7.1-1
+	[bookworm] - budgie-extras <no-dsa> (Minor issue)
+	[bullseye] - budgie-extras <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/bugs/2044373
 	NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1
 	NOTE: https://github.com/UbuntuBudgie/budgie-extras/commit/e75c94af249191bdbd33eebf7a62d4234a0d8be5 (v1.7.1)
 CVE-2023-49342 (Temporary data passed between application components by Budgie Extras  ...)
 	- budgie-extras 1.7.1-1
+	[bookworm] - budgie-extras <no-dsa> (Minor issue)
+	[bullseye] - budgie-extras <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/bugs/2044373
 	NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1
 	NOTE: https://github.com/UbuntuBudgie/budgie-extras/commit/d03083732569126d2f21c8810d5a69554ccc5900 (v1.7.1)
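Review bot: CVE-2023-49347 is downgraded to (unimportant) with the new NOTE "Neutralised by kernel hardening", while the sibling entries CVE-2023-49346 through CVE-2023-49342 in this hunk, which cite the same Launchpad bug and the same oss-security thread, are instead tagged <no-dsa> (Minor issue) for bookworm and bullseye; CVE-2023-49345 even points at the same upstream commit 588cbe6ffa72df904213d77728a3fd5bfae7195e as CVE-2023-49347. The NOTE should name the hardening mechanism and say why it covers only that one issue, so the differing severities can be re-verified later without re-reading the thread.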
@@ -349,6 +362,9 @@ CVE-2023-50439 (ZED containers produced by PRIMX ZED! for Windows before Q.2020.
 	NOT-FOR-US: PRIMX
 CVE-2023-50268 (jq is a command-line JSON processor. Version 1.7 is vulnerable to stac ...)
 	- jq <unfixed>
+	[bookworm] - jq <not-affected> (Introduced in 1.7)
+	[bullseye] - jq <not-affected> (Introduced in 1.7)
+	[buster] - jq <not-affected> (Introduced in 1.7)
 	NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j
 	NOTE: https://github.com/jqlang/jq/pull/2804
 	NOTE: Fixed by: https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b (jq-1.7.1)
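Review bot: the three new <not-affected> (Introduced in 1.7) tags for bookworm, bullseye and buster rest only on the truncated description's "Version 1.7 is vulnerable"; none of the NOTE lines identify the change that introduced the bug, so consider adding a NOTE citing it (or the jq version each release ships) so the tags can be re-checked from the entry itself. The "Fixed by" NOTE already names jq-1.7.1, so the `- jq <unfixed>` line is ready to be replaced by the Debian version once 1.7.1 is uploaded.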
@@ -361,6 +377,9 @@ CVE-2023-50248 (CKAN is an open-source data management system for powering data
 	NOT-FOR-US: CKAN
 CVE-2023-50246 (jq is a command-line JSON processor. Version 1.7 is vulnerable to heap ...)
 	- jq <unfixed>
+	[bookworm] - jq <not-affected> (Introduced in 1.7)
+	[bullseye] - jq <not-affected> (Introduced in 1.7)
+	[buster] - jq <not-affected> (Introduced in 1.7)
 	NOTE: https://github.com/jqlang/jq/security/advisories/GHSA-686w-5m7m-54vc
 	NOTE: Fixed by: https://github.com/jqlang/jq/commit/71c2ab509a8628dbbad4bc7b3f98a64aa90d3297 (jq-1.7.1)
 CVE-2023-49878 (IBM System Storage Virtualization Engine TS7700 3957-VEC, 3948-VED and ...)
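Review bot: the [bookworm]/[bullseye]/[buster] <not-affected> (Introduced in 1.7) tags for CVE-2023-50246 are justified only by the description text "Version 1.7 is vulnerable"; unlike the CVE-2023-50268 entry there is no PR link here, only the advisory and the fixing commit, so a NOTE naming the introducing change would make the not-affected rationale verifiable for all three releases.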
@@ -849,6 +868,8 @@ CVE-2023-6193 (quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable t
 	NOT-FOR-US: Cloudflare quiche
 CVE-2023-50495 (NCurse v6.4-20230418 was discovered to contain a segmentation fault vi ...)
 	- ncurses 6.4+20230625-1
+	[bookworm] - ncurses <no-dsa> (Minor issue)
+	[bullseye] - ncurses <no-dsa> (Minor issue)
 	NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html
 	NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html
 	NOTE: Fixed in ncurses-6.4-20230424 patchlevel
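Review bot: the new [bookworm]/[bullseye] <no-dsa> (Minor issue) tags imply both releases are affected, but the description refers to an "NCurse v6.4-20230418" snapshot and the last NOTE says the fix landed in the 6.4-20230424 patchlevel; a NOTE confirming that the ncurses versions in bookworm and bullseye actually contain the affected code (rather than predating it) would distinguish <no-dsa> from <not-affected> here.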
@@ -4267,6 +4288,7 @@ CVE-2023-6134 (A flaw was found in Keycloak that prevents certain schemes in red
 	NOT-FOR-US: Keycloak
 CVE-2023-5764 (A template injection flaw was found in Ansible where a user's controll ...)
 	- ansible-core <unfixed> (bug #1057427)
+	[bookworm] - ansible-core <no-dsa> (Minor issue)
 	- ansible 5.4.0-1
 	[bullseye] - ansible <no-dsa> (Minor issue)
 	NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in experimental/5.4.0-1 in sid
@@ -11688,6 +11710,7 @@ CVE-2023-34324 [linux/xen: Possible deadlock in Linux kernel event handling]
 	NOTE: https://git.kernel.org/linus/87797fad6cce28ec9be3c13f031776ff4f104cfc (6.6-rc6)
 CVE-2023-46837 [arm32: The cache may not be properly cleaned/invalidated (take two)]
 	- xen <unfixed>
+	[bookworm] - xen <postponed> (Minor issue, fix along in next DSA)
 	[bullseye] - xen <end-of-life> (EOLed in Bullseye)
 	[buster] - xen <end-of-life> (DSA 4677-1)
 	NOTE: https://xenbits.xen.org/xsa/advisory-447.html
@@ -16651,6 +16674,7 @@ CVE-2023-39510 (Cacti is an open source operational monitoring and fault managem
 CVE-2023-39366 (Cacti is an open source operational monitoring and fault management fr ...)
 	- cacti 1.2.25+ds1-1
 	[bookworm] - cacti 1.2.24+ds1-1+deb12u1
+	[bullseye] - cacti <no-dsa> (Minor issue)
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-rwhh-xxm6-vcrv
 	NOTE: https://github.com/Cacti/cacti/commit/c67daa614d91c8592b8792298da8e3aa017c4009
 CVE-2023-39365 (Cacti is an open source operational monitoring and fault management fr ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source package.
 
+--
+asterisk
 --
 bluez (carnil)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/420bed9d3494e66231d49fd26371edf5222611aa


