[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Dec 21 10:09:25 GMT 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
433acc83 by Moritz Muehlenhoff at 2023-12-21T11:08:54+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -57,6 +57,8 @@ CVE-2023-7018 (Deserialization of Untrusted Data in GitHub repository huggingfac
 	NOT-FOR-US: Transformers
 CVE-2023-7008 [Unsigned name response in signed zone is not refused when DNSSEC=yes]
 	- systemd <unfixed>
+	[bookworm] - systemd <no-dsa> (Minor issue)
+	[bullseye] - systemd <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2222672
 CVE-2023-6912 (Lack of protection against brute force attacks in M-Files Server befor ...)
 	NOT-FOR-US: M-Files Server
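Review bot: the new `[bookworm]`/`[bullseye]` no-dsa lines for CVE-2023-7008 leave the `- systemd <unfixed>` line without a Debian bug reference, unlike the erlang and freeimage entries further down in this commit, which carry bug numbers; linking a bug here would keep the unstable fix trackable. The `(Minor issue)` rationale is also terse for a DNSSEC validation problem; a short reason, even just pointing at the Red Hat bugzilla already in the NOTE, would make the classification reproducible when the entry is revisited.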
@@ -299,6 +301,8 @@ CVE-2023-49489 (Reflective Cross Site Scripting (XSS) vulnerability in KodeExplo
 	NOT-FOR-US: kalcaddle KodExplorer
 CVE-2023-49006 (Cross Site Request Forgery (CSRF) vulnerability in Phpsysinfo version  ...)
 	- phpsysinfo 3.4.3-1
+	[bookworm] - phpsysinfo <no-dsa> (Minor issue)
+	[bullseye] - phpsysinfo <no-dsa> (Minor issue)
 	NOTE: https://huntr.com/bounties/ca6d669f-fd82-4188-aae2-69e08740d982/
 	NOTE: https://github.com/phpsysinfo/phpsysinfo/commit/4f2cee505e4f2e9b369a321063ff2c5e0c34ba45 (v3.4.3)
 CVE-2023-46804 (An attacker sending specially crafted data packets to the Mobile Devic ...)
@@ -679,6 +683,8 @@ CVE-2023-32230 (An improper handling of a malformed API request to an API server
 CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, found in O ...)
 	- dropbear <unfixed> (bug #1059001)
 	- erlang 1:25.3.2.8+dfsg-1 (bug #1059002)
+	[bookworm] - erlang <no-dsa> (Minor issue)
+	[bullseye] - erlang <no-dsa> (Minor issue)
 	- golang-go.crypto <unfixed> (bug #1059003)
 	- jsch <not-affected> (ChaCha20-Poly1305 support introduced in 0.1.61; *-EtM support introduced in 0.1.58)
 	- libssh <unfixed> (bug #1059004)
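Review bot: the erlang no-dsa lines give only `(Minor issue)` as rationale, while the `jsch <not-affected>` line in the same CVE-2023-48795 entry spells out which cipher and *-EtM support versions the decision rests on; recording the equivalent reasoning for erlang (which modes its SSH implementation negotiates) would make the no-dsa call verifiable later. Note also that erlang is the only package in this entry to receive release markings here; dropbear, golang-go.crypto and libssh remain `<unfixed>` without bookworm/bullseye lines, so the triage of this entry is not yet complete.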
@@ -12113,6 +12119,8 @@ CVE-2023-39960 (Nextcloud Server provides data storage for Nextcloud, an open so
 	- nextcloud-server <itp> (bug #941708)
 CVE-2023-38000 (Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability i ...)
 	- wordpress 6.3.2+dfsg1-1
+	[bookworm] - wordpress <no-dsa> (Minor issue)
+	[bullseye] - wordpress <not-affected> (Vulnerable code was introduced in 5.9)
 	[buster] - wordpress <not-affected> (Vulnerable code was introduced in 5.9)
 	NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/
 	NOTE: https://plugins.trac.wordpress.org/changeset/2978318/gutenberg/trunk/build/block-library/blocks/post-navigation-link.php
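Review bot: the new `[bullseye] - wordpress <not-affected>` line copies the buster rationale (`Vulnerable code was introduced in 5.9`); that holds only if the bullseye package predates 5.9, so it is worth confirming against the bullseye version before relying on it, given that bookworm in the same hunk is treated as affected with `<no-dsa>`.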
@@ -14953,7 +14961,9 @@ CVE-2023-42114 [Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vu
 	NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023-XXXX [AV1 codec parser buffer overflow]
 	- gst-plugins-bad1.0 1.22.8-1
-	- gst-plugins-bad0.10 <removed>
+	[bullseye] - gst-plugins-bad1.0 <not-affected> (Vulnerable code not present)
+	[buster] - gst-plugins-bad1.0 <not-affected> (Vulnerable code not present)
+	- gst-plugins-bad0.10 <not-affected> (Vulnerable code not present)
 	NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0011.html
 	NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5823
 	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/890d59e97e291fe848147ebf4d5884bcec1101c9
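Review bot: the `gst-plugins-bad0.10` line changes from `<removed>` to `<not-affected> (Vulnerable code not present)`, which documents why the old codebase is unaffected rather than only that it left the archive; fine, but bookworm receives no marking in this hunk, so it is left implicitly affected with the fix only in 1.22.8-1. That matches the dsa-needed.txt addition in the same commit, but the entry is still keyed on the placeholder `CVE-2023-XXXX`; once the real id is assigned, the line needs renaming so the dsa-needed entry and the upstream advisory (sa-2023-0011) can be cross-referenced.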
@@ -241920,6 +241930,8 @@ CVE-2020-21427 (Buffer Overflow vulnerability in function LoadPixelDataRLE8 in P
 	NOTE: Probably fixed with r1832 and r1836 from http://svn.code.sf.net/p/freeimage/svn/FreeImage/
 CVE-2020-21426 (Buffer Overflow vulnerability in function C_IStream::read in PluginEXR ...)
 	- freeimage <unfixed> (bug #1051736)
+	[bookworm] - freeimage <postponed> (Revisit when patches are available)
+	[bullseye] - freeimage <postponed> (Revisit when patches are available)
 	[buster] - freeimage <postponed> (Revisit from patches are available)
 	NOTE: https://sourceforge.net/p/freeimage/bugs/300/
 	NOTE: it looks like the issue is in openexr. No relevant patches in freeimage are detected
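Review bot: the new bookworm/bullseye lines read `Revisit when patches are available`, but the unchanged buster context line still reads `Revisit from patches are available`, so the three rationales for the same decision now differ by one word; fix the buster wording in this commit (or a follow-up) so a grep for the rationale finds all three. Separately, the NOTE says the problem looks like it is in openexr; if that is confirmed, a cross-reference to the corresponding openexr entry would tell the next triager where the actual fix is expected.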


=====================================
data/dsa-needed.txt
=====================================
@@ -29,6 +29,8 @@ frr
 --
 gpac/oldstable
 --
+gst-plugins-bad1.0 (jmm)
+--
 h2o (jmm)
 --
 haproxy (carnil)
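Review bot: the new `gst-plugins-bad1.0 (jmm)` entry has no suite suffix, which reads as stable-only; that is consistent with the CVE list hunk marking bullseye and buster `<not-affected>`, so only bookworm needs the DSA (compare `gpac/oldstable` above for the suffixed form). Since the issue is still tracked under the placeholder `CVE-2023-XXXX`, a short note line under the entry naming the upstream advisory (sa-2023-0011) would let others match this entry to the CVE list until the id is assigned.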



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/433acc839e19a08e047c7fbfaa981de0620fc332
