[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Dec 29 22:17:08 GMT 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ff7c8434 by Moritz Mühlenhoff at 2023-12-29T23:16:38+01:00
bookworm/bullseye triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -696,8 +696,13 @@ CVE-2023-51771 (In MicroHttpServer (aka Micro HTTP Server) through a8ab029, _Par
NOT-FOR-US: MicroHttpServer
CVE-2023-51714 (An issue was discovered in the HTTP2 implementation in Qt before 5.15. ...)
- qt6-base <unfixed>
+ [bookworm] - qt6-base <no-dsa> (Minor issue)
- qtbase-opensource-src <unfixed>
+ [bookworm] - qtbase-opensource-src <no-dsa> (Minor issue)
+ [bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
- qtbase-opensource-src-gles <unfixed>
+ [bookworm] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
+ [bullseye] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/524864
NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/524865/3
CVE-2023-49954 (The CRM Integration in 3CX before 18.0.9.23 and 20 before 20.0.0.1494 ...)
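Review bot: qt6-base only gets a bookworm no-dsa line, while qtbase-opensource-src and qtbase-opensource-src-gles get both bookworm and bullseye lines; if qt6-base is absent from bullseye that is fine, otherwise a bullseye triage line is missing. A short reason next to "Minor issue" would also help, since two upstream change sets are referenced (524864 and 524865/3) and the entry does not say whether both are part of the fix.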
@@ -949,6 +954,8 @@ CVE-2023-49085 (Cacti provides an operational monitoring and fault management fr
NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855
CVE-2023-48704 (ClickHouse is an open-source column-oriented database management syste ...)
- clickhouse <unfixed> (bug #1059367)
+ [bookworm] - clickhouse <no-dsa> (Minor issue)
+ [bullseye] - clickhouse <no-dsa> (Minor issue)
NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-5rmf-5g48-xv63
NOTE: https://github.com/ClickHouse/ClickHouse/pull/57107
CVE-2023-48670 (Dell SupportAssist for Home PCs version 3.14.1 and prior versions cont ...)
@@ -1090,6 +1097,8 @@ CVE-2023-48308 (Nextcloud/Cloud is a calendar app for Nextcloud. An attacker can
NOT-FOR-US: Nextcloud calendar app
CVE-2023-48298 (ClickHouse\xae is an open-source column-oriented database management s ...)
- clickhouse <unfixed> (bug #1059261)
+ [bookworm] - clickhouse <no-dsa> (Minor issue)
+ [bullseye] - clickhouse <no-dsa> (Minor issue)
NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938
NOTE: https://github.com/ClickHouse/ClickHouse/pull/56795
CVE-2023-46649 (A race condition in GitHub Enterprise Server was identified that could ...)
@@ -1110,6 +1119,8 @@ CVE-2023-37519 (Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability.
NOT-FOR-US: HCL
CVE-2023-42465 (Sudo before 1.9.15 might allow row hammer attacks (for authentication ...)
- sudo 1.9.15p2-2
+ [bookworm] - sudo <no-dsa> (Minor issue)
+ [bullseye] - sudo <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/9
NOTE: https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f (SUDO_1_9_15p1)
CVE-2023-7047 (Inadequate validation of permissions when employing remote tools and ...)
@@ -1209,6 +1220,8 @@ CVE-2023-4256 (Within tcpreplay's tcprewrite, a double free vulnerability has be
NOTE: Crash in CLI tool, no security impact
CVE-2023-4255 (An out-of-bounds write issue has been discovered in the backspace hand ...)
- w3m <unfixed> (bug #1059265)
+ [bookworm] - w3m <no-dsa> (Minor issue)
+ [bullseye] - w3m <no-dsa> (Minor issue)
[buster] - w3m <no-dsa> (Minor issue)
NOTE: https://github.com/tats/w3m/commit/edc602651c506aeeb60544b55534dd1722a340d3
NOTE: https://github.com/tats/w3m/issues/268
@@ -1442,6 +1455,8 @@ CVE-2023-47236 (Improper Neutralization of Special Elements used in an SQL Comma
NOT-FOR-US: WordPress plugin
CVE-2023-47118 (ClickHouse\xae is an open-source column-oriented database management s ...)
- clickhouse <unfixed> (bug #1059261)
+ [bookworm] - clickhouse <no-dsa> (Minor issue)
+ [bullseye] - clickhouse <no-dsa> (Minor issue)
NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v
CVE-2023-46311 (Authorization Bypass Through User-Controlled Key vulnerability in gVec ...)
NOT-FOR-US: WordPress plugin
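Review bot: this entry and CVE-2023-48298 both point at bug #1059261, while CVE-2023-48704 has its own bug #1059367; confirm that one bug is meant to cover both GHSA-qw9f-qv29-8938 and GHSA-g22g-p6q2-x39v, otherwise a separate bug keeps the per-CVE fix status traceable.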
@@ -1812,6 +1827,7 @@ CVE-2023-46104 (Uncontrolled resource consumption can be triggered by authentica
NOT-FOR-US: Apache Superset
CVE-2023-XXXX [RUSTSEC-2023-0074]
- rust-zerocopy <unfixed>
+ [bookworm] - rust-zerocopy <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0074.html
NOTE: https://github.com/google/zerocopy/issues/716
CVE-2023-6940 (with only one user interaction(download a malicious config), attackers ...)
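Review bot: only a bookworm line is added for rust-zerocopy; confirm there is no bullseye package rather than an untriaged one. Since the entry still carries the CVE-2023-XXXX placeholder and the NOTE lines are bare URLs, a one-line NOTE stating why the issue is minor would make the triage decision self-explanatory once a CVE id is assigned.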
@@ -2014,11 +2030,15 @@ CVE-2023-32230 (An improper handling of a malformed API request to an API server
CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, found in O ...)
{DSA-5591-1 DSA-5588-1 DSA-5586-1 DLA-3694-1}
- dropbear <unfixed> (bug #1059001)
+ [bookworm] - dropbear <no-dsa> (Minor issue)
+ [bullseye] - dropbear <no-dsa> (Minor issue)
- erlang 1:25.3.2.8+dfsg-1 (bug #1059002)
[bookworm] - erlang <no-dsa> (Minor issue)
[bullseye] - erlang <no-dsa> (Minor issue)
[buster] - erlang <no-dsa> (Minor issue)
- filezilla 3.66.4-1
+ [bookworm] - filezilla <no-dsa> (Minor issue)
+ [bullseye] - filezilla <no-dsa> (Minor issue)
- golang-go.crypto <unfixed> (bug #1059003)
- jsch <not-affected> (ChaCha20-Poly1305 support introduced in 0.1.61; *-EtM support introduced in 0.1.58)
- libssh 0.10.6-1 (bug #1059004)
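Review bot: dropbear and filezilla are marked <no-dsa> (Minor issue) for bookworm and bullseye on a CVE that already carries DSA-5591-1, DSA-5588-1, DSA-5586-1 and DLA-3694-1; a brief reason why these two packages do not warrant an update would avoid the question being re-raised. In the trailing context, golang-go.crypto <unfixed> (bug #1059003) still has no bookworm/bullseye triage line, unlike dropbear, erlang and filezilla directly above it.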
@@ -2781,9 +2801,10 @@ CVE-2023-50564 (An arbitrary file upload vulnerability in the component /inc/mod
CVE-2023-50563 (Semcms v4.8 was discovered to contain a SQL injection vulnerability vi ...)
NOT-FOR-US: Semcms
CVE-2023-50472 (cJSON v1.7.16 was discovered to contain a segmentation violation via t ...)
- - cjson 1.7.17-1 (bug #1059287)
+ - cjson 1.7.17-1 (unimportant; bug #1059287)
NOTE: https://github.com/DaveGamble/cJSON/issues/803
NOTE: Fixed by: https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8
+ NOTE: Seems bogus, this isn't a DoS but only a broken use of an API
CVE-2023-50471 (cJSON v1.7.16 was discovered to contain a segmentation violation via t ...)
- cjson 1.7.17-1 (bug #1059287)
NOTE: https://github.com/DaveGamble/cJSON/issues/802
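Review bot: CVE-2023-50472 is downgraded to unimportant with the NOTE that it is a broken use of an API rather than a DoS, but the adjacent CVE-2023-50471 (same cjson version, same fixed version 1.7.17-1, same bug #1059287) is left untouched; if the reasoning applies to both, the second entry should get the same unimportant marker and NOTE, otherwise a NOTE saying why they differ.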
@@ -4274,14 +4295,20 @@ CVE-2023-49492 (DedeCMS v5.7.111 was discovered to contain a reflective cross-si
NOT-FOR-US: DedeCMS
CVE-2023-49468 (Libde265 v1.0.14 was discovered to contain a global buffer overflow vu ...)
- libde265 1.0.15-1 (bug #1059275)
+ [bookworm] - libde265 <no-dsa> (Minor issue)
+ [bullseye] - libde265 <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/432
NOTE: Fixed by: https://github.com/strukturag/libde265/commit/3e822a3ccf88df1380b165d6ce5a00494a27ceeb (v1.0.15)
CVE-2023-49467 (Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vuln ...)
- libde265 1.0.15-1 (bug #1059275)
+ [bookworm] - libde265 <no-dsa> (Minor issue)
+ [bullseye] - libde265 <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/434
NOTE: Fixed by: https://github.com/strukturag/libde265/commit/7e4faf254bbd2e52b0f216cb987573a2cce97b54 (v1.0.15)
CVE-2023-49465 (Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vuln ...)
- libde265 1.0.15-1 (bug #1059275)
+ [bookworm] - libde265 <no-dsa> (Minor issue)
+ [bullseye] - libde265 <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/435
NOTE: Fixed by: https://github.com/strukturag/libde265/commit/1475c7d2f0a6dc35c27e18abc4db9679bfd32568 (v1.0.15)
CVE-2023-49464 (libheif v1.17.5 was discovered to contain a segmentation violation via ...)
@@ -5123,7 +5150,9 @@ CVE-2023-5332 (Patch in third party library Consul requires 'enable-script-check
NOTE: https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations
CVE-2023-49287 (TinyDir is a lightweight C directory and file reader. Buffer overflows ...)
- falcosecurity-libs <unfixed> (bug #1059256)
+ [bookworm] - falcosecurity-libs <no-dsa> (Minor issue)
- gemmi <unfixed> (bug #1059257)
+ [bookworm] - gemmi <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/12/04/1
NOTE: https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
NOTE: https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d (1.2.6)
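Review bot: only bookworm lines are added for falcosecurity-libs and gemmi, with no bullseye lines; confirm both packages are absent from bullseye rather than left untriaged. The NOTE links all point at the tinydir upstream fix, so a NOTE stating that each package ships an embedded copy of tinydir would make clear why the fix has to land in both source packages.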
@@ -18262,9 +18291,11 @@ CVE-2023-37755 (i-doit pro 25 and below and I-doit open 25 and below are configu
CVE-2023-37739 (i-doit Pro v25 and below was discovered to be vulnerable to path trave ...)
NOT-FOR-US: I-doit pro
CVE-2023-36250 (CSV Injection vulnerability in GNOME time tracker version 3.0.2, allow ...)
- - hamster-time-tracker <unfixed> (bug #1059296)
+ - hamster-time-tracker <unfixed> (unimportant; bug #1059296)
NOTE: https://github.com/BrunoTeixeira1996/CVE-2023-36250/blob/main/README.md
NOTE: https://github.com/projecthamster/hamster/issues/750
+ NOTE: No security impact, responsibility lies within application opening the
+ NOTE: resultulting TSV file
CVE-2023-2848 (Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hija ...)
NOT-FOR-US: Movim
CVE-2023-4948 (The WooCommerce CVR Payment Gateway plugin for WordPress is vulnerable ...)
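Review bot: typo in the added NOTE: "resultulting" should read "resulting", and "responsibility lies within application opening the" reads better as "lies with the application opening the". The rationale itself matches the unimportant marker.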
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff7c84347e0be6fdcea4dc7fc3c7c6ec84afde57