[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Feb 27 12:37:36 GMT 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
041decee by Moritz Muehlenhoff at 2023-02-27T13:37:13+01:00
bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -24418,11 +24418,13 @@ CVE-2022-3966 (A vulnerability, which was classified as critical, has been found
NOT-FOR-US: Ultimate Member Plugin
CVE-2022-3965 (A vulnerability classified as problematic was found in ffmpeg. This vu ...)
- ffmpeg <unfixed>
+ [bookworm] - ffmpeg <postponed> (Wait until it lands in 5.1.x)
[bullseye] - ffmpeg <postponed> (Wait until it lands in 4.3.x)
[buster] - ffmpeg <postponed> (Wait until it lands in 4.1.x)
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/13c13109759090b7f7182480d075e13b36ed8edd
CVE-2022-3964 (A vulnerability classified as problematic has been found in ffmpeg. Th ...)
- ffmpeg <unfixed>
+ [bookworm] - ffmpeg <postponed> (Wait until it lands in 5.1.x)
[bullseye] - ffmpeg <postponed> (Wait until it lands in 4.3.x)
[buster] - ffmpeg <postponed> (Wait until it lands in 4.1.x)
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92f9b28ed84a77138105475beba16c146bdaf984
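Review bot: the two new [bookworm] lines make the postponement conditional on the fix "landing in 5.1.x", but the only NOTE on each entry is the upstream commit URL, with nothing pointing at the 5.1.x release branch or at whatever tracks the backport; the next triage pass has to re-derive from that commit whether the condition has been met. Suggest adding a NOTE with the branch or backport reference for both CVE-2022-3965 and CVE-2022-3964 so "Wait until it lands in 5.1.x" is checkable, the same way the 4.3.x and 4.1.x lines for bullseye and buster would need one. The tag and justification wording is consistent with the existing release lines.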
@@ -33264,7 +33266,7 @@ CVE-2022-42965 (An exponential ReDoS (Regular Expression Denial of Service) can
CVE-2022-42964 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...)
- pymatgen <unfixed> (bug #1024017)
NOTE: https://research.jfrog.com/vulnerabilities/pymatgen-redos-xray-257184/
- NOTE: Doesn't seem to be reported upstream so far
+ NOTE: https://github.com/materialsproject/pymatgen/issues/2755
CVE-2022-3520 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...)
- vim 2:9.0.0813-1 (unimportant)
NOTE: https://huntr.dev/bounties/c1db3b70-f4fe-481f-8a24-0b1449c94246
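Review bot: swapping the "Doesn't seem to be reported upstream so far" NOTE for the upstream issue link is the right correction, but the entry still reads `pymatgen <unfixed> (bug #1024017)` with no hint of whether that issue is open, closed, or carries a fix commit, so a reader cannot tell from the tracker whether the <unfixed> state is still accurate. Suggest qualifying the NOTE with the issue's status (or, once one exists, the fix commit), since this is exactly the kind of detail the previous NOTE was meant to convey.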
@@ -133015,6 +133017,7 @@ CVE-2021-32752 (Ether Logs is a package that allows one to check one's logs in t
NOT-FOR-US: Ether Logs
CVE-2021-32751 (Gradle is a build tool with a focus on build automation. In versions p ...)
- gradle <unfixed> (bug #1014778)
+ [bookworm] - gradle <ignored> (Minor issue)
[bullseye] - gradle <ignored> (Minor issue)
[buster] - gradle <ignored> (Minor issue)
[stretch] - gradle <no-dsa> (Minor issue)
@@ -142066,12 +142069,14 @@ CVE-2021-29430 (Sydent is a reference Matrix identity server. Sydent does not li
NOT-FOR-US: Matrix Sydent
CVE-2021-29429 (In Gradle before version 7.0, files created with open permissions in t ...)
- gradle <unfixed> (bug #987284)
+ [bookworm] - gradle <ignored> (Minor issue)
[bullseye] - gradle <no-dsa> (Minor issue)
[buster] - gradle <no-dsa> (Minor issue)
[stretch] - gradle <no-dsa> (Minor issue)
NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8
CVE-2021-29428 (In Gradle before version 7.0, on Unix-like systems, the system tempora ...)
- gradle <unfixed> (bug #987284)
+ [bookworm] - gradle <ignored> (Minor issue)
[bullseye] - gradle <no-dsa> (Minor issue)
[buster] - gradle <no-dsa> (Minor issue)
[stretch] - gradle <no-dsa> (Minor issue; sticky bit on /tmp is set by default)
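Review bot: the new [bookworm] lines for CVE-2021-29429 and CVE-2021-29428 use <ignored> while the bullseye and buster lines directly below use <no-dsa> with the same "Minor issue" justification; <ignored> means the issue will not be fixed in that release at all, whereas <no-dsa> only rules out a DSA and leaves a point-release fix open, so the bookworm entry is a stronger statement than the older releases carry for the same bug. If that is intended, the justification should say why, and for CVE-2021-29428 the stretch line already has a reusable reason ("sticky bit on /tmp is set by default") that could be carried over to the bookworm line instead of the bare "Minor issue".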
@@ -260342,6 +260347,7 @@ CVE-2019-15053 (The "HTML Include and replace macro" plugin before 1.5.0 for Con
NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence Server
CVE-2019-15052 (The HTTP client in Gradle before 5.6 sends authentication credentials ...)
- gradle <unfixed> (low; bug #941187)
+ [bookworm] - gradle <ignored> (Minor issue)
[bullseye] - gradle <no-dsa> (Minor issue)
[buster] - gradle <no-dsa> (Minor issue)
[stretch] - gradle <no-dsa> (Minor issue)
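Review bot: the [bookworm] line for CVE-2019-15052 is tagged <ignored> while bullseye, buster and stretch are all <no-dsa>, so the unreleased suite ends up with a "will not be fixed" marker where the stable suites only decline a DSA; with the unstable line still at <unfixed> (low; bug #941187) this looks like the issue is being dropped for bookworm rather than deferred. Either the justification should explain why a credential-leak in the HTTP client is not worth a fix before release, or the bookworm line should match the <no-dsa> used for the other releases.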
@@ -276806,11 +276812,9 @@ CVE-2019-9906
CVE-2019-9905
RESERVED
CVE-2019-9904 (An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2. ...)
- - graphviz <unfixed> (low; bug #925284)
- [bullseye] - graphviz <ignored> (Minor issue)
- [buster] - graphviz <ignored> (Minor issue)
- [stretch] - graphviz <ignored> (Minor issue)
- [jessie] - graphviz <no-dsa> (Minor issue)
+ NOTE: Does not reproduce with the version of Graphviz in Bullseye, might be bogus
+ NOTE: or Windows-specific. Even if applicable to some older release, impact is
+ NOTE: negligible anyway
NOTE: https://gitlab.com/graphviz/graphviz/issues/1512
CVE-2019-9903 (PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict mark ...)
{DLA-3120-1}
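Review bot: the hunk removes the `- graphviz <unfixed> (low; bug #925284)` line and every release line, leaving CVE-2019-9904 with only NOTE lines and no package marker, so the entry no longer records which source package was assessed and drops the bug #925284 reference that links the assessment to the BTS. Suggest replacing the removed line with an explicit marker such as `- graphviz <not-affected> (Does not reproduce with the version in bullseye; bug #925284)` rather than deleting it, so the "might be bogus or Windows-specific" conclusion is attached to the package instead of floating in the NOTE text; the NOTE also only states non-reproduction for bullseye while the buster/stretch/jessie lines are removed without a corresponding statement.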
@@ -432788,6 +432792,7 @@ CVE-2016-2569 (Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly ap
NOTE: Upstream confirmed it does not affect squid 2.7.x
CVE-2016-2568 (pkexec, when used with --user nonpriv, allows local users to escape to ...)
- policykit-1 <unfixed> (low; bug #816062; bug #812512)
+ [bookworm] - policykit-1 <ignored> (Minor issue)
[bullseye] - policykit-1 <ignored> (Minor issue)
[buster] - policykit-1 <ignored> (Minor issue)
[stretch] - policykit-1 <ignored> (Minor issue)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/041deceea292a77d2cd9599163ea29f047057e03