[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sun Jul 16 14:15:54 BST 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cb137028 by Moritz Muehlenhoff at 2023-07-16T15:15:09+02:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -96,11 +96,13 @@ CVE-2023-38325 (The cryptography package before 41.0.2 for Python mishandles SSH
 	NOTE: Fixed by: https://github.com/pyca/cryptography/commit/1ca7adc97b76a9dfbd3d850628b613eb93b78fc3 (main)
 	NOTE: Fixed by: https://github.com/pyca/cryptography/commit/e190ef190525999d1f599cf8c3aef5cb7f3a8bc4 (41.0.2)
 CVE-2023-38253 (An out-of-bounds read flaw was found in w3m, in the growbuf_to_Str fun ...)
-	- w3m <unfixed>
+	- w3m <unfixed> (unimportant)
 	NOTE: https://github.com/tats/w3m/issues/271
+	NOTE: Crash in CLI tool, no security impact
 CVE-2023-38252 (An out-of-bounds read flaw was found in w3m, in the Strnew_size functi ...)
-	- w3m <unfixed>
+	- w3m <unfixed> (unimportant)
 	NOTE: https://github.com/tats/w3m/issues/270
+	NOTE: Crash in CLI tool, no security impact
 CVE-2023-37474 (Copyparty is a portable file server. Versions prior to 1.8.2 are subje ...)
 	NOT-FOR-US: copyparty
 CVE-2023-37473 (zenstruck/collections is a set of helpers for iterating/paginating/fil ...)
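Review bot: the downgrade of both w3m entries to `(unimportant)` rests on the note "Crash in CLI tool, no security impact", but the header line for CVE-2023-38253 (and the CVE-2023-38252 entry below it) describes an out-of-bounds read, which can expose memory rather than only crash; the NOTE should say why only a crash is reachable here (for example that the over-read never reaches rendered output) so the "no security impact" rating is defensible when the entry is revisited. Both w3m entries carry the identical note, so one justification phrased that way would serve both.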
@@ -619,22 +621,27 @@ CVE-2023-3023 (The WP EasyCart plugin for WordPress is vulnerable to time-based
 	NOT-FOR-US: WP EasyCart plugin for WordPress
 CVE-2023-3019 [e1000e: heap use-after-free in e1000e_write_packet_to_guest()]
 	- qemu <unfixed> (bug #1041102)
+	[bookworm] - qemu <no-dsa> (Minor issue)
+	[bullseye] - qemu <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59243
 	NOTE: Proposed upstream patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html
 CVE-2023-3011 (The ARMember plugin for WordPress is vulnerable to Cross-Site Request  ...)
 	NOT-FOR-US: ARMember plugin for WordPress
 CVE-2023-37767 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a seg ...)
 	- gpac <unfixed>
+	[bullseye] - gpac <ignored> (Minor issue)
 	[buster] - gpac <end-of-life> (EOL in buster LTS)
 	NOTE: https://github.com/gpac/gpac/issues/2514
 	NOTE: https://github.com/gpac/gpac/commit/d414df635c773b21bbb3a9fbf17b101b1e8ea345
 CVE-2023-37766 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a seg ...)
 	- gpac <unfixed>
+	[bullseye] - gpac <ignored> (Minor issue)
 	[buster] - gpac <end-of-life> (EOL in buster LTS)
 	NOTE: https://github.com/gpac/gpac/issues/2516
 	NOTE: https://github.com/gpac/gpac/commit/a64c60ef0983be6db8ab1e4a663e0ce83ff7bf2c
 CVE-2023-37765 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a seg ...)
 	- gpac <unfixed>
+	[bullseye] - gpac <ignored> (Minor issue)
 	[buster] - gpac <end-of-life> (EOL in buster LTS)
 	NOTE: https://github.com/gpac/gpac/issues/2515
 	NOTE: https://github.com/gpac/gpac/commit/36e1b9900ff638576cb88636bbbe2116ed06dfdc
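Review bot: the three gpac entries mark bullseye `<ignored>` while the qemu entry in the same hunk marks bullseye and bookworm `<no-dsa>`, all with the identical rationale "(Minor issue)"; since `<ignored>` records that the release will not receive a fix at all whereas `<no-dsa>` leaves a point-release fix open, and each gpac entry already references an upstream fix commit, consider either using `<no-dsa>` for gpac in bullseye or changing the rationale to state why no backport is planned.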
@@ -789,6 +796,7 @@ CVE-2023-36825 (Decidim is a participatory democracy framework, written in Ruby
 	NOT-FOR-US: Decidim
 CVE-2023-36824 (Redis is an in-memory database that persists on disk. In Redit 7.0 pri ...)
 	- redis 5:7.0.12-1 (bug #1040879)
+	[bookworm] - redis <no-dsa> (Minor issue)
 	[bullseye] - redis <not-affected> (Vulnerable code introduced later)
 	[buster] - redis <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/redis/redis/security/advisories/GHSA-4cfx-h9gq-xpx3


=====================================
data/dsa-needed.txt
=====================================
@@ -18,8 +18,13 @@ cjose
 --
 cinder/oldstable
 --
+frr
+  maintainer proposed to update to 8.4.4 for bookworm-stable, which might be a good idea
+--
 iperf3 (aron)
 --
+kanboard (jmm)
+--
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v5.10.y and 6.1.y versions
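Review bot: the new frr entry records a proposed move to 8.4.4 for bookworm-stable but not which CVE ids that update would resolve, so the note "which might be a good idea" gives a later reader nothing to verify against the tracker; list the ids the 8.4.4 update covers (or point at the tracker entries), as the other dsa-needed notes do when they carry a rationale.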
@@ -71,6 +76,10 @@ salt/oldstable
 --
 samba/oldstable
 --
+sox
+  all issues unfixed upstream
+  for CVE-2023-34432, rest can be ignored
+--
 wpewebkit
 --
 xrdp/oldstable
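Review bot: the sox note is ambiguous as written: split across two lines, "all issues unfixed upstream / for CVE-2023-34432, rest can be ignored" can be read as "all issues unfixed upstream for CVE-2023-34432", whereas the intent appears to be that a DSA is needed only for CVE-2023-34432 and the remaining sox issues can be ignored. Suggest rewording to something like "all issues unfixed upstream; DSA only for CVE-2023-34432, the rest can be ignored" so the scope is unambiguous.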



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb13702815ca326ed196f2d6df6a2e05d6539618




