[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sun Jul 16 20:17:59 BST 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
119aca37 by Moritz Muehlenhoff at 2023-07-16T21:14:44+02:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -322,6 +322,8 @@ CVE-2023-3319 (Improper Neutralization of Input During Web Page Generation ('Cro
 	NOT-FOR-US: PlatPlay DSr
 CVE-2023-38199 (coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does n ...)
 	- modsecurity-crs <unfixed> (bug #1041109)
+	[bookworm] - modsecurity-crs <no-dsa> (Minor issue)
+	[bullseye] - modsecurity-crs <no-dsa> (Minor issue)
 	NOTE: https://github.com/coreruleset/coreruleset/issues/3191
 	NOTE: https://github.com/coreruleset/coreruleset/pull/3237
 CVE-2023-38198 (acme.sh before 3.0.6 runs arbitrary commands from a remote server via  ...)
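Review bot: the two new `<no-dsa> (Minor issue)` lines for modsecurity-crs give no reason for the rating, while the fdkaac entries in this same commit add a `NOTE:` explaining theirs. A one-line NOTE stating why this is minor for a web application firewall rule set (what the upstream issue #3191 and PR #3237 change) would let the next triager verify the decision without re-reading both links.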
@@ -3840,13 +3842,15 @@ CVE-2023-34867 (Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an As
 CVE-2023-34865 (Directory traversal vulnerability in ujcms 6.0.2 allows attackers to m ...)
 	NOT-FOR-US: ujcms
 CVE-2023-34824 (fdkaac before 1.0.5 was discovered to contain a heap buffer overflow i ...)
-	- fdkaac <unfixed> (bug #1038951)
+	- fdkaac <unfixed> (unimportant; bug #1038951)
 	NOTE: https://github.com/nu774/fdkaac/issues/55
 	NOTE: https://github.com/nu774/fdkaac/commit/22dbf72491541aa854835fdf2a9a0d92532728d8 (v1.0.5)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2023-34823 (fdkaac before 1.0.5 was discovered to contain a stack overflow in read ...)
-	- fdkaac <unfixed> (bug #1038951)
+	- fdkaac <unfixed> (unimportant; bug #1038951)
 	NOTE: https://github.com/nu774/fdkaac/issues/55
 	NOTE: https://github.com/nu774/fdkaac/commit/22dbf72491541aa854835fdf2a9a0d92532728d8 (v1.0.5)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2023-34756 (bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerabili ...)
 	NOT-FOR-US: bloofox
 CVE-2023-34755 (bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerabili ...)
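Review bot: "Crash in CLI tool, no security impact" is a thin justification for `unimportant` on a heap buffer overflow (CVE-2023-34824) and a stack overflow (CVE-2023-34823); a crash does not by itself rule out memory corruption. The rating rests on the attack surface, so the NOTE would be stronger as "only reachable via a locally supplied input file to the fdkaac CLI; crash only" or similar, matching what the triager actually established. Both entries also still carry `<unfixed>` although the linked commit is tagged v1.0.5; fine if no upload exists yet, but worth a pointer in bug #1038951.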
@@ -4916,8 +4920,11 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse
 	NOTE: Introduced with: https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb (2.0.0)
 	NOTE: The original fix uploaded as 2.1.0-3.1 was incomplete.
 	- burp <unfixed>
+	[bookworm] - burp <no-dsa> (Minor issue)
+	[bullseye] - burp <no-dsa> (Minor issue)
 	[buster] - burp <postponed> (Minor issue; fix only after newer releases got a fix)
 	- epics-base <unfixed>
+	[bookworm] - epics-base <no-dsa> (Minor issue)
 	[buster] - epics-base <postponed> (Minor issue; fix only after newer releases got a fix)
 	- r-cran-jsonlite <unfixed>
 	[bookworm] - r-cran-jsonlite <no-dsa> (Minor issue)
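Review bot: burp gets both `[bookworm]` and `[bullseye]` no-dsa lines but epics-base gets only `[bookworm]`, leaving the bullseye decision for epics-base unstated. If epics-base is not in bullseye this is correct; otherwise add `[bullseye] - epics-base <no-dsa> (Minor issue)` for consistency with burp and r-cran-jsonlite. The same asymmetry is repeated in the CVE-2022-24795 and CVE-2017-16516 hunks below for the same bundled yajl copy.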
@@ -6628,6 +6635,8 @@ CVE-2023-33203 (The Linux kernel before 6.2.9 has a race condition and resultant
 	NOTE: https://git.kernel.org/linus/6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75 (6.3-rc4)
 CVE-2023-33201 (Bouncy Castle For Java before 1.74 is affected by an LDAP injection vu ...)
 	- bouncycastle <unfixed> (bug #1040050)
+	[bookworm] - bouncycastle <no-dsa> (Minor issue)
+	[bullseye] - bouncycastle <no-dsa> (Minor issue)
 	NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33201
 CVE-2023-31729 (TOTOLINK A3300R v17.0.0cu.557 is vulnerable to Command Injection.)
 	NOT-FOR-US: TOTOLINK
@@ -13339,6 +13348,7 @@ CVE-2023-29407
 CVE-2023-29406 (The HTTP/1 client does not fully validate the contents of the Host hea ...)
 	- golang-1.20 1.20.6-1
 	- golang-1.19 1.19.11-1
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
 	- golang-1.11 <removed>
 	NOTE: https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
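Review bot: only golang-1.19 receives a `[bookworm]` no-dsa line; golang-1.15 and golang-1.11 are marked `<removed>` with no suite entry, so the bullseye decision for whichever of them still ships there is not recorded. If golang-1.15 is in bullseye, add a `[bullseye] - golang-1.15 ...` line (no-dsa, postponed or ignored); if it is not, a short NOTE saying so avoids the question being re-raised.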
@@ -106475,7 +106485,10 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL JSON parsing and generation
 	[bookworm] - yajl <no-dsa> (Minor issue)
 	[bullseye] - yajl <no-dsa> (Minor issue)
 	- burp <unfixed> (bug #1040146)
+	[bookworm] - burp <no-dsa> (Minor issue)
+	[bullseye] - burp <no-dsa> (Minor issue)
 	- epics-base <unfixed> (bug #1040159)
+	[bookworm] - epics-base <no-dsa> (Minor issue)
 	- r-cran-jsonlite <unfixed> (bug #1040161)
 	[bookworm] - r-cran-jsonlite <no-dsa> (Minor issue)
 	[bullseye] - r-cran-jsonlite <no-dsa> (Minor issue)
@@ -152746,6 +152759,7 @@ CVE-2021-33797 (Buffer-overflow in jsdtoa.c in Artifex MuJS in versions 1.0.1 to
 	NOTE: https://github.com/ccxvii/mujs/commit/833b6f1672b4f2991a63c4d05318f0b84ef4d550 (1.1.2)
 CVE-2021-33796 (In MuJS before version 1.1.2, a use-after-free flaw in the regexp sour ...)
 	- mujs 1.1.3-2
+	[bullseye] - mujs <no-dsa> (Minor issue)
 	NOTE: https://github.com/ccxvii/mujs/commit/7ef066a3bb95bf83e7c5be50d859e62e58fe8515 (1.1.2)
 CVE-2021-3573 (A use-after-free in function hci_sock_bound_ioctl() of the Linux kerne ...)
 	{DLA-2690-1 DLA-2689-1}
@@ -384237,7 +384251,10 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is
 	[bookworm] - yajl <no-dsa> (Minor issue)
 	[bullseye] - yajl <no-dsa> (Minor issue)
 	- burp <unfixed> (bug #1040146)
+	[bookworm] - burp <no-dsa> (Minor issue)
+	[bullseye] - burp <no-dsa> (Minor issue)
 	- epics-base <unfixed> (bug #1040159)
+	[bookworm] - epics-base <no-dsa> (Minor issue)
 	- r-cran-jsonlite <unfixed> (bug #1040161)
 	[bookworm] - r-cran-jsonlite <no-dsa> (Minor issue)
 	[bullseye] - r-cran-jsonlite <no-dsa> (Minor issue)


=====================================
data/dsa-needed.txt
=====================================
@@ -36,6 +36,8 @@ netatalk/oldstable
   open regression with MacOS, tentative patch not yet merged upstream
   See discussion on team mailing list.
 --
+nodejs
+--
 nova/oldstable
 --
 openjdk-11/oldstable (jmm)
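Review bot: the new `nodejs` entry has no indented status line, whereas the netatalk entry above shows the convention of a short note describing the state of the fix. A line naming the CVEs that motivate the DSA (or the upstream release being waited for) would help whoever claims the entry, and the bare name without `/oldstable` should be deliberate, i.e. stable is the intended target.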



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/119aca372b3486a3903206d2da472e591c17391a


