[Git][security-tracker-team/security-tracker][master] 9 commits: CVE-2023-38199,modsecurity-crs: mark buster as postponed
Markus Koschany (@apo)
apo at debian.org
Sun Jul 30 23:57:30 BST 2023
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
01f830da by Markus Koschany at 2023-07-31T00:57:09+02:00
CVE-2023-38199,modsecurity-crs: mark buster as postponed
Minor issue
- - - - -
1da0ed93 by Markus Koschany at 2023-07-31T00:57:10+02:00
CVE-2023-38336,netkit-rcp: buster is no-dsa
Minor issue.
- - - - -
9f78cb14 by Markus Koschany at 2023-07-31T00:57:10+02:00
CVE-2021-31294,redis: buster is no-dsa
Minor issue. According to upstream:
"Versions before 6.2 were not intended to have safety guarantees related to
this."
- - - - -
94b8336e by Markus Koschany at 2023-07-31T00:57:10+02:00
Add zabbix to dla-needed.txt
- - - - -
13a8636d by Markus Koschany at 2023-07-31T00:57:10+02:00
Add sox to dla-needed.txt
- - - - -
d3a8f3ed by Markus Koschany at 2023-07-31T00:57:10+02:00
Add pdfcrack to dla-needed.txt
- - - - -
28f97c8c by Markus Koschany at 2023-07-31T00:57:10+02:00
CVE-2023-3019,CVE-2023-1386,qemu: no-dsa in Buster
Minor issue
- - - - -
7e8c934b by Markus Koschany at 2023-07-31T00:57:10+02:00
Triage plantuml CVE as no-dsa for Buster
Minor issues.
- - - - -
100de074 by Markus Koschany at 2023-07-31T00:57:11+02:00
CVE-2023-37369,qtbase-opensource-src: Buster is no-dsa
Minor issue
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -152,6 +152,7 @@ CVE-2023-37369
- qtbase-opensource-src 5.15.10+dfsg-3
[bookworm] - qtbase-opensource-src <no-dsa> (Minor issue)
[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
+ [buster] - qtbase-opensource-src <no-dsa> (Minor issue)
- qt4-x11 <removed>
NOTE: https://www.qt.io/blog/security-advisory-qxmlstreamreader
NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/455027
@@ -1521,6 +1522,7 @@ CVE-2023-38336 (netkit-rcp in rsh-client 0.17-24 allows command injection via fi
- netkit-rsh <unfixed> (bug #1039689)
[bookworm] - netkit-rsh <no-dsa> (Minor issue)
[bullseye] - netkit-rsh <no-dsa> (Minor issue)
+ [buster] - netkit-rsh <no-dsa> (Minor issue)
CVE-2023-37794 (WAYOS FBM-291W 19.09.11V was discovered to contain a command injection ...)
NOT-FOR-US: WAYOS
CVE-2023-37793 (WAYOS FBM-291W 19.09.11V was discovered to contain a buffer overflow v ...)
@@ -1792,6 +1794,7 @@ CVE-2023-38199 (coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4
- modsecurity-crs <unfixed> (bug #1041109)
[bookworm] - modsecurity-crs <no-dsa> (Minor issue)
[bullseye] - modsecurity-crs <no-dsa> (Minor issue)
+ [buster] - modsecurity-crs <postponed> (Minor issue)
NOTE: https://github.com/coreruleset/coreruleset/issues/3191
NOTE: https://github.com/coreruleset/coreruleset/pull/3237
CVE-2023-38198 (acme.sh before 3.0.6 runs arbitrary commands from a remote server via ...)
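Review bot: The added `[buster] - modsecurity-crs <postponed> (Minor issue)` line gives buster a different triage state from the bookworm and bullseye lines directly above it, which both use `<no-dsa>` with the same "(Minor issue)" justification. The commit message ("mark buster as postponed") confirms the tag is intended, but nothing in the entry records why buster is postponed rather than no-dsa; a NOTE line stating the reason for the differing tag would make the decision readable from data/CVE/list without consulting git history.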
@@ -2094,6 +2097,7 @@ CVE-2023-3019 (A DMA reentrancy issue leading to a use-after-free error was foun
- qemu <unfixed> (bug #1041102)
[bookworm] - qemu <no-dsa> (Minor issue)
[bullseye] - qemu <no-dsa> (Minor issue)
+ [buster] - qemu <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59243
NOTE: Proposed upstream patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html
CVE-2023-3011 (The ARMember plugin for WordPress is vulnerable to Cross-Site Request ...)
@@ -4010,12 +4014,14 @@ CVE-2023-3432 (Server-Side Request Forgery (SSRF) in GitHub repository plantuml/
- plantuml <unfixed> (bug #1040000)
[bookworm] - plantuml <no-dsa> (Minor issue)
[bullseye] - plantuml <no-dsa> (Minor issue)
+ [buster] - plantuml <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/8ac3316f-431c-468d-87e4-3dafff2ecf51/
NOTE: https://github.com/plantuml/plantuml/commit/b32500bb61ae617bb312496d6d832e4be8190797 (v1.2023.9)
CVE-2023-3431 (Improper Access Control in GitHub repository plantuml/plantuml prior t ...)
- plantuml <unfixed> (bug #1039999)
[bookworm] - plantuml <no-dsa> (Minor issue)
[bullseye] - plantuml <no-dsa> (Minor issue)
+ [buster] - plantuml <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/fa741f95-b53c-4ed7-b157-e32c5145164c/
NOTE: https://github.com/plantuml/plantuml/commit/fbe7fa3b25b4c887d83927cffb1009ec6cb8ab1e (v1.2023.9)
CVE-2023-3405 (Unchecked parameter value in M-Files Server in versions before 23.6.12 ...)
@@ -18793,6 +18799,7 @@ CVE-2023-1386 (A flaw was found in the 9p passthrough filesystem (9pfs) implemen
- qemu <unfixed>
[bookworm] - qemu <no-dsa> (Minor issue)
[bullseye] - qemu <no-dsa> (Minor issue)
+ [buster] - qemu <no-dsa> (Minor issue)
NOTE: https://github.com/v9fs/linux/issues/29
CVE-2023-1385 (Improper JPAKE implementation allows offline PIN brute-forcing due to ...)
NOT-FOR-US: Amazon Fire TV Stick 3rd gen and Insignia TV with FireOS
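Review bot: The entry this hunk extends carries a bare `- qemu <unfixed>` line with no bug reference, whereas the other qemu entry touched in this commit (CVE-2023-3019) records `(bug #1041102)`. Since buster is now marked no-dsa on an issue that is still unfixed in unstable, it would help to add the corresponding bug reference here as well, if one exists, so the open status is tracked consistently across both qemu entries.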
@@ -96833,6 +96840,7 @@ CVE-2022-1231 (XSS via Embedded SVG in SVG Diagram Format in GitHub repository p
- plantuml <unfixed> (bug #1039989)
[bookworm] - plantuml <no-dsa> (Minor issue)
[bullseye] - plantuml <no-dsa> (Minor issue)
+ [buster] - plantuml <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/27db9509-6cd3-4148-8d70-5942f3837604/
NOTE: https://github.com/plantuml/plantuml/commit/c9137be051ce98b3e3e27f65f54ec7d9f8886903 (v1.2022.4)
CVE-2022-1230 (This vulnerability allows local attackers to execute arbitrary code on ...)
@@ -161110,6 +161118,7 @@ CVE-2021-31295
CVE-2021-31294 (Redis before 6cbea7d allows a replica to cause an assertion failure in ...)
- redis 5:7.0.1-4
[bullseye] - redis <no-dsa> (Minor issue)
+ [buster] - redis <no-dsa> (Minor issue)
NOTE: Introduced with: https://github.com/redis/redis/pull/8170 (6.2-rc2, but feature partially backported to 6.0.y)
NOTE: Fixed by: https://github.com/redis/redis/commit/6cbea7d29b5285692843bc1c351abba1a7ef326f (6.2.3)
NOTE: https://github.com/redis/redis/issues/8712
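Review bot: The rationale quoted in the commit message (upstream: "Versions before 6.2 were not intended to have safety guarantees related to this.") does not appear in the entry itself; the only version context in the NOTE lines is that the feature arrived in 6.2-rc2 and was partially backported to 6.0.y. Suggest adding a NOTE line carrying that upstream statement next to the new `[buster] - redis <no-dsa> (Minor issue)` line, so the buster decision is self-documenting in data/CVE/list rather than only in the commit log.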
=====================================
data/dla-needed.txt
=====================================
@@ -129,6 +129,9 @@ openssl
orthanc
NOTE: 20230731: Added by Front-Desk (apo)
--
+pdfcrack
+ NOTE: 20230731: Added by Front-Desk (apo)
+--
python-glance-store
NOTE: 20230525: Added by Front-Desk (lamby)
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
@@ -188,6 +191,9 @@ samba
NOTE: 20220904: Many postponed or open CVE in general. (apo)
NOTE: 20230323: Still working on the long list of CVEs, will likely release an intermittent package first (lee)
--
+sox
+ NOTE: 20230731: Added by Front-Desk (apo)
+--
suricata (Adrian Bunk)
NOTE: 20230620: Added by Front-Desk (Beuc)
NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie,
@@ -203,3 +209,6 @@ xqilla (tobi)
NOTE: 20230706: Added by Front-Desk (gladk)
NOTE: 20230715: not vulnerable, the embedded yajl is ancient (around 0.2.2), not having the vulnerable code.
--
+zabbix
+ NOTE: 20230731: Added by Front-Desk (apo)
+--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9d2fe87396afc5cf833af681135009a43ab407d3...100de07409cc1e9355ff10f99a499aa3e9e163b6
--
More information about the debian-security-tracker-commits mailing list