[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Jun 28 11:27:04 BST 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8ab4d6fb by Moritz Muehlenhoff at 2023-06-28T12:26:48+02:00
bullseye/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -241,6 +241,8 @@ CVE-2023-2992 (An unauthenticated denial of service vulnerability exists in the
 	NOT-FOR-US: Lenovo
 CVE-2023-36675 (An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1. ...)
 	- mediawiki <unfixed>
+	[bookworm] - mediawiki <postponed> (Fix in next security release)
+	[bullseye] - mediawiki <postponed> (Fix in next security release)
 	NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/921452
 	NOTE: https://phabricator.wikimedia.org/T332889
 CVE-2023-36666 (INEX IXP-Manager before 6.3.1 allows XSS. list-preamble.foil.php, page ...)
@@ -1356,6 +1358,8 @@ CVE-2023-31671 (PrestaShop postfinance <= 17.1.13 is vulnerable to SQL Injection
 	NOT-FOR-US: PrestaShop postfinance
 CVE-2023-2976 (Use of Java's default temporary directory for file creation in `FileBa ...)
 	- guava-libraries 32.0.1-1 (bug #1038979)
+	[bookworm] - guava-libraries <no-dsa> (Minor issue)
+	[bullseye] - guava-libraries <no-dsa> (Minor issue)
 	NOTE: https://github.com/google/guava/releases/tag/v32.0.0
 	NOTE: https://github.com/google/guava/issues/2575
 CVE-2023-35149 (A missing permission check in Jenkins Digital.ai App Management Publis ...)
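Review bot: CVE-2023-2976 and CVE-2020-8908 both resolve to guava-libraries 32.0.1-1 (bug #1038979), and the CVE-2020-8908 entry carries a "NOTE: Issue incompletely fixed:" line, so the two "<no-dsa> (Minor issue)" lines added here should stay in step with the matching lines added under CVE-2020-8908; if either CVE is later reassessed for bookworm or bullseye, update both entries together rather than only one.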
@@ -2343,6 +2347,8 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse
 	[bookworm] - r-cran-jsonlite <no-dsa> (Minor issue)
 	[bullseye] - r-cran-jsonlite <no-dsa> (Minor issue)
 	- ruby-yajl <unfixed>
+	[bookworm] - ruby-yajl <no-dsa> (Minor issue)
+	[bullseye] - ruby-yajl <no-dsa> (Minor issue)
 CVE-2023-33457 (In Sogou Workflow v0.10.6, memcpy a negtive size in URIParser::parse , ...)
 	NOT-FOR-US: Sogou Workflow
 CVE-2023-33381 (A command injection vulnerability was found in the ping functionality  ...)
@@ -2552,6 +2558,8 @@ CVE-2023-34410 (An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9,
 	- qt6-base 6.4.2+dfsg-11 (bug #1037209)
 	[bookworm] - qt6-base <no-dsa> (Minor issue)
 	- qtbase-opensource-src 5.15.8+dfsg-12 (bug #1037210)
+	[bookworm] - qtbase-opensource-src <no-dsa> (Minor issue)
+	[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
 	[buster] - qtbase-opensource-src <no-dsa> (Minor issue)
 	- qtbase-opensource-src-gles <unfixed>
 	[bookworm] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
@@ -3879,6 +3887,7 @@ CVE-2023-33285 (An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2
 	- qt6-base 6.4.2+dfsg-10 (bug #1036848)
 	[bookworm] - qt6-base <no-dsa> (Minor issue)
 	- qtbase-opensource-src 5.15.8+dfsg-11
+	[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
 	[buster] - qtbase-opensource-src <no-dsa> (Minor issue)
 	- qtbase-opensource-src-gles <unfixed>
 	[bookworm] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
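Review bot: no "[bookworm]" line is added for qtbase-opensource-src in this hunk, whereas the CVE-2023-34410 hunk adds one next to 5.15.8+dfsg-12; that is consistent only if 5.15.8+dfsg-11 is the version shipped in bookworm, so please confirm bookworm is covered by the fixed version here rather than missing a status line.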
@@ -4042,6 +4051,7 @@ CVE-2019-25137 (Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Co
 CVE-2023-32763 (An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6. ...)
 	- qt6-base 6.4.2+dfsg-8
 	- qtbase-opensource-src 5.15.8+dfsg-10
+	[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
 	[buster] - qtbase-opensource-src <no-dsa> (Minor issue)
 	- qtbase-opensource-src-gles 5.15.8+dfsg-3 (bug #1036702)
 	[bullseye] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
@@ -4054,6 +4064,7 @@ CVE-2023-32763 (An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9,
 CVE-2023-32762 (An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6. ...)
 	- qt6-base 6.4.2+dfsg-9
 	- qtbase-opensource-src 5.15.8+dfsg-10
+	[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
 	[buster] - qtbase-opensource-src <postponed> (Can wait for next upload)
 	- qtbase-opensource-src-gles <not-affected> (Not built in GLES variant)
 	NOTE: https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
@@ -24400,6 +24411,7 @@ CVE-2023-24999 (HashiCorp Vault and Vault Enterprise\u2019s approle auth method
 CVE-2023-24998 (Apache Commons FileUpload before 1.5 does not limit the number of requ ...)
 	- tomcat10 10.1.5-1
 	- tomcat9 9.0.70-2
+	[bullseye] - tomcat9 <postponed> (Minor issue, fix along with future update)
 	[buster] - tomcat9 <no-dsa> (Minor issue)
 	- libcommons-fileupload-java 1.4-2 (bug #1031733)
 	[bullseye] - libcommons-fileupload-java <no-dsa> (Minor issue)
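Review bot: for the same issue in bullseye, tomcat9 gets "<postponed> (Minor issue, fix along with future update)" while libcommons-fileupload-java gets "<no-dsa> (Minor issue)"; the differing status makes sense if tomcat9 is expected to receive a future DSA that can carry this fix, but a reason that says so explicitly would make the distinction clearer for the next triager.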
@@ -58600,6 +58612,7 @@ CVE-2022-40717 (This vulnerability allows network-adjacent attackers to execute
 	NOT-FOR-US: D-Link
 CVE-2022-40716 (HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13. ...)
 	- consul <unfixed> (bug #1027161)
+	[bullseye] - consul <no-dsa> (Minor issue)
 	[buster] - consul <not-affected> (Vulnerable Code not present)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628
 	NOTE: https://github.com/hashicorp/consul/commit/ae822d752ad36007e353249691a0ef318cf55d08 (v1.11.9)
@@ -64897,6 +64910,7 @@ CVE-2022-2880 (Requests forwarded by ReverseProxy include the raw query paramete
 	- golang-1.18 1.18.7-1
 	- golang-1.17 <unfixed>
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
 	NOTE: https://go.dev/issue/54663
@@ -64907,6 +64921,7 @@ CVE-2022-2879 (Reader.Read does not set a limit on the maximum size of file head
 	- golang-1.18 1.18.7-1
 	- golang-1.17 <unfixed>
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
 	NOTE: https://go.dev/issue/54853
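Review bot: golang-1.15 is "<removed>" in unstable, so the new "[bullseye]" line is the only release where these two entries are still actionable, and CVE-2022-2880 and CVE-2022-2879 are triaged identically, which is consistent; note however that the buster line for golang-1.11 reads "follow bullseye DSAs/point-releases", and with bullseye now "<no-dsa>" there is nothing for buster to follow for these issues, so confirm that outcome is intended.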
@@ -244559,6 +244574,8 @@ CVE-2020-8909
 	RESERVED
 CVE-2020-8908 (A temp directory creation vulnerability exists in all versions of Guav ...)
 	- guava-libraries 32.0.1-1 (bug #1038979)
+	[bookworm] - guava-libraries <no-dsa> (Minor issue)
+	[bullseye] - guava-libraries <no-dsa> (Minor issue)
 	NOTE: https://github.com/google/guava/issues/4011
 	NOTE: https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40
 	NOTE: Issue incompletely fixed:



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ab4d6fba2521504196476b7fbcfe05efdc17261
