[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Mar 1 11:26:09 GMT 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e6c2bacf by Moritz Muehlenhoff at 2023-03-01T12:25:54+01:00
bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3276,6 +3276,7 @@ CVE-2023-0912 (A vulnerability classified as critical has been found in SourceCo
NOT-FOR-US: SourceCodester Auto Dealer Management System
CVE-2019-25104 (A vulnerability has been found in rtcwcoop 1.0.2 and classified as pro ...)
- iortcw <unfixed> (bug #1031732)
+ [bullseye] - iortcw <no-dsa> (Minor issue)
NOTE: https://github.com/rtcwcoop/rtcwcoop/pull/45
NOTE: Reported against a version based on iortcw, but seems missing in iortcw
CVE-2016-15026 (A vulnerability was found in 3breadt dd-plist 1.17 and classified as p ...)
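Review bot: the new `[bullseye] - iortcw <no-dsa> (Minor issue)` line sits two lines above a NOTE that says the code "seems missing in iortcw". Those two statements pull in opposite directions: if the code touched by rtcwcoop pull request 45 is not present in iortcw, the package should be marked `<not-affected>` for all suites (and bug #1031732 closed with that finding) rather than `<unfixed>` plus a bullseye no-dsa; if it is present after all, the NOTE should be corrected so the entry does not contradict itself.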
@@ -6903,6 +6904,7 @@ CVE-2023-24810 (Misskey is an open source, decentralized social media platform.
NOT-FOR-US: Misskey
CVE-2023-24809 (NetHack is a single player dungeon exploration game. Starting with ver ...)
- nethack <unfixed> (bug #1031869)
+ [bullseye] - nethack <no-dsa> (Minor issue)
[buster] - nethack <no-dsa> (Minor issue)
NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-2cqv-5w4v-mgch
NOTE: https://nethack.org/security/CVE-2023-24809.html
@@ -8318,6 +8320,7 @@ CVE-2023-24330
CVE-2023-24329 (An issue in the urllib.parse component of Python before v3.11 allows a ...)
- python3.11 <unfixed>
- python3.9 <removed>
+ [bullseye] - python3.9 <no-dsa> (Minor issue)
- python3.7 <removed>
NOTE: https://pointernull.com/security/python-url-parse-problem.html
NOTE: https://github.com/python/cpython/pull/99421
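Review bot: the python3.9 bullseye line carries only "(Minor issue)" and neither NOTE records why a urllib.parse parsing issue in the standard library is rated as not DSA-worthy; the two links point at the upstream write-up and the fix, not at the triage reasoning. Suggest adding a NOTE with the rationale next to the rating so it can be re-checked later (for example when a python3.9 point-release update is considered), the way the crasm entries in this same commit spell out "Crash in CLI tool, no security impact".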
@@ -11655,11 +11658,13 @@ CVE-2023-23111
CVE-2023-23110 (An exploitable firmware modification vulnerability was discovered in c ...)
NOT-FOR-US: Netgear
CVE-2023-23109 (In crasm 1.8-3, invalid input validation, specific files passed to the ...)
- - crasm <unfixed>
+ - crasm <unfixed> (unimportant)
NOTE: https://github.com/colinbourassa/crasm/pull/7
+ NOTE: Crash in CLI tool, no security impact
CVE-2023-23108 (In crasm 1.8-3, invalid input validation, specific files passed to the ...)
- - crasm <unfixed>
+ - crasm <unfixed> (unimportant)
NOTE: https://github.com/colinbourassa/crasm/pull/7
+ NOTE: Crash in CLI tool, no security impact
CVE-2023-23107
RESERVED
CVE-2023-23106
@@ -81586,6 +81591,7 @@ CVE-2022-21223 (The package cocoapods-downloader before 1.6.2 are vulnerable to
NOT-FOR-US: cocoapods-downloader
CVE-2022-21222 (The package css-what before 2.1.3 are vulnerable to Regular Expression ...)
- node-css-what 5.0.1
+ [bullseye] - node-css-what <no-dsa> (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488
NOTE: ReDoS issue fixed with rewrite of module to TypeScript
NOTE: Not fixed in 4.0.0 see https://sources.debian.org/src/node-css-what/4.0.0-3/src/parse.ts/#L84
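Review bot: the bullseye no-dsa marking is consistent with the existing NOTE that the 4.0.0-3 package referenced in the sources.debian.org link is still affected, and with the upstream fix being a TypeScript rewrite rather than a small patch. What "Minor issue" does not say is whether a targeted regex fix is meant to go in via a point release or whether bullseye simply stays affected; one more line in the NOTE recording that decision would save re-triaging this ReDoS later.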
=====================================
data/dsa-needed.txt
=====================================
@@ -17,6 +17,8 @@ apr (carnil)
jupyter-core
Maintainer asked for availability to prepare updates
--
+libreswan
+--
linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more recent v5.10.y versions
@@ -26,6 +28,9 @@ netatalk
--
nodejs (aron)
--
+openimageio
+ some issues allow for RCE, the other ones can also be ignored for stable
+--
php-cas
--
php-horde-mime-viewer
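Review bot: the openimageio note is ambiguous: "the other ones can also be ignored for stable" reads as though the RCE-capable issues are being ignored as well. Suggest rewording it to state explicitly that the issues allowing RCE are the ones that need the DSA and that the remaining ones are deferred or marked no-dsa for stable, and listing the CVE ids in each group so whoever picks up the update does not have to redo the split.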
@@ -34,6 +39,9 @@ php-horde-turba
--
rails (aron)
--
+ring
+ might make sense to rebase to current version
+--
ruby-nokogiri
--
ruby-rack
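Review bot: the ring entry says a rebase "might make sense" but gives neither the target upstream version nor the reason a rebase is preferred over backporting the individual fixes, and has no assignee. The xrdp entry further down in this file records a concrete candidate ("maybe upgrade to 0.9.21 within bullseye?"); suggest the same level of detail here so the open question is actionable rather than a reminder to think about it again.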
@@ -50,6 +58,8 @@ sofia-sip
spip (seb)
Maintainer prepared updates
--
+syslog-ng
+--
xrdp
needs some additional clarification, tentatively DSA worthy
maybe upgrade to 0.9.21 within bullseye?
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6c2bacfee370b446f649ac41ff3482b0c5f72d5