[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Mar 15 18:08:01 GMT 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a85187f8 by Moritz Muehlenhoff at 2023-03-15T19:07:14+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -123601,6 +123601,7 @@ CVE-2021-38085 (The Canon TR150 print driver through 3.71.2.10 is vulnerable to
 	NOT-FOR-US: Canon
 CVE-2021-38084 (An issue was discovered in the POP3 component of Courier Mail Server b ...)
 	- courier <unfixed> (bug #989375)
+	[bookworm] - courier <no-dsa> (Minor issue)
 	[bullseye] - courier <no-dsa> (Minor issue)
 	[buster] - courier <no-dsa> (Minor issue)
 	[stretch] - courier <postponed> (Minor issue, include in next update)
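Review bot: the new `[bookworm] - courier <no-dsa> (Minor issue)` line matches the bullseye and buster tags, but note the sid line above it stays `- courier <unfixed> (bug #989375)` and the stretch line below still reads `<postponed> (Minor issue, include in next update)`; with every supported suite now tagged as minor, the only remaining route to a bookworm fix is an upload to unstable, so it is worth checking bug #989375 still reflects that expectation rather than silently going stale behind four no-dsa/postponed tags.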
@@ -230813,9 +230814,10 @@ CVE-2020-8033 (Ruckus R500 3.4.2.0.384 devices allow XSS via the index.asp Devic
 CVE-2020-8032 (A Insecure Temporary File vulnerability in the packaging of cyrus-sasl ...)
 	- cyrus-sasl2 <not-affected> (openSUSE specific packaging issue)
 CVE-2020-8031 (A Improper Neutralization of Input During Web Page Generation ('Cross- ...)
-	- open-build-service <unfixed> (bug #983576)
+	- open-build-service 2.9.4-4 (bug #983576)
 	[stretch] - open-build-service <postponed> (Minor issue, XSS in web app)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1178880
+	NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, marking as fixed version
 CVE-2020-8030 (A Insecure Temporary File vulnerability in skuba of SUSE CaaS Platform ...)
 	NOT-FOR-US: SuSE CaaS
 CVE-2020-8029 (A Incorrect Permission Assignment for Critical Resource vulnerability  ...)
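Review bot: changing `- open-build-service <unfixed> (bug #983576)` to `- open-build-service 2.9.4-4 (bug #983576)` marks the issue fixed by removal rather than by a code change, which the added NOTE states correctly; since bug #983576 is kept on the fixed line, confirm the bug is actually closed (or closed with a version) for 2.9.4-4, otherwise the tracker will show the CVE as resolved while the BTS still lists it open. The `[stretch] - open-build-service <postponed> (Minor issue, XSS in web app)` line remains as the only open suite entry, which is consistent with stretch being outside this change.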
@@ -230836,14 +230838,16 @@ CVE-2020-8022 (A Incorrect Default Permissions vulnerability in the packaging of
 	NOT-FOR-US: SAP
 CVE-2020-8021 (a Improper Access Control vulnerability in of Open Build Service allow ...)
 	{DLA-2545-1}
-	- open-build-service <unfixed> (bug #983576)
+	- open-build-service 2.9.4-4 (bug #983576)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1171649
 	NOTE: https://github.com/openSUSE/open-build-service/commit/7323c904f86ba9e04065c23422d06c03647589fb
+	NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, marking as fixed version
 CVE-2020-8020 (A Improper Neutralization of Input During Web Page Generation vulnerab ...)
 	{DLA-2545-1}
-	- open-build-service <unfixed> (bug #983576)
+	- open-build-service 2.9.4-4 (bug #983576)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1171439
 	NOTE: https://github.com/openSUSE/open-build-service/commit/7cc32c8e2ff7290698e101d9a80a9dc29a5500fb
+	NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, marking as fixed version
 CVE-2020-8019 (A UNIX Symbolic Link (Symlink) Following vulnerability in the packagin ...)
 	NOT-FOR-US: SAP
 CVE-2020-8018 (A Incorrect Default Permissions vulnerability in the SLES15-SP1-CHOST- ...)
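Review bot: both CVE-2020-8021 and CVE-2020-8020 carry `{DLA-2545-1}` and point at the upstream commits in the github NOTE lines, so stretch was fixed by backporting code, while 2.9.4-4 is fixed only because the rails frontend is no longer shipped; the added NOTE already says so, but to avoid someone later checking 2.9.4-4 for those commit hashes, consider wording it as `NOTE: 2.9.4-4 does not contain the upstream fix; the affected rails web frontend is no longer shipped, marking as fixed version`. Same remark applies to the identical NOTE added for CVE-2020-8031 in the previous hunk; the three entries share bug #983576, so one bug closure has to cover all of them.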
@@ -293499,6 +293503,7 @@ CVE-2019-5428
 	REJECTED
 CVE-2019-5427 (c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack  ...)
 	- c3p0 <unfixed> (low; bug #927936)
+	[bookworm] - c3p0 <no-dsa> (Minor issue)
 	[bullseye] - c3p0 <no-dsa> (Minor issue)
 	[buster] - c3p0 <no-dsa> (Minor issue)
 	[stretch] - c3p0 <no-dsa> (Minor issue)
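Review bot: the `[bookworm] - c3p0 <no-dsa> (Minor issue)` line is consistent with the `low` severity on the sid line `- c3p0 <unfixed> (low; bug #927936)` and with the bullseye/buster/stretch tags; if there is no intention to ever fix the billion laughs issue in the release, `<ignored>` would describe that more accurately than `<no-dsa>`, which leaves open a fix through a point release. Otherwise the placement (bookworm before bullseye) follows the ordering used in the courier entry earlier in this commit.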
@@ -327340,11 +327345,12 @@ CVE-2018-12467 (Authorized users of the openbuildservice before 2.9.4 could dele
 	NOTE: Fixed by: https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063
 	NOTE: Introduced by: https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b
 CVE-2018-12466 (openSUSE openbuildservice before 9.2.4 allowed authenticated users to  ...)
-	- open-build-service <unfixed> (bug #911797)
+	- open-build-service 2.9.4-4 (bug #911797)
 	[stretch] - open-build-service <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1098934
 	NOTE: Fixed by: https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063
 	NOTE: Introduced by: https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b
+	NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, marking as fixed version
 CVE-2018-12465 (An OS command injection vulnerability in the web administration compon ...)
 	NOT-FOR-US: Micro Focus
 CVE-2018-12464 (A SQL injection vulnerability in the web administration and quarantine ...)
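Review bot: CVE-2018-12467 immediately above this hunk lists the same `Fixed by:` commit f57b660f49f830006766a8d4abc3b4af6e178063 and the same `Introduced by:` commit as CVE-2018-12466, yet only CVE-2018-12466 is moved to `- open-build-service 2.9.4-4 (bug #911797)` here; its package line sits outside the hunk, so confirm it already carries 2.9.4-4 or gets the same NOTE and fixed version, since the removal of the rails frontend applies to both. Also note the CVE description text reads `before 9.2.4` where CVE-2018-12467 says `before 2.9.4`; that is upstream CVE wording and not something to edit in data/CVE/list, but it is a hint to double-check the affected range against the suse bugzilla link rather than the summary.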



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a85187f840c5f028834e9be400833199da643682
