[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon May 8 17:00:07 BST 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
47fd1137 by Moritz Muehlenhoff at 2023-05-08T17:27:21+02:00
bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2334,6 +2334,7 @@ CVE-2023-30609 (matrix-react-sdk is a react-based SDK for inserting a Matrix cha
NOTE: https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-xv83-x443-7rmw
CVE-2023-30608 (sqlparse is a non-validating SQL parser module for Python. In affected ...)
- sqlparse <unfixed> (bug #1034615)
+ [bullseye] - sqlparse <no-dsa> (Minor issue)
NOTE: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
NOTE: Introduced by: https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a (0.1.15)
NOTE: Fixed by: https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb (0.4.4)
@@ -2753,6 +2754,7 @@ CVE-2023-2005
RESERVED
CVE-2023-2004 (An integer overflow vulnerability was discovered in Freetype in tt_hva ...)
- freetype 2.12.1+dfsg-5 (bug #1034612)
+ [bullseye] - freetype <postponed> (Minor issue)
[buster] - freetype <postponed> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
NOTE: https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611 (VER-2-13-0)
@@ -2860,18 +2862,21 @@ CVE-2023-1994 (GQUIC dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.
{DLA-3402-1}
[experimental] - wireshark 4.0.5-1~exp1
- wireshark <unfixed> (bug #1034721)
+ [bullseye] - wireshark <no-dsa> (Minor issue)
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18947
NOTE: https://www.wireshark.org/security/wnpa-sec-2023-11.html
CVE-2023-1993 (LISP dissector large loop in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6 ...)
{DLA-3402-1}
[experimental] - wireshark 4.0.5-1~exp1
- wireshark <unfixed> (bug #1034721)
+ [bullseye] - wireshark <no-dsa> (Minor issue)
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18900
NOTE: https://www.wireshark.org/security/wnpa-sec-2023-10.html
CVE-2023-1992 (RPCoRDMA dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6. ...)
{DLA-3402-1}
[experimental] - wireshark 4.0.5-1~exp1
- wireshark <unfixed> (bug #1034721)
+ [bullseye] - wireshark <no-dsa> (Minor issue)
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18852
NOTE: https://www.wireshark.org/security/wnpa-sec-2023-09.html
CVE-2023-1991
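Review bot: the three `+ [bullseye] - wireshark <no-dsa> (Minor issue)` lines sit directly under `{DLA-3402-1}`, which records that buster already received a dedicated LTS update for the same dissector crashes (CVE-2023-1994, CVE-2023-1993, CVE-2023-1992), so stable ends up with a weaker handling than oldstable for identical issues. If the intent is to ship the `4.0.5-1~exp1` fixes through a bullseye point release rather than a DSA, consider saying so in the rationale (e.g. `(Minor issue, fix via point release)`) so the difference from the LTS treatment is documented in the tracker rather than left implicit.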
@@ -4873,6 +4878,7 @@ CVE-2023-29580 (yasm 1.3.0.55.g101bc was discovered to contain a segmentation vi
NOTE: Crash in CLI tool, no security impact
CVE-2023-29579 (yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via th ...)
- yasm <unfixed>
+ [bullseye] - yasm <no-dsa> (Minor issue)
NOTE: https://github.com/yasm/yasm/issues/214
CVE-2023-29578 (mp4v2 v2.0.0 was discovered to contain a heap buffer overflow via the ...)
NOT-FOR-US: MP4v2
@@ -5195,6 +5201,7 @@ CVE-2023-29492 (Novi Survey before 8.9.43676 allows remote attackers to execute
NOT-FOR-US: Novi Survey
CVE-2023-29491 (ncurses before 6.4 20230408, when used by a setuid application, allows ...)
- ncurses <unfixed> (bug #1034372)
+ [bullseye] - ncurses <no-dsa> (Minor issue)
NOTE: https://invisible-island.net/ncurses/NEWS.html#index-t20230408
NOTE: http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56
NOTE: https://github.com/ThomasDickey/ncurses-snapshots/commit/a6d3f92bb5bba1a71c7c3df39497abbe5fe999ff
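Review bot: the new `[bullseye] - ncurses <no-dsa> (Minor issue)` line gives no reason, although the CVE description in the hunk already states the precondition (`when used by a setuid application`). Recording that precondition in the rationale, e.g. `(Minor issue; only relevant for setuid applications using ncurses)`, would make the triage decision reviewable later without re-reading the three upstream references.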
@@ -5439,6 +5446,7 @@ CVE-2023-1907
RESERVED
CVE-2023-1906 (A heap-based buffer overflow issue was discovered in ImageMagick's Imp ...)
- imagemagick <unfixed> (bug #1034373)
+ [bullseye] - imagemagick <no-dsa> (Minor issue)
[buster] - imagemagick <no-dsa> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-35q2-86c7-9247
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e30c693b37c3b41723f1469d1226a2c814ca443d (ImageMagick 6.9.12-84)
@@ -9061,6 +9069,7 @@ CVE-2023-28372
RESERVED
CVE-2023-28371 (In Stellarium through 1.2, attackers can write to files that are typic ...)
- stellarium <unfixed> (bug #1034183)
+ [bullseye] - stellarium <no-dsa> (Minor issue)
NOTE: https://github.com/Stellarium/stellarium/commit/1261f74dc4aa6bbd01ab514343424097f8cf46b7
NOTE: https://github.com/Stellarium/stellarium/commit/787a894897b7872ae96e6f5804a182210edd5c78
NOTE: https://github.com/Stellarium/stellarium/commit/eba61df3b38605befcb43687a4c0a159dbc0c5cb
@@ -17588,18 +17597,23 @@ CVE-2023-25515
RESERVED
CVE-2023-25514 (NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in ...)
- nvidia-cuda-toolkit <unfixed> (bug #1034793; bug #1034799)
+ [bullseye] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456
CVE-2023-25513 (NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in ...)
- nvidia-cuda-toolkit <unfixed> (bug #1034799)
+ [bullseye] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456
CVE-2023-25512 (NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in ...)
- nvidia-cuda-toolkit <unfixed> (bug #1034799)
+ [bullseye] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456
CVE-2023-25511 (NVIDIA CUDA Toolkit for Linux and Windows contains a vulnerability in ...)
- nvidia-cuda-toolkit <unfixed> (bug #1034793; bug #1034799)
+ [bullseye] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456
CVE-2023-25510 (NVIDIA CUDA Toolkit SDK for Linux and Windows contains a NULL pointer ...)
- nvidia-cuda-toolkit <unfixed> (bug #1034793; bug #1034799)
+ [bullseye] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456
CVE-2023-25509 (NVIDIA DGX-1 SBIOS contains a vulnerability in Bds, which may lead to ...)
NOT-FOR-US: NVIDIA DGX-1 SBIOS
@@ -97628,6 +97642,7 @@ CVE-2022-24919 (An authenticated user can create a link with reflected Javascrip
NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe (5.0.21rc1)
CVE-2022-24918 (An authenticated user can create a link with reflected Javascript code ...)
- zabbix 1:6.0.7+dfsg-2
+ [bullseye] - zabbix <no-dsa> (Minor issue)
[buster] - zabbix <not-affected> (The vulnerable code was introduced later)
[stretch] - zabbix <not-affected> (The vulnerable code was introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-20680
@@ -222724,6 +222739,7 @@ CVE-2020-14422 (Lib/ipaddress.py in Python through 3.8.3 improperly computes has
[jessie] - python3.4 <postponed> (Minor issue, DoS with constraints)
- python2.7 <not-affected> (ipaddress module introduced in 3.3)
- python-ipaddress <removed>
+ [bullseye] - python-ipaddress <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue41004
NOTE: https://github.com/python/cpython/pull/20956
NOTE: https://github.com/python/cpython/pull/21033
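Review bot: the rationale on `+ [bullseye] - python-ipaddress <no-dsa> (Minor issue)` is terser than the one used a few lines above for jessie (`Minor issue, DoS with constraints`); reusing the more specific wording keeps the reasoning for the same CVE consistent across suites. Note also that the unstable line reads `- python-ipaddress <removed>`, so this bullseye entry is what keeps the issue tracked for a package that no longer exists in unstable; worth confirming the source package is still shipped in bullseye before the line is added.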
=====================================
data/dsa-needed.txt
=====================================
@@ -17,10 +17,14 @@ gpac (aron)
jupyter-core
Maintainer asked for availability to prepare updates
--
+libapache2-mod-auth-openidc (jmm)
+--
linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more recent v5.10.y versions
--
+nbconvert
+--
netatalk (apo)
open regression with MacOS, tentative patch not yet merged upstream
--
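Review bot: `+nbconvert` is added with no assignee and no status line, whereas `+libapache2-mod-auth-openidc (jmm)` in the same hunk carries an owner and the neighbouring entries (`jupyter-core`, `linux (carnil)`) carry a one-line status note. An unowned entry without a note is easy to overlook in this list; consider either claiming it or adding a short note on what is blocking the update.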
@@ -28,6 +32,8 @@ openjdk-11 (jmm)
--
openjdk-17 (jmm)
--
+owslib
+--
php-cas
--
php-horde-mime-viewer
@@ -41,6 +47,8 @@ python-werkzeug
ring
might make sense to rebase to current version
--
+ruby2.7
+--
ruby-nokogiri
--
ruby-rack
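Review bot: `+ruby2.7` is added without an owner or a status line; the entry directly above (`ring` with `might make sense to rebase to current version`) shows the convention of attaching a short note. A line on which issues the DSA is meant to cover, or why the entry was added now, would help whoever picks it up.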
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47fd1137ae88d9cedab245a6a8b1462bf6c284e0