[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue May 23 20:11:37 BST 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0fd31e5c by Moritz Mühlenhoff at 2023-05-23T21:11:20+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -916,6 +916,7 @@ CVE-2023-2641 (A vulnerability was found in SourceCodester Online Internship Man
 	NOT-FOR-US: SourceCodester Online Internship Management System
 CVE-2023-32076 (in-toto is a framework to protect supply chain integrity. The in-toto  ...)
 	- in-toto <unfixed> (bug #1035934)
+	[bookworm] - in-toto <no-dsa> (Minor issue)
 	[bullseye] - in-toto <no-dsa> (Minor issue)
 	NOTE: https://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf
 	NOTE: https://github.com/in-toto/in-toto/commit/f88138c90861953c77a1384ea2fcc58126e6fe59 (v2.0.0)
@@ -5983,6 +5984,7 @@ CVE-2023-29660
 	RESERVED
 CVE-2023-29659 (A Segmentation fault caused by a floating point exception exists in li ...)
 	- libheif <unfixed> (bug #1035607)
+	[bookworm] - libheif <no-dsa> (Minor issue)
 	[bullseye] - libheif <no-dsa> (Minor issue)
 	[buster] - libheif <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libheif/issues/794
@@ -9968,6 +9970,7 @@ CVE-2023-1437
 	RESERVED
 CVE-2023-1436 (An infinite recursion is triggered in Jettison when constructing a JSO ...)
 	- libjettison-java <unfixed> (bug #1033846)
+	[bookworm] - libjettison-java <no-dsa> (Minor issue)
 	[bullseye] - libjettison-java <no-dsa> (Minor issue)
 	[buster] - libjettison-java <postponed> (Minor issue, DoS)
 	NOTE: https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/
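Review bot: the rationale strings in this hunk diverge: the new [bookworm] line and the existing [bullseye] line say "(Minor issue)" while [buster] says "(Minor issue, DoS)". If the DoS characterisation applies to all suites (the description is an infinite recursion), consider using the same wording on the bookworm line so the nature of the issue is visible without reading the buster entry.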
@@ -10180,6 +10183,7 @@ CVE-2023-28429 (Pimcore is an open source data and experience management platfor
 	NOT-FOR-US: Pimcore
 CVE-2023-28428 (PDFio is a C library for reading and writing PDF files. In versions 1. ...)
 	- ippsample <unfixed> (bug #1034155)
+	[bookworm] - ippsample <no-dsa> (Minor issue)
 	NOTE: https://github.com/michaelrsweet/pdfio/commit/97d4955666779dc5b0665e15dd951a5c12426a31 (v1.1.1)
 	NOTE: https://github.com/michaelrsweet/pdfio/security/advisories/GHSA-68x8-9phf-j7jf
 CVE-2023-28427 (matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for Jav ...)
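Review bot: unlike the other hunks in this commit, only a [bookworm] annotation is added here and no [bullseye] or [buster] line exists for ippsample. That is fine if the package is not shipped in those suites, but it is worth confirming that the absence reflects a missing package rather than an untriaged one; the fix NOTE already records the fixed upstream version (v1.1.1), so the PDFio copy bundled in each suite can be compared against it.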
@@ -14347,12 +14351,14 @@ CVE-2023-27104
 	RESERVED
 CVE-2023-27103 (Libde265 v1.0.11 was discovered to contain a heap buffer overflow via  ...)
 	- libde265 <unfixed> (bug #1033257)
+	[bookworm] - libde265 <no-dsa> (Minor issue)
 	[bullseye] - libde265 <no-dsa> (Minor issue)
 	[buster] - libde265 <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libde265/issues/394
 	NOTE: https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995
 CVE-2023-27102 (Libde265 v1.0.11 was discovered to contain a segmentation violation vi ...)
 	- libde265 <unfixed> (bug #1033257)
+	[bookworm] - libde265 <no-dsa> (Minor issue)
 	[bullseye] - libde265 <no-dsa> (Minor issue)
 	[buster] - libde265 <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libde265/issues/393
@@ -16806,6 +16812,8 @@ CVE-2023-26126 (All versions of the package m.static are vulnerable to Directory
 	NOT-FOR-US: m.static
 CVE-2023-26125 (Versions of the package github.com/gin-gonic/gin before 1.9.0 are vuln ...)
 	- golang-github-gin-gonic-gin <unfixed> (bug #1035498)
+	[bookworm] - golang-github-gin-gonic-gin <no-dsa> (Minor issue)
+	[bullseye] - golang-github-gin-gonic-gin <no-dsa> (Minor issue)
 	NOTE: https://github.com/gin-gonic/gin/pull/3500
 	NOTE: https://github.com/gin-gonic/gin/pull/3503
 	NOTE: https://github.com/gin-gonic/gin/commit/81ac7d55a09e34013225db0aeac6e70c1ae68928 (v1.9.0)
@@ -21921,6 +21929,8 @@ CVE-2023-0476 (A LDAP injection vulnerability exists in Tenable.sc due to improp
 	NOT-FOR-US: Tenable
 CVE-2023-0475 (HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompressi ...)
 	- golang-github-hashicorp-go-getter <unfixed> (bug #1032100)
+	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125
 CVE-2023-0474 (Use after free in GuestView in Google Chrome prior to 109.0.5414.119 a ...)
@@ -26294,10 +26304,9 @@ CVE-2023-0198 (NVIDIA GPU Display Driver for Linux contains a vulnerability in t
 CVE-2023-0197 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...)
 	NOT-FOR-US: NVIDIA vGPU software
 CVE-2023-0196 (NVIDIA CUDA Toolkit SDK contains a bug in cuobjdump, where a local use ...)
-	- nvidia-cuda-toolkit <unfixed> (bug #1032668)
-	[bullseye] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
-	[buster] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
+	- nvidia-cuda-toolkit <unfixed> (unimportant; bug #1032668)
 	NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5446
+	NOTE: Crash in CLI tool, no security impact
 CVE-2023-0195 (NVIDIA GPU Display Driver for Windows contains a vulnerability in the  ...)
 	- nvidia-open-gpu-kernel-modules 525.105.17-1 (bug #1033783)
 	- nvidia-graphics-drivers-tesla 525.105.17-1 (bug #1033782)
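Review bot: the NOTE "Crash in CLI tool, no security impact" is the justification for downgrading to unimportant and dropping the per-suite no-dsa lines, but the truncated CVE text begins "where a local use...", so a reader may ask why a locally triggered crash crosses no security boundary. One more clause stating the assumption behind the assessment (for instance, that cuobjdump only processes input chosen by the invoking user, if that is the reasoning) would make the triage reproducible from the entry alone. Removing the [bullseye]/[buster] lines is consistent with the new severity: an unimportant marking applies to every suite, so per-release no-dsa markers would be redundant.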
@@ -26341,10 +26350,9 @@ CVE-2023-0194 (NVIDIA GPU Display Driver for Windows and Linux contains a vulner
 	[buster] - nvidia-graphics-drivers <ignored> (Non-free not supported, no updates provided by Nvidia anymore)
 	NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5452
 CVE-2023-0193 (NVIDIA CUDA Toolkit SDK contains a vulnerability in cuobjdump, where a ...)
-	- nvidia-cuda-toolkit <unfixed> (bug #1032668)
-	[bullseye] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
-	[buster] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
+	- nvidia-cuda-toolkit <unfixed> (unimportant; bug #1032668)
 	NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5446
+	NOTE: Crash in CLI tool, no security impact
 CVE-2023-0192 (NVIDIA GPU Display Driver for Windows contains a vulnerability in the  ...)
 	NOT-FOR-US: NVIDIA GPU Display Driver for Windows
 CVE-2023-0191 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...)
@@ -27617,6 +27625,7 @@ CVE-2014-125042
 	REJECTED
 CVE-2023-22665 (There is insufficient checking of user queries in Apache Jena versions ...)
 	- apache-jena <unfixed> (bug #1035952)
+	[bookworm] - apache-jena <no-dsa> (Minor issue)
 	NOTE: https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s
 CVE-2023-22652
 	RESERVED
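Review bot: the only reference for CVE-2023-22665 is the lists.apache.org announcement thread, whereas most entries in this commit also record the upstream fix commit or fixed version in a NOTE (e.g. "(v2.0.0)", "(v1.1.1)", "(v1.9.0)"). Adding the fixed Jena version would make it straightforward to resolve the <unfixed> marker once that version reaches the archive.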
@@ -68002,6 +68011,7 @@ CVE-2022-31471 (untangle is a python library to convert XML data to python objec
 	NOTE: https://github.com/stchris/untangle/pull/94
 CVE-2022-2393 (A flaw was found in pki-core, which could allow a user to get a certif ...)
 	- dogtag-pki <unfixed> (bug #1034802)
+	[bookworm] - dogtag-pki <no-dsa> (Minor issue)
 	[bullseye] - dogtag-pki <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2101046
 CVE-2022-2392 (The Lana Downloads Manager WordPress plugin before 1.8.0 is affected b ...)
@@ -83144,6 +83154,7 @@ CVE-2022-30324 (HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 w
 	- nomad <not-affected> (In Debian Nomad doesn't bundle go-getter, but build depends a shared deb)
 CVE-2022-30323 (go-getter up to 1.5.11 and 2.0.2 panicked when processing password-pro ...)
 	- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
@@ -83151,6 +83162,7 @@ CVE-2022-30323 (go-getter up to 1.5.11 and 2.0.2 panicked when processing passwo
 	NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
 CVE-2022-30322 (go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustio ...)
 	- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
@@ -83158,6 +83170,7 @@ CVE-2022-30322 (go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exh
 	NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
 CVE-2022-30321 (go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go- ...)
 	- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
@@ -93246,6 +93259,7 @@ CVE-2022-26946
 	RESERVED
 CVE-2022-26945 (go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless r ...)
 	- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
@@ -121652,6 +121666,7 @@ CVE-2021-42837 (An issue was discovered in Talend Data Catalog before 7.3-202109
 CVE-2021-42836 (GJSON before 1.9.3 allows a ReDoS (regular expression denial of servic ...)
 	[experimental] - golang-github-tidwall-gjson 1.14.4-1
 	- golang-github-tidwall-gjson <unfixed> (bug #1000225)
+	[bookworm] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
 	[bullseye] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
 	[buster] - golang-github-tidwall-gjson <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944
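Review bot: the fix NOTE for CVE-2021-42836 cites the gjson commit without the release tag in parentheses that the other fix NOTEs in this commit carry (e.g. "(v1.9.0)" for gin, "(v1.6.0)" for go-getter). Since the [experimental] line already records 1.14.4-1, appending the upstream version that contains this commit would show at a glance that the experimental upload is fixed and what the bookworm no-dsa defers.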
@@ -124481,6 +124496,7 @@ CVE-2021-42249
 CVE-2021-42248 (GJSON <= 1.9.2 allows attackers to cause a redos via crafted JSON inpu ...)
 	[experimental] - golang-github-tidwall-gjson 1.14.4-1
 	- golang-github-tidwall-gjson <unfixed> (bug #1011616)
+	[bookworm] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
 	[bullseye] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
 	[buster] - golang-github-tidwall-gjson <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://github.com/tidwall/gjson/issues/237
@@ -260180,6 +260196,7 @@ CVE-2020-1697 (It was found in all keycloak versions before 9.0.0 that links to
 	NOT-FOR-US: Keycloak
 CVE-2020-1696 (A flaw was found in the all pki-core 10.x.x versions, where Token Proc ...)
 	- dogtag-pki <unfixed> (bug #1014854)
+	[bookworm] - dogtag-pki <no-dsa> (Minor issue)
 	[bullseye] - dogtag-pki <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1780707
 CVE-2020-1695 (A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final  ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fd31e5c0d922eca7e74459721102d59d8e542d4


