[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sun May 28 19:22:06 BST 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2e88c288 by Moritz Mühlenhoff at 2023-05-28T20:21:24+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -458,6 +458,7 @@ CVE-2023-32409
 CVE-2023-32373
 	- webkit2gtk <unfixed>
 	- wpewebkit <unfixed>
+	[bullseye] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
 	NOTE: https://bugs.webkit.org/show_bug.cgi?id=254840
 	NOTE: https://github.com/WebKit/WebKit/commit/85fd2302d16a09a82d9a6e81eb286babb23c4b3c
 CVE-2023-32350 (Versions 00.07.00 through 00.07.03 of Teltonika\u2019s RUT router firm ...)
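Review bot: the suite tag and the justification on the added line `[bullseye] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)` disagree: the tag marks bullseye while the parenthetical names Bookworm. If wpewebkit is the unsupported package in bullseye, the reason text should say Bullseye; if it is Bookworm that lacks support, the tag should be `[bookworm]`. Worth settling before the entry is copied to further WebKit CVEs, since the same wording reappears in the CVE-2023-28204 hunk of this commit.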
@@ -1506,6 +1507,7 @@ CVE-2023-2614 (Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pim
 	NOT-FOR-US: pimcore
 CVE-2023-2610 (Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9 ...)
 	- vim <unfixed> (bug #1035955)
+	[bookworm] - vim <no-dsa> (Minor issue)
 	[bullseye] - vim <no-dsa> (Minor issue)
 	[buster] - vim <no-dsa> (Minor issue)
 	NOTE: https://huntr.dev/bounties/31e67340-935b-4f6c-a923-f7246bc29c7d
@@ -6647,6 +6649,7 @@ CVE-2023-29580 (yasm 1.3.0.55.g101bc was discovered to contain a segmentation vi
 	NOTE: Crash in CLI tool, no security impact
 CVE-2023-29579 (yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via th ...)
 	- yasm <unfixed> (bug #1035951)
+	[bookworm] - yasm <no-dsa> (Minor issue)
 	[bullseye] - yasm <no-dsa> (Minor issue)
 	[buster] - yasm <no-dsa> (Minor issue)
 	NOTE: https://github.com/yasm/yasm/issues/214
@@ -7457,6 +7460,7 @@ CVE-2014-125094 (A vulnerability classified as problematic was found in phpMiniA
 	NOT-FOR-US: phpMiniAdmin
 CVE-2023-29383 (In Shadow 4.13, it is possible to inject control characters into field ...)
 	- shadow <unfixed> (bug #1034482)
+	[bookworm] - shadow <no-dsa> (Minor issue)
 	[bullseye] - shadow <no-dsa> (Minor issue)
 	[buster] - shadow <no-dsa> (Minor issue)
 	NOTE: https://github.com/shadow-maint/shadow/pull/687
@@ -8584,6 +8588,7 @@ CVE-2023-29008 (The SvelteKit framework offers developers an option to create si
 	NOT-FOR-US: SvelteKit
 CVE-2023-29007 (Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2. ...)
 	- git 1:2.40.1-1 (bug #1034835)
+	[bookworm] - git <no-dsa> (Minor issue)
 	[bullseye] - git <no-dsa> (Minor issue)
 	[buster] - git <no-dsa> (Minor issue)
 	NOTE: https://lore.kernel.org/lkml/xmqqa5yv3n93.fsf@gitster.g/
@@ -9987,6 +9992,8 @@ CVE-2023-22300 (An unauthenticated remote attacker could force all authenticated
 CVE-2023-1523
 	RESERVED
 	- snapd 2.59.5-1
+	[bookworm] - snapd <no-dsa> (Minor issue)
+	[bullseye] - snapd <no-dsa> (Minor issue)
 	NOTE: Preparation: https://github.com/snapcore/snapd/commit/e4681c57bd5805c8d2dec5c3ddf7d85ebf1d2c4c (2.59.5)
 	NOTE: Fixed by: https://github.com/snapcore/snapd/commit/dddcfd6ac8daa84feb80eb6fd88f852ced70629c (2.59.5)
 	NOTE: Fixed by: https://github.com/snapcore/snapd/commit/52af545f3c0d8b086500ab86f161703905638951 (2.59.5)
@@ -10602,6 +10609,7 @@ CVE-2023-28451
 	RESERVED
 CVE-2023-28450 (An issue was discovered in Dnsmasq before 2.90. The default maximum ED ...)
 	- dnsmasq <unfixed> (bug #1033165)
+	[bookworm] - dnsmasq <no-dsa> (Minor issue)
 	[bullseye] - dnsmasq <no-dsa> (Minor issue)
 	[buster] - dnsmasq <no-dsa> (Minor issue)
 	NOTE: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5
@@ -11473,6 +11481,7 @@ CVE-2023-28204
 	- qtwebkit-opensource-src <unfixed>
 	- webkit2gtk <unfixed>
 	- wpewebkit <unfixed>
+	[bullseye] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
 	NOTE: https://bugs.webkit.org/show_bug.cgi?id=254930
 	NOTE: https://github.com/WebKit/WebKit/commit/698c6e293734c3c46f223b77d5b4ee48b320e32c
 CVE-2023-28203
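Review bot: same mismatch as in the CVE-2023-32373 hunk: the added line `[bullseye] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)` tags bullseye but justifies with Bookworm. Whichever suite is meant, the two entries should be corrected together so the tracker reports the same support status for wpewebkit in both CVEs.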
@@ -11650,6 +11659,8 @@ CVE-2023-28156
 	RESERVED
 CVE-2023-28155 (The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...)
 	- node-request <unfixed> (bug #1033250)
+	[bookworm] - node-request <no-dsa> (Minor issue)
+	[bullseye] - node-request <no-dsa> (Minor issue)
 	NOTE: https://github.com/request/request/issues/3442
 CVE-2023-28154 (Webpack 5 before 5.76.0 does not avoid cross-realm object access. Impo ...)
 	- node-webpack 5.76.1+dfsg1+~cs17.16.16-1 (bug #1032904)
@@ -18245,6 +18256,7 @@ CVE-2023-25816 (Nextcloud is an Open Source private cloud software. Versions 25.
 	- nextcloud-server <itp> (bug #941708)
 CVE-2023-25815 (In Git for Windows, the Windows port of Git, no localized messages are ...)
 	- git 1:2.40.1-1 (bug #1034835)
+	[bookworm] - git <no-dsa> (Minor issue)
 	[bullseye] - git <no-dsa> (Minor issue)
 	[buster] - git <no-dsa> (Minor issue)
 	NOTE: https://lore.kernel.org/lkml/xmqqa5yv3n93.fsf@gitster.g/
@@ -18985,6 +18997,7 @@ CVE-2023-25653 (node-jose is a JavaScript implementation of the JSON Object Sign
 	NOTE: https://github.com/cisco/node-jose/security/advisories/GHSA-5h4j-qrvg-9xhw
 CVE-2023-25652 (Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2. ...)
 	- git 1:2.40.1-1 (bug #1034835)
+	[bookworm] - git <no-dsa> (Minor issue)
 	[bullseye] - git <no-dsa> (Minor issue)
 	[buster] - git <no-dsa> (Minor issue)
 	NOTE: https://lore.kernel.org/lkml/xmqqa5yv3n93.fsf@gitster.g/
@@ -55077,6 +55090,7 @@ CVE-2022-3214 (Delta Industrial Automation's DIAEnergy, an industrial energy man
 	NOT-FOR-US: Delta
 CVE-2022-3213 (A heap buffer overflow issue was found in ImageMagick. When an applica ...)
 	- imagemagick <unfixed> (bug #1021141)
+	[bookworm] - imagemagick <no-dsa> (Minor issue)
 	[bullseye] - imagemagick <no-dsa> (Minor issue)
 	[buster] - imagemagick <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2126824
@@ -132432,6 +132446,7 @@ CVE-2021-39360 (In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enabl
 	NOTE: https://gitlab.gnome.org/GNOME/libzapojit/-/issues/4
 CVE-2021-39359 (In GNOME libgda through 6.0.0, gda-web-provider.c does not enable TLS  ...)
 	- libgda5 <unfixed> (bug #993592)
+	[bookworm] - libgda5 <no-dsa> (Minor issue)
 	[bullseye] - libgda5 <no-dsa> (Minor issue)
 	[buster] - libgda5 <no-dsa> (Minor issue)
 	[stretch] - libgda5 <postponed> (Minor issue, revisit when/if fixed upstream)


=====================================
data/dsa-needed.txt
=====================================
@@ -71,6 +71,13 @@ salt
 --
 samba
 --
+webkit2gtk
+--
+wpewebkit
+--
+wireshark
+  bookworm to 4.0.6, bullseye isolated cherrypick
+--
 xrdp
   needs some additional clarification, tentatively DSA worthy
   maybe upgrade to 0.9.21 within bullseye?
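Review bot: the new `wpewebkit` entry in dsa-needed.txt carries no note, while the CVE/list hunks in this commit mark wpewebkit `<ignored>` for bullseye as not covered by security support. Add a one-line note under the entry stating which suite the DSA is for (as the wireshark entry does with "bookworm to 4.0.6, bullseye isolated cherrypick") so the two files do not read as contradicting each other; the `webkit2gtk` entry would benefit from the same note.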



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e88c288042a1046ba02778a16cb0829560eaf2d


