[Git][security-tracker-team/security-tracker][master] 2 commits: bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue May 30 12:06:36 BST 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
67c2f495 by Moritz Muehlenhoff at 2023-05-30T13:06:05+02:00
bookworm triage

- - - - -
6d0e779d by Moritz Muehlenhoff at 2023-05-30T13:06:09+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -9856,13 +9856,14 @@ CVE-2023-28709 (The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0
 CVE-2023-28708 (When using the RemoteIpFilter with requests received from a    reverse ...)
 	{DSA-5381-1 DLA-3384-1}
 	- tomcat10 10.1.6-1
-	- tomcat9 <unfixed> (bug #1033475)
+	- tomcat9 9.0.70-2
 	- tomcat8 <removed>
 	NOTE: https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
 	NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
 	NOTE: https://github.com/apache/tomcat/commit/f509bbf31fc00abe3d9f25ebfabca5e05173da5b (10.1.6)
 	NOTE: https://github.com/apache/tomcat/commit/3b51230764da595bb19e8d0962dd8c69ab40dfab (9.0.72)
 	NOTE: https://github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510 (8.5.86)
+	NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version
 CVE-2023-28707 (Improper Input Validation vulnerability in Apache Software Foundation  ...)
 	NOT-FOR-US: Apache Airflow Drill Provider
 CVE-2023-28706 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...)
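Review bot: the `- tomcat9 9.0.70-2` line drops the `(bug #1033475)` reference that the replaced `<unfixed>` line carried; keeping it as `- tomcat9 9.0.70-2 (bug #1033475)` preserves the link to the Debian bug, which should also be closed or updated now that the package is considered fixed by no longer shipping the server stack rather than by a code change. The added NOTE is the right place for that rationale, since 9.0.70-2 is below the 9.0.72 upstream fix commit cited two lines above and a reader would otherwise take the version as a typo.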
@@ -17275,6 +17276,7 @@ CVE-2023-0927 (Use after free in Web Payments API in Google Chrome on Android pr
 	[buster] - chromium <end-of-life> (see DSA 5046)
 CVE-2022-48340 (In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-com ...)
 	- glusterfs <unfixed> (bug #1031796)
+	[bookworm] - glusterfs <no-dsa> (Minor issue)
 	[bullseye] - glusterfs <no-dsa> (Minor issue)
 	[buster] - glusterfs <no-dsa> (Minor issue)
 	NOTE: https://github.com/gluster/glusterfs/issues/3732
@@ -20983,7 +20985,7 @@ CVE-2023-24999 (HashiCorp Vault and Vault Enterprise\u2019s approle auth method
 	NOT-FOR-US: Vault
 CVE-2023-24998 (Apache Commons FileUpload before 1.5 does not limit the number of requ ...)
 	- tomcat10 10.1.5-1
-	- tomcat9 <unfixed>
+	- tomcat9 9.0.70-2
 	- libcommons-fileupload-java 1.4-2 (bug #1031733)
 	[bullseye] - libcommons-fileupload-java <no-dsa> (Minor issue)
 	[buster] - libcommons-fileupload-java <no-dsa> (Minor issue)
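Review bot: 9.0.70-2 is lower than the 9.0.71 upstream fix release cited in this entry's NOTE lines, so this version line on its own reads as an error; the justification (tomcat9 no longer ships the server stack) is only recorded in the NOTE added at the end of the entry in the next hunk. That matches the CVE-2023-28709 entry, so the two entries are consistent; just make sure both the version line and its NOTE land together.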
@@ -20993,6 +20995,7 @@ CVE-2023-24998 (Apache Commons FileUpload before 1.5 does not limit the number o
 	NOTE: https://github.com/apache/tomcat/commit/8a2285f13affa961cc65595aad999db5efae45ce (10.1.5)
 	NOTE: https://github.com/apache/tomcat/commit/cf77cc545de0488fb89e24294151504a7432df74 (9.0.71)
 	NOTE: When fixing the issue make sure to apply complete fixes to not open  CVE-2023-28709
+	NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version
 CVE-2023-24996 (A vulnerability has been identified in Tecnomatix Plant Simulation (Al ...)
 	NOT-FOR-US: Siemens
 CVE-2023-24995 (A vulnerability has been identified in Tecnomatix Plant Simulation (Al ...)
@@ -39015,6 +39018,7 @@ CVE-2022-4056
 	RESERVED
 CVE-2022-4055 (When xdg-mail is configured to use thunderbird for mailto URLs, improp ...)
 	- xdg-utils <unfixed> (bug #1027160)
+	[bookworm] - xdg-utils <no-dsa> (Minor issue)
 	[bullseye] - xdg-utils <no-dsa> (Minor issue)
 	[buster] - xdg-utils <no-dsa> (Minor issue)
 	NOTE: https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/205#note_1494267
@@ -58844,6 +58848,7 @@ CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
 	[buster] - python-cmarkgfm <no-dsa> (Minor issue)
 	- ghostwriter 2.1.6+ds-1 (unimportant)
 	- ruby-commonmarker <unfixed> (bug #1034888)
+	[bookworm] - ruby-commonmarker <no-dsa> (Minor issue)
 	[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
 	[buster] - ruby-commonmarker <no-dsa> (Minor issue)
 	- r-cran-commonmark 1.8.1-1
@@ -61291,6 +61296,8 @@ CVE-2022-37343
 	RESERVED
 CVE-2022-36788 (A heap-based buffer overflow vulnerability exists in the TriangleMesh  ...)
 	- slic3r <unfixed> (bug #1034848)
+	[bookworm] - slic3r <no-dsa> (Minor issue)
+	[bullseye] - slic3r <no-dsa> (Minor issue)
 	[buster] - slic3r <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1593
 CVE-2022-36420
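Review bot: besides the bookworm line, this hunk also adds a previously missing `[bullseye] - slic3r <no-dsa> (Minor issue)`, so it goes beyond the "bookworm triage" described in the commit message; worth a mention in the message, as the bullseye entry changes that suite's tracker status for slic3r.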
@@ -193965,6 +193972,7 @@ CVE-2020-27749 (A flaw was found in grub2 in versions prior to 2.06. Variable na
 	[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
 CVE-2020-27748 (A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and ...)
 	- xdg-utils <unfixed> (bug #975370)
+	[bookworm] - xdg-utils <postponed> (Minor issue; regression potential; revisit when fixed upstream)
 	[bullseye] - xdg-utils <postponed> (Minor issue; regression potential; revisit when fixed upstream)
 	[buster] - xdg-utils <postponed> (Minor issue; regression potential; revisit when fixed upstream)
 	[stretch] - xdg-utils <postponed> (Minor issue; regression potential; revisit when fixed upstream)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cb34a539ec2aaf81c68269fe48c6f28b0bc4fbec...6d0e779d8440edfb1a65e478363571b20ea0366f
