[Git][security-tracker-team/security-tracker][master] 6 commits: Triage CVE-2023-46136 in python-werkzeug for buster LTS.

Chris Lamb (@lamby) lamby at debian.org
Sat Nov 4 09:40:31 GMT 2023



Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4fd35094 by Chris Lamb at 2023-11-04T10:37:28+01:00
Triage CVE-2023-46136 in python-werkzeug for buster LTS.

- - - - -
4731c035 by Chris Lamb at 2023-11-04T10:37:52+01:00
Triage CVE-2023-44271 in pillow for buster LTS.

- - - - -
b8fa93ef by Chris Lamb at 2023-11-04T10:38:31+01:00
Triage CVE-2023-42295 & CVE-2023-42299 in openimageio for buster LTS.

- - - - -
ecd6249a by Chris Lamb at 2023-11-04T10:38:47+01:00
Triage CVE-2023-5072 in libjettison-java for buster LTS.

- - - - -
41f0d13b by Chris Lamb at 2023-11-04T10:39:05+01:00
Triage CVE-2023-46303 in calibre for buster LTS.

- - - - -
d82092c7 by Chris Lamb at 2023-11-04T10:39:46+01:00
Triage CVE-2023-31122, CVE-2023-43622 & CVE-2023-45802 in apache2 for buster LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -90,6 +90,7 @@ CVE-2023-44271 (An issue was discovered in Pillow before 10.0.0. It is a Denial
 	- pillow 10.0.0-1
 	[bookworm] - pillow <no-dsa> (Minor issue)
 	[bullseye] - pillow <no-dsa> (Minor issue)
+	[buster] - pillow <no-dsa> (Minor issue)
 	NOTE: https://github.com/python-pillow/Pillow/pull/7244
 	NOTE: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7 (10.0.0)
 CVE-2023-43982 (Bon Presta boninstagramcarousel between v5.2.1 to v7.0.0 was discovere ...)
@@ -102,6 +103,7 @@ CVE-2023-42299 (Buffer Overflow vulnerability in OpenImageIO oiio v.2.4.12.0 all
 	- openimageio 2.4.13.0+dfsg-1
 	[bookworm] - openimageio <no-dsa> (Minor issue)
 	[bullseye] - openimageio <no-dsa> (Minor issue)
+	[buster] - openimageio <no-dsa> (Minor issue)
 	NOTE: https://github.com/OpenImageIO/oiio/issues/3840
 	NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/3841
 	NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/5ff2c56dd28e96f67ed8f80d8a3d1235e51f9957 (v2.4.12.0)
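Review bot: the version tag on the fix-commit NOTE is inconsistent with the rest of this entry. The CVE description names oiio v.2.4.12.0 as affected and the Debian fixed version is `openimageio 2.4.13.0+dfsg-1`, yet `NOTE: .../commit/5ff2c56dd28e96f67ed8f80d8a3d1235e51f9957 (v2.4.12.0)` annotates the fix as already shipping in v2.4.12.0. Worth re-checking which tag first contains the commit (presumably v2.4.13.0) and correcting the annotation; the new `[buster] - openimageio <no-dsa> (Minor issue)` line itself is consistent with the bullseye and bookworm decisions.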
@@ -1722,6 +1724,7 @@ CVE-2023-46136 (Werkzeug is a comprehensive WSGI web application library. If an
 	- python-werkzeug <unfixed> (bug #1054553)
 	[bookworm] - python-werkzeug <no-dsa> (Minor issue)
 	[bullseye] - python-werkzeug <no-dsa> (Minor issue)
+	[buster] - python-werkzeug <no-dsa> (Minor issue)
 	NOTE: https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
 	NOTE: https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1 (3.0.1)
 CVE-2023-46135 (rs-stellar-strkey is a Rust lib for encode/decode of Stellar Strkeys.  ...)
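Review bot: a one-line rationale NOTE would help in this entry, because `- python-werkzeug <unfixed> (bug #1054553)` shows the package is still open in unstable while all three stable suites, now including buster, are `<no-dsa> (Minor issue)`. A short `NOTE:` next to the existing GHSA-hrfv-mqp8-q5rw and 3.0.1 commit references explaining why the issue is not DSA material would let the next triager, or whoever eventually fixes sid, see the reasoning without re-reading the advisory.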
@@ -2105,6 +2108,7 @@ CVE-2023-42295 (An issue in OpenImageIO oiio v.2.4.12.0 allows a remote attacker
 	- openimageio 2.4.16.0+dfsg-1 (bug #1054873)
 	[bookworm] - openimageio <no-dsa> (Minor issue)
 	[bullseye] - openimageio <no-dsa> (Minor issue)
+	[buster] - openimageio <no-dsa> (Minor issue)
 	NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/3947
 	NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/3948
 	NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/15750af31a5d130ea63ac133453eb5448cefa636 (v2.5.3.0-beta1)
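Review bot: the `Fixed by:` NOTE and the fixed-version line disagree on where the fix landed. The commit 15750af31a5d130ea63ac133453eb5448cefa636 is tagged `(v2.5.3.0-beta1)` while the Debian fixed version is `openimageio 2.4.16.0+dfsg-1`, a 2.4.x release. Either the fix was also backported to the 2.4 branch, in which case a second tag or a pointer to the 2.4 backport commit would make that explicit, or the Debian package carries the patch directly and the NOTE should say so. The new `[buster]` line follows the bullseye and bookworm triage and is fine either way.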
@@ -2184,6 +2188,7 @@ CVE-2023-46303 (link_to_local_path in ebooks/conversion/plugins/html_input.py in
 	- calibre 6.19.1-1
 	[bookworm] - calibre <no-dsa> (Minor issue)
 	[bullseye] - calibre <no-dsa> (Minor issue)
+	[buster] - calibre <no-dsa> (Minor issue)
 	NOTE: https://github.com/0x1717/ssrf-via-img
 	NOTE: https://github.com/kovidgoyal/calibre/commit/bbbddd2bf4ef4ddb467b0aeb0abe8765ed7f8a6b (v6.19.0)
 CVE-2021-46898 (views/switch.py in django-grappelli (aka Django Grappelli) before 2.15 ...)
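Review bot: the first reference, `NOTE: https://github.com/0x1717/ssrf-via-img`, is a third-party repository and should be labelled in the NOTE (for example as a PoC or write-up) so it is not read as an upstream advisory. The upstream fix commit tagged `(v6.19.0)` and the `calibre 6.19.1-1` fixed version agree, and the buster `<no-dsa> (Minor issue)` line follows the bullseye and bookworm decisions.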
@@ -2705,6 +2710,7 @@ CVE-2023-45802 (When a HTTP/2 stream was reset (RST frame) by a client, there wa
 	- apache2 2.4.58-1
 	[bookworm] - apache2 <no-dsa> (Minor issue)
 	[bullseye] - apache2 <no-dsa> (Minor issue)
+	[buster] - apache2 <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/10/19/6
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-45802
 	NOTE: https://github.com/icing/blog/blob/main/h2-rapid-reset.md#cve-2023-45802
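Review bot: the `(Minor issue)` rationale deserves a one-line NOTE in this entry. The references point to the oss-security post, the httpd advisory page and the h2-rapid-reset write-up, so a reader checking why buster (and the other suites) gets `<no-dsa>` for an issue filed under that heading will otherwise have to reconstruct the reasoning from the links. The buster line is consistent with the bullseye and bookworm decisions and with the fix in `apache2 2.4.58-1`.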
@@ -2712,6 +2718,7 @@ CVE-2023-43622 (An attacker, opening a HTTP/2 connection with an initial window
 	- apache2 2.4.58-1
 	[bookworm] - apache2 <no-dsa> (Minor issue)
 	[bullseye] - apache2 <no-dsa> (Minor issue)
+	[buster] - apache2 <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/10/19/5
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-43622
 CVE-2023-5654 (The React Developer Tools extension registers a message listener with  ...)
@@ -3752,6 +3759,7 @@ CVE-2023-5072 (Denial of Service  in JSON-Java versions up to and including 2023
 	- libjettison-java <unfixed> (bug #1053884)
 	[bookworm] - libjettison-java <no-dsa> (Minor issue)
 	[bullseye] - libjettison-java <no-dsa> (Minor issue)
+	[buster] - libjettison-java <no-dsa> (Minor issue)
 	NOTE: https://github.com/stleary/JSON-java/issues/758
 	NOTE: https://github.com/stleary/JSON-java/issues/771
 	NOTE: https://github.com/stleary/JSON-java/pull/772/
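Review bot: the package-to-CVE mapping should be documented in the entry. The description is for JSON-Java, and all three NOTEs point at stleary/JSON-java issues and a PR, while the affected source package is libjettison-java; nothing in the entry says why. If the reason is that jettison ships code derived from JSON-Java, a `NOTE:` stating that, and ideally naming the affected jettison classes, would stop the mapping from being mistaken for a mis-triage later. The buster line matches the bullseye and bookworm `<no-dsa> (Minor issue)` decisions and the entry is otherwise `<unfixed>` in sid (bug #1053884).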
@@ -25150,6 +25158,7 @@ CVE-2023-31122 (Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Ser
 	- apache2 2.4.58-1
 	[bookworm] - apache2 <no-dsa> (Minor issue)
 	[bullseye] - apache2 <no-dsa> (Minor issue)
+	[buster] - apache2 <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/10/19/4
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-31122
 CVE-2023-31121



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b0b39be0a65d0e464978c90f2b02c365cf432260...d82092c750a212050856672eeba624d813a4fb6d

-- 
You're receiving this email because of your account on salsa.debian.org.

