[Git][security-tracker-team/security-tracker][master] 21 commits: Triage gpac CVE as EOL in Buster.
Markus Koschany (@apo)
apo at debian.org
Sun Nov 19 20:32:52 GMT 2023
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
18991d08 by Markus Koschany at 2023-11-19T21:31:58+01:00
Triage gpac CVE as EOL in Buster.
- - - - -
33ed2691 by Markus Koschany at 2023-11-19T21:31:58+01:00
Add cryptojs to dla-needed.txt
- - - - -
ae4fc0d3 by Markus Koschany at 2023-11-19T21:32:00+01:00
CVE-2023-44487,dnsdist: Buster is not affected
HTTP/2 support was added later
- - - - -
f09992c3 by Markus Koschany at 2023-11-19T21:32:00+01:00
Add frr to dla-needed.txt
- - - - -
a33aa9f5 by Markus Koschany at 2023-11-19T21:32:00+01:00
Add tor to dla-needed.txt
- - - - -
36100bc5 by Markus Koschany at 2023-11-19T21:32:00+01:00
Add zbar to dla-needed.txt
- - - - -
1e224dc2 by Markus Koschany at 2023-11-19T21:32:01+01:00
CVE-2023-47164,hoteldruid: Buster is no-dsa
Minor issue
- - - - -
19fdd608 by Markus Koschany at 2023-11-19T21:32:02+01:00
CVE-2023-23583,intel-microcode: Buster is postponed
Wait for exposure in unstable
- - - - -
78ae04f9 by Markus Koschany at 2023-11-19T21:32:02+01:00
Add libde265 to dla-needed.txt
- - - - -
20c8bb06 by Markus Koschany at 2023-11-19T21:32:02+01:00
Add netatalk to dla-needed.txt
- - - - -
1ac3a678 by Markus Koschany at 2023-11-19T21:32:04+01:00
CVE-2023-45857,node-axios: Buster is no-dsa
Minor issue
- - - - -
7e1dad55 by Markus Koschany at 2023-11-19T21:32:04+01:00
Add opensc to dla-needed.txt
- - - - -
f1be6221 by Markus Koschany at 2023-11-19T21:32:05+01:00
CVE-2023-5366,openvswitch: Buster is no-dsa
Minor issue
- - - - -
1d0121ab by Markus Koschany at 2023-11-19T21:32:06+01:00
Triage python-aiohttp CVE as no-dsa for Buster
Minor issues
- - - - -
189d3acd by Markus Koschany at 2023-11-19T21:32:07+01:00
CVE-2023-5088,qemu: Buster is no-dsa
Minor issue
- - - - -
7af6fedd by Markus Koschany at 2023-11-19T21:32:09+01:00
CVE-2023-46332,wabt: Buster is no-dsa
Minor issue
- - - - -
9fd1b351 by Markus Koschany at 2023-11-19T21:32:09+01:00
Add rabbitmq-server to dla-needed.txt
- - - - -
82beef05 by Markus Koschany at 2023-11-19T21:32:09+01:00
Add activemq to dla-needed.txt and claim it.
- - - - -
8474ecc6 by Markus Koschany at 2023-11-19T21:32:09+01:00
Add wordpress to dla-needed.txt
- - - - -
79fcb1fa by Markus Koschany at 2023-11-19T21:32:10+01:00
CVE-2023-5072,libjson-java: Buster is no-dsa
This is not the same json-java library project from
github.com/stleary/JSON-java but a very old implementation. The JSONObject
class of the Debian version does not look vulnerable to me at first glance but I'm
not totally sure. It is a good idea to keep this issue open in sid. Perhaps we
should switch to the stleary implementation, if this is feasible. For older
distributions like Buster this is a minor issue because libjson-java is a leaf
package and apparently only referenced in libcommons-collections3-java in a
Breaks paragraph.
- - - - -
30e3b3d4 by Markus Koschany at 2023-11-19T21:32:10+01:00
Reserve DLA-3656-1 for netty
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -548,16 +548,19 @@ CVE-2023-48087 (xxl-job-admin 2.4.0 is vulnerable to Insecure Permissions via /x
NOT-FOR-US: XXL-Job
CVE-2023-48014 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a sta ...)
- gpac <unfixed> (bug #1056282)
+ [buster] - gpac <end-of-life> (EOL in Buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2613
NOTE: https://github.com/gpac/gpac/commit/66abf0887c89c29a484d9e65e70882794e9e3a1b
CVE-2023-48013 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a dou ...)
- gpac <unfixed> (bug #1056282)
+ [buster] - gpac <end-of-life> (EOL in Buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2612
NOTE: https://github.com/gpac/gpac/commit/cd8a95c1efb8f5bfc950b86c2ef77b4c76f6b893
CVE-2023-48011 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a hea ...)
- gpac <unfixed> (bug #1056282)
- NOTE: https://github.com/gpac/gpac/issues/2611
- NOTE: https://github.com/gpac/gpac/commit/c70f49dda4946d6db6aa55588f6a756b76bd84ea
+ [buster] - gpac <end-of-life> (EOL in Buster LTS)
+ NOTE: https://github.com/gpac/gpac/issues/2613
+ NOTE: https://github.com/gpac/gpac/commit/66abf0887c89c29a484d9e65e70882794e9e3a1b
CVE-2023-47637 (Pimcore is an Open Source Data & Experience Management Platform. In af ...)
NOT-FOR-US: Pimcore
CVE-2023-47636 (The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Fu ...)
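Review bot: the CVE-2023-48011 entry's upstream references are replaced rather than kept: `NOTE: https://github.com/gpac/gpac/issues/2611` and the commit c70f49dda4946d6db6aa55588f6a756b76bd84ea are removed, and the new NOTE lines point at issues/2613 and commit 66abf0887c89c29a484d9e65e70882794e9e3a1b, which are exactly the references the CVE-2023-48014 entry above already carries. A triage commit that only marks Buster as end-of-life should not change the issue and fix-commit links of a CVE; unless the old references were known to be wrong, restore the two removed NOTE lines so CVE-2023-48011 keeps its own issue and commit instead of duplicating CVE-2023-48014's.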
@@ -599,6 +602,7 @@ CVE-2023-47678 (An improper access control vulnerability exists in RT-AC87U all
CVE-2023-47641 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...)
- python-aiohttp 3.8.1-1
[bullseye] - python-aiohttp <no-dsa> (Minor issue)
+ [buster] - python-aiohttp <no-dsa> (Minor issue)
NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j
NOTE: https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371 (v3.8.0b0)
CVE-2023-47640 (DataHub is an open-source metadata platform. The HMAC signature for Da ...)
@@ -611,6 +615,7 @@ CVE-2023-47627 (aiohttp is an asynchronous HTTP client/server framework for asyn
- python-aiohttp 3.8.6-1
[bookworm] - python-aiohttp <no-dsa> (Minor issue)
[bullseye] - python-aiohttp <no-dsa> (Minor issue)
+ [buster] - python-aiohttp <no-dsa> (Minor issue)
NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
NOTE: https://github.com/aio-libs/aiohttp/commit/d5c12ba890557a575c313bb3017910d7616fce3d (v3.8.6)
CVE-2023-47586 (Multiple heap-based buffer overflow vulnerabilities exist in V-Server ...)
@@ -861,6 +866,7 @@ CVE-2023-47550 (Cross-Site Request Forgery (CSRF) vulnerability in RedNao Donati
CVE-2023-47384 (MP4Box GPAC v2.3-DEV-rev617-g671976fcc-master was discovered to contai ...)
- gpac <unfixed> (bug #1056282)
[bullseye] - gpac <ignored> (Minor issue)
+ [buster] - gpac <end-of-life> (EOL in Buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2672
CVE-2023-47262 (In Abbott ID NOW before 7.1, settings can be modified via physical acc ...)
NOT-FOR-US: Abbott ID NOW
@@ -1119,6 +1125,7 @@ CVE-2023-23583 (Sequence of processor instructions leads to unexpected behavior
- intel-microcode 3.20231114.1 (bug #1055962)
[bookworm] - intel-microcode <postponed> (Wait for exposure in unstable)
[bullseye] - intel-microcode <postponed> (Wait for exposure in unstable)
+ [buster] - intel-microcode <postponed> (Wait for exposure in unstable)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20231114
NOTE: https://lock.cmpxchg8b.com/reptar.html
@@ -1423,6 +1430,7 @@ CVE-2023-47164 (Cross-site scripting vulnerability in HOTELDRUID 3.0.5 and earli
- hoteldruid <unfixed> (bug #1055772)
[bookworm] - hoteldruid <no-dsa> (Minor issue)
[bullseye] - hoteldruid <no-dsa> (Minor issue)
+ [buster] - hoteldruid <no-dsa> (Minor issue)
CVE-2023-47129 (Statmic is a core Laravel content management system Composer package. ...)
NOT-FOR-US: Statmic
CVE-2023-47128 (Piccolo is an object-relational mapping and query builder which suppor ...)
@@ -1707,6 +1715,7 @@ CVE-2023-45857 (An issue discovered in Axios 1.5.1 inadvertently reveals the con
- node-axios <unfixed> (bug #1056099)
[bookworm] - node-axios <no-dsa> (Minor issue)
[bullseye] - node-axios <no-dsa> (Minor issue)
+ [buster] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/issues/6006
NOTE: https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0 (v1.6.0)
CVE-2023-45225 (Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, ...)
@@ -2471,6 +2480,7 @@ CVE-2023-5088 (A bug in QEMU could cause a guest I/O operation otherwise address
- qemu 1:8.1.1+ds-2
[bookworm] - qemu <no-dsa> (Minor issue)
[bullseye] - qemu <no-dsa> (Minor issue)
+ [buster] - qemu <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2247283
NOTE: https://lore.kernel.org/all/20230921160712.99521-1-simon.rowe@nutanix.com/T/
NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-09/msg01011.html
@@ -4566,6 +4576,7 @@ CVE-2023-46332 (WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write in
- wabt <unfixed> (bug #1055299)
[bookworm] - wabt <no-dsa> (Minor issue)
[bullseye] - wabt <no-dsa> (Minor issue)
+ [buster] - wabt <no-dsa> (Minor issue)
NOTE: https://github.com/WebAssembly/wabt/issues/2311
CVE-2023-46331 (WebAssembly wabt 1.0.33 has an Out-of-Bound Memory Read in in DataSegm ...)
- wabt <unfixed> (unimportant)
@@ -6245,6 +6256,7 @@ CVE-2023-5554 (Lack of TLS certificate verification in log transmission of a fin
NOT-FOR-US: LINE
CVE-2023-5072 (Denial of Service in JSON-Java versions up to and including 20230618. ...)
- libjson-java <unfixed> (bug #1053882)
+ [buster] - libjson-java <no-dsa> (Minor issue)
- jenkins-json <unfixed> (bug #1053883)
[bookworm] - jenkins-json <no-dsa> (Minor issue)
[bullseye] - jenkins-json <no-dsa> (Minor issue)
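Review bot: the [buster] triage for CVE-2023-5072 covers only libjson-java, while jenkins-json in the same entry has `[bookworm] - jenkins-json <no-dsa> (Minor issue)` and `[bullseye] - jenkins-json <no-dsa> (Minor issue)` but still no [buster] line, so Buster remains untriaged for that source. Either add a matching [buster] line for jenkins-json if the package exists in Buster, or note why none is needed. Conversely, libjson-java now has a [buster] line but no [bullseye] or [bookworm] entry, so those suites stay open against `libjson-java <unfixed>`; worth confirming that is intended, since the commit message only argues for keeping the issue open in sid.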
@@ -7148,6 +7160,7 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource
- jetty9 9.4.53-1
- netty 1:4.1.48-8 (bug #1054234)
- dnsdist 1.8.2-2
+ [buster] - dnsdist <not-affected> (HTTP/2 support was added later)
- varnish <unfixed> (bug #1056156)
NOTE: Tomcat: https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49 (10.1.14)
NOTE: Tomcat: https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a (9.0.81)
@@ -8013,6 +8026,7 @@ CVE-2023-5366 (A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Adve
- openvswitch 3.1.2-1
[bookworm] - openvswitch <no-dsa> (Minor issue)
[bullseye] - openvswitch <no-dsa> (Minor issue)
+ [buster] - openvswitch <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2006347
NOTE: https://github.com/openvswitch/ovs/commit/694c7b4e097c4d89e23ea9b3c7b677b4fcbe0459 (v3.1.2)
NOTE: https://github.com/openvswitch/ovs/commit/489553b1c21692063931a9f50b6849b23128443c (v3.2.0)
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[19 Nov 2023] DLA-3656-1 netty - security update
+ {CVE-2023-44487}
+ [buster] - netty 1:4.1.33-1+deb10u4
[18 Nov 2023] DLA-3655-1 lwip - security update
{CVE-2020-22283}
[buster] - lwip 2.0.3-3+deb10u2
=====================================
data/dla-needed.txt
=====================================
@@ -20,6 +20,9 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues
To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
+--
+activemq (Markus Koschany)
+ NOTE: 20231119: Added by Front-Desk (apo)
--
amanda (tobi)
NOTE: 20230730: Added by Front-Desk (apo)
@@ -40,6 +43,9 @@ cinder
NOTE: 20230525: Added by Front-Desk (lamby)
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
+cryptojs
+ NOTE: 20231119: Added by Front-Desk (apo)
+--
curl
NOTE: 20231103: Added by Front-Desk (lamby)
NOTE: 20231103: Sync with stable. (lamby)
@@ -68,6 +74,9 @@ freeimage (gladk)
NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll
NOTE: 20230826: out the DLA/ELA now. (utkarsh)
--
+frr
+ NOTE: 20231119: Added by Front-Desk (apo)
+--
galera-3 (Adrian Bunk)
NOTE: 20231028: Added by Front-Desk (gladk)
NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. Please, try to find a corresponding commit and try to backport it. Otherwise - no-dsa. (gladk)
@@ -102,6 +111,10 @@ keystone
knot-resolver
NOTE: 20231029: Added by Front-Desk (gladk)
--
+libde265
+ NOTE: 20231119: Added by Front-Desk (apo)
+ NOTE: 20231119: Fix along with postponed issues.
+--
libreswan
NOTE: 20230817: Added by Front-Desk (ta)
NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to
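Review bot: the second libde265 note, `NOTE: 20231119: Fix along with postponed issues.`, carries no author tag, unlike every other note in the file (e.g. `NOTE: 20231119: Added by Front-Desk (apo)`); append `(apo)` so the entry's history stays attributable, and consider listing which postponed CVEs are meant so the next person picking up libde265 does not have to rediscover them in data/CVE/list.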
@@ -127,9 +140,8 @@ mediawiki (guilhem)
minizip (Thorsten Alteholz)
NOTE: 20231117: Added by Front-Desk (apo)
--
-netty (Markus Koschany)
- NOTE: 20231104: Added by Front-Desk (lamby)
- NOTE: 20231104: For, at least, CVE-2023-44487. (lamby)
+netatalk
+ NOTE: 20231119: Added by Front-Desk (apo)
--
node-json5 (rouca)
NOTE: 20231105: Added by Front-Desk (lamby)
@@ -162,6 +174,9 @@ opendkim
NOTE: 20230821: Added by Front-Desk (ta)
NOTE: 20231006: Unfixed upstream as of today. (spwhitton)
--
+opensc
+ NOTE: 20231119: Added by Front-Desk (apo)
+--
osslsigncode
NOTE: 20230925: Added by Front-Desk (apo)
NOTE: 20230925: Maybe a new upstream release should just do the trick here.
@@ -190,6 +205,9 @@ python-requestbuilder
NOTE: 20231108: Added by Front-Desk (santiago)
NOTE: 20231108: Need to handle incompatibilities with versions in debian packages, brought up by PEP 440. See https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70
--
+rabbitmq-server
+ NOTE: 20231119: Added by Front-Desk (apo)
+--
rails
NOTE: 20220909: Re-added due to regression (abhijith)
NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
@@ -246,6 +264,9 @@ suricata (Adrian Bunk)
symfony
NOTE: 20231118: Added by Front-Desk (apo)
--
+tor
+ NOTE: 20231119: Added by Front-Desk (apo)
+--
varnish (Abhijith PA)
NOTE: 20231117: Added by Front-Desk (apo)
--
@@ -256,9 +277,15 @@ vlc
wireshark (Adrian Bunk)
NOTE: 20231118: Added by Front-Desk (apo)
--
+wordpress
+ NOTE: 20231119: Added by Front-Desk (apo)
+--
zabbix
NOTE: 20231015: Added by Front-Desk (ta)
--
+zbar
+ NOTE: 20231119: Added by Front-Desk (apo)
+--
zlib (Thorsten Alteholz)
NOTE: 20231117: Added by Front-Desk (apo)
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/280b5aa1a1b376c096fc1767240ce1be0259ec5c...30e3b3d4b805656e4211eb455adf07d37c678e86