[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Oct 4 13:22:40 BST 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f35d7aa3 by Moritz Muehlenhoff at 2023-10-04T14:21:50+02:00
bullseye/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -248,6 +248,8 @@ CVE-2023-5345 (A use-after-free vulnerability in the Linux kernel's fs/smb/clien
NOTE: https://kernel.dance/#e6e43b8aa7cd3c3af686caf0c2e11819a886d705
CVE-2023-5344 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...)
- vim <unfixed>
+ [bookworm] - vim <no-dsa> (Minor issue)
+ [bullseye] - vim <no-dsa> (Minor issue)
NOTE: https://github.com/vim/vim/commit/3bd7fa12e146c6051490d048a4acbfba974eeb04
NOTE: https://huntr.dev/bounties/530cb762-899e-48d7-b50e-dad09eb775bf
CVE-2023-5334 (The WP Responsive header image slider plugin for WordPress is vulnerab ...)
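Review bot: the "Minor issue" rationale for the two new vim <no-dsa> lines is not recorded anywhere in the entry, whereas the optipng hunk in this same commit adds a NOTE explaining why it was downgraded; for a heap-based buffer overflow a one-line NOTE (e.g. what input is needed to reach it) would let a later reviewer reassess without re-reading the huntr report. Also, the upstream fix commit NOTE lacks the version annotation that the other entries here carry, e.g. `(8.4.31)` for node-postcss and `(v2.0.1)` for node-get-func-name; appending the vim patch level to the commit URL would keep the file consistent.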
@@ -457,8 +459,9 @@ CVE-2023-5112 (Os Commerce is currently susceptible to a Cross-Site Scripting (X
CVE-2023-5111 (Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) v ...)
NOT-FOR-US: Os Commerce
CVE-2023-43907 (OptiPNG v0.7.7 was discovered to contain a global buffer overflow via ...)
- - optipng <unfixed>
+ - optipng <unfixed> (unimportant)
NOTE: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/optipng-global-buffer-overflow1/optipng-global-buffer-overflow1.md
+ NOTE: Crash in CLI tool, no security impact
CVE-2023-43735 (Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) v ...)
NOT-FOR-US: Os Commerce
CVE-2023-43734 (Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) v ...)
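Review bot: the NOTE "Crash in CLI tool, no security impact" is a stronger claim than the visible description ("global buffer overflow") supports on its own, since it does not say whether the report is an out-of-bounds read or a write. If the linked report makes that clear, stating it in the NOTE (e.g. "global OOB read, crash only") would justify `(unimportant)` explicitly; if optipng is run on untrusted images by other packages or services, a write would deserve a second look before settling on unimportant.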
@@ -561,6 +564,8 @@ CVE-2023-5201 (The OpenHook plugin for WordPress is vulnerable to Remote Code Ex
NOT-FOR-US: OpenHook plugin for WordPress
CVE-2023-44270 (An issue was discovered in PostCSS before 8.4.31. It affects linters u ...)
- node-postcss <unfixed> (bug #1053282)
+ [bookworm] - node-postcss <no-dsa> (Minor issue)
+ [bullseye] - node-postcss <no-dsa> (Minor issue)
NOTE: https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5 (8.4.31)
CVE-2023-43711 (Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) v ...)
NOT-FOR-US: Os Commerce
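Review bot: the two new node-postcss <no-dsa> lines carry only "Minor issue", while the xen entries changed in this same commit spell out the intended follow-up ("fix along in future DSA or point release"). Since the unstable line is still <unfixed> (bug #1053282) and the fixed upstream version is already recorded as 8.4.31, it would help to say whether bookworm/bullseye are meant to pick the fix up in a point release or simply not at all, so that the no-dsa marker is not later confused with postponed.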
@@ -1475,6 +1480,8 @@ CVE-2023-43775 (Denial-of-service vulnerability in the web server of the Eaton S
NOT-FOR-US: Eaton
CVE-2023-43646 (get-func-name is a module to retrieve a function's name securely and c ...)
- node-get-func-name <unfixed> (bug #1053262)
+ [bookworm] - node-get-func-name <no-dsa> (Minor issue)
+ [bullseye] - node-get-func-name <no-dsa> (Minor issue)
NOTE: https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5
NOTE: https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69 (v2.0.1)
CVE-2023-43614 (Cross-site scripting vulnerability in Order Data Edit page of Welcart ...)
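Review bot: same remark as for node-postcss: the new <no-dsa> lines give no reason beyond "Minor issue", although the entry already links the GHSA advisory and the fixing commit `(v2.0.1)`. A short NOTE with the reason for the downgrade (for instance the nature of the issue as described in GHSA-4q6p-r6v2-jvc5) would make the triage decision self-explanatory for the next person touching the entry.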
@@ -4042,8 +4049,8 @@ CVE-2023-40743 (** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x
NOTE: https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
CVE-2023-34322 [top-level shadow reference dropped too early for 64-bit PV guests]
- xen <unfixed>
- [bookworm] - xen <no-dsa> (Minor issue, fix along in future DSA or point release)
- [bullseye] - xen <no-dsa> (Minor issue, fix along in future DSA or point release)
+ [bookworm] - xen <postponed> (Minor issue, fix along in future DSA or point release)
+ [bullseye] - xen <postponed> (Minor issue, fix along in future DSA or point release)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://xenbits.xen.org/xsa/advisory-438.html
CVE-2023-34321 [arm32: The cache may not be properly cleaned/invalidated]
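Review bot: switching these two lines from <no-dsa> to <postponed> matches the rationale text, which already promises a fix "along in future DSA or point release", so the state now agrees with the comment. The same wording is corrected for CVE-2023-20588 further down in this commit, which suggests other xen entries may still carry <no-dsa> together with a "fix along" rationale; a sweep for that pattern would avoid the two states drifting apart again.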
@@ -24821,6 +24828,8 @@ CVE-2023-29338 (Visual Studio Code Information Disclosure Vulnerability)
NOT-FOR-US: Microsoft
CVE-2023-29337 (NuGet Client Remote Code Execution Vulnerability)
- nuget <unfixed> (bug #1050835)
+ [bookworm] - nuget <no-dsa> (Minor issue)
+ [bullseye] - nuget <no-dsa> (Minor issue)
[buster] - nuget <postponed> (Can wait for next update)
NOTE: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29337
CVE-2023-29336 (Win32k Elevation of Privilege Vulnerability)
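Review bot: the suite states are inconsistent within the entry: buster is <postponed> ("Can wait for next update"), i.e. a fix is expected, while the newly added bookworm and bullseye lines are <no-dsa> ("Minor issue"), i.e. no fix is planned. Given the description reads "Remote Code Execution Vulnerability", the entry should either state why the stable suites need no fix at all (a NOTE with the reason) or use <postponed> consistently, as this commit does for xen.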
@@ -62647,6 +62656,8 @@ CVE-2023-20588 (A division-by-zero error on some AMD processors can potentially
{DSA-5492-1 DSA-5480-1}
- linux 6.4.13-1
- xen <unfixed>
+ [bookworm] - xen <postponed> (Minor issue, fix along in future DSA or point release)
+ [bullseye] - xen <postponed> (Minor issue, fix along in future DSA or point release)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7007.html
NOTE: https://git.kernel.org/linus/77245f1c3c6495521f6a3af082696ee2f8ce3921
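Review bot: the new xen <postponed> lines say the fix will go "along in future DSA or point release", but the entry only references the AMD bulletin and the Linux fix commit; unlike the CVE-2023-34322 hunk above, there is no NOTE pointing at the corresponding xen advisory or patch. Adding that reference here would make the postponed entry actionable when the next xen update is prepared.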
=====================================
data/dsa-needed.txt
=====================================
@@ -17,6 +17,8 @@ audiofile
--
cacti
--
+chromium (jmm)
+--
cinder/oldstable
--
gpac/oldstable (jmm)
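Review bot: the new `chromium (jmm)` entry has no suite qualifier, whereas neighbouring entries such as `cinder/oldstable` and `gpac/oldstable (jmm)` restrict themselves to one suite; if the chromium DSA is intended for only one of stable/oldstable, the qualifier should be added so the list reflects which suite is outstanding. Alphabetical placement between cacti and cinder and the `--` separator follow the file's existing convention.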
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f35d7aa3d93c21a88de45c605f4456a417d54bd5