[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Thu Oct 26 13:14:44 BST 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
756240f9 by Moritz Muehlenhoff at 2023-10-26T14:14:21+02:00
bullseye/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -331,6 +331,8 @@ CVE-2023-5758 (When opening a page in reader mode, the redirect URL could have c
NOTE: https://www.mozilla.org/security/advisories/mfsa2023-48/
CVE-2023-5752 (When installing a package from a Mercurial VCS URL (ie "pip install ...)
- python-pip 23.3+dfsg-1
+ [bookworm] - python-pip <no-dsa> (Minor issue)
+ [bullseye] - python-pip <no-dsa> (Minor issue)
NOTE: https://github.com/pypa/pip/pull/12306
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
CVE-2023-5311 (The WP EXtra plugin for WordPress is vulnerable to unauthorized modifi ...)
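Review bot: the fixed-version line "- python-pip 23.3+dfsg-1" carries no Debian bug reference, unlike the rust-pleaser and python-django entries in this same commit, which cite "(bug #...)"; if a bug was filed for the unstable fix, adding it here keeps the entry consistent and lets the bookworm/bullseye "<no-dsa> (Minor issue)" tags be traced back to it.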
@@ -705,8 +707,9 @@ CVE-2023-46332 (WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write in
- wabt <unfixed>
NOTE: https://github.com/WebAssembly/wabt/issues/2311
CVE-2023-46331 (WebAssembly wabt 1.0.33 has an Out-of-Bound Memory Read in in DataSegm ...)
- - wabt <unfixed>
+ - wabt <unfixed> (unimportant)
NOTE: https://github.com/WebAssembly/wabt/issues/2310
+ NOTE: Crash in CLI tool, no security impact
CVE-2023-46127 (Frappe is a full-stack web application framework that uses Python and ...)
NOT-FOR-US: Frappe Framework
CVE-2023-46122 (sbt is a build tool for Scala, Java, and others. Given a specially cra ...)
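Review bot: CVE-2023-46331 is downgraded to "(unimportant)" with the rationale "Crash in CLI tool, no security impact", but the neighbouring CVE-2023-46332 (the out-of-bound memory write, "- wabt <unfixed>" at the top of the hunk) is left untouched; if the write is in the same CLI-only code path it should get the same tag and NOTE, and if it is kept at normal severity a short NOTE explaining why the write is treated differently from the read would save the next triager a second look.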
@@ -895,6 +898,8 @@ CVE-2023-38275 (IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 exposes sensit
CVE-2023-5349 [memory leak]
{DLA-3625-1}
- ruby-rmagick 5.3.0-1
+ [bookworm] - ruby-rmagick <no-dsa> (Minor issue)
+ [bullseye] - ruby-rmagick <no-dsa> (Minor issue)
NOTE: https://github.com/rmagick/rmagick/pull/1406
NOTE: https://github.com/rmagick/rmagick/commit/fec7a7e639ae565386f7615155dbcf49b957b64a (RMagick_5-3-0)
CVE-2023-5684 (A vulnerability was found in Beijing Baichuo Smart S85F Management Pla ...)
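Review bot: this entry already carries "{DLA-3625-1}", so buster received an LTS update for the memory leak while bookworm and bullseye are now tagged "<no-dsa> (Minor issue)"; that split is legitimate, but a NOTE stating that the fix is expected through a point release (as the galera-4 bullseye line in this commit does with "can be fixed via point release") would make the intent explicit.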
@@ -1201,6 +1206,8 @@ CVE-2023-4021 (The Modern Events Calendar lite plugin for WordPress is vulnerabl
NOT-FOR-US: WordPress plugin
CVE-2023-46277 (please (aka pleaser) through 0.5.4 allows privilege escalation through ...)
- rust-pleaser <unfixed> (bug #1054289)
+ [bookworm] - rust-pleaser <no-dsa> (Minor issue)
+ [bullseye] - rust-pleaser <no-dsa> (Minor issue)
NOTE: https://gitlab.com/edneville/please/-/issues/13
NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0066.html
CVE-2023-46267
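Review bot: the CVE text visible in the hunk header describes a privilege escalation in please/pleaser, yet both suites are tagged "<no-dsa> (Minor issue)" with no explanatory NOTE; a one-line rationale (for example, what the escalation requires, or that the package is not in wide use), in the style of the "Crash in CLI tool, no security impact" note added elsewhere in this commit, would justify the downgrade for anyone revisiting the entry.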
@@ -4780,6 +4787,8 @@ CVE-2023-43739 (The 'bookisbn' parameter of the cart.php resource does not vali
NOT-FOR-US: Online Book Store Project
CVE-2023-43665 [Denial-of-service possibility in django.utils.text.Truncator]
- python-django 3:4.2.6-1 (bug #1053475)
+ [bookworm] - python-django <postponed> (Minor issue, fix along in future update)
+ [bullseye] - python-django <postponed> (Minor issue, fix along in future update)
NOTE: https://www.openwall.com/lists/oss-security/2023/10/04/6
NOTE: https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
NOTE: https://github.com/django/django/commit/17b51094d778b421bb2b3aae0c270894b050455d (main)
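Review bot: the "<postponed> (Minor issue, fix along in future update)" tags are consistent for both suites and the entry already references the openwall post, the upstream release blog and the main-branch commit; since the fix is deferred, it would help to also record the stable-branch (4.2.x / 3.2.x) backport commit when available so the future update can be assembled directly from the entry.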
@@ -5512,6 +5521,8 @@ CVE-2023-5157 (A vulnerability was found in MariaDB. An OpenVAS port scan on por
- galera-4 26.4.13-1
[bullseye] - galera-4 <no-dsa> (Minor issue; can be fixed via point release)
- galera-3 <unfixed> (bug #1053476)
+ [bookworm] - galera-3 <no-dsa> (Minor issue)
+ [bullseye] - galera-3 <no-dsa> (Minor issue)
NOTE: https://jira.mariadb.org/browse/MDEV-25068
CVE-2023-5115 [malicious role archive can cause ansible-galaxy to overwrite arbitrary files]
- ansible-core 2.14.11-1 (bug #1053693)
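Review bot: the pre-existing bullseye line for galera-4 reads "(Minor issue; can be fixed via point release)" while the new galera-3 lines for bookworm and bullseye read only "(Minor issue)"; since galera-3 is also "<unfixed>" with an open bug (#1053476), stating the same expectation for the point-release route (or why it differs) keeps the two sibling packages triaged the same way.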
@@ -28611,12 +28622,16 @@ CVE-2023-29409 (Extremely large RSA keys in certificate chains can cause a clien
NOTE: https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI
CVE-2023-29408 (The TIFF decoder does not place a limit on the size of compressed tile ...)
- golang-golang-x-image <unfixed> (bug #1043159)
+ [bookworm] - golang-golang-x-image <no-dsa> (Minor issue)
+ [bullseye] - golang-golang-x-image <no-dsa> (Minor issue)
[buster] - golang-golang-x-image <no-dsa> (Limited support, minor issue, DoS)
NOTE: https://go.dev/issue/61582
NOTE: https://go.dev/cl/514897
NOTE: https://github.com/golang/image/commit/cb227cd2c919b27c6206fe0c1041a8bcc677949d (v0.10.0)
CVE-2023-29407 (A maliciously-crafted image can cause excessive CPU consumption in dec ...)
- golang-golang-x-image <unfixed> (bug #1043159)
+ [bookworm] - golang-golang-x-image <no-dsa> (Minor issue)
+ [bullseye] - golang-golang-x-image <no-dsa> (Minor issue)
[buster] - golang-golang-x-image <no-dsa> (Limited support, minor issue, DoS)
NOTE: https://go.dev/issue/61581
NOTE: https://go.dev/cl/514897
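Review bot: both golang-golang-x-image entries are tagged identically for bookworm and bullseye, matching the existing buster "(Limited support, minor issue, DoS)" line, but within the visible hunk CVE-2023-29408 has a NOTE for the upstream commit (cb227cd2..., v0.10.0) while CVE-2023-29407 only references the issue and CL; if the same commit (or a separate one) fixes CVE-2023-29407, adding the matching commit NOTE makes the "<unfixed>" state easier to resolve later.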
=====================================
data/dsa-needed.txt
=====================================
@@ -21,6 +21,8 @@ chromium (dilinger, jmm)
--
cinder/oldstable
--
+fastdds
+--
gpac/oldstable (jmm)
--
jetty9
@@ -35,6 +37,8 @@ linux (carnil)
nbconvert/oldstable
Guilhem Moulin proposed an update ready for review
--
+nghttp2
+--
nodejs
maintainer proposed to follow the upstream 18.x LTS branch
--
@@ -87,6 +91,8 @@ salt/oldstable
--
samba/oldstable
--
+squid
+--
thunderbird (jmm)
--
tiff (aron)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/756240f92d28fdc125109985e6e5193aec95aee5