[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Sep 1 09:01:33 BST 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
36af2a11 by Moritz Muehlenhoff at 2023-09-01T10:01:06+02:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,5 +1,6 @@
 CVE-2023-4683 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-D ...)
 	- gpac <unfixed>
+	[bullseye] - gpac <ignored> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/commit/112767e8b178fc82dec3cf82a1ca14d802cdb8ec
 	NOTE: https://huntr.dev/bounties/7852e4d2-af4e-4421-a39e-db23e0549922
 CVE-2023-4682 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3 ...)
@@ -8,10 +9,12 @@ CVE-2023-4682 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior t
 	NOTE: https://huntr.dev/bounties/15232a74-e3b8-43f0-ae8a-4e89d56c474c
 CVE-2023-4681 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-D ...)
 	- gpac <unfixed>
+	[bullseye] - gpac <ignored> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/commit/4bac19ad854159b21ba70d8ab7c4e1cd1db8ea1c
 	NOTE: https://huntr.dev/bounties/d67c5619-ab36-41cc-93b7-04828e25f60e
 CVE-2023-4678 (Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.)
 	- gpac <unfixed>
+	[bullseye] - gpac <ignored> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/commit/4607052c482a51dbdacfe1ade10645c181d07b07
 	NOTE: https://huntr.dev/bounties/688a4a01-8c18-469d-8cbe-a2e79e80c877
 CVE-2023-41748 (Remote command execution due to improper input validation. The followi ...)
@@ -110,6 +113,8 @@ CVE-2023-4649 (Session Fixation in GitHub repository instantsoft/icms2 prior to
 	NOT-FOR-US: icms2
 CVE-2023-4641 [gpasswd(1) password leak]
 	- shadow <unfixed>
+	[bookworm] - shadow <no-dsa> (Minor issue)
+	[bullseye] - shadow <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2215945
 	NOTE: https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904 (4.14.0-rc1)
 CVE-2023-4500 (The Order Tracking Pro plugin for WordPress is vulnerable to Stored Cr ...)
@@ -19504,6 +19509,7 @@ CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> Ge
 CVE-2023-29451 (Specially crafted string can cause a buffer overrun in the JSON parser ...)
 	{DLA-3538-1}
 	- zabbix <unfixed>
+	[bookworm] - zabbix <no-dsa> (Minor issue)
 	[bullseye] - zabbix <not-affected> (5.x not affected)
 	NOTE: https://support.zabbix.com/browse/ZBX-22587
 CVE-2023-29450 (JavaScript pre-processing can be used by the attacker to gain access t ...)
@@ -29999,6 +30005,8 @@ CVE-2023-0923
 	NOT-FOR-US: Red Hat OpenShift Data Science
 CVE-2023-0922 (The Samba AD DC administration tool, when operating against a remote L ...)
 	- samba 2:4.17.7+dfsg-1
+	[bullseye] - samba <ignored> (Domain controller functionality is EOLed, see DSA DSA-5477-1)
+	[buster] - samba <ignored> (Domain controller functionality is EOLed, see DSA-5015-1)
 	NOTE: https://www.samba.org/samba/security/CVE-2023-0922.html
 CVE-2023-0921 (A lack of length validation in GitLab CE/EE affecting all versions fro ...)
 	- gitlab 15.10.8+ds1-2
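Review bot: the new [bullseye] samba line cites "DSA DSA-5477-1", duplicating the "DSA" prefix, while the [buster] line directly below writes "DSA-5015-1"; suggest "(Domain controller functionality is EOLed, see DSA-5477-1)" so both references use the same form.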
@@ -117984,15 +117992,18 @@ CVE-2022-23517 (rails-html-sanitizer is responsible for sanitizing HTML fragment
 	NOTE: https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979
 CVE-2022-23516 (Loofah is a general library for manipulating and transforming HTML/XML ...)
 	- ruby-loofah 2.19.1-1 (bug #1026083)
+	[bullseye] - ruby-loofah <no-dsa> (Minor issue)
 	[buster] - ruby-loofah <no-dsa> (Minor issue)
 	NOTE: https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
 	NOTE: https://github.com/flavorjones/loofah/commit/86f7f6364491b0099d215db858ecdc0c89ded040
 CVE-2022-23515 (Loofah is a general library for manipulating and transforming HTML/XML ...)
 	- ruby-loofah 2.19.1-1 (bug #1026083)
+	[bullseye] - ruby-loofah <no-dsa> (Minor issue)
 	NOTE: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx
 	NOTE: https://github.com/flavorjones/loofah/commit/415677f3cf7f9254f42f811e784985cd63c7407f
 CVE-2022-23514 (Loofah is a general library for manipulating and transforming HTML/XML ...)
 	- ruby-loofah 2.19.1-1 (bug #1026083)
+	[bullseye] - ruby-loofah <no-dsa> (Minor issue)
 	[buster] - ruby-loofah <no-dsa> (Minor issue)
 	NOTE: https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
 	NOTE: https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143
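Review bot: CVE-2022-23515 gains a [bullseye] no-dsa line but, unlike CVE-2022-23516 and CVE-2022-23514 in the same hunk, has no [buster] line; if buster is affected as for its two siblings, a matching "[buster] - ruby-loofah <no-dsa> (Minor issue)" line would keep the three entries consistent, otherwise a NOTE saying why buster differs would help the next triager.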
@@ -150154,7 +150165,7 @@ CVE-2021-3670 (MaxQueryDuration not honoured in Samba AD DC LDAP)
 	[buster] - ldb <no-dsa> (Minor issue)
 	[stretch] - ldb <no-dsa> (Minor issue)
 	- samba 2:4.16.0+dfsg-2
-	[bullseye] - samba <no-dsa> (Minor issue)
+	[bullseye] - samba <ignored> (Domain controller functionality is EOLed, see DSA DSA-5477-1)
 	[buster] - samba <ignored> (Minor issue; affects Samba as AD DC; cf DSA 5015-1)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2077533
 	NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14694
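Review bot: the replacement [bullseye] samba line repeats the "DSA DSA-5477-1" typo; suggest "see DSA-5477-1", and while touching the line consider matching the reference style of the [buster] line below ("cf DSA 5015-1") so the two annotations read the same way.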


=====================================
data/dsa-needed.txt
=====================================
@@ -69,6 +69,8 @@ ruby-nokogiri/oldstable
 ruby-rack/oldstable (carnil)
   Update shows regressions in ruby-sinatra autopkgtests
 --
+ruby-rails-html-sanitizer
+--
 ruby-sinatra/oldstable
   Maintainer posted packaging repository link with proposed changes for review
 --
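Review bot: the new ruby-rails-html-sanitizer entry carries neither a suite suffix nor a claimant, whereas the neighbouring entries read "ruby-rack/oldstable (carnil)" and "ruby-sinatra/oldstable"; if it is intentionally for stable only and unclaimed that is fine, but a short indented status line like the ones under ruby-rack and ruby-sinatra would tell the next reader what is pending.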
@@ -78,6 +80,8 @@ salt/oldstable
 --
 samba/oldstable
 --
+thunderbird (jmm)
+--
 tiff
 --
 trafficserver



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36af2a1169b02de4083f2f48d0d537dbc4b21532


