[Git][security-tracker-team/security-tracker][master] 13 commits: CVE-2023-39663,mathjax: Buster is no-dsa
Markus Koschany (@apo)
apo at debian.org
Sun Sep 24 22:27:58 BST 2023
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
53964b73 by Markus Koschany at 2023-09-24T23:27:33+02:00
CVE-2023-39663,mathjax: Buster is no-dsa
Minor issue
- - - - -
25f4985c by Markus Koschany at 2023-09-24T23:27:33+02:00
Add jetty9 dla-needed.txt and claim it.
- - - - -
206d32b2 by Markus Koschany at 2023-09-24T23:27:34+02:00
CVE-2023-38285,modsecurity: Buster is no-dsa
Minor issue
- - - - -
3706666d by Markus Koschany at 2023-09-24T23:27:36+02:00
CVE-2023-42467,qemu: Buster is no-dsa
Minor issue
- - - - -
a6eb22cb by Markus Koschany at 2023-09-24T23:27:37+02:00
Triage rust-users temp CVE as no-dsa for Buster
Minor issue
- - - - -
2a965da5 by Markus Koschany at 2023-09-24T23:27:37+02:00
Add vim to dla-needed.txt
- - - - -
0808083e by Markus Koschany at 2023-09-24T23:27:37+02:00
Add zabbix to dla-needed.txt
- - - - -
42617eeb by Markus Koschany at 2023-09-24T23:27:37+02:00
Add netatalk to dla-needed.txt and claim it.
- - - - -
7cf8eab5 by Markus Koschany at 2023-09-24T23:27:37+02:00
Add qemu to dla-needed.txt
- - - - -
ab7ffa4d by Markus Koschany at 2023-09-24T23:27:37+02:00
Add mosquitto to dla-needed.txt
- - - - -
2e1ec1a5 by Markus Koschany at 2023-09-24T23:27:37+02:00
Add axis to dla-needed.txt
- - - - -
74659477 by Markus Koschany at 2023-09-24T23:27:37+02:00
Add freerdp2 to dla-needed.txt
- - - - -
5ea70a64 by Markus Koschany at 2023-09-24T23:27:39+02:00
CVE-2023-4759,jgit: Buster is no-dsa
Minor issue, only case-insensitive filesystems are affected.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1109,6 +1109,7 @@ CVE-2023-4913 (Cross-site Scripting (XSS) - Reflected in GitHub repository cecil
NOT-FOR-US: cecil.app
CVE-2023-4759 (Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, al ...)
- jgit <unfixed>
+ [buster] - jgit <no-dsa> (Minor issue. Only case-insensitive filesystems are affected)
NOTE: https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1 (v6.6.1.202309021850-r)
NOTE: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11
CVE-2023-4501 (User authentication with username and password credentials is ineffect ...)
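Review bot: the buster rationale "Only case-insensitive filesystems are affected" reads as "not applicable to Linux", which it is not: Linux hosts can still expose case-insensitive filesystems (vfat/NTFS mounts, ext4 with casefold), so the entry is justified as low prevalence rather than not applicable. Consider wording it "Only affects checkouts on case-insensitive filesystems" to make that explicit. Also worth noting in a follow-up that sid is still <unfixed> although the upstream fix (v6.6.1.202309021850-r) is already linked in the NOTE.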
@@ -1326,6 +1327,7 @@ CVE-2023-XXXX [RUSTSEC-2023-0059: Unaligned read of *const *const c_char pointer
- rust-users <unfixed> (bug #1051808)
[bookworm] - rust-users <no-dsa> (Minor issue)
[bullseye] - rust-users <no-dsa> (Minor issue)
+ [buster] - rust-users <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0059.html
NOTE: https://github.com/ogham/rust-users/issues/55
NOTE: Proposed patch: https://github.com/dhruvkb/rust-users/commit/e6ba8a88e0127f0d17ddd99f80f85d2c1722b227
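Review bot: the [buster] line is added under a placeholder ID (CVE-2023-XXXX [RUSTSEC-2023-0059 ...]); when a real CVE is assigned and the entry is renamed, make sure the buster no-dsa line moves with it so all three suites stay in sync. The linked "Proposed patch" is a fork commit, not an upstream release, which matches the <unfixed> state of sid; a short NOTE saying upstream has not merged it yet would spare the next triager a lookup.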
@@ -1585,6 +1587,7 @@ CVE-2023-42467 (QEMU through 8.0.0 could trigger a division by zero in scsi_disk
- qemu <unfixed> (bug #1051899)
[bookworm] - qemu <no-dsa> (Minor issue)
[bullseye] - qemu <no-dsa> (Minor issue)
+ [buster] - qemu <no-dsa> (Minor issue)
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1813
CVE-2023-40040 (An issue was discovered in the MyCrops HiGrade "THC Testing & Cannabi" ...)
NOT-FOR-US: MyCrops HiGrade "THC Testing & Cannabi" application
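Review bot: CVE-2023-42467 is tagged <no-dsa> for buster in the same push that adds qemu to dla-needed.txt with "Consider fixing postponed issues as well"; a <no-dsa> entry is not a <postponed> one, so this division by zero in scsi_disk will not be picked up by that sweep. If the intent is to fold it into the upcoming qemu DLA, use "[buster] - qemu <postponed> (Minor issue)" instead; if not, the tag as written is consistent with the bookworm and bullseye lines.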
@@ -3242,6 +3245,7 @@ CVE-2023-39663 (Mathjax up to v2.7.9 was discovered to contain two Regular expre
- mathjax <unfixed>
[bookworm] - mathjax <no-dsa> (Minor issue)
[bullseye] - mathjax <no-dsa> (Minor issue)
+ [buster] - mathjax <no-dsa> (Minor issue)
NOTE: https://github.com/mathjax/MathJax/issues/3074
CVE-2023-39616 (AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read mem ...)
[experimental] - aom 3.7.0-1~exp1
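Review bot: the bare "Minor issue" rationale on the new buster line says nothing about why this regular-expression issue is minor; it matches the bookworm/bullseye lines, but a few words on the conditions needed to trigger it would help whoever revisits the entry. No functional issue with the hunk.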
@@ -7727,6 +7731,7 @@ CVE-2023-38285 (Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorith
- modsecurity 3.0.10-1 (bug #1042475)
[bookworm] - modsecurity <no-dsa> (Minor issue)
[bullseye] - modsecurity <no-dsa> (Minor issue)
+ [buster] - modsecurity <no-dsa> (Minor issue)
NOTE: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
CVE-2023-38261 (The issue was addressed with improved memory handling. This issue is f ...)
NOT-FOR-US: Apple
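Review bot: unlike the other CVE/list hunks in this push, this one already has the upstream fix packaged in sid (modsecurity 3.0.10-1), so the buster <no-dsa> is a choice rather than a necessity. The Trustwave advisory linked in the NOTE names the affected transformations and the fixed release, so if modsecurity is ever added to dla-needed.txt the backport should be straightforward; tagging is consistent across bookworm, bullseye and buster.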
=====================================
data/dla-needed.txt
=====================================
@@ -29,6 +29,9 @@ audiofile
NOTE: 20230918: Added by Front-Desk (apo)
NOTE: 20230919: unfixed upstream (apo)
--
+axis
+ NOTE: 20230924: Added by Front-Desk (apo)
+--
bind9 (Thorsten Alteholz)
NOTE: 20230921: Added by Front-Desk (apo)
--
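Review bot: axis is added with only the "Added by Front-Desk" line and no second NOTE naming the open CVE(s) or the reason, whereas freerdp2 and qemu in this same push carry one; adding that line would tell whoever claims it what scope to expect.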
@@ -79,6 +82,10 @@ freeimage (gladk)
NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll
NOTE: 20230826: out the DLA/ELA now. (utkarsh)
--
+freerdp2
+ NOTE: 20230924: Added by Front-Desk (apo)
+ NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo)
+--
gerbv (Adrian Bunk)
NOTE: 20230903: Added by Front-Desk (gladk)
NOTE: 20230918: DLA coming soon. (bunk)
@@ -101,6 +108,9 @@ imagemagick
NOTE: 20230622: Added by Front-Desk (Beuc)
NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk)
--
+jetty9 (Markus Koschany)
+ NOTE: 20230924: Added by Front-Desk (apo)
+--
libreswan
NOTE: 20230817: Added by Front-Desk (ta)
NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to
@@ -112,6 +122,9 @@ libreswan
linux (Ben Hutchings)
NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
--
+mosquitto (Markus Koschany)
+ NOTE: 20230924: Added by Front-Desk (apo)
+--
nasm (tobi)
NOTE: 20230907: Added by Front-Desk (lamby)
NOTE: 20230907: Added due to CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686,
@@ -120,6 +133,9 @@ nasm (tobi)
ncurses
NOTE: 20230921: Added by Front-Desk (apo)
--
+netatalk (Markus Koschany)
+ NOTE: 20230924: Added by Front-Desk (apo)
+--
nova
NOTE: 20230302: Re-add, request by maintainer (Beuc)
NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression
@@ -164,6 +180,10 @@ python-os-brick
NOTE: 20230525: Added by Front-Desk (lamby)
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
+qemu
+ NOTE: 20230924: Added by Front-Desk (apo)
+ NOTE: 20230924: Consider fixing postponed issues as well. (apo)
+--
qt4-x11
NOTE: 20230822: Re-added for one remaining open CVE (roberto)
NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, fix or remove entry from this file (roberto)
@@ -221,3 +241,9 @@ trafficserver (Adrian Bunk)
NOTE: 20230826: I have the answer here. (utkarsh)
NOTE: 20230918: Needs first fixing in bullseye. (bunk)
--
+vim
+ NOTE: 20230924: Added by Front-Desk (apo)
+--
+zabbix
+ NOTE: 20230924: Added by Front-Desk (apo)
+--
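Review bot: vim and zabbix are both added unclaimed and without a reason line, the same style point as axis above; a NOTE listing the CVEs that triggered the addition would make the entries self-explanatory when they are picked up.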
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9e5b18520bbb8df59044db4eb682f1b301268c75...5ea70a64a6a25a3cd1abe61b6894f25c018f10d9
--