[Git][security-tracker-team/security-tracker][master] 6 commits: Triage CVE-2024-30187 in anope for buster LTS.

Chris Lamb (@lamby) lamby at debian.org
Thu Apr 4 17:27:13 BST 2024



Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f10bd73a by Chris Lamb at 2024-04-04T17:12:21+01:00
Triage CVE-2024-30187 in anope for buster LTS.

- - - - -
c85ae800 by Chris Lamb at 2024-04-04T17:13:59+01:00
Triage CVE-2024-21503 in black for buster LTS.

- - - - -
5a1c1635 by Chris Lamb at 2024-04-04T17:18:24+01:00
Triage CVE-2024-2398 in curl for buster LTS.

- - - - -
56b46114 by Chris Lamb at 2024-04-04T17:25:07+01:00
Triage CVE-2024-29489 in iotjs for buster LTS.

- - - - -
5b5b5c3c by Chris Lamb at 2024-04-04T17:25:52+01:00
Triage CVE-2024-29041 in node-express for buster LTS.

- - - - -
cef45552 by Chris Lamb at 2024-04-04T17:26:19+01:00
Triage CVE-2024-2955 in wireshark for buster LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1887,6 +1887,7 @@ CVE-2024-29640 (An issue in aliyundrive-webdav v.2.3.3 and before allows a remot
 CVE-2024-29489 (Jerryscript 2.4.0 has SEGV at ./jerry-core/ecma/base/ecma-helpers.c:23 ...)
 	- iotjs <removed>
 	[bullseye] - iotjs <ignored> (Minor issue)
+	[buster] - iotjs <ignored> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/5101
 	NOTE: https://github.com/jerryscript-project/jerryscript/pull/5129
 	NOTE: https://github.com/jerryscript-project/jerryscript/commit/cefd391772529c8a9531d7b3c244d78d38be47c6
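Review bot: The added `[buster] - iotjs <ignored> (Minor issue)` line gives a reason that is too thin for a permanent state. `<ignored>` closes the entry for buster, unlike the `<postponed>` used for the other five packages in this push, so the parenthetical should say why no fix will be shipped. The `- iotjs <removed>` line two lines up or the crash-only nature of the SEGV in the description would both serve, whichever was the actual reasoning.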
@@ -2658,6 +2659,7 @@ CVE-2024-2398 (When an application tells libcurl it wants to allow HTTP/2 server
 	- curl 8.7.1-1
 	[bookworm] - curl <no-dsa> (Minor issue)
 	[bullseye] - curl <no-dsa> (Minor issue)
+	[buster] - curl <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://curl.se/docs/CVE-2024-2398.html
 	NOTE: Introduced by: https://github.com/curl/curl/commit/ea7134ac874a66107e54ff93657ac565cf2ec4aa (curl-7_44_0)
 	NOTE: Fixed by: https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764 (curl-8_7_0)
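Review bot: The added `[buster] - curl <postponed>` line does not record whether buster's curl was checked against the introducing commit listed in the context below (`curl-7_44_0`). If the buster version is at or after that tag the entry is fine as written; if it is older, the line should be `<not-affected>` with a "Vulnerable code not present" reason rather than a deferred fix.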
@@ -2997,6 +2999,7 @@ CVE-2024-2955 (T.38 dissector crash in Wireshark 4.2.0 to 4.0.3 and 4.0.0 to 4.0
 	- wireshark <unfixed> (bug #1068111)
 	[bookworm] - wireshark <no-dsa> (Minor issue)
 	[bullseye] - wireshark <no-dsa> (Minor issue)
+	[buster] - wireshark <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2024-06.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19695
 CVE-2024-2951 (Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Registrat ...)
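Review bot: The added `[buster] - wireshark <postponed>` line implies buster is affected, but the description in the hunk header names only the 4.2 and 4.0 series. Add a NOTE stating that the T.38 dissector crash was confirmed in the buster version, or use `<not-affected>` if the vulnerable code is not present there.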
@@ -3285,6 +3288,7 @@ CVE-2024-29041 (Express.js minimalist web framework for node. Versions of Expres
 	- node-express <unfixed> (bug #1068346)
 	[bookworm] - node-express <no-dsa> (Minor issue)
 	[bullseye] - node-express <no-dsa> (Minor issue)
+	[buster] - node-express <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc
 	NOTE: https://github.com/koajs/koa/issues/1800
 	NOTE: https://github.com/expressjs/express/pull/5539
@@ -3724,6 +3728,7 @@ CVE-2024-30187 (Anope before 2.0.15 does not prevent resetting the password of a
 	- anope 2.0.15-1
 	[bookworm] - anope <no-dsa> (Minor issue; due to apparmor bug not affecting default configurations)
 	[bullseye] - anope <no-dsa> (Minor issue)
+	[buster] - anope <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/anope/anope/issues/351
 	NOTE: https://github.com/anope/anope/commit/2b7872139c40ea5b0ca96c1d6595b7d5f9fa60a5 (2.0.15)
 CVE-2024-2849 (A vulnerability classified as critical was found in SourceCodester Sim ...)
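Review bot: The added `[buster] - anope <postponed>` line leaves open whether the condition recorded for bookworm applies here. The bookworm line says `due to apparmor bug not affecting default configurations`, while the bullseye and buster lines say only `Minor issue`. If the same reasoning holds for buster, repeat it in the parenthetical; if it does not, a short NOTE on what differs would help whoever prepares the next update.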
@@ -4990,6 +4995,7 @@ CVE-2024-21503 (Versions of the package black before 24.3.0 are vulnerable to Re
 	- black <unfixed> (bug #1067177)
 	[bookworm] - black <no-dsa> (Minor issue)
 	[bullseye] - black <no-dsa> (Minor issue)
+	[buster] - black <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273
 	NOTE: https://github.com/psf/black/releases/tag/24.3.0
 	NOTE: https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8 (24.3.0)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5e16f1bbc9dd7898cd74dfebfd9787ec6e893646...cef45552d2d78037ec65c5a351ab5c29547e1f11
