[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Apr 5 14:59:52 BST 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a4f5e667 by Moritz Muehlenhoff at 2024-04-05T15:59:05+02:00
bookworm/bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -88,12 +88,14 @@ CVE-2024-30263 (macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pd
NOT-FOR-US: PDF Viewer Macro for XWiki
CVE-2024-30261 (Undici is an HTTP/1.1 client, written from scratch for Node.js. An att ...)
- node-undici 5.28.4+dfsg1+~cs23.12.11-1
+ [bookworm] - node-undici <no-dsa> (Minor issue)
NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
NOTE: https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055 (v5.28.4)
NOTE: https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3 (v6.11.1)
NOTE: https://hackerone.com/reports/2377760
CVE-2024-30260 (Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici ...)
- node-undici 5.28.4+dfsg1+~cs23.12.11-1
+ [bookworm] - node-undici <no-dsa> (Minor issue)
NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
NOTE: https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f (v5.28.4)
NOTE: https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75 (v6.11.1)
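Review bot: only a [bookworm] no-dsa line is added for each of the two undici CVEs, with no statement for bullseye; if node-undici is shipped in bullseye it needs a matching [bullseye] line (no-dsa or not-affected), and if it is not, the entry is complete as-is, but the triage should make that explicit so the entry does not read as half-done. The "Minor issue" rating would also be easier to audit if the advisory severity from the GHSA links were recorded next to it.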
@@ -446,7 +448,9 @@ CVE-2023-45288 (An attacker may cause an HTTP/2 endpoint to read arbitrary amoun
- golang-1.22 1.22.2-1
- golang-1.21 1.21.9-1
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
- golang-golang-x-net 1:0.23.0+dfsg-1
NOTE: https://github.com/golang/go/issues/65051
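Review bot: golang-golang-x-net is recorded as fixed in unstable at 1:0.23.0+dfsg-1 but receives no [bookworm] or [bullseye] line in this hunk, while the bundled golang-1.19 and golang-1.15 copies both get a no-dsa decision; since x/net is the package Go's HTTP/2 support is built on, it needs the same triage in the suites that ship it (a no-dsa marker or a fixed version), otherwise the stable status for this CVE is incomplete.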
@@ -1920,6 +1924,7 @@ CVE-2024-XXXX [mediawiki: XSS in edit summary parser]
CVE-2024-XXXX [mediawiki: Denial of service vector via GET request to Special:MovePage on pages with thousands of subpages]
- mediawiki 1:1.39.7-1
[bookworm] - mediawiki 1:1.39.7-1~deb12u1
+ [bullseye] - mediawiki 1:1.35.13-1+deb11u2
NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/V3WXEPXV2DU6WTVEKK4XHW4QXD5OFKD7/
NOTE: https://phabricator.wikimedia.org/T357760
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1015423
@@ -3269,11 +3274,12 @@ CVE-2023-46046 (An issue in MiniZinc before 2.8.0 allows a NULL pointer derefere
NOTE: https://github.com/MiniZinc/libminizinc/commit/afe67acc20898e4308044b54c4acf7a08df544f0 (2.8.0)
NOTE: Negligible security impact, crash in CLI tool
CVE-2023-45935 (Qt 6 through 6.6 was discovered to contain a NULL pointer dereference ...)
- - qt6-base <unfixed>
- - qtbase-opensource-src <unfixed>
- - qtbase-opensource-src-gles <unfixed>
+ - qt6-base <unfixed> (unimportant)
+ - qtbase-opensource-src <unfixed> (unimportant)
+ - qtbase-opensource-src-gles <unfixed> (unimportant)
NOTE: https://bugreports.qt.io/browse/QTBUG-115599
NOTE: https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=df77d8939d1c04aa18833fe1e141bb71af1f8e04 (v6.5.3)
+ NOTE: No security impact
CVE-2023-45931 (Mesa 23.0.4 was discovered to contain a NULL pointer dereference in ch ...)
- mesa <unfixed> (unimportant)
NOTE: https://gitlab.freedesktop.org/mesa/mesa/-/issues/9859
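Review bot: the added "NOTE: No security impact" gives no reason for downgrading the three Qt entries to (unimportant); the neighbouring CVE-2023-46046 entry spells out why ("crash in CLI tool"), so this note should likewise say what the NULL dereference affects and why it is not attacker-reachable, e.g. "NOTE: No security impact, <reason>", so the rating can be rechecked later without re-reading the upstream bug.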
@@ -4056,6 +4062,8 @@ CVE-2024-30161 (In Qt before 6.5.6 and 6.6.x before 6.6.3, the wasm component ma
TODO: check details
CVE-2024-30156 (Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 L ...)
- varnish <unfixed>
+ [bookworm] - varnish <ignored> (Minor issue, too intrusive to backport)
+ [bullseye] - varnish <ignored> (Minor issue, too intrusive to backport)
NOTE: https://varnish-cache.org/security/VSV00014.html
NOTE: https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#cve-2024-30156
NOTE: https://github.com/varnishcache/varnish-cache/commit/c0201724f0280894ec714fe76fc26ba9831f0551 (varnish-7.5.0)
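Review bot: the bookworm and bullseye lines are marked <ignored>, but the unstable line stays "- varnish <unfixed>" with no bug reference, unlike the varnish line for CVE-2023-44487 later in this commit, which carries "(bug #1056156)"; with varnish also being dropped from dsa-needed.txt, a bug number on the unstable line is the only remaining pointer to the pending sid fix, so add one if a bug has been filed.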
@@ -5198,6 +5206,7 @@ CVE-2023-6597 (An issue was found in the CPython `tempfile.TemporaryDirectory` c
- python3.11 3.11.8-1
- python3.10 <unfixed>
- python3.9 <removed>
+ [bullseye] - python3.9 <no-dsa> (Minor issue)
- python3.7 <removed>
- python2.7 <not-affected> (tempfile.TemporaryDirectory added in 3.2)
NOTE: https://github.com/python/cpython/pull/99930
@@ -7324,6 +7333,7 @@ CVE-2023-28746 (Information exposure through microarchitectural state after tran
[buster] - intel-microcode <postponed> (Decide after exposure on unstable for update)
- linux 6.7.9-2
- xen <unfixed>
+ [bookworm] - xen <postponed> (Minor issue, fix along in next DSA)
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00898.html
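Review bot: the new [bookworm] line defers the xen fix to the next DSA, but the NOTE list only references the Intel advisory; record the upstream Xen advisory or commit for this issue next to it (if one has been published), as the other entries in this file do, so that whoever prepares that DSA can locate the change to fold in without re-deriving it.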
@@ -37802,6 +37812,8 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource
- dnsdist 1.8.2-2
[buster] - dnsdist <not-affected> (HTTP/2 support was added later)
- varnish <unfixed> (bug #1056156)
+ [bookworm] - varnish <ignored> (Minor issue, too intrusive to backport)
+ [bullseye] - varnish <ignored> (Minor issue, too intrusive to backport)
NOTE: Tomcat: https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49 (10.1.14)
NOTE: Tomcat: https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a (9.0.81)
NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version
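Review bot: marking varnish <ignored> in both suites for CVE-2023-44487 (the HTTP/2 rapid-reset denial of service) while the unstable package is still <unfixed> (bug #1056156) means no Debian release will carry the fix; the backport-cost rationale is acceptable, but the "Minor issue" part should state whether HTTP/2 is enabled by default in the Debian varnish build, since that is what determines exposure for most deployments and is what a reader of this entry will want to know.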
=====================================
data/dsa-needed.txt
=====================================
@@ -88,8 +88,6 @@ salt/oldstable
--
squid
--
-varnish
---
webkit2gtk (berto)
--
wpa
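Review bot: removing varnish here is consistent with the two <ignored> markings added to data/CVE/list in this commit for CVE-2024-30156 and CVE-2023-44487, and the hunk drops both the entry and its own "--" separator, so the entry/separator alternation around "webkit2gtk (berto)" stays intact; nothing else in the file referenced the entry, so no further update is needed.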
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4f5e6679564093912e4b6505c181a4c5aa6b261