[Git][security-tracker-team/security-tracker][master] 5 commits: Triage ffmpeg CVE as postponed for Buster.

Markus Koschany (@apo) apo at debian.org
Sat Apr 20 23:13:47 BST 2024



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
910f13ec by Markus Koschany at 2024-04-21T00:04:52+02:00
Triage ffmpeg CVE as postponed for Buster.

We can wait until upstream fixes these issues in earlier releases.

- - - - -
dbf30577 by Markus Koschany at 2024-04-21T00:06:41+02:00
Add gunicorn to dla-needed.txt

- - - - -
6906ca1b by Markus Koschany at 2024-04-21T00:10:16+02:00
Add libmojolicious-perl to dla-needed.txt

- - - - -
c5c88137 by Markus Koschany at 2024-04-21T00:11:28+02:00
CVE-2024-28863,node-tar: buster is no-dsa

Minor issue

- - - - -
305978e5 by Markus Koschany at 2024-04-21T00:13:02+02:00
CVE-2024-3262,node-tar: buster is no-dsa

Minor issue

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -719,12 +719,14 @@ CVE-2024-31582 (FFmpeg version n6.1 was discovered to contain a heap buffer over
 	- ffmpeg <unfixed>
 	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
 	[bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
+	[buster] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
 	NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/99debe5f823f45a482e1dc08de35879aa9c74bd2 (n7.0)
 CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper validation o ...)
 	[experimental] - ffmpeg 7:7.0-1
 	- ffmpeg <unfixed>
 	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
 	[bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
+	[buster] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
 	NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ce0c178a408d43e71085c28a47d50dc939b60196 (n7.0)
 CVE-2024-31580 (PyTorch before v2.2.0 was discovered to contain a heap buffer overflow ...)
 	- pytorch <unfixed>
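Review bot: the new `[buster] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)` lines for CVE-2024-31582 and CVE-2024-31581 reuse the bullseye annotation verbatim, whereas the surrounding entries give each suite its own upstream branch (bookworm 5.1.x, bullseye 4.3.x); please confirm that the ffmpeg source package in buster actually follows the 4.3.x branch, and if it ships an older branch, name that branch in the note so the postponed marker is revisited when the right upstream release appears.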
@@ -734,6 +736,7 @@ CVE-2024-31578 (FFmpeg version n6.1.1 was discovered to contain a heap use-after
 	- ffmpeg <unfixed>
 	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
 	[bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
+	[buster] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
 	NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/3bb00c0a420c3ce83c6fafee30270d69622ccad7 (n7.0)
 CVE-2024-31463 (Ironic-image is an OpenStack Ironic deployment packaged and configured ...)
 	TODO: check
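Review bot: the added buster line for CVE-2024-31578 copies the bullseye pick-up note `(Pick up when fixed in 4.3.x)`; verify that 4.3.x is the branch buster's ffmpeg is built from before relying on it as the trigger for revisiting this postponed entry, and adjust the branch in the note if it is not.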
@@ -5238,6 +5241,7 @@ CVE-2024-3262 (Information exposure vulnerability in RT software affecting versi
 	- request-tracker4 <unfixed> (bug #1068452)
 	[bookworm] - request-tracker4 <no-dsa> (Minor issue)
 	[bullseye] - request-tracker4 <no-dsa> (Minor issue)
+	[buster] - request-tracker4 <no-dsa> (Minor issue)
 	- request-tracker5 <unfixed> (bug #1068453)
 	[bookworm] - request-tracker5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a
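Review bot: the commit message for this change (305978e5, `CVE-2024-3262,node-tar: buster is no-dsa`) names node-tar, but the hunk marks request-tracker4 as `<no-dsa>` for buster; the triage itself is consistent with the bookworm and bullseye lines above it, but the message should read `CVE-2024-3262,request-tracker4: buster is no-dsa` so the history stays searchable by package.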
@@ -9638,6 +9642,7 @@ CVE-2024-28863 (node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 h
 	- node-tar 6.1.13+~cs7.0.5-2
 	[bookworm] - node-tar <no-dsa> (Minor issue)
 	[bullseye] - node-tar <no-dsa> (Minor issue)
+	[buster] - node-tar <no-dsa> (Minor issue)
 	NOTE: https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36
 	NOTE: https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (v6.2.1)
 CVE-2024-28756 (The SolarEdge mySolarEdge application before 2.20.1 for Android has a  ...)


=====================================
data/dla-needed.txt
=====================================
@@ -101,6 +101,9 @@ frr (tobi)
 glibc (Adrian Bunk)
   NOTE: 20240419: Added by coordinator (santiago)
 --
+gunicorn
+  NOTE: 20240421: Added by Front-Desk (apo)
+--
 h2o
   NOTE: 20231228: Added by Front-Desk (lamby)
 --
@@ -124,6 +127,9 @@ knot-resolver (Markus Koschany)
 less (Abhijith PA)
   NOTE: 20240418: Added by Front-Desk (apo)
 --
+libmojolicious-perl
+  NOTE: 20240421: Added by Front-Desk (apo)
+--
 libpgjava (Markus Koschany)
   NOTE: 20240308: Added by Front-Desk (opal)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7d5031c83601fd63aa508b0a09294f2cdfdeb1bb...305978e5b03877349498cdb27f60179f994a9eed
