[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sun Apr 21 19:00:33 BST 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
23a75858 by Moritz Muehlenhoff at 2024-04-21T19:59:55+02:00
bookworm/bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3098,6 +3098,8 @@ CVE-2024-3568 (The huggingface/transformers library is vulnerable to arbitrary c
NOT-FOR-US: huggingface/transformers
CVE-2024-3567 (A flaw was found in QEMU. An assertion failure was present in the upda ...)
- qemu <unfixed> (bug #1068822)
+ [bookworm] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274339
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2273
CVE-2024-3566 (A command inject vulnerability allows an attacker to perform command i ...)
@@ -3519,6 +3521,8 @@ CVE-2024-26815 (In the Linux kernel, the following vulnerability has been resolv
NOTE: https://git.kernel.org/linus/343041b59b7810f9cdca371f445dd43b35c740b1 (6.9-rc1)
CVE-2024-3447
- qemu <unfixed> (bug #1068821)
+ [bookworm] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu <no-dsa> (Minor issue)
NOTE: https://patchew.org/QEMU/20240404085549.16987-1-philmd@linaro.org/
NOTE: https://patchew.org/QEMU/20240409145524.27913-1-philmd@linaro.org/
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813
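Review bot: the CVE-2024-3447 entry carries no description text after the identifier, unlike the neighbouring entries, so the new [bookworm]/[bullseye] no-dsa lines hang off an entry whose affected QEMU component can only be inferred from the patchew and oss-fuzz NOTE links; if the CVE text is not yet published, a short description or a NOTE naming the affected device model would make the "Minor issue" rationale checkable later.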
@@ -3680,6 +3684,8 @@ CVE-2024-3512 (The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for Wo
NOT-FOR-US: WordPress plugin
CVE-2024-3446 (A double free vulnerability was found in QEMU virtio devices (virtio-g ...)
- qemu <unfixed> (bug #1068820)
+ [bookworm] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274211
NOTE: https://patchew.org/QEMU/20240409105537.18308-1-philmd@linaro.org/
CVE-2024-3281 (A vulnerability was discovered in the firmware builds after 8.0.2.3267 ...)
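Review bot: the no-dsa rationale for CVE-2024-3446 is only "Minor issue", yet the description is a double free in the virtio device models, i.e. memory corruption rather than a plain crash; recording why it is considered minor (what a guest has to be able to do to reach it) in the annotation or a NOTE would let the decision be re-evaluated without re-reading the Red Hat bug, as the shim entries elsewhere in this commit do with "fix with a point release".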
@@ -4442,6 +4448,8 @@ CVE-2024-31365 (Improper Neutralization of Input During Web Page Generation ('Cr
NOT-FOR-US: WordPress plugin
CVE-2024-31047 (An issue in Academy Software Foundation openexr v.3.2.3 and before all ...)
- openexr <unfixed> (bug #1068939)
+ [bookworm] - openexr <no-dsa> (Minor issue)
+ [bullseye] - openexr <no-dsa> (Minor issue)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1680
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1681
NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/7aa89e1d09b09d9f5dbb96976ee083a331ab9d71
@@ -23398,27 +23406,39 @@ CVE-2023-52355 (An out-of-memory flaw was found in libtiff that could be trigger
NOTE: Issue fixed by providing a documentation update
CVE-2023-40551 (A flaw was found in the MZ binary format in Shim. An out-of-bounds rea ...)
- shim <unfixed> (bug #1061519)
+ [bookworm] - shim <no-dsa> (Minor issue, fix with a point release)
+ [bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2259918
NOTE: https://github.com/rhboot/shim/commit/5a5147d1e19cf90ec280990c84061ac3f67ea1ab (15.8)
CVE-2023-40550 (An out-of-bounds read flaw was found in Shim when it tried to validate ...)
- shim <unfixed> (bug #1061519)
+ [bookworm] - shim <no-dsa> (Minor issue, fix with a point release)
+ [bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2259915
NOTE: https://github.com/rhboot/shim/commit/93ce2552f3e9f71f888a672913bfc0eef255c56d (15.8)
NOTE: Followup: https://github.com/rhboot/shim/commit/e7f5fdf53ee68025f3ef2688e2f27ccb0082db83 (15.8)
CVE-2023-40549 (An out-of-bounds read flaw was found in Shim due to the lack of proper ...)
- shim <unfixed> (bug #1061519)
+ [bookworm] - shim <no-dsa> (Minor issue, fix with a point release)
+ [bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241797
NOTE: https://github.com/rhboot/shim/commit/afdc5039de0a4a3a40162a32daa070f94a883f09 (15.8)
CVE-2023-40548 (A buffer overflow was found in Shim in the 32-bit system. The overflow ...)
- shim <unfixed> (bug #1061519)
+ [bookworm] - shim <no-dsa> (Minor issue, fix with a point release)
+ [bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241782
NOTE: https://github.com/rhboot/shim/commit/96dccc255b16e9465dbee50b3cef6b3db74d11c8 (15.8)
CVE-2023-40547 (A remote code execution vulnerability was found in Shim. The Shim boot ...)
- shim <unfixed> (bug #1061519)
+ [bookworm] - shim <no-dsa> (Minor issue, fix with a point release)
+ [bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2234589
NOTE: https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d (15.8)
CVE-2023-40546 (A flaw was found in Shim when an error happened while creating a new E ...)
- shim <unfixed> (bug #1061519)
+ [bookworm] - shim <no-dsa> (Minor issue, fix with a point release)
+ [bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241796
NOTE: https://github.com/rhboot/shim/commit/66e6579dbf921152f647a0c16da1d3b2f40861ca (15.8)
NOTE: https://github.com/rhboot/shim/commit/dae82f6bd72cf600e5d48046ec674a441d0f49d7 (15.8)
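Review bot: all six shim entries get the identical annotation "Minor issue, fix with a point release", including CVE-2023-40547, whose description is a remote code execution vulnerability rather than an out-of-bounds read like the others; the reasoning for treating that one the same (for example which boot path must be in use) should be stated so the no-dsa call can be re-checked. Since a single bug #1061519 covers all six, the point-release upload should list each CVE explicitly in its changelog so the tracker can close them individually.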
@@ -40754,8 +40774,11 @@ CVE-2023-46847 (Squid is vulnerable to a Denial of Service, where a remote atta
NOTE: https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html
CVE-2023-5824 (Squid is vulnerable to Denial of Service attack against HTTP and HTTPS ...)
- squid 6.5-1 (bug #1055249)
+ [bookworm] - squid <ignored> (Minor impact, too intrusive to backport to 5.x)
+ [bullseye] - squid <ignored> (Minor impact, too intrusive to backport to 5.x)
- squid3 <removed>
NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-543m-w2m2-g255
+ NOTE: https://megamansec.github.io/Squid-Security-Audit/cache-headers.html
CVE-2023-46846 (SQUID is vulnerable to HTTP request smuggling, caused by chunked decod ...)
{DSA-5637-1 DLA-3709-1}
- squid 6.5-1 (bug #1054537)
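Review bot: the [bullseye] line reuses the bookworm rationale verbatim, "too intrusive to backport to 5.x", so the series number should be verified for bullseye, whose squid package is not necessarily on the 5.x branch; if it is older, either name the right series or generalise the wording ("too intrusive to backport to the 4.x/5.x series"). The added NOTE to the cache-headers.html audit page is useful context for an <ignored> decision and should stay.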
@@ -163039,6 +163062,7 @@ CVE-2022-24793 (PJSIP is a free and open source multimedia communication library
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
- ring 20230206.0~ds1-1 (bug #1014998)
+ [bookworm] - ring <no-dsa> (Minor issue)
NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
NOTE: https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a
CVE-2022-24792 (PJSIP is a free and open source multimedia communication library writt ...)
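Review bot: only [bookworm] is annotated for ring; with the fixed version 20230206.0~ds1-1 and no [bullseye] line, the tracker will keep reporting bullseye as affected if ring with its bundled pjproject is present there, so either a matching [bullseye] entry (no-dsa, not-affected or removed, as appropriate) or confirmation that bullseye does not ship the package is needed. The existing [stretch] asterisk line in this entry shows the per-release pattern to follow.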
=====================================
data/dsa-needed.txt
=====================================
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
If needed, specify the release by adding a slash after the name of the source package.
+--
+atril
--
cryptojs
--
@@ -50,6 +52,10 @@ nbconvert/oldstable
--
nodejs
--
+openjdk-11 (jmm)
+--
+openjdk-17 (jmm)
+--
opennds/stable
--
org-mode
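Review bot: openjdk-11 and openjdk-17 are added without a release qualifier, while this file's header says to append "/release" to the package name when needed and the surrounding entries (nbconvert/oldstable, opennds/stable) use that form; if the pending openjdk-11 DSA concerns only one of the two supported releases, add the qualifier so the entry is unambiguous. Both lines are claimed with (jmm), matching the commit author, so ownership is clear.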
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23a758581b4a027f39193302381dc081b1ceb588