[Git][security-tracker-team/security-tracker][master] 9 commits: CVE-2024-31497,filezilla: buster is no-dsa

Sun Apr 21 22:12:28 BST 2024


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
74696943 by Markus Koschany at 2024-04-21T23:11:59+02:00
CVE-2024-31497,filezilla: buster is no-dsa

Minor issue.

- - - - -
8bc9a7e7 by Markus Koschany at 2024-04-21T23:11:59+02:00
Add nghttp2 to dla-needed.txt

- - - - -
efec8650 by Markus Koschany at 2024-04-21T23:11:59+02:00
Add python-idna to dla-needed.txt

- - - - -
51771358 by Markus Koschany at 2024-04-21T23:12:01+02:00
CVE-2024-3446,CVE-2024-3447,CVE-2024-3567,qemu: buster is no-dsa

Minor issues. It is good practice not to run qemu directly as a privileged
user.

- - - - -
0e9b47d2 by Markus Koschany at 2024-04-21T23:12:01+02:00
Add tryton-server to dla-needed.txt and claim it

- - - - -
7a3f0d28 by Markus Koschany at 2024-04-21T23:12:02+02:00
CVE-2024-31047,openexr: buster is no-dsa

Minor issue

- - - - -
76475ee7 by Markus Koschany at 2024-04-21T23:12:03+02:00
CVE-2024-32462,flatpak: buster is ignored

We have previously marked sandbox escape issues as ignored because they were
either intrusive to backport or could be easily mitigated. Although the fix
for CVE-2024-32462 seems straightforward, the whole application should be
upgraded to the version in Bullseye in my opinion. Since we approach the end
of the Buster LTS cycle I am going to mark CVE-2024-32462 as ignored too.

- - - - -
76d860ac by Markus Koschany at 2024-04-21T23:12:03+02:00
Add astropy to dla-needed.txt

- - - - -
d913e443 by Markus Koschany at 2024-04-21T23:12:03+02:00
Add php7.3 to dla-needed.txt and claim it

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -428,6 +428,7 @@ CVE-2024-32466 (Tolgee is an open-source localization platform. For the `/v2/pro
 CVE-2024-32462 (Flatpak is a system for building, distributing, and running sandboxed  ...)
 	{DSA-5666-1}
 	- flatpak 1.14.6-1
+	[buster] - flatpak <ignored> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2024/04/18/5
 	NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj
 	NOTE: Fixed by: https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931 (1.15.8)
@@ -2113,6 +2114,7 @@ CVE-2024-31497 (In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce gener
 	- filezilla 3.67.0-1
 	[bookworm] - filezilla <no-dsa> (Minor issue)
 	[bullseye] - filezilla <no-dsa> (Minor issue)
+	[buster] - filezilla <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2024/04/15/6
 	NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
 CVE-2024-3804 (A vulnerability, which was classified as critical, has been found in V ...)
@@ -3149,6 +3151,7 @@ CVE-2024-3567 (A flaw was found in QEMU. An assertion failure was present in the
 	- qemu <unfixed> (bug #1068822)
 	[bookworm] - qemu <no-dsa> (Minor issue)
 	[bullseye] - qemu <no-dsa> (Minor issue)
+	[buster] - qemu <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274339
 	NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2273
 CVE-2024-3566 (A command inject vulnerability allows an attacker to perform command i ...)
@@ -3572,6 +3575,7 @@ CVE-2024-3447
 	- qemu <unfixed> (bug #1068821)
 	[bookworm] - qemu <no-dsa> (Minor issue)
 	[bullseye] - qemu <no-dsa> (Minor issue)
+	[buster] - qemu <no-dsa> (Minor issue)
 	NOTE: https://patchew.org/QEMU/20240404085549.16987-1-philmd@linaro.org/
 	NOTE: https://patchew.org/QEMU/20240409145524.27913-1-philmd@linaro.org/
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813
@@ -3735,6 +3739,7 @@ CVE-2024-3446 (A double free vulnerability was found in QEMU virtio devices (vir
 	- qemu <unfixed> (bug #1068820)
 	[bookworm] - qemu <no-dsa> (Minor issue)
 	[bullseye] - qemu <no-dsa> (Minor issue)
+	[buster] - qemu <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274211
 	NOTE: https://patchew.org/QEMU/20240409105537.18308-1-philmd@linaro.org/
 CVE-2024-3281 (A vulnerability was discovered in the firmware builds after 8.0.2.3267 ...)
@@ -4499,6 +4504,7 @@ CVE-2024-31047 (An issue in Academy Software Foundation openexr v.3.2.3 and befo
 	- openexr <unfixed> (bug #1068939)
 	[bookworm] - openexr <no-dsa> (Minor issue)
 	[bullseye] - openexr <no-dsa> (Minor issue)
+	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1680
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1681
 	NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/7aa89e1d09b09d9f5dbb96976ee083a331ab9d71


=====================================
data/dla-needed.txt
=====================================
@@ -33,6 +33,9 @@ ansible (debian)
 apache2
   NOTE: 20240418: Added by Front-Desk (apo)
 --
+astropy
+  NOTE: 20240421: Added by Front-Desk (apo)
+--
 atril
   NOTE: 20240121: Added by Front-Desk (apo)
   NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead.
@@ -178,6 +181,9 @@ mediawiki (guilhem)
 netty
   NOTE: 20240419: Added by Front-Desk (apo)
 --
+nghttp2
+  NOTE: 20240421: Added by Front-Desk (apo)
+--
 nodejs (guilhem)
   NOTE: 20240406: Added by Front-Desk (lamby)
 --
@@ -226,6 +232,9 @@ pdns-recursor
   NOTE: 20240306: Added by Front-Desk (opal)
   NOTE: 20240319: Upload postponed due to #1067124 (dleidert)
 --
+php7.3 (Markus Koschany)
+  NOTE: 20240421: Added by Front-Desk (apo)
+--
 putty (rouca)
   NOTE: 20231224: Added by Front-Desk (ta)
   NOTE: 20240104: massive code change against bullseye. May be better to backport bullseye (rouca)
@@ -240,6 +249,9 @@ python-asyncssh
   NOTE: 20240116: Added by Front-Desk (lamby)
   NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert)
 --
+python-idna
+  NOTE: 20240421: Added by Front-Desk (apo)
+--
 rails
   NOTE: 20220909: Re-added due to regression (abhijith)
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
@@ -315,6 +327,11 @@ tinymce
 trafficserver
   NOTE: 20240421: Added by Front-Desk (apo)
 --
+tryton-server (Markus Koschany)
+  NOTE: 20240421: Added by Front-Desk (apo)
+  NOTE: 20240421: Fix causes regressions in tryton client. Waiting for that
+  NOTE: 20240421: being resolved upstream.
+--
 varnish
   NOTE: 20231117: Added by Front-Desk (apo)
   NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6e1b35d1311021d380f3eefbf2371b353cc12e9...d913e443f2cc5a6dc94abb9a1d99a773d90951d5

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6e1b35d1311021d380f3eefbf2371b353cc12e9...d913e443f2cc5a6dc94abb9a1d99a773d90951d5
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240421/a33fc79a/attachment-0001.htm>
