[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Apr 22 10:10:39 BST 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
cb445d82 by Moritz Muehlenhoff at 2024-04-22T11:02:14+02:00
bullseye/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -54,12 +54,15 @@ CVE-2024-32460 [Low] OutOfBound Read in interleaved_decompress]
NOTE: https://www.freerdp.com/2024/04/17/2_11_6-release
CVE-2024-32493 [SQL injection issue regarding Form IDs when cleaning up drafts]
- znuny 6.5.8-1
+ [bookworm] - znuny <no-dsa> (Non-free not supported)
NOTE: https://www.znuny.org/en/advisories/zsa-2024-03
CVE-2024-32492 [Cross Site Scripting (XSS) in the Customer Portal Ticket View]
- znuny <not-affected> (Only affects Znuny from 7.0.1 up to including 7.0.16)
+ [bookworm] - znuny <no-dsa> (Non-free not supported)
NOTE: https://www.znuny.org/en/advisories/zsa-2024-02
CVE-2024-32491 [Directory Traversal via File Upload]
- znuny 6.5.8-1
+ [bookworm] - znuny <no-dsa> (Non-free not supported)
NOTE: https://www.znuny.org/en/advisories/zsa-2024-01
CVE-2024-4020 (A vulnerability was found in Tenda FH1206 1.2.0.8(8155) and classified ...)
NOT-FOR-US: Tenda
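Review bot: The new `[bookworm] - znuny <no-dsa> (Non-free not supported)` line under CVE-2024-32492 sits beneath an entry that already says `- znuny <not-affected> (Only affects Znuny from 7.0.1 up to including 7.0.16)`; if the bookworm package is one of the unaffected versions, the sub-release line should be `<not-affected>` (or be dropped) rather than `<no-dsa>`, so the tracker does not show an open, unsupported issue for a version that is not vulnerable. The matching no-dsa lines for CVE-2024-32493 and CVE-2024-32491 are consistent with the unstable fix recorded as `znuny 6.5.8-1`.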
@@ -3676,9 +3679,13 @@ CVE-2024-3210 (The Paid Membership Plugin, Ecommerce, User Registration Form, Lo
NOT-FOR-US: WordPress plugin
CVE-2024-3120 (A stack-buffer overflow vulnerability exists in all versions of sngrep ...)
- sngrep 1.8.1-1 (bug #1068818)
+ [bookworm] - sngrep <no-dsa> (Minor issue)
+ [bullseye] - sngrep <no-dsa> (Minor issue)
NOTE: https://github.com/irontec/sngrep/commit/f3f8ed8ef38748e6d61044b39b0dabd7e37c6809 (v1.8.1)
CVE-2024-3119 (A buffer overflow vulnerability exists in all versions of sngrep since ...)
- sngrep 1.8.1-1 (bug #1068818)
+ [bookworm] - sngrep <no-dsa> (Minor issue)
+ [bullseye] - sngrep <no-dsa> (Minor issue)
NOTE: https://github.com/irontec/sngrep/commit/dd5fec92730562af6f96891291cd4e102b80bfcc (v1.8.1)
CVE-2024-3020 (The plugin is vulnerable to PHP Object Injection in versions up to and ...)
NOT-FOR-US: WordPress plugin
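Review bot: Both sngrep entries carry only `(Minor issue)` as the rationale for the bookworm and bullseye `<no-dsa>` lines, while the descriptions call them a stack-buffer overflow and a buffer overflow in all versions; a short reason in the parentheses (what input is needed to reach the overflow, or why the impact is limited) would help whoever retriages for a point release. Since bug #1068818 is already referenced and the upstream fix commits are tagged (v1.8.1), consider stating in the entry that a fix via the next point release is the intended route.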
@@ -4530,6 +4537,7 @@ CVE-2024-2201 [Native Branch History Injection]
NOTE: https://xenbits.xen.org/xsa/advisory-456.html
CVE-2024-31142 [x86: Incorrect logic for BTC/SRSO mitigations]
- xen <unfixed>
+ [bookworm] - xen <postponed> (Minor issue, fix along in next DSA)
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://xenbits.xen.org/xsa/advisory-455.html
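Review bot: The bookworm rationale `(Minor issue, fix along in next DSA)` reads awkwardly and does not say which DSA it is waiting on; "Minor issue, to be fixed with the next xen DSA" is clearer, and since the same commit postpones CVE-2023-46842 with identical wording, a cross-reference between the two entries would make sure both go out together. The unchanged `- xen <unfixed>` line for unstable is fine given XSA-455 is linked in the NOTE.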
@@ -5055,6 +5063,7 @@ CVE-2024-22328 (IBM Maximo Application Suite 8.10 and 8.11 could allow a remote
NOT-FOR-US: IBM
CVE-2024-XXXX [RUSTSEC-2024-0332: Degradation of service in h2 servers with CONTINUATION Flood]
- rust-h2 0.4.4-1
+ [bookworm] - rust-h2 <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0332.html
NOTE: https://github.com/advisories/GHSA-q6cp-qfwq-4gcv
CVE-2024-3362 (A vulnerability was found in SourceCodester Online Library System 1.0 ...)
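Review bot: The entry is still keyed by the placeholder `CVE-2024-XXXX`, so the new `[bookworm] - rust-h2 <no-dsa> (Minor issue)` line is attached to an unassigned id; once the CVE for RUSTSEC-2024-0332 / GHSA-q6cp-qfwq-4gcv is published, the placeholder must be renamed and this no-dsa decision carried over, otherwise the bookworm status is lost when the entry is re-keyed. The `- rust-h2 0.4.4-1` line records the unstable fix, so the only open question for bookworm is whether the CONTINUATION flood is to be fixed in a point release.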
@@ -24250,6 +24259,7 @@ CVE-2020-36771 (CloudLinux CageFS 7.1.1-1 or below passes the authentication tok
NOT-FOR-US: CloudLinux CageFS
CVE-2023-46842 [x86 HVM hypercalls may trigger Xen bug check]
- xen <unfixed>
+ [bookworm] - xen <postponed> (Minor issue, fix along in next DSA)
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <not-affected> (Vulnerable code not present)
NOTE: https://xenbits.xen.org/xsa/advisory-454.html
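Review bot: `[bookworm] - xen <postponed> (Minor issue, fix along in next DSA)` uses the same informal wording as the CVE-2024-31142 entry in this commit; make the two consistent ("to be fixed with the next xen DSA") and, since nothing in this commit records the pending DSA in data/dsa-needed.txt, consider adding or updating a xen line there so the postponed issue is not dropped when that DSA is prepared. The buster `<not-affected> (Vulnerable code not present)` and bullseye `<end-of-life>` lines are unchanged context.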
@@ -39975,6 +39985,8 @@ CVE-2023-46345 (Catdoc v0.95 was discovered to contain a NULL pointer dereferenc
CVE-2023-46233 (crypto-js is a JavaScript library of crypto standards. Prior to versio ...)
{DLA-3669-1}
- cryptojs 3.1.2+dfsg-4 (bug #1055525)
+ [bookworm] - cryptojs <no-dsa> (Minor issue)
+ [bullseye] - cryptojs <no-dsa> (Minor issue)
NOTE: https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf
NOTE: https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a (4.2.0)
CVE-2023-46232 (era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, a layer ...)
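Review bot: The bookworm and bullseye `<no-dsa> (Minor issue)` lines leave bug #1055525 as the only pointer to a fix, and the linked upstream commit is tagged (4.2.0) while the packaged version is 3.1.2+dfsg-4; the entry should say whether that commit backports to 3.1.2 or whether a point-release update is planned, especially since `{DLA-3669-1}` shows the LTS team already issued an update for buster. The change is consistent with the removal of cryptojs from data/dsa-needed.txt in the same commit.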
=====================================
data/dsa-needed.txt
=====================================
@@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa
--
atril
--
-cryptojs
---
dav1d
--
dnsdist (jmm)
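Review bot: Dropping `cryptojs` together with its `--` separator keeps the file's one-entry-per-separator layout intact and matches the `<no-dsa>` lines added for CVE-2023-46233 in data/CVE/list; the only thing to watch is that bug #1055525 is now the sole tracking reference for the eventual bookworm and bullseye fix.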
@@ -71,7 +69,7 @@ python-asyncssh
--
redmine/stable
--
-ring
+ring/oldstable
might make sense to rebase to current version
--
ruby2.7/oldstable
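Review bot: Narrowing `ring` to `ring/oldstable` follows the release-suffix convention in the file header, but the free-text line `might make sense to rebase to current version` is kept verbatim without saying which version or why stable no longer needs a DSA; add the reason for dropping stable (DSA already issued, or fixed in a point release) and the target version for the rebase so the entry is self-explanatory for whoever picks it up. The entry also carries no claimant in parentheses, unlike `dnsdist (jmm)` in the first hunk, which is fine only if it is still unassigned.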
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb445d829db44c592501aed8473cc3b35d1e76b7