[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

[Moritz Muehlenhoff (@jmm)]

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
03f7fdcc by Moritz Muehlenhoff at 2024-04-23T13:37:56+02:00
bookworm/bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -279,6 +279,7 @@ CVE-2024-32652 (The adapter @hono/node-server allows you to run your Hono applic
 	NOT-FOR-US: @hono/node-server
 CVE-2024-32650 (Rustls is a modern TLS library written in Rust. `rustls::ConnectionCom ...)
 	- rust-rustls <unfixed> (bug #1069677)
+	[bookworm] - rust-rustls <no-dsa> (Minor issue)
 	NOTE: github.com: https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
 	NOTE: github.com: https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d (v/0.23.5)
 	NOTE: github.com: https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e (v/0.23.5)
@@ -4770,6 +4771,7 @@ CVE-2024-2201 [Native Branch History Injection]
 	{DSA-5658-1}
 	- linux <unfixed>
 	- xen <unfixed>
+	[bookworm] - xen <postponed> (Minor issue, fix along in next DSA)
 	[bullseye] - xen <end-of-life> (EOLed in Bullseye)
 	[buster] - xen <end-of-life> (DSA 4677-1)
 	NOTE: https://www.openwall.com/lists/oss-security/2024/04/09/15
@@ -8603,6 +8605,7 @@ CVE-2024-28247 (The Pi-hole is a DNS sinkhole that protects your devices from un
 	NOT-FOR-US: Pi-Hole
 CVE-2024-28233 (JupyterHub is an open source multi-user server for Jupyter notebooks.  ...)
 	- jupyterhub <unfixed>
+	[bookworm] - jupyterhub <no-dsa> (Minor issue)
 	NOTE: https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-7r3h-4ph8-w38g
 	NOTE: https://github.com/jupyterhub/jupyterhub/commit/e2798a088f5ad45340fe79cdf1386198e664f77f
 CVE-2024-27270 (IBM WebSphere Application Server Liberty 23.0.0.3 through 24.0.0.3 is  ...)
@@ -11732,6 +11735,7 @@ CVE-2024-23298 (A logic issue was addressed with improved state management.)
 	NOT-FOR-US: Apple
 CVE-2024-22513 (djangorestframework-simplejwt version 5.3.1 and before is vulnerable t ...)
 	- python-djangorestframework-simplejwt <unfixed> (bug #1067641)
+	[bookworm] - python-djangorestframework-simplejwt <no-dsa> (Minor issue)
 	NOTE: https://github.com/dmdhrumilmistry/CVEs/tree/main/CVE-2024-22513
 CVE-2024-22259 (Applications that use UriComponentsBuilder in Spring Frameworkto parse ...)
 	- libspring-java <unfixed> (unimportant)
@@ -50465,11 +50469,10 @@ CVE-2023-40579 (OpenFGA is an authorization/permission engine built for develope
 	NOT-FOR-US: OpenFGA
 CVE-2023-40577 (Alertmanager handles alerts sent by client applications such as the Pr ...)
 	{DLA-3609-1}
-	- prometheus-alertmanager 0.26.0+ds-1 (bug #1050558)
-	[bookworm] - prometheus-alertmanager <no-dsa> (Minor issue)
-	[bullseye] - prometheus-alertmanager <no-dsa> (Minor issue)
+	- prometheus-alertmanager 0.26.0+ds-1 (unimportant; bug #1050558)
 	NOTE: https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j
 	NOTE: https://github.com/prometheus/alertmanager/commit/8b9f2fd20c25e0d1e76aa0b407f7e354996d8e72 (v0.25.1)
+	NOTE: Debian package doesn't ship the UI
 CVE-2023-40576 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...)
 	- freerdp2 <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-x3x5-r7jm-5pq2



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03f7fdcca93c5ee671c2241382d8060970e80d55

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03f7fdcca93c5ee671c2241382d8060970e80d55
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240423/b176b26c/attachment-0001.htm>