[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Apr 25 16:45:21 BST 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2e0bccad by Moritz Muehlenhoff at 2024-04-25T17:44:51+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -130,6 +130,8 @@ CVE-2024-32947 (Cross-Site Request Forgery (CSRF) vulnerability in AlumniOnline
 	NOT-FOR-US: WordPress plugin
 CVE-2024-32879 (Python Social Auth is a social authentication/registration mechanism.  ...)
 	- social-auth-app-django <unfixed>
+	[bookworm] - social-auth-app-django <no-dsa> (Minor issue)
+	[bullseye] - social-auth-app-django <no-dsa> (Minor issue)
 	- python-social-auth <removed>
 	NOTE: https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3
 	NOTE: https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138 (5.4.1)
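Review bot: the `<no-dsa> (Minor issue)` tags for bookworm and bullseye carry no rationale beyond "Minor issue", while the existing NOTE lines only point at the upstream advisory and the 5.4.1 fix commit; a short reason in the parenthesis or an extra NOTE line (for example why the flaw has limited impact in the stable configurations) would let the next triager follow the decision without re-reading the advisory. Placing the two release lines directly under `- social-auth-app-django <unfixed>` rather than after `- python-social-auth <removed>` is the right ordering, since they annotate the former package.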
@@ -331,6 +333,8 @@ CVE-2024-3154
 	- cri-o <itp> (bug #979702)
 CVE-2024-30171
 	- bouncycastle <unfixed>
+	[bookworm] - bouncycastle <no-dsa> (Minor issue)
+	[bullseye] - bouncycastle <no-dsa> (Minor issue)
 	NOTE: https://github.com/bcgit/bc-java/issues/1528
 CVE-2024-4065 (A vulnerability was found in Tenda AC8 16.03.34.09. It has been rated  ...)
 	NOT-FOR-US: Tenda
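Review bot: the bouncycastle entry references only the upstream issue (bc-java#1528) and no fixing commit or fixed version, so the `<unfixed>` state in unstable and the two `<no-dsa> (Minor issue)` tags have nothing to point at when a point-release update is eventually prepared; consider adding a NOTE with the fixing commit or release once upstream publishes it, as was done for the social-auth-app-django entry above.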
@@ -7186,7 +7190,8 @@ CVE-2024-3209 (A vulnerability was found in UPX up to 4.2.2. It has been rated a
 CVE-2024-3207 (A vulnerability was found in ermig1979 Simd up to 6.0.134. It has been ...)
 	NOT-FOR-US: ermig1979 Simd
 CVE-2024-3205 (A vulnerability was found in yaml libyaml up to 0.2.5 and classified a ...)
-	- libyaml <unfixed>
+	NOTE: Non issue reported for libyaml:
+	NOTE: https://github.com/yaml/libyaml/issues/258#issuecomment-2058613931
 	NOTE: https://vuldb.com/?submit.304561
 	NOTE: https://github.com/yaml/libyaml/issues/289
 CVE-2024-3204 (A vulnerability has been found in c-blosc2 up to 2.13.2 and classified ...)
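Review bot: this hunk deletes `- libyaml <unfixed>` and leaves the CVE-2024-3205 entry with only NOTE lines and no package state, so the tracker no longer records a verdict for libyaml at all. If the issue is a non-issue, expressing that as an explicit state, for example `- libyaml <not-affected> (Non issue, see upstream comment)`, keeps the decision in the data rather than only in a free-text NOTE. Minor style point: "Non issue" in the added NOTE is usually written "non-issue".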
@@ -11964,6 +11969,8 @@ CVE-2024-2567 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classi
 	NOT-FOR-US: AndroidWeatherApp
 CVE-2024-29156 (In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, th ...)
 	- murano <removed> (bug #1068459)
+	[bookworm] - murano <ignored> (To be removed in point release)
+	[bullseye] - murano <ignored> (To be removed in point release)
 	NOTE: https://bugs.launchpad.net/murano/+bug/2048114
 	NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0093
 	NOTE: No fix in Murano, but a change in src:yaql renders this unexploitable:
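Review bot: the new `[bookworm]` and `[bullseye]` lines tag murano `<ignored> (To be removed in point release)`, but the existing NOTE directly below states that a change in src:yaql renders the issue unexploitable; these say different things to a reader of the tracker, since `<ignored>` signals an unaddressed issue while a yaql-side mitigation would justify `<not-affected>` if that yaql change is present in the stable suites. Stating which applies per suite, and referencing the removal bug (only #1068459 on the unstable line is given) in the ignored reason, would make the stable status unambiguous.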
@@ -49444,6 +49451,8 @@ CVE-2023-36382 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i
 	NOT-FOR-US: WordPress plugin
 CVE-2023-36308 (disintegration Imaging 1.6.2 allows attackers to cause a panic (becaus ...)
 	- golang-github-disintegration-imaging <unfixed> (bug #1069062)
+	[bookworm] - golang-github-disintegration-imaging <no-dsa> (Minor issue)
+	[bullseye] - golang-github-disintegration-imaging <no-dsa> (Minor issue)
 	NOTE: https://github.com/disintegration/imaging/issues/165
 CVE-2023-36307 (ZPLGFA 1.1.1 allows attackers to cause a panic (because of an integer  ...)
 	NOT-FOR-US: ZPLGFA
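Review bot: the `<no-dsa> (Minor issue)` tags for golang-github-disintegration-imaging cover a Go library that is statically linked into its reverse dependencies, so any later fix in a point release would also require rebuilding the binaries that embed it; recording in the reason or a NOTE whether any shipped binary in bookworm/bullseye actually links this library would support the "Minor issue" assessment and save the reverse-dependency check when the bug (#1069062) is revisited.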


=====================================
data/dsa-needed.txt
=====================================
@@ -12,11 +12,11 @@ To pick an issue, simply add your uid behind it.
 If needed, specify the release by adding a slash after the name of the source package.
 
 --
-atril
+atril (jmm)
 --
 chromium (dilinger)
 --
-dav1d
+dav1d (jmm)
 --
 dnsdist (jmm)
 --
@@ -50,7 +50,7 @@ opennds/stable
 --
 org-mode
 --
-pdns-recursor
+pdns-recursor (jmm)
 --
 php-cas/oldstable
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e0bccad6269ecf94ccfd67828a9b4372b2acdf4


