[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Aug 2 19:35:42 BST 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
07affbb7 by Moritz Muehlenhoff at 2024-08-02T20:35:05+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2115,12 +2115,15 @@ CVE-2024-24621 (Softaculous Webuzo contains an authentication bypass vulnerabili
 CVE-2024-35296 (Invalid Accept-Encoding header can cause Apache Traffic Server to fail ...)
 	- trafficserver <unfixed> (bug #1077141)
 	NOTE: https://www.openwall.com/lists/oss-security/2024/07/25/1
+	NOTE: https://github.com/apache/trafficserver/commit/4122abd9272d49cb4ed87d479e1febb0f1c7c1da
 CVE-2024-35161 (Apache Traffic Server forwards malformed HTTP chunked trailer section  ...)
 	- trafficserver <unfixed> (bug #1077141)
 	NOTE: https://www.openwall.com/lists/oss-security/2024/07/25/1
+	NOTE: https://github.com/apache/trafficserver/commit/3ba1e2685f89bcd631b66748f70f69a5eecf741b
 CVE-2023-38522 (Apache Traffic Server accepts characters that are not allowed for HTTP ...)
 	- trafficserver <unfixed> (bug #1077141)
 	NOTE: https://www.openwall.com/lists/oss-security/2024/07/25/1
+	NOTE: https://github.com/apache/trafficserver/commit/b104992e2315969688a697cbf7d5007a7dca396f
 CVE-2024-7101 (A vulnerability, which was classified as critical, has been found in F ...)
 	NOT-FOR-US: ForIP Tecnologia Administracao PABX
 CVE-2024-7007 (Positron Broadcast Signal Processor TRA7005 v1.20 is vulnerable to an  ...)
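Review bot: the three new upstream commit NOTE lines (one each under CVE-2024-35296, CVE-2024-35161 and CVE-2023-38522) carry no release tag, whereas other entries in this file annotate fix commits with the version they landed in (e.g. `(2.8.0)`, `(suricata-7.0.6)`); consider appending the first trafficserver release containing each commit so the three `<unfixed>` entries can later be closed against the right upstream version. Leaving all three without `[bookworm]`/`[bullseye]` markers is consistent with the trafficserver entry this commit adds to data/dsa-needed.txt.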
@@ -3267,6 +3270,8 @@ CVE-2024-40648 (matrix-rust-sdk is an implementation of a Matrix client-server l
 	NOT-FOR-US: matrix-rust-sdk
 CVE-2024-40647 (sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry's ...)
 	- sentry-python <unfixed>
+	[bookworm] - sentry-python <no-dsa> (Minor issue)
+	[bullseye] - sentry-python <no-dsa> (Minor issue)
 	NOTE: https://github.com/getsentry/sentry-python/security/advisories/GHSA-g92j-qhmh-64v2
 	NOTE: https://github.com/getsentry/sentry-python/pull/3251
 	NOTE: https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff (2.8.0)
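Review bot: the unstable line `- sentry-python <unfixed>` has no `(bug #...)` reference while the two new no-dsa markers defer the fix in stable; the other `<unfixed>` entries touched in this commit (trafficserver, nix, slic3r-prusa) all carry a bug number, so file or reference the Debian bug for the 2.8.0 fix so the unstable upload is tracked. The justification `(Minor issue)` could also say why, with the GHSA advisory linked in the following NOTE line as the natural source.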
@@ -5367,11 +5372,15 @@ CVE-2024-39317 (Wagtail is an open source content management system built on Dja
 	NOT-FOR-US: Wagtail
 CVE-2024-38536 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...)
 	- suricata 1:7.0.6-1
+	[bookworm] - suricata <no-dsa> (Minor issue)
+	[bullseye] - suricata <no-dsa> (Minor issue)
 	NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-j32j-4w6g-94hh
 	NOTE: https://redmine.openinfosecfoundation.org/issues/7029
 	NOTE: https://redmine.openinfosecfoundation.org/issues/7033
 CVE-2024-38535 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...)
 	- suricata 1:7.0.6-1
+	[bookworm] - suricata <no-dsa> (Minor issue)
+	[bullseye] - suricata <no-dsa> (Minor issue)
 	NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-cg8j-7mwm-v563
 	NOTE: https://github.com/OISF/suricata/commit/62d5cac1b8483d5f9d2b79833a4e59f5d80129b7 (suricata-6.0.20)
 	NOTE: https://github.com/OISF/suricata/commit/c82fa5ca0d1ce0bd8f936e0b860707a6571373b2 (suricata-7.0.6)
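Review bot: for CVE-2024-38536 the new `[bookworm]`/`[bullseye]` no-dsa lines sit in an entry that references only the GHSA advisory and two redmine issues, with no fix commit NOTE, whereas CVE-2024-38535 directly below records both a suricata-6.0.20 and a suricata-7.0.6 commit; add the corresponding commit(s) for CVE-2024-38536 so a later point release or backport can locate the fix without re-deriving it from the redmine tickets.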
@@ -5379,12 +5388,16 @@ CVE-2024-38535 (Suricata is a network Intrusion Detection System, Intrusion Prev
 	NOTE: https://redmine.openinfosecfoundation.org/issues/7112
 CVE-2024-38534 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...)
 	- suricata 1:7.0.6-1
+	[bookworm] - suricata <no-dsa> (Minor issue)
+	[bullseye] - suricata <no-dsa> (Minor issue)
 	NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-59qg-h357-69fq
 	NOTE: https://github.com/OISF/suricata/commit/a753cdbe84caee3b66d0bf49b2712d29a50d67ae (suricata-7.0.6)
 	NOTE: https://redmine.openinfosecfoundation.org/issues/6987
 	NOTE: https://redmine.openinfosecfoundation.org/issues/6988
 CVE-2024-37151 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...)
 	- suricata 1:7.0.6-1
+	[bookworm] - suricata <no-dsa> (Minor issue)
+	[bullseye] - suricata <no-dsa> (Minor issue)
 	NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-qrp7-g66m-px24
 	NOTE: https://github.com/OISF/suricata/commit/9d5c4273cb7e5ca65f195f7361f0d848c85180e0 (suricata-6.0.20)
 	NOTE: https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b (suricata-7.0.6)
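Review bot: CVE-2024-38534 cites only a suricata-7.0.6 commit, while CVE-2024-37151 directly below cites both a suricata-6.0.20 and a suricata-7.0.6 commit; before settling on `[bullseye] - suricata <no-dsa>` it is worth checking whether a 6.0.x commit exists for CVE-2024-38534 as well and recording it, so the entry states which upstream branches actually carry the fix.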
@@ -8226,6 +8239,7 @@ CVE-2024-27629 (An issue in dc2niix before v.1.0.20240202 allows a local attacke
 	NOTE: https://github.com/rordenlab/dcm2niix/pull/789
 CVE-2024-27628 (Buffer Overflow vulnerability in DCMTK v.3.6.8 allows an attacker to e ...)
 	- dcmtk 3.6.8-6 (bug #1074483)
+	[bookworm] - dcmtk <no-dsa> (Minor issue)
 	[bullseye] - dcmtk <not-affected> (Vulnerable code introduced later)
 	[buster] - dcmtk <not-affected> (Vulnerable code introduced later)
 	NOTE: https://support.dcmtk.org/redmine/issues/1108
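Review bot: the new `[bookworm] - dcmtk <no-dsa> (Minor issue)` line sits directly above `[bullseye]`/`[buster]` markers that are `<not-affected> (Vulnerable code introduced later)`; that justification implies the vulnerable code first appeared after bullseye's version, so the bookworm line is asserting that bookworm's dcmtk does contain it. Consider recording the introducing upstream commit or version in a NOTE line so the affected/not-affected boundary between bullseye and bookworm is verifiable rather than implicit.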
@@ -21458,6 +21472,8 @@ CVE-2024-5095 (A vulnerability classified as problematic has been found in Victo
 	NOT-FOR-US: Victor Zsviot Camera
 CVE-2024-36050 (Nix through 2.22.1 mishandles certain usage of hash caches, which make ...)
 	- nix <unfixed> (bug #1072706)
+	[bookworm] - nix <no-dsa> (Minor issue)
+	[bullseye] - nix <no-dsa> (Minor issue)
 	NOTE: https://github.com/NixOS/nix/issues/969
 	NOTE: https://github.com/NixOS/ofborg/issues/68#issuecomment-2082789441
 	TODO: check details and verify if same code (and only then) is present in guix
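Review bot: the entry stays `- nix <unfixed>` with only issue links as NOTEs and no upstream fix reference, and the `TODO:` about guix remains open; the two new no-dsa markers settle only the nix side. Either resolve the guix TODO in the same triage pass or note that it is deliberately pending, and add the upstream fix reference once identified so the `(Minor issue)` rationale has something concrete behind it.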
@@ -26306,11 +26322,15 @@ CVE-2024-34510 (Gradio before 4.20 allows credential leakage on Windows.)
 CVE-2024-34509 (dcmdata in DCMTK before 3.6.9 has a segmentation fault via an invalid  ...)
 	{DLA-3847-1}
 	- dcmtk 3.6.7-14
+	[bookworm] - dcmtk <no-dsa> (Minor issue)
+	[bullseye] - dcmtk <no-dsa> (Minor issue)
 	NOTE: https://support.dcmtk.org/redmine/issues/1114
 	NOTE: https://github.com/DCMTK/dcmtk/commit/c78e434c0c5f9d932874f0b17a8b4ce305ca01f5
 CVE-2024-34508 (dcmnet in DCMTK before 3.6.9 has a segmentation fault via an invalid D ...)
 	{DLA-3847-1}
 	- dcmtk 3.6.7-14
+	[bookworm] - dcmtk <no-dsa> (Minor issue)
+	[bullseye] - dcmtk <no-dsa> (Minor issue)
 	NOTE: https://support.dcmtk.org/redmine/issues/1114
 	NOTE: https://github.com/DCMTK/dcmtk/commit/c78e434c0c5f9d932874f0b17a8b4ce305ca01f5
 CVE-2024-34507 (An issue was discovered in includes/CommentFormatter/CommentParser.php ...)
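Review bot: both CVE-2024-34509 and CVE-2024-34508 already carry `{DLA-3847-1}` and now also get `[bullseye] - dcmtk <no-dsa> (Minor issue)`; if that DLA was the bullseye fix the new bullseye marker contradicts it, and if it covered another suite the two markers coexist fine but a reader cannot tell which. Confirm which suite DLA-3847-1 addressed before keeping the bullseye line, and consider a justification beyond `(Minor issue)` given the upstream description is a segmentation fault on invalid input.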
@@ -285194,17 +285214,25 @@ CVE-2020-28599 (A stack-based buffer overflow vulnerability exists in the import
 	NOTE: https://github.com/openscad/openscad/commit/07ea60f82e94a155f4926f17fad8e8366bc74874
 CVE-2020-28598 (An out-of-bounds write vulnerability exists in the Admesh stl_fix_norm ...)
 	- slic3r-prusa <unfixed> (bug #1074415)
+	[bookworm] - slic3r-prusa <no-dsa> (Minor issue)
+	[bullseye] - slic3r-prusa <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1222
 CVE-2020-28597 (A predictable seed vulnerability exists in the password reset function ...)
 	NOT-FOR-US: Epignosis EfrontPro
 CVE-2020-28596 (A stack-based buffer overflow vulnerability exists in the Objparser::o ...)
 	- slic3r-prusa <unfixed> (bug #1074415)
+	[bookworm] - slic3r-prusa <no-dsa> (Minor issue)
+	[bullseye] - slic3r-prusa <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1220
 CVE-2020-28595 (An out-of-bounds write vulnerability exists in the Obj.cpp load_obj()  ...)
 	- slic3r-prusa <unfixed> (bug #1074415)
+	[bookworm] - slic3r-prusa <no-dsa> (Minor issue)
+	[bullseye] - slic3r-prusa <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1219
 CVE-2020-28594 (A use-after-free vulnerability exists in the _3MF_Importer::_handle_en ...)
 	- slic3r-prusa <unfixed> (bug #1074415)
+	[bookworm] - slic3r-prusa <no-dsa> (Minor issue)
+	[bullseye] - slic3r-prusa <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1218
 CVE-2020-28593 (A unauthenticated backdoor exists in the configuration server function ...)
 	NOT-FOR-US: Cosori Smart 5.8-Quart Air Fryer CS158-AF
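Review bot: four Talos-reported memory-safety issues from 2020 (out-of-bounds writes in Admesh stl_fix_normal and Obj.cpp load_obj, a stack-based buffer overflow in Objparser, a use-after-free in _3MF_Importer) are all marked `<no-dsa> (Minor issue)` for bookworm and bullseye against an unstable entry that is still `<unfixed>` (bug #1074415); `(Minor issue)` alone does not convey why crafted model-file parsing in slic3r-prusa is considered low impact. State the reason in the justification (for example, if that is the assessment, that the files are opened locally by the user), and since unstable remains unfixed, check whether bug #1074415 has an upstream fix reference worth adding as NOTE lines.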


=====================================
data/dsa-needed.txt
=====================================
@@ -93,5 +93,7 @@ squid
 --
 tinyproxy/oldstable
 --
+trafficserver
+--
 zabbix
 --
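Review bot: `trafficserver` is added without a suite suffix, unlike `tinyproxy/oldstable` two entries above; that matches the three trafficserver CVEs in data/CVE/list in this commit, which carry no `[bookworm]`/`[bullseye]` markers and therefore imply a DSA for both suites. If only one suite is intended, use the suffix form; if both, consider referencing bug #1077141 with the entry so the dsa-needed record points at the tracking bug.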



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07affbb7a0c6a1a65980653dd2cdf4e549a630eb
