[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue Aug 20 14:49:11 BST 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0e273eca by Moritz Muehlenhoff at 2024-08-20T15:39:51+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -67,19 +67,21 @@ CVE-2024-5763 (The The Plus Addons for Elementor \u2013 Elementor Addons, Page T
 CVE-2024-5576 (The Tutor LMS Elementor Addons plugin for WordPress is vulnerable to S ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-4785 (BT: Missing Check in LL_CONNECTION_UPDATE_IND Packet Leads to Division ...)
-	TODO: check
+	NOT-FOR-US: Zephyr, different from src:zephyr
 CVE-2024-43688 (cron/entry.c in vixie cron before 9cc8ab1, as used in OpenBSD 7.4 and  ...)
 	- cron <not-affected> (Debian package of not does not contain the vulnerable code)
 CVE-2024-43202 (Exposure of Remote Code Execution in Apache Dolphinscheduler.  This is ...)
-	TODO: check
+	NOT-FOR-US: Apache Dolphinscheduler
 CVE-2024-38810 (Missing Authorization When Using @AuthorizeReturnObject in Spring Secu ...)
-	TODO: check
+	- libspring-security-2.0-java <removed>
 CVE-2024-38808 (In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported vers ...)
-	TODO: check
+	- libspring-java <unfixed> (unimportant)
+	NOTE: https://spring.io/security/cve-2024-38808
+	NOTE: Only supported for building applications shipped in Debian, see README.Debian.security
 CVE-2024-35539 (Typecho v1.3.0 was discovered to contain a race condition vulnerabilit ...)
-	TODO: check
+	NOT-FOR-US: Typecho
 CVE-2024-35538 (Typecho v1.3.0 was discovered to contain a Client IP Spoofing vulnerab ...)
-	TODO: check
+	NOT-FOR-US: Typecho
 CVE-2024-6508
 	NOT-FOR-US: OpenShift
 CVE-2024-7958
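Review bot: the Spring Security entry (`- libspring-security-2.0-java <removed>` under CVE-2024-38810) carries no NOTE pointing at the upstream advisory, while the Spring Framework entry a few lines below cites `NOTE: https://spring.io/security/cve-2024-38808`; adding the matching spring.io reference for CVE-2024-38810 would make the triage reproducible for whoever revisits the removed package. The CVE-2024-4785 resolution `NOT-FOR-US: Zephyr, different from src:zephyr` would also benefit from one more word on what src:zephyr actually is, since a reader seeing "Zephyr" in a Bluetooth LL_CONNECTION_UPDATE_IND advisory will otherwise re-check the Debian source package. Unrelated to this change but visible in the context: the cron line reads "Debian package of not does not contain the vulnerable code", which is a pre-existing typo worth fixing in a follow-up commit.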
@@ -110,7 +112,7 @@ CVE-2024-43401 (XWiki Platform is a generic wiki platform offering runtime servi
 CVE-2024-43400 (XWiki Platform is a generic wiki platform offering runtime services fo ...)
 	NOT-FOR-US: XWiki
 CVE-2024-43399 (Mobile Security Framework (MobSF) is a pen-testing, malware analysis a ...)
-	TODO: check
+	NOT-FOR-US: Mobile Security Framework (MobSF)
 CVE-2024-43380 (fugit contains time tools for flor and the floraison group. The fugit  ...)
 	TODO: check
 CVE-2024-43379 (TruffleHog is a secrets scanning tool. Prior to v3.81.9, this vulnerab ...)
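Review bot: CVE-2024-43380 (fugit, "time tools for flor") is left at `TODO: check` right next to the MobSF entry being resolved here; since fugit is distributed as a Ruby gem, it is worth checking for a ruby-fugit source package in the same pass rather than leaving it as the one open item in this block.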
@@ -182,7 +184,7 @@ CVE-2024-39306
 CVE-2024-37099 (Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP a ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-32928 (The libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of  ...)
-	TODO: check
+	NOT-FOR-US: Nest
 CVE-2024-32927 (In sendDeviceState_1_6 of RadioExt.cpp, there is a possible use after  ...)
 	NOT-FOR-US: Android
 CVE-2024-23729 (The ColorOS Internet Browser com.heytap.browser application 45.10.3.4. ...)
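Review bot: `NOT-FOR-US: Nest` for CVE-2024-32928 is fine, but the description leads with "The libcurl CURLOPT_SSL_VERIFYPEER option was disabled", so a one-line NOTE saying the defect is in the Nest firmware's use of libcurl (verification turned off by the caller) and not in src:curl itself would stop the next triager from re-opening it against the curl package.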
@@ -222,7 +224,7 @@ CVE-2024-44070 (An issue was discovered in FRRouting (FRR) through 10.1. bgp_att
 CVE-2024-44069 (Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= cal ...)
 	NOT-FOR-US: Pi-hole
 CVE-2024-44067 (The T-Head XuanTie C910 CPU in the TH1520 SoC and the T-Head XuanTie C ...)
-	TODO: check
+	NOT-FOR-US: XuanTie
 CVE-2024-43350 (Authorization Bypass Through User-Controlled Key vulnerability in Prop ...)
 	NOT-FOR-US: Propovoice Propovoice CRM
 CVE-2024-43322 (Authorization Bypass Through User-Controlled Key vulnerability in Dyla ...)
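Review bot: CVE-2024-44067 is a CPU-level issue ("The T-Head XuanTie C910 CPU in the TH1520 SoC ..."), so `NOT-FOR-US: XuanTie` is correct for the hardware itself; if an upstream Linux mitigation for the affected cores lands later, the entry should get a NOTE rather than staying as a bare NOT-FOR-US, because at that point src:linux would be the place it is tracked.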
@@ -936,7 +938,7 @@ CVE-2024-6460 (The Grow by Tradedoubler  WordPress plugin through 2.0.21 is vuln
 CVE-2024-6456 (AVEVA Historian Server has a vulnerability, if exploited, could allow  ...)
 	NOT-FOR-US: AVEVA Historian Server
 CVE-2024-43378 (calamares-nixos-extensions provides Calamares branding and modules for ...)
-	TODO: check
+	NOT-FOR-US: calamares-nixos-extensions
 CVE-2024-43370 (gettext.js is a GNU gettext port for node and the browser. There is a  ...)
 	- gettext.js 0.7.0-4 (bug #1078880)
 	[bookworm] - gettext.js <no-dsa> (Minor issue)
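Review bot: for CVE-2024-43378 the description starts with "calamares-nixos-extensions provides Calamares branding and modules for ...", and Debian ships Calamares itself; stating in the NOT-FOR-US reason that the flaw is in the NixOS-specific extension module and not in Calamares core would avoid a re-triage against src:calamares.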
@@ -945,7 +947,7 @@ CVE-2024-43370 (gettext.js is a GNU gettext port for node and the browser. There
 CVE-2024-43369 (Ibexa RichText Field Type is a Field Type for supporting rich formatte ...)
 	NOT-FOR-US: Ibexa RichText Field Type
 CVE-2024-43367 (Boa is an embeddable and experimental Javascript engine written in Rus ...)
-	TODO: check
+	NOT-FOR-US: Boa JavaScript engine
 CVE-2024-43366 (zkvyper is a Vyper compiler. Starting in version 1.3.12 and prior to v ...)
 	NOT-FOR-US: zkvyper Vyper compiler
 CVE-2024-42488 (Cilium is a networking, observability, and security solution with an e ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e273eca08e09de7d2fb351c3606d27da1dc50a4
