[Git][security-tracker-team/security-tracker][master] 2 commits: Merge changes for updates with CVEs via bookworm 12.7

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sat Aug 31 09:33:34 BST 2024



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
da335db3 by Salvatore Bonaccorso at 2024-08-31T10:20:09+02:00
Merge changes for updates with CVEs via bookworm 12.7

- - - - -
c3bfcdf3 by Salvatore Bonaccorso at 2024-08-31T08:32:59+00:00
Merge branch 'bookworm-12.7' into 'master'

Merge changes accepted for bookworm 12.7 release

See merge request security-tracker-team/security-tracker!187
- - - - -


2 changed files:

- data/CVE/list
- data/next-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3575,7 +3575,7 @@ CVE-2024-43378 (calamares-nixos-extensions provides Calamares branding and modul
 	NOT-FOR-US: calamares-nixos-extensions
 CVE-2024-43370 (gettext.js is a GNU gettext port for node and the browser. There is a  ...)
 	- gettext.js 0.7.0-4 (bug #1078880)
-	[bookworm] - gettext.js <no-dsa> (Minor issue)
+	[bookworm] - gettext.js 0.7.0-2+deb11u1
 	[bullseye] - gettext.js <no-dsa> (Minor issue; will be fixed in point release)
 	NOTE: https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg
 	NOTE: Fixed by: https://github.com/guillaumepotier/gettext.js/commit/6e52e0f8fa7d7c8b358e78b613d47ea332b8a56c (2.0.3)
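Review bot: the new `[bookworm]` fixed version `gettext.js 0.7.0-2+deb11u1` carries a `deb11u1` revision suffix on a bookworm (Debian 12) line; every other bookworm version added in this merge uses a `deb12u` suffix, and the `[bullseye]` line directly below is still `<no-dsa>`, so this reads as a typo rather than a bullseye upload. Check the version actually accepted for 12.7 (a `deb12u1` revision of 0.7.0-2 would fit the pattern used everywhere else) and correct the line before it lands, otherwise the tracker will compare bookworm against a version string that never existed in that suite.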
@@ -4104,7 +4104,7 @@ CVE-2024-26022 (Improper access control in some Intel(R) UEFI Integrator Tools o
 	NOT-FOR-US: Intel
 CVE-2024-25939 (Mirrored regions with different values in 3rd Generation Intel(R) Xeon ...)
 	- intel-microcode 3.20240813.1 (bug #1078742)
-	[bookworm] - intel-microcode <no-dsa> (Minor issue)
+	[bookworm] - intel-microcode 3.20240813.1~deb12u1
 	[bullseye] - intel-microcode <no-dsa> (Will be fixed in the upcoming point release)
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01118.html
 	NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813
@@ -4122,7 +4122,7 @@ CVE-2024-24983 (Protection mechanism failure in firmware for some Intel(R) Ether
 	NOT-FOR-US: Intel
 CVE-2024-24980 (Protection mechanism failure in some 3rd, 4th, and 5th Generation Inte ...)
 	- intel-microcode 3.20240813.1 (bug #1078742)
-	[bookworm] - intel-microcode <no-dsa> (Minor issue)
+	[bookworm] - intel-microcode 3.20240813.1~deb12u1
 	[bullseye] - intel-microcode <no-dsa> (Will be fixed in the upcoming point release)
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01100.html
 	NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813
@@ -4132,7 +4132,7 @@ CVE-2024-24973 (Improper input validation for some Intel(R) Distribution for GDB
 	NOT-FOR-US: Intel
 CVE-2024-24853 (Incorrect behavior order in transition between executive monitor and S ...)
 	- intel-microcode 3.20240813.1 (bug #1078742)
-	[bookworm] - intel-microcode <no-dsa> (Minor issue)
+	[bookworm] - intel-microcode 3.20240813.1~deb12u1
 	[bullseye] - intel-microcode <no-dsa> (Will be fixed in the upcoming point release)
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01083.html
 	NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813
@@ -4212,7 +4212,7 @@ CVE-2023-43489 (Improper access control for some Intel(R) CIP software before ve
 	NOT-FOR-US: Intel
 CVE-2023-42667 (Improper isolation in the Intel(R) Core(TM) Ultra Processor stream cac ...)
 	- intel-microcode 3.20240813.1 (bug #1078742)
-	[bookworm] - intel-microcode <no-dsa> (Minor issue)
+	[bookworm] - intel-microcode 3.20240813.1~deb12u1
 	[bullseye] - intel-microcode <no-dsa> (Will be fixed in the upcoming point release)
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01038.html
 	NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813
@@ -4591,7 +4591,7 @@ CVE-2023-31366 (Improper input validation in AMD \u03bcProf could allow an attac
 	NOT-FOR-US: AMD
 CVE-2023-31356 (Incomplete system memory cleanup in SEV firmware could allow a privile ...)
 	- amd64-microcode 3.20240820.1
-	[bookworm] - amd64-microcode <no-dsa> (Minor issue)
+	[bookworm] - amd64-microcode 3.20240820.1~deb12u1
 	[bullseye] - amd64-microcode <no-dsa> (Minor issue)
 	NOTE: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html
 	NOTE: https://lore.kernel.org/all/20240820182655.42311-1-john.allen@amd.com/
@@ -5149,7 +5149,7 @@ CVE-2023-38018 (IBM Aspera Shares 1.10.0 PL2 does not invalidate session after a
 	NOT-FOR-US: IBM
 CVE-2023-31315 (Improper validation in a model specific register (MSR) could allow a m ...)
 	- amd64-microcode 3.20240710.1
-	[bookworm] - amd64-microcode <no-dsa> (Will be updated in the point release)
+	[bookworm] - amd64-microcode 3.20240710.2~deb12u1
 	[bullseye] - amd64-microcode <no-dsa> (Will be updated in the point release)
 	NOTE: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html
 CVE-2024-41890 (Missing Release of Resource after Effective Lifetime vulnerability in  ...)
@@ -6094,13 +6094,13 @@ CVE-2024-7055 (A vulnerability was found in FFmpeg up to 7.0.1. It has been clas
 	NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=5372bfe01e4a04357ab4465c1426cf8c6412dfd5 (n5.1.6)
 CVE-2024-7009 (Unsanitized user-input in Calibre <= 7.15.0 allow users with permissio ...)
 	- calibre 7.16.0+ds-1
-	[bookworm] - calibre <no-dsa> (Minor issue)
+	[bookworm] - calibre 6.13.0+repack-2+deb12u4
 	[bullseye] - calibre <no-dsa> (Minor issue)
 	NOTE: https://starlabs.sg/advisories/24/24-7009/
 	NOTE: https://github.com/kovidgoyal/calibre/commit/d56574285e8859d3d715eb7829784ee74337b7d7 (v7.16.0)
 CVE-2024-7008 (Unsanitized user-input in Calibre <= 7.15.0 allow attackers to perform ...)
 	- calibre 7.16.0+ds-1
-	[bookworm] - calibre <no-dsa> (Minor issue)
+	[bookworm] - calibre 6.13.0+repack-2+deb12u4
 	[bullseye] - calibre <no-dsa> (Minor issue)
 	NOTE: https://starlabs.sg/advisories/24/24-7008/
 	NOTE: https://github.com/kovidgoyal/calibre/commit/863abac24e7bc3e5ca0b3307362ff1953ba53fe0 (v7.16.0)
@@ -6108,7 +6108,7 @@ CVE-2024-6886 (Improper Neutralization of Input During Web Page Generation (XSS
 	- gitea <removed>
 CVE-2024-6782 (Improper access control in Calibre 6.9.0 ~ 7.14.0 allow unauthenticate ...)
 	- calibre 7.16.0+ds-1
-	[bookworm] - calibre <no-dsa> (Minor issue)
+	[bookworm] - calibre 6.13.0+repack-2+deb12u4
 	[bullseye] - calibre <not-affected> (Vulnerable code not present)
 	NOTE: https://starlabs.sg/advisories/24/24-6782/
 	NOTE: https://bugs.launchpad.net/calibre/+bug/2075128
@@ -7152,7 +7152,7 @@ CVE-2024-37281 (An issue was discovered in Kibana where a user with Viewer role
 	- kibana <itp> (bug #700337)
 CVE-2024-7264 (libcurl's ASN1 parser code has the `GTime2str()` function, used for pa ...)
 	- curl 8.9.1-1 (bug #1077656)
-	[bookworm] - curl <no-dsa> (Minor issue)
+	[bookworm] - curl 7.88.1-10+deb12u7
 	[bullseye] - curl <no-dsa> (Minor issue)
 	NOTE: https://curl.se/docs/CVE-2024-7264.html
 	NOTE: Introduced by: https://github.com/curl/curl/commit/3a24cb7bc456366cbc3a03f7ab6d2576105a1f2d (curl-7_32_0)
@@ -12183,10 +12183,10 @@ CVE-2024-6666 (The WP ERP plugin for WordPress is vulnerable to SQL Injection vi
 	NOT-FOR-US: WordPress plugin
 CVE-2024-6655 (A flaw was found in the GTK library. Under certain conditions, it is p ...)
 	- gtk+3.0 3.24.43-1
-	[bookworm] - gtk+3.0 <no-dsa> (Minor issue)
+	[bookworm] - gtk+3.0 3.24.38-2~deb12u2
 	[bullseye] - gtk+3.0 <no-dsa> (Minor issue)
 	- gtk+2.0 2.24.33-5
-	[bookworm] - gtk+2.0 <no-dsa> (Minor issue)
+	[bookworm] - gtk+2.0 2.24.33-2+deb12u1
 	[bullseye] - gtk+2.0 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
 CVE-2024-6664
@@ -14069,7 +14069,7 @@ CVE-2024-6426 (Information exposure vulnerability in MESbook 20221021.03 version
 	NOT-FOR-US: MESbook
 CVE-2024-6126 (A flaw was found in the cockpit package. This flaw allows an authentic ...)
 	- cockpit 320-1
-	[bookworm] - cockpit <no-dsa> (Minor issue)
+	[bookworm] - cockpit 287.1-0+deb12u3
 	[bullseye] - cockpit <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/cockpit-project/cockpit/commit/08965365ac311f906a520cbf65427742d5f84ba4 (320)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2292897
@@ -14287,7 +14287,7 @@ CVE-2024-4836 (Web services managed by Edito CMS (Content Management System) in
 	NOT-FOR-US: Edito CMS
 CVE-2024-4467 (A flaw was found in the QEMU disk image utility (qemu-img) 'info' comm ...)
 	- qemu 1:9.0.1+ds-1 (bug #1075824)
-	[bookworm] - qemu <no-dsa> (Minor issue)
+	[bookworm] - qemu 1:7.2+dfsg-7+deb12u7
 	[bullseye] - qemu <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2278875
 	NOTE: https://gitlab.com/qemu-project/qemu/-/commit/bd385a5298d7062668e804d73944d52aec9549f1
@@ -14759,7 +14759,7 @@ CVE-2024-40898 (SSRF in Apache HTTP Server on Windows with mod_rewrite in server
 	NOTE: Fixed by https://github.com/apache/httpd/commit/9967bf49599f9be6eaaf9c5de5c84f15bb07df9f
 CVE-2024-40725 (A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4 ...)
 	- apache2 2.4.62-1
-	[bookworm] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+	[bookworm] - apache2 2.4.62-1~deb12u1
 	[bullseye] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-40725
 	NOTE: Introduced due to fix for CVE-2024-39884 (this CVE was fixed in 2.4.60)
@@ -15059,7 +15059,7 @@ CVE-2024-31912 (IBM MQ 9.3 LTS and 9.3 CD could allow an authenticated user to e
 	NOT-FOR-US: IBM
 CVE-2024-27629 (An issue in dc2niix before v.1.0.20240202 allows a local attacker to e ...)
 	- dcm2niix 1.0.20240202-1 (bug #1074534)
-	[bookworm] - dcm2niix <no-dsa> (Minor issue; will be fixed via point release)
+	[bookworm] - dcm2niix 1.0.20220720-1+deb12u1
 	[bullseye] - dcm2niix <ignored> (Minor issue; intrusive to backport)
 	NOTE: https://github.com/rordenlab/dcm2niix/pull/789
 CVE-2024-27628 (Buffer Overflow vulnerability in DCMTK v.3.6.8 allows an attacker to e ...)
@@ -20281,7 +20281,7 @@ CVE-2024-5687 (If a specific sequence of actions is performed when opening a new
 CVE-2024-35235 (OpenPrinting CUPS is an open source printing system for Linux and othe ...)
 	{DLA-3826-1}
 	- cups 2.4.7-2 (bug #1073002)
-	[bookworm] - cups <no-dsa> (Minor issue)
+	[bookworm] - cups 2.4.2-3+deb12u6
 	[bullseye] - cups <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2024/06/11/1
 	NOTE: Fixed by: https://github.com/OpenPrinting/cups/commit/a436956f374b0fd7f5da9df482e4f5840fa1c0d2
@@ -23835,7 +23835,7 @@ CVE-2023-35949 (Multiple stack-based buffer overflow vulnerabilities exist in th
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2024-4741 [Use After Free with SSL_free_buffers]
 	- openssl 3.2.2-1 (bug #1072113)
-	[bookworm] - openssl <postponed> (Minor issue, fix along with next update round)
+	[bookworm] - openssl 3.0.14-1~deb12u1
 	[bullseye] - openssl <postponed> (Minor issue, fix along with next update round)
 	[buster] - openssl <postponed> (Minor issue, fix along with next update round)
 	NOTE: https://www.openssl.org/news/secadv/20240528.txt
@@ -24995,7 +24995,7 @@ CVE-2024-2036 (The ApplyOnline \u2013 Application Form Builder and Manager plugi
 	NOT-FOR-US: WordPress plugin
 CVE-2024-29421 (xmedcon 0.23.0 and fixed in v.0.24.0 is vulnerable to Buffer Overflow  ...)
 	- xmedcon 0.24.0-gtk3+dfsg-1 (bug #1077369)
-	[bookworm] - xmedcon <no-dsa> (Minor issue)
+	[bookworm] - xmedcon 0.23.0-gtk3+dfsg-1+deb12u1
 	[bullseye] - xmedcon <no-dsa> (Minor issue)
 	NOTE: https://github.com/SpikeReply/advisories/blob/530dbd7ce68600a22c47dd1bcbe360220feda1d9/cve/xmedcon/cve-2024-29421.md
 CVE-2024-29392 (Silverpeas Core 6.3 is vulnerable to Cross Site Scripting (XSS) via Cl ...)
@@ -31085,7 +31085,7 @@ CVE-2024-34353 (The matrix-sdk-crypto crate, part of the Matrix Rust SDK project
 	NOT-FOR-US: matrix-sdk-crypto Rust crate
 CVE-2024-34340 (Cacti provides an operational monitoring and fault management framewor ...)
 	- cacti 1.2.27+ds1-1
-	[bookworm] - cacti <no-dsa> (Will be fixed via point release)
+	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-37x7-mfjv-mm7m
 	NOTE: Included in commit: https://github.com/Cacti/cacti/commit/6183961089980322dfd9fd8011ade0f41703eaea
 CVE-2024-34231 (A cross-site scripting (XSS) vulnerability in Sourcecodester Laborator ...)
@@ -31124,32 +31124,32 @@ CVE-2024-31771 (Insecure Permission vulnerability in TotalAV v.6.0.740 allows a
 	NOT-FOR-US: TotalAV
 CVE-2024-31460 (Cacti provides an operational monitoring and fault management framewor ...)
 	- cacti 1.2.27+ds1-1
-	[bookworm] - cacti <no-dsa> (Will be fixed via point release)
+	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r
 	NOTE: https://github.com/Cacti/cacti/commit/8b516cb9a73322ad532231e74000c2ee097b495e
 CVE-2024-31459 (Cacti provides an operational monitoring and fault management framewor ...)
 	- cacti 1.2.27+ds1-1
-	[bookworm] - cacti <no-dsa> (Will be fixed via point release)
+	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv
 	NOTE: https://github.com/Cacti/cacti/commit/96d9a4c60693d87ba0e347f1c7d33047b4effc61
 CVE-2024-31458 (Cacti provides an operational monitoring and fault management framewor ...)
 	- cacti 1.2.27+ds1-1
-	[bookworm] - cacti <no-dsa> (Will be fixed via point release)
+	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-jrxg-8wh8-943x
 	NOTE: https://github.com/Cacti/cacti/commit/9e87882007b6091171d1a4786f0de4ae20efef7b
 CVE-2024-31445 (Cacti provides an operational monitoring and fault management framewor ...)
 	- cacti 1.2.27+ds1-1
-	[bookworm] - cacti <no-dsa> (Will be fixed via point release)
+	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-vjph-r677-6pcc
 	NOTE: https://github.com/Cacti/cacti/commit/fd93c6e47651958b77c3bbe6a01fff695f81e886
 CVE-2024-31444 (Cacti provides an operational monitoring and fault management framewor ...)
 	- cacti 1.2.27+ds1-1
-	[bookworm] - cacti <no-dsa> (Will be fixed via point release)
+	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-p4ch-7hjw-6m87
 	NOTE: https://github.com/Cacti/cacti/commit/86d614c38c54e0ce58774d86617ecfbb853fb57b
 CVE-2024-31443 (Cacti provides an operational monitoring and fault management framewor ...)
 	- cacti 1.2.27+ds1-1
-	[bookworm] - cacti <no-dsa> (Will be fixed via point release)
+	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-rqc8-78cm-85j3
 	NOTE: https://github.com/Cacti/cacti/commit/f946fa537d19678f938ddbd784a10e3290d275cf
 CVE-2024-31377 (Unrestricted Upload of File with Dangerous Type vulnerability in J.N.  ...)
@@ -31176,7 +31176,7 @@ CVE-2024-29895 (Cacti provides an operational monitoring and fault management fr
 	NOTE: But fix reverted again: https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc
 CVE-2024-29894 (Cacti provides an operational monitoring and fault management framewor ...)
 	- cacti 1.2.27+ds1-1
-	[bookworm] - cacti <no-dsa> (Will be fixed via point release)
+	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-grj5-8fcj-34gh
 	NOTE: Fixed by: https://github.com/Cacti/cacti/commit/9c75f8da5b609d17c8c031fd46362f730358b792 (1.2.27)
 	NOTE: Follow-up fix: https://github.com/Cacti/cacti/commit/6a82fa1abe81d96238a87727087572ff749d0a8d (1.2.x)
@@ -31213,7 +31213,7 @@ CVE-2024-25662 (Oxygen XML Web Author v26.0.0 and older and Oxygen Content Fusio
 	NOT-FOR-US: Oxygen XML Web Author and Oxygen Content Fusion
 CVE-2024-25641 (Cacti provides an operational monitoring and fault management framewor ...)
 	- cacti 1.2.27+ds1-1
-	[bookworm] - cacti <no-dsa> (Will be fixed via point release)
+	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
 	NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
 	NOTE: https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210
 	NOTE: https://github.com/Cacti/cacti/commit/624673fd417a920adbbfb4b6d6eb7ddb35a9f891 (release/1.2.27)
@@ -31646,7 +31646,7 @@ CVE-2024-4605 (The Breakdance plugin for WordPress is vulnerable to Remote Code
 	NOT-FOR-US: WordPress plugin
 CVE-2024-4603 (Issue summary: Checking excessively long DSA keys or parameters may be ...)
 	- openssl 3.2.2-1 (bug #1071972)
-	[bookworm] - openssl <postponed> (Minor issue, fix along with next update round)
+	[bookworm] - openssl 3.0.14-1~deb12u1
 	[bullseye] - openssl <not-affected> (Vulnerable code not present)
 	[buster] - openssl <not-affected> (Vulnerable code not present)
 	NOTE: https://www.openssl.org/news/secadv/20240516.txt
@@ -36673,7 +36673,7 @@ CVE-2024-33350 (Directory Traversal vulnerability in TaoCMS v.3.0.2 allows a rem
 	NOT-FOR-US: TaoCMS
 CVE-2024-31837 (DMitry (Deepmagic Information Gathering Tool) 1.3a has a format-string ...)
 	- dmitry 1.3a-5 (bug #1070370)
-	[bookworm] - dmitry <no-dsa> (Minor issue)
+	[bookworm] - dmitry 1.3a-1.2+deb12u1
 	[bullseye] - dmitry <no-dsa> (Minor issue)
 	[buster] - dmitry <postponed> (Minor issue, crash in CLI tool, requires malicious parameter)
 	NOTE: https://github.com/jaygreig86/dmitry/pull/12
@@ -40721,7 +40721,7 @@ CVE-2023-3597 (A flaw was found in Keycloak, where it does not correctly validat
 CVE-2024-31497 (In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation  ...)
 	{DLA-3839-1}
 	- putty 0.81-1
-	[bookworm] - putty <no-dsa> (Minor issue)
+	[bookworm] - putty 0.78-2+deb12u2
 	[bullseye] - putty <no-dsa> (Minor issue)
 	- filezilla 3.67.0-1
 	[bookworm] - filezilla <no-dsa> (Minor issue)
@@ -43454,7 +43454,7 @@ CVE-2024-26811 (In the Linux kernel, the following vulnerability has been resolv
 CVE-2024-2511 (Issue summary: Some non-default TLS server configurations can cause un ...)
 	[experimental] - openssl 3.3.0-1
 	- openssl 3.2.2-1 (bug #1068658)
-	[bookworm] - openssl <postponed> (Minor issue, fix along with next update round)
+	[bookworm] - openssl 3.0.14-1~deb12u1
 	[bullseye] - openssl <postponed> (Minor issue, fix along with next update round)
 	[buster] - openssl <postponed> (Minor issue, fix along with next update round)
 	NOTE: https://www.openssl.org/news/secadv/20240408.txt
@@ -48610,7 +48610,7 @@ CVE-2024-2578 (Improper Neutralization of Input During Web Page Generation ('Cro
 CVE-2024-2494 (A flaw was found in the RPC library APIs of libvirt. The RPC server de ...)
 	{DLA-3778-1}
 	- libvirt 10.2.0-1 (bug #1067461)
-	[bookworm] - libvirt <no-dsa> (Minor issue)
+	[bookworm] - libvirt 9.0.0-4+deb12u1
 	[bullseye] - libvirt <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2270115
 	NOTE: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/BKRQXPLPC6B7FLHJXSBQYW7HNDEBW6RJ/
@@ -51866,13 +51866,13 @@ CVE-2024-1487 (The Photos and Files Contest Gallery WordPress plugin before 21.3
 CVE-2024-2496 (A NULL pointer dereference flaw was found in the udevConnectListAllInt ...)
 	{DLA-3778-1}
 	- libvirt 9.8.0-1
-	[bookworm] - libvirt <no-dsa> (Minor issue)
+	[bookworm] - libvirt 9.0.0-4+deb12u1
 	[bullseye] - libvirt <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/2ca94317ac642a70921947150ced8acc674ccdc8 (v9.8.0-rc1)
 CVE-2024-1441 (An off-by-one error flaw was found in the udevListInterfacesByStatus() ...)
 	{DLA-3778-1}
 	- libvirt 10.1.0-1 (bug #1066058)
-	[bookworm] - libvirt <no-dsa> (Minor issue)
+	[bookworm] - libvirt 9.0.0-4+deb12u1
 	[bullseye] - libvirt <no-dsa> (Minor issue)
 	NOTE: Introduced by: https://gitlab.com/libvirt/libvirt/-/commit/5a33366f5c0b18c93d161bd144f9f079de4ac8ca (v1.0.0-rc1)
 	NOTE: Introduced by: https://gitlab.com/libvirt/libvirt/-/commit/d6064e2759a24e0802f363e3a810dc5a7d7ebb15 (v5.10.0-rc1)
@@ -62477,14 +62477,14 @@ CVE-2023-52355 (An out-of-memory flaw was found in libtiff that could be trigger
 CVE-2023-40551 (A flaw was found in the MZ binary format in Shim. An out-of-bounds rea ...)
 	{DLA-3813-1}
 	- shim 15.8-1 (bug #1061519)
-	[bookworm] - shim <no-dsa> (Minor issue, fix with a point release)
+	[bookworm] - shim 15.8-1~deb12u1
 	[bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2259918
 	NOTE: https://github.com/rhboot/shim/commit/5a5147d1e19cf90ec280990c84061ac3f67ea1ab (15.8)
 CVE-2023-40550 (An out-of-bounds read flaw was found in Shim when it tried to validate ...)
 	{DLA-3813-1}
 	- shim 15.8-1 (bug #1061519)
-	[bookworm] - shim <no-dsa> (Minor issue, fix with a point release)
+	[bookworm] - shim 15.8-1~deb12u1
 	[bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2259915
 	NOTE: https://github.com/rhboot/shim/commit/93ce2552f3e9f71f888a672913bfc0eef255c56d (15.8)
@@ -62492,28 +62492,28 @@ CVE-2023-40550 (An out-of-bounds read flaw was found in Shim when it tried to va
 CVE-2023-40549 (An out-of-bounds read flaw was found in Shim due to the lack of proper ...)
 	{DLA-3813-1}
 	- shim 15.8-1 (bug #1061519)
-	[bookworm] - shim <no-dsa> (Minor issue, fix with a point release)
+	[bookworm] - shim 15.8-1~deb12u1
 	[bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241797
 	NOTE: https://github.com/rhboot/shim/commit/afdc5039de0a4a3a40162a32daa070f94a883f09 (15.8)
 CVE-2023-40548 (A buffer overflow was found in Shim in the 32-bit system. The overflow ...)
 	{DLA-3813-1}
 	- shim 15.8-1 (bug #1061519)
-	[bookworm] - shim <no-dsa> (Minor issue, fix with a point release)
+	[bookworm] - shim 15.8-1~deb12u1
 	[bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241782
 	NOTE: https://github.com/rhboot/shim/commit/96dccc255b16e9465dbee50b3cef6b3db74d11c8 (15.8)
 CVE-2023-40547 (A remote code execution vulnerability was found in Shim. The Shim boot ...)
 	{DLA-3813-1}
 	- shim 15.8-1 (bug #1061519)
-	[bookworm] - shim <no-dsa> (Minor issue, fix with a point release)
+	[bookworm] - shim 15.8-1~deb12u1
 	[bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2234589
 	NOTE: https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d (15.8)
 CVE-2023-40546 (A flaw was found in Shim when an error happened while creating a new E ...)
 	{DLA-3813-1}
 	- shim 15.8-1 (bug #1061519)
-	[bookworm] - shim <no-dsa> (Minor issue, fix with a point release)
+	[bookworm] - shim 15.8-1~deb12u1
 	[bullseye] - shim <no-dsa> (Minor issue, fix with a point release)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241796
 	NOTE: https://github.com/rhboot/shim/commit/66e6579dbf921152f647a0c16da1d3b2f40861ca (15.8)
@@ -63646,7 +63646,7 @@ CVE-2023-32337 (IBM Maximo Spatial Asset Management 8.10 is vulnerable to server
 	NOT-FOR-US: IBM
 CVE-2024-0690 (An information disclosure flaw was found in ansible-core due to a fail ...)
 	- ansible-core 2.16.5-1 (bug #1061156)
-	[bookworm] - ansible-core <no-dsa> (Minor issue)
+	[bookworm] - ansible-core 2.14.16-0+deb12u1
 	- ansible 5.4.0-1
 	[bullseye] - ansible <no-dsa> (Minor issue)
 	NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in experimental/5.4.0-1 in sid
@@ -74908,7 +74908,7 @@ CVE-2023-6134 (A flaw was found in Keycloak that prevents certain schemes in red
 	NOT-FOR-US: Keycloak
 CVE-2023-5764 (A template injection flaw was found in Ansible where a user's controll ...)
 	- ansible-core 2.14.13-1 (bug #1057427)
-	[bookworm] - ansible-core <no-dsa> (Minor issue)
+	[bookworm] - ansible-core 2.14.16-0+deb12u1
 	- ansible 5.4.0-1
 	[bullseye] - ansible <no-dsa> (Minor issue)
 	NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in experimental/5.4.0-1 in sid
@@ -84866,7 +84866,7 @@ CVE-2023-5157 (A vulnerability was found in MariaDB. An OpenVAS port scan on por
 CVE-2023-5115 (An absolute path traversal attack exists in the Ansible automation pla ...)
 	{DLA-3695-1}
 	- ansible-core 2.14.11-1 (bug #1053693)
-	[bookworm] - ansible-core <no-dsa> (Minor issue)
+	[bookworm] - ansible-core 2.14.16-0+deb12u1
 	[bullseye] - ansible-core <no-dsa> (Minor issue)
 	- ansible 5.4.0-1
 	[bullseye] - ansible <no-dsa> (Minor issue)
@@ -85773,7 +85773,7 @@ CVE-2023-37611 (Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allow
 	NOT-FOR-US: Neos CMS
 CVE-2023-4237 (A flaw was found in the Ansible Automation Platform. When creating a n ...)
 	- ansible 9.4.0+dfsg-1 (bug #1055300)
-	[bookworm] - ansible <no-dsa> (Minor issue)
+	[bookworm] - ansible 7.7.0+dfsg-3+deb12u1
 	[bullseye] - ansible <no-dsa> (Minor issue)
 	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2229979
@@ -94100,7 +94100,7 @@ CVE-2023-34966 (An infinite loop vulnerability was found in Samba's mdssvc RPC s
 	NOTE: severity:unimportant for buster backwards, but we don't have suite-specific severity annotations
 CVE-2023-3750 (A flaw was found in libvirt. The virStoragePoolObjListSearch function  ...)
 	- libvirt 9.6.0-1 (bug #1041811)
-	[bookworm] - libvirt <no-dsa> (Minor issue)
+	[bookworm] - libvirt 9.0.0-4+deb12u1
 	[bullseye] - libvirt <not-affected> (Vulnerable code not present)
 	[buster] - libvirt <not-affected> (Vulnerable code not present)
 	NOTE: https://listman.redhat.com/archives/libvir-list/2023-July/240776.html
@@ -146696,7 +146696,7 @@ CVE-2023-20585
 	RESERVED
 CVE-2023-20584 (IOMMU improperly handles certain special address ranges with invalid d ...)
 	- amd64-microcode 3.20240820.1
-	[bookworm] - amd64-microcode <no-dsa> (Minor issue)
+	[bookworm] - amd64-microcode 3.20240820.1~deb12u1
 	[bullseye] - amd64-microcode <no-dsa> (Minor issue)
 	NOTE: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html
 	NOTE: https://lore.kernel.org/all/20240820182655.42311-1-john.allen@amd.com/
@@ -264547,7 +264547,7 @@ CVE-2021-27918 (encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an
 CVE-2021-3420 (A flaw was found in newlib in versions prior to 4.0.0. Improper overfl ...)
 	[experimental] - newlib 4.4.0.20231231-1
 	- newlib 4.4.0.20231231-2 (bug #984446)
-	[bookworm] - newlib <no-dsa> (Minor issue)
+	[bookworm] - newlib 3.3.0-1.3+deb12u1
 	[bullseye] - newlib <no-dsa> (Minor issue)
 	[buster] - newlib <no-dsa> (Minor issue)
 	[stretch] - newlib <no-dsa> (Minor issue)
@@ -326241,7 +326241,7 @@ CVE-2020-14932 (compose.php in SquirrelMail 1.4.22 calls unserialize for the $ma
 	NOTE: https://www.openwall.com/lists/oss-security/2020/06/20/1
 CVE-2020-14931 (A stack-based buffer overflow in DMitry (Deepmagic Information Gatheri ...)
 	- dmitry 1.3a-5 (bug #1070370)
-	[bookworm] - dmitry <no-dsa> (Minor issue)
+	[bookworm] - dmitry 1.3a-1.2+deb12u1
 	[bullseye] - dmitry <no-dsa> (Minor issue)
 	[buster] - dmitry <postponed> (Minor issue, requires hostile whois server)
 	NOTE: https://github.com/jaygreig86/dmitry/issues/4
@@ -506390,7 +506390,7 @@ CVE-2017-7939 (The read_next_pam_token function in imagew-pnm.c in libimageworse
 	NOT-FOR-US: ImageWorsener
 CVE-2017-7938 (Stack-based buffer overflow in DMitry (Deepmagic Information Gathering ...)
 	- dmitry 1.3a-5 (bug #1070370)
-	[bookworm] - dmitry <no-dsa> (Minor issue)
+	[bookworm] - dmitry 1.3a-1.2+deb12u1
 	[bullseye] - dmitry <no-dsa> (Minor issue)
 	[buster] - dmitry <postponed> (Minor issue, crash in CLI tool, requires malicious parameter)
 	NOTE: https://packetstormsecurity.com/files/142210/Dmitry-1.3a-Local-Stack-Buffer-Overflow.html


=====================================
data/next-point-update.txt
=====================================
@@ -1,101 +1,3 @@
-CVE-2021-3420
-	[bookworm] - newlib 3.3.0-1.3+deb12u1
-CVE-2024-0690
-	[bookworm] - ansible-core 2.14.16-0+deb12u1
-CVE-2023-5764
-	[bookworm] - ansible-core 2.14.16-0+deb12u1
-CVE-2023-5115
-	[bookworm] - ansible-core 2.14.16-0+deb12u1
-CVE-2023-4237
-	[bookworm] - ansible 7.7.0+dfsg-3+deb12u1
-CVE-2023-40546
-	[bookworm] - shim 15.8-1~deb12u1
-CVE-2023-40547
-	[bookworm] - shim 15.8-1~deb12u1
-CVE-2023-40548
-	[bookworm] - shim 15.8-1~deb12u1
-CVE-2023-40549
-	[bookworm] - shim 15.8-1~deb12u1
-CVE-2023-40550
-	[bookworm] - shim 15.8-1~deb12u1
-CVE-2023-40551
-	[bookworm] - shim 15.8-1~deb12u1
-CVE-2024-35235
-	[bookworm] - cups 2.4.2-3+deb12u6
-CVE-2024-6126
-	[bookworm] - cockpit 287.1-0+deb12u3
-CVE-2024-31837
-	[bookworm] - dmitry 1.3a-1.2+deb12u1
-CVE-2020-14931
-	[bookworm] - dmitry 1.3a-1.2+deb12u1
-CVE-2017-7938
-	[bookworm] - dmitry 1.3a-1.2+deb12u1
-CVE-2024-1441
-	[bookworm] - libvirt 9.0.0-4+deb12u1
-CVE-2024-2496
-	[bookworm] - libvirt 9.0.0-4+deb12u1
-CVE-2024-2494
-	[bookworm] - libvirt 9.0.0-4+deb12u1
-CVE-2023-3750
-	[bookworm] - libvirt 9.0.0-4+deb12u1
-CVE-2024-40725
-	[bookworm] - apache2 2.4.62-1~deb12u1
-CVE-2024-4467
-	[bookworm] - qemu 1:7.2+dfsg-7+deb12u7
-CVE-2024-6655
-	[bookworm] - gtk+2.0 2.24.33-2+deb12u1
-CVE-2024-6655
-	[bookworm] - gtk+3.0 3.24.38-2~deb12u2
-CVE-2024-29421
-	[bookworm] - xmedcon 0.23.0-gtk3+dfsg-1+deb12u1
-CVE-2024-31497
-	[bookworm] - putty 0.78-2+deb12u2
-CVE-2024-27629
-	[bookworm] - dcm2niix 1.0.20220720-1+deb12u1
-CVE-2023-31315
-	[bookworm] - amd64-microcode 3.20240710.2~deb12u1
-CVE-2024-4741
-	[bookworm] - openssl 3.0.14-1~deb12u1
-CVE-2024-4603
-	[bookworm] - openssl 3.0.14-1~deb12u1
-CVE-2024-2511
-	[bookworm] - openssl 3.0.14-1~deb12u1
-CVE-2024-24853
-	[bookworm] - intel-microcode 3.20240813.1~deb12u1
-CVE-2024-25939
-	[bookworm] - intel-microcode 3.20240813.1~deb12u1
-CVE-2024-24980
-	[bookworm] - intel-microcode 3.20240813.1~deb12u1
-CVE-2023-42667
-	[bookworm] - intel-microcode 3.20240813.1~deb12u1
-CVE-2024-43370
-	[bookworm] - gettext.js 0.7.0-2+deb11u1
-CVE-2024-7009
-	[bookworm] - calibre 6.13.0+repack-2+deb12u4
-CVE-2024-7008
-	[bookworm] - calibre 6.13.0+repack-2+deb12u4
-CVE-2024-6782
-	[bookworm] - calibre 6.13.0+repack-2+deb12u4
-CVE-2024-7264
-	[bookworm] - curl 7.88.1-10+deb12u7
-CVE-2024-25641
-	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
-CVE-2024-29894
-	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
-CVE-2024-31443
-	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
-CVE-2024-31444
-	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
-CVE-2024-31445
-	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
-CVE-2024-31458
-	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
-CVE-2024-31459
-	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
-CVE-2024-31460
-	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
-CVE-2024-34340
-	[bookworm] - cacti 1.2.24+ds1-1+deb12u3
 CVE-2024-39329
 	[bookworm] - python-django 3:3.2.19-1+deb12u2
 CVE-2024-39330
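Review bot: the removed `CVE-2024-43370` entry is the source of the `gettext.js 0.7.0-2+deb11u1` string now written into data/CVE/list, and it is the only bookworm entry in this file with a `deb11u` suffix. Since this hunk clears the queued versions on the assumption they were copied verbatim into the CVE list, fixing the suffix in only one of the two files would leave them out of sync; verify the upload version and adjust both. The other removed entries match the versions written into data/CVE/list in the same merge.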
@@ -108,10 +10,6 @@ CVE-2024-41991
 	[bookworm] - python-django 3:3.2.19-1+deb12u2
 CVE-2024-42005
 	[bookworm] - python-django 3:3.2.19-1+deb12u2
-CVE-2023-31356
-	[bookworm] - amd64-microcode 3.20240820.1~deb12u1
-CVE-2023-20584
-	[bookworm] - amd64-microcode 3.20240820.1~deb12u1
 CVE-2023-28746
 	[bookworm] - xen 4.17.5-1~deb12u1
 CVE-2023-46841



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dbf29daa4350f64e2d8eefa7ca339127ea8cefd6...c3bfcdf36fe9613c59a78bee149f7954f914135f
