[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sun Dec 1 16:57:42 GMT 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
33486817 by Moritz Muehlenhoff at 2024-12-01T17:56:29+01:00
bugnums
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -357,10 +357,10 @@ CVE-2023-52922 (In the Linux kernel, the following vulnerability has been resolv
CVE-2024-53860 (sp-php-email-handler is a PHP package for handling contact form submis ...)
NOT-FOR-US: sp-php-email-handler
CVE-2024-53859 (go-gh is a Go module for interacting with the `gh` utility and the Git ...)
- - golang-github-cli-go-gh-v2 <unfixed>
+ - golang-github-cli-go-gh-v2 <unfixed> (bug #1088815)
NOTE: https://github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh
CVE-2024-53858 (The gh cli is GitHub\u2019s official command line tool. A security vul ...)
- - gh <unfixed>
+ - gh <unfixed> (bug #1088808)
NOTE: https://github.com/cli/cli/security/advisories/GHSA-jwcm-9g39-pmcw
CVE-2024-53260 (Autolab is a course management service that enables auto-graded progra ...)
NOT-FOR-US: Autolab
@@ -603,13 +603,14 @@ CVE-2024-53975 (Accessing a non-secure HTTP site that uses a non-existent port m
CVE-2024-53844 (E.D.D.I (Enhanced Dialog Driven Interface) is a middleware to connect ...)
NOT-FOR-US: E.D.D.I (Enhanced Dialog Driven Interface)
CVE-2024-53620 (A cross-site scripting (XSS) vulnerability in the Article module of SP ...)
- - spip <undetermined>
+ - spip <unfixed> (bug #1088801)
+ [bookworm] - spip <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://grimthereaperteam.medium.com/ec1e8714c02e
TODO: check, maybe fixed in 4.3.4, if so identify fix
CVE-2024-53619 (An authenticated arbitrary file upload vulnerability in the Documents ...)
- - spip <undetermined>
+ - spip <unfixed> (bug #1088800)
+ [bookworm] - spip <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://grimthereaperteam.medium.com/spip-4-3-3-malicious-file-upload-xss-in-pdf-526c03bb1776
- TODO: check
CVE-2024-53555 (A CSV injection vulnerability in Taiga v6.8.1 allows attackers to exec ...)
NOT-FOR-US: Taiga
CVE-2024-53365 (A stored cross-site scripting (XSS) vulnerability was identified in PH ...)
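Review bot: the two spip entries flip from `<undetermined>` to `<unfixed>` while the TODO on CVE-2024-53620 ("check, maybe fixed in 4.3.4, if so identify fix") is kept, so the status and the note now contradict each other: if 4.3.4 contains the fix, the sid entry should carry that version instead of `<unfixed>`, and the new `[bookworm] - spip <postponed> (Minor issue, revisit when fixed upstream)` line assumes the upstream fix is still pending. The companion TODO on CVE-2024-53619 is dropped in the same hunk, so the two sibling entries are no longer triaged consistently; either resolve the 4.3.4 question before marking both `<unfixed>`, or keep a TODO on both until it is resolved. The commit message "bugnums" also does not cover this status change and the added bookworm lines.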
@@ -716,7 +717,7 @@ CVE-2024-11669 (An issue was discovered in GitLab CE/EE affecting all versions f
CVE-2024-11668 (An issue has been discovered in GitLab CE/EE affecting all versions fr ...)
- gitlab <not-affected> (Vulnerable code introduced later)
CVE-2024-11407 (There exists a denial of service through Data corruption in gRPC-C++ - ...)
- - grpc <unfixed>
+ - grpc <unfixed> (bug #1088806)
NOTE: https://github.com/grpc/grpc/commit/e9046b2bbebc0cb7f5dc42008f807f6c7e98e791 (v1.68.0-pre1)
CVE-2024-11192 (The Spotify Play Button for WordPress plugin for WordPress is vulnerab ...)
NOT-FOR-US: WordPress plugin
@@ -983,7 +984,7 @@ CVE-2024-6393 (The Photo Gallery, Sliders, Proofing and WordPress plugin befor
CVE-2024-53930 (WikiDocs before 1.0.65 allows stored XSS by authenticated users via da ...)
NOT-FOR-US: WikiDocs
CVE-2024-53916 (In OpenStack Neutron through 25.0.0, neutron/extensions/tagging.py can ...)
- - neutron <unfixed>
+ - neutron <unfixed> (bug #1088802)
[bookworm] - neutron <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - neutron <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://review.opendev.org/c/openstack/neutron/+/935883
@@ -2180,11 +2181,11 @@ CVE-2024-52769 (An arbitrary file upload vulnerability in the component /admin/f
CVE-2024-52765 (H3C GR-1800AX MiniGRW1B0V100R007 is vulnerable to remote code executio ...)
NOT-FOR-US: H3C GR-1800AX MiniGRW1B0V100R007
CVE-2024-52763 (A cross-site scripting (XSS) vulnerability in the component /graph_all ...)
- - ganglia-web <unfixed>
+ - ganglia-web <unfixed> (bug #1088799)
[bookworm] - ganglia-web <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/ganglia/ganglia-web/issues/382
CVE-2024-52762 (A cross-site scripting (XSS) vulnerability in the component /master/he ...)
- - ganglia-web <unfixed>
+ - ganglia-web <unfixed> (bug #1088799)
[bookworm] - ganglia-web <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/ganglia/ganglia-web/issues/382
CVE-2024-52757 (D-LINK DI-8003 v16.07.16A1 was discovered to contain a buffer overflow ...)
@@ -5828,7 +5829,7 @@ CVE-2024-52531 (GNOME libsoup before 3.6.1 allows a buffer overflow in applicati
CVE-2024-52530 (GNOME libsoup before 3.6.0 allows HTTP request smuggling in some confi ...)
- libsoup3 3.5.2-1
[bookworm] - libsoup3 <no-dsa> (Minor issue)
- - libsoup2.4 <unfixed>
+ - libsoup2.4 <unfixed> (bug #1088812)
[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b (3.5.2)
@@ -5839,10 +5840,10 @@ CVE-2024-52286 (Stirling-PDF is a locally hosted web application that allows you
CVE-2024-51992 (Orchid is a @laravel package that allows for rapid application develop ...)
NOT-FOR-US: Orchid laravel package
CVE-2024-51748 (Kanboard is project management software that focuses on the Kanban met ...)
- - kanboard <unfixed>
+ - kanboard <unfixed> (bug #1088798)
NOTE: https://github.com/kanboard/kanboard/security/advisories/GHSA-jvff-x577-j95p
CVE-2024-51747 (Kanboard is project management software that focuses on the Kanban met ...)
- - kanboard <unfixed>
+ - kanboard <unfixed> (bug #1088798)
NOTE: https://github.com/kanboard/kanboard/security/advisories/GHSA-78pf-vg56-5p8v
CVE-2024-51490 (Ampache is a web based audio/video streaming application and file mana ...)
- ampache <removed>
@@ -9667,7 +9668,7 @@ CVE-2024-25566 (An Open-Redirect vulnerability exists in PingAM where well-craft
CVE-2024-22066 (There is a privilege escalation vulnerability in ZTE ZXR10 ZSR V2 inte ...)
NOT-FOR-US: ZTE
CVE-2024-10491 (A vulnerability has been identified in the Express response.linksfunct ...)
- - node-express <unfixed>
+ - node-express <unfixed> (bug #1088807)
[bookworm] - node-express <no-dsa> (Minor issue)
[bullseye] - node-express <postponed> (Minor issue, no public patch)
NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-10491
@@ -10323,12 +10324,12 @@ CVE-2024-50623 (In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and L
CVE-2024-50616 (Ironman PowerShell Universal 5.x before 5.0.12 allows an authenticated ...)
NOT-FOR-US: Ironman PowerShell Universal
CVE-2024-50615 (TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/digit, ...)
- - tinyxml2 <unfixed>
+ - tinyxml2 <unfixed> (bug #1088814)
[bookworm] - tinyxml2 <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - tinyxml2 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/leethomason/tinyxml2/issues/997
CVE-2024-50614 (TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/16, tha ...)
- - tinyxml2 <unfixed>
+ - tinyxml2 <unfixed> (bug #1088813)
[bookworm] - tinyxml2 <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - tinyxml2 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/leethomason/tinyxml2/issues/996
@@ -22278,12 +22279,12 @@ CVE-2024-8604 (A vulnerability classified as problematic has been found in Sourc
CVE-2024-8601 (This vulnerability exists in TechExcel Back Office Software versions p ...)
NOT-FOR-US: TechExcel Back Office Software
CVE-2024-8373 (Improper sanitization of the value of the [srcset] attribute in <sourc ...)
- - angular.js <unfixed>
+ - angular.js <unfixed> (bug #1088805)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - angular.js <postponed> (Minor issue)
NOTE: https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b
CVE-2024-8372 (Improper sanitization of the value of the '[srcset]' attribute in Angu ...)
- - angular.js <unfixed>
+ - angular.js <unfixed> (bug #1088804)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - angular.js <postponed> (Minor issue)
NOTE: https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017
@@ -83726,7 +83727,7 @@ CVE-2024-23322 (Envoy is a high-performance edge/middle/service proxy. Envoy wil
CVE-2024-21624 (nonebot2 is a cross-platform Python asynchronous chatbot framework wri ...)
NOT-FOR-US: nonebot2
CVE-2024-21490 (This affects versions of the package angular from 1.3.0. A regular exp ...)
- - angular.js <unfixed>
+ - angular.js <unfixed> (bug #1088803)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - angular.js <no-dsa> (Minor issue)
[buster] - angular.js <postponed> (Fix along with the next DLA)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3348681786c745c4077de59e4e22e6ef22997b1a