[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Dec 4 09:07:54 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
008559c0 by Moritz Muehlenhoff at 2024-12-04T10:07:26+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/DSA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -423,6 +423,7 @@ CVE-2024-53364 (A SQL injection vulnerability was found in PHPGURUKUL Vehicle Pa
 	NOT-FOR-US: PHPGURUKUL Vehicle Parking Management System
 CVE-2024-53259 (quic-go is an implementation of the QUIC protocol in Go. An off-path a ...)
 	- golang-github-lucas-clemente-quic-go <unfixed>
+	[bookworm] - golang-github-lucas-clemente-quic-go <no-dsa> (Minor issue)
 	NOTE: https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr
 	NOTE: https://github.com/quic-go/quic-go/pull/4729
 	NOTE: https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50 (master)
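Review bot: the `<no-dsa>` justification "Minor issue" on the new `[bookworm]` line gives no reasoning, and the only fix reference is a commit on master; a short NOTE stating why the off-path attack described in GHSA-px8v-pp82-rcvr is low impact for the bookworm build, plus the upstream release that carries the fix, would make the triage decision reviewable later.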
@@ -874,18 +875,24 @@ CVE-2024-36620 (moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference
 	NOTE: Introduced in https://github.com/moby/moby/commit/2a6ff3c24fd790e5d42d2eabaf6acf06edfe6975 (v25.0.0-beta.1)
 CVE-2024-36619 (FFmpeg n6.1.1 has a vulnerability in the WAVARC decoder of the libavco ...)
 	- ffmpeg 7:7.1-3
+	[bookworm] - ffmpeg <not-affected> (Vulnerable decoder added in 6.0)
+	[bullseye] - ffmpeg <not-affected> (Vulnerable decoder added in 6.0)
 	NOTE: https://github.com/ffmpeg/ffmpeg/commit/28c7094b25b689185155a6833caf2747b94774a4 (n7.1)
 CVE-2024-36618 (FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavforma ...)
 	- ffmpeg 7:7.0.1-3
+	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
 	NOTE: https://github.com/ffmpeg/ffmpeg/commit/7a089ed8e049e3bfcb22de1250b86f2106060857 (n7.0)
 CVE-2024-36617 (FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF  ...)
 	- ffmpeg 7:7.0.1-3
 	NOTE: https://github.com/ffmpeg/ffmpeg/commit/d973fcbcc2f944752ff10e6a76b0b2d9329937a7 (n7.0)
+	NOTE: https://github.com/ffmpeg/ffmpeg/commit/f0e780370cc1c437d64f10d326b1d656ef490b5f (n5.1.5)
 CVE-2024-36616 (An integer overflow in the component /libavformat/westwood_vqa.c of FF ...)
 	- ffmpeg 7:7.0.1-3
 	NOTE: https://github.com/ffmpeg/ffmpeg/commit/86f73277bf014e2ce36dd2594f1e0fb8b3bd6661 (n7.0)
+	NOTE: https://github.com/ffmpeg/ffmpeg/commit/a8beef67993aa267de87599007143d9f0ba67c23 (n5.1.5)
 CVE-2024-36615 (FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. Thi ...)
 	- ffmpeg 7:7.1-3
+	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
 	NOTE: https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61 (n7.1)
 CVE-2024-36612 (Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the hand ...)
 	NOT-FOR-US: Zulip
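Review bot: CVE-2024-36617 and CVE-2024-36616 only gain an n5.1.5 NOTE here while the neighbouring FFmpeg entries are tagged `[bookworm] <postponed>`, so it is not visible from data/CVE/list that their bookworm status comes from attributing them to an existing DSA in data/DSA/list; a brief mention in the commit message (it currently reads only "bookworm triage") would make that distinction explicit.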
@@ -900,16 +907,20 @@ CVE-2024-35371 (Ant-Media-Serverv2.8.2 is affected by Improper Output Neutraliza
 	NOT-FOR-US: Ant-Media-Server
 CVE-2024-35369 (In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c m ...)
 	- ffmpeg 7:7.0.1-3
+	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
 	NOTE: https://github.com/ffmpeg/ffmpeg/commit/0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c (n7.0)
 CVE-2024-35368 (FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame  ...)
 	- ffmpeg 7:7.1-3
+	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
 	NOTE: https://github.com/ffmpeg/ffmpeg/commit/4513300989502090c4fd6560544dce399a8cd53c (n7.1)
 CVE-2024-35367 (FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_alti ...)
 	- ffmpeg 7:7.0.1-3
+	[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
 	NOTE: https://github.com/ffmpeg/ffmpeg/commit/09e6840cf7a3ee07a73c3ae88a020bf27ca1a667 (n7.0)
 CVE-2024-35366 (FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the par ...)
 	- ffmpeg 7:7.0.1-3
 	NOTE: https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6 (n7.0)
+	NOTE: https://github.com/ffmpeg/ffmpeg/commit/4db0eb4653efad967ddcf71f564fd2f1169bafcb (n5.1.5)
 CVE-2024-11992 (Absolute path traversal vulnerability in Quick.CMS, version 6.7, the e ...)
 	NOT-FOR-US: Quick.CMS
 CVE-2024-11990 (A Cross-Site Scripting (XSS) vulnerability in SurgeMail v78c2 could al ...)
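Review bot: the `<postponed>` justification "Pick up when fixed in 5.1.x" is repeated for CVE-2024-35369, CVE-2024-35368 and CVE-2024-35367, but the linked fix commits are tagged n7.0/n7.1 only; recording whether a backport to the 5.1 branch exists or has been requested upstream would make the postponement actionable, as was done for CVE-2024-35366 with its n5.1.5 NOTE.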


=====================================
data/DSA/list
=====================================
@@ -362,7 +362,7 @@
 	[bullseye] - libndp 1.6-1+deb11u1
 	[bookworm] - libndp 1.8-1+deb12u1
 [15 Jun 2024] DSA-5712-1 ffmpeg - security update
-	{CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 CVE-2023-51798 CVE-2024-31585 CVE-2024-32230}
+	{CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 CVE-2023-51798 CVE-2024-31585 CVE-2024-32230 CVE-2024-36617 CVE-2024-36616 CVE-2024-35366}
 	[bookworm] - ffmpeg 7:5.1.5-0+deb12u1
 [15 Jun 2024] DSA-5711-1 thunderbird - security update
 	{CVE-2024-5688 CVE-2024-5690 CVE-2024-5691 CVE-2024-5693 CVE-2024-5696 CVE-2024-5700 CVE-2024-5702}
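Review bot: the three CVEs appended to DSA-5712-1 break the ascending order the existing brace list follows (CVE-2024-36617 precedes CVE-2024-36616, which precedes CVE-2024-35366); consider inserting them in sorted order. Since DSA-5712-1 dates from 15 Jun 2024 and these ids are attributed to it retroactively on the basis of the n5.1.5 commits, the commit message should say so.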



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/008559c0f96e249ffd649e2a1f335f889f46f553




