[Git][security-tracker-team/security-tracker][master] Track specifically CVE-2024-48910 and CVE-2024-47875 for cacti

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sat Dec 28 20:14:55 GMT 2024



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
17c65d8a by Salvatore Bonaccorso at 2024-12-28T21:14:42+01:00
Track specifically CVE-2024-48910 and CVE-2024-47875 for cacti

This happens as to support the LTS team to address the embedded copy
issue of node-dompurify in cacti.

Note that CVE-2024-45801 is explicitly not listed. The CVE assignment is
very specifically assigned for the bypass of the depth checking added to
DOMPurify and happens if CVE-2024-47875 is incompletely fixed. If the
patching is done correctly, then CVE-2024-47875 is addressed without
opening up CVE-2024-45801.

The tracking is more a workaround. The embedded versions are not
necessarily fixed but the binary packages start to depend on
node-dompurify and link to purify.js in cacti/1.2.26+ds1-1 (in an
unstable upload) and cacti/1.2.24+ds1-1+deb12u2 in bookworm. This allows
though to get the CVE on the radar for cacti in bullseye and fixed
there.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -16321,10 +16321,14 @@ CVE-2024-49685 (Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon
 CVE-2024-49674 (Cross-Site Request Forgery (CSRF) vulnerability in Lukas Huser EKC Tou ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-48910 (DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for H ...)
+	- cacti 1.2.26+ds1-1
+	[bookworm] - cacti 1.2.24+ds1-1+deb12u2
 	- node-dompurify 3.0.9+dfsg+~3.0.5-1
 	[bookworm] - node-dompurify 2.4.1+dfsg+~2.4.0-2+deb12u1
 	NOTE: https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr
 	NOTE: https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc (2.4.2)
+	NOTE: Mark cacti/1.2.26+ds1-1 which is the version starting to depend on node-dompurify
+	NOTE: and link purify.js instead of using the upstream version.
 CVE-2024-48360 (Qualitor v8.24 was discovered to contain a Server-Side Request Forgery ...)
 	NOT-FOR-US: Qualitor
 CVE-2024-48359 (Qualitor v8.24 was discovered to contain a remote code execution (RCE) ...)
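Review bot: the added `- cacti 1.2.26+ds1-1` and `[bookworm] - cacti 1.2.24+ds1-1+deb12u2` lines read as fixed-version markers, while the accompanying NOTE only records that these are the versions that start depending on node-dompurify and linking purify.js; the commit message states the embedded copy is not necessarily fixed in them, so that caveat belongs in the NOTE itself (e.g. "embedded copy not patched; marker records the switch to the packaged node-dompurify") so a reader of data/CVE/list does not take the marker for a backported fix.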
@@ -22394,6 +22398,8 @@ CVE-2024-47877 (Extract is aA Go library to extract archives in zip, tar.gz or t
 	NOT-FOR-US: codeclysm/extract Go library
 CVE-2024-47875 (DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for H ...)
 	{DSA-5790-1}
+	- cacti 1.2.26+ds1-1
+	[bookworm] - cacti 1.2.24+ds1-1+deb12u2
 	- node-dompurify 3.1.6+dfsg+~3.0.5-1 (bug #1084983)
 	NOTE: https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf
 	NOTE: https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f (2.5.1)
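Review bot: the `[bookworm] - cacti 1.2.24+ds1-1+deb12u2` marker is placed under an entry whose bookworm fix for node-dompurify is recorded only through `{DSA-5790-1}`; since cacti in bookworm now links purify.js from node-dompurify rather than shipping a patched copy, the cacti marker is only effective together with that DSA, and a one-line NOTE stating that dependency would make the relationship explicit for anyone reading the entry without the commit message.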
@@ -22401,6 +22407,8 @@ CVE-2024-47875 (DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer
 	NOTE: https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a (3.1.1)
 	NOTE: When fixing the issue be aware that the fixing commit would introduce CVE-2024-45801
 	NOTE: when only cherry-picking commits.
+	NOTE: Mark cacti/1.2.26+ds1-1 which is the version starting to depend on node-dompurify
+	NOTE: and link purify.js instead of using the upstream version.
 CVE-2024-47830 (Plane is an open-source project management tool. Plane uses the ** wil ...)
 	NOT-FOR-US: Plane
 CVE-2024-47509 (An Allocation of Resources Without Limits or Throttlingvulnerability i ...)
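Review bot: the new cacti NOTE lines directly follow the warning that cherry-picking the fixing commits would introduce CVE-2024-45801, but do not say whether that warning applies to cacti; as cacti resolves the issue by linking to node-dompurify's purify.js instead of patching the embedded copy, adding "the CVE-2024-45801 caveat above concerns node-dompurify, not the cacti marker" would keep the scope of the warning clear.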



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17c65d8aae1b7358a4d9ff313782a8cbfe532844
