[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Feb 5 12:07:22 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4b642eea by Moritz Muehlenhoff at 2024-02-05T13:06:37+01:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -82,6 +82,8 @@ CVE-2021-46902 (An issue was discovered in LTOS-Web-Interface in Meinberg LANTIM
 	NOT-FOR-US: Meinberg
 CVE-2024-25062 (An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.1 ...)
 	- libxml2 <unfixed>
+	[bookworm] - libxml2 <no-dsa> (Minor issue)
+	[bullseye] - libxml2 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
 	NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7 (v2.11.7)
 	NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970884fcc13305cb8e23cdc5f0dd7667c2c (v2.12.5)
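Review bot: the libxml2 entry gains [bookworm] and [bullseye] no-dsa tags but no [buster] line, whereas the openexr hunk in this same commit adds one; if buster is within the scope of this triage pass, a matching `[buster] - libxml2 <...>` line with whatever state applies would keep the per-suite annotations consistent across the commit.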
@@ -179,6 +181,8 @@ CVE-2024-23895 (A vulnerability has been reported in Cups Easy (Purchase & Inven
 	NOT-FOR-US: Cups Easy (Purchase & Inventory)
 CVE-2024-23831 (LedgerSMB is a free web-based double-entry accounting system. When a L ...)
 	- ledgersmb <unfixed> (bug #1062845)
+	[bookworm] - ledgersmb <no-dsa> (Minor issue)
+	[bullseye] - ledgersmb <no-dsa> (Minor issue)
 	[buster] - ledgersmb <no-dsa> (Minor issue)
 	NOTE: https://github.com/ledgersmb/LedgerSMB/security/advisories/GHSA-98ff-f638-qxjm
 	NOTE: https://github.com/ledgersmb/LedgerSMB/commit/8c2ae5be68a782d62cb9c0e17c0127bf30ef4165
@@ -535,6 +539,8 @@ CVE-2024-1167 (When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML informati
 	NOT-FOR-US: SEW-EURODRIVE MOVITOOLS MotionStudio
 CVE-2024-1141 (A vulnerability was found in python-glance-store. The issue occurs whe ...)
 	- python-glance-store <unfixed>
+	[bookworm] - python-glance-store <no-dsa> (Minor issue)
+	[bullseye] - python-glance-store <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2258836
 	TODO: check, missing details in RHBZ#2258836
 CVE-2024-0935 (An insertion of Sensitive Information into Log File vulnerability is a ...)
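Review bot: the `[bookworm]` and `[bullseye] - python-glance-store <no-dsa> (Minor issue)` tags are added while the entry still carries `TODO: check, missing details in RHBZ#2258836`; a severity call made before the details are known should either wait until that TODO is resolved, or the rationale should say what it rests on, e.g. `(Minor issue; details still pending in RHBZ#2258836)`, so a later reader knows the classification is provisional.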
@@ -545,8 +551,13 @@ CVE-2023-6078 (An OS Command Injection vulnerability exists in BIOVIA Materials
 	NOT-FOR-US: BIOVIA Materials Studio products
 CVE-2023-5841 (Due to a failure in validating the number of scanline samples of a Ope ...)
 	- openexr <unfixed>
+	[bookworm] - openexr <no-dsa> (Minor issue)
+	[bullseye] - openexr <not-affected> (Only affects 3.x)
+	[buster] - openexr <not-affected> (Only affects 3.x)
 	NOTE: https://takeonme.org/cves/CVE-2023-5841.html
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1625
+	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/46944c3a87ebc6c5d9a9a4962a94569ba1082bc3
+	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1627
 CVE-2023-52195 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2023-52194 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
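Review bot: the new openexr commit NOTE lacks the release annotation this file uses elsewhere (e.g. `(v2.11.7)` on the libxml2 commit lines), and the `<not-affected> (Only affects 3.x)` rationale for bullseye and buster is not backed by any visible NOTE; append the release the commit landed in and, if the 3.x-only scope comes from the linked issue or PR, say so on that line so the not-affected claim can be verified rather than taken on trust.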
@@ -1003,12 +1014,16 @@ CVE-2023-6780 (An integer overflow was found in the __vsyslog_internal function
 	NOTE: https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2024-0003
 CVE-2024-23829 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...)
 	- python-aiohttp <unfixed> (bug #1062708)
+	[bookworm] - python-aiohttp <no-dsa> (Minor issue)
+	[bullseye] - python-aiohttp <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2
 	NOTE: https://github.com/aio-libs/aiohttp/pull/8074
 	NOTE: https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827 (master)
 	NOTE: https://github.com/aio-libs/aiohttp/commit/d33bc21414e283c9e6fe7f6caf69e2ed60d66c82 (v3.9.2)
 CVE-2024-23334 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...)
 	- python-aiohttp <unfixed> (bug #1062709)
+	[bookworm] - python-aiohttp <no-dsa> (Minor issue)
+	[bullseye] - python-aiohttp <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
 	NOTE: https://github.com/aio-libs/aiohttp/pull/8079
 	NOTE: https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b (master)
@@ -2815,6 +2830,7 @@ CVE-2023-28743 (Improper input validation for some Intel NUC BIOS firmware befor
 	NOT-FOR-US: Intel
 CVE-2024-21733 (Generation of Error Message Containing Sensitive Information vulnerabi ...)
 	- tomcat9 9.0.53-1
+	[bullseye] - tomcat9 <postponed> (Minor issue, fix along in next update)
 	NOTE: https://www.openwall.com/lists/oss-security/2024/01/19/2
 	NOTE: https://github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125a (9.0.44)
 CVE-2024-23387 (FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability ...)
@@ -4114,6 +4130,8 @@ CVE-2024-0459 (A vulnerability has been found in Blood Bank & Donor Management 5
 	NOT-FOR-US: Blood Bank & Donor Management
 CVE-2023-6683 (A flaw was found in the QEMU built-in VNC server while processing Clie ...)
 	- qemu 1:8.2.0+ds-5 (bug #1060749)
+	[bookworm] - qemu <no-dsa> (Minor issue)
+	[bullseye] - qemu <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2254825
 	NOTE: Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg02382.html
 CVE-2023-52026 (TOTOlink EX1800T V9.1.0cu.2112_B20220316 was discovered to contain a r ...)
@@ -14310,8 +14328,9 @@ CVE-2023-38324 (An issue was discovered in OpenNDS before 10.1.2. It allows user
 	NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
 	NOTE: https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9 (v10.1.2)
 CVE-2023-38323 (An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize ...)
-	- opennds <unfixed>
+	- opennds 10.2.0+dfsg-1
 	NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
+	NOTE: From v10 onwards, statuspath configuration value is urlencoded, marking first 10.x upload as fixed for sid
 CVE-2023-38322 (An issue was discovered in OpenNDS Captive Portal before version 10.1. ...)
 	- opennds 10.2.0+dfsg-1 (bug #1059451)
 	NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
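Review bot: the CVE-2023-38323 description says OpenNDS before 10.1.3 is affected, yet the new NOTE marks the first 10.x upload (10.2.0+dfsg-1) as fixed on the grounds that the statuspath value is urlencoded from v10 onwards; since the version range in the CVE text disagrees with that, add the upstream commit that introduced the urlencoding (in the same `NOTE: <commit URL> (vX.Y.Z)` form used for CVE-2023-38324 two lines above) so the fixed-version claim can be checked rather than resting on the prose NOTE alone.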
@@ -14324,14 +14343,17 @@ CVE-2023-38320 (An issue was discovered in OpenNDS Captive Portal before version
 	NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
 	NOTE: https://github.com/openNDS/openNDS/commit/cd4004fc3cf79c0f2bc0ee98db30d225d0b79bc9 (v10.1.2)
 CVE-2023-38319 (An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize ...)
-	- opennds <unfixed>
+	- opennds 10.2.0+dfsg-1
 	NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
+	NOTE: From v10 onwards, faskey configuration value is urlencoded, marking first 10.x upload as fixed for sid
 CVE-2023-38318 (An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize ...)
-	- opennds <unfixed>
+	- opennds 10.2.0+dfsg-1
 	NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
+	NOTE: From v10 onwards, gatewayfqdn configuration value is urlencoded, marking first 10.x upload as fixed for sid
 CVE-2023-38317 (An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize ...)
-	- opennds <unfixed>
+	- opennds 10.2.0+dfsg-1
 	NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
+	NOTE: From v10 onwards, gateway interface configuration value is urlencoded, marking first 10.x upload as fixed for sid
 CVE-2023-38316 (An issue was discovered in OpenNDS Captive Portal before version 10.1. ...)
 	- opennds 10.2.0+dfsg-1 (bug #1059451)
 	NOTE: https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
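Review bot: CVE-2023-38319, -38318 and -38317 are all moved from `<unfixed>` to `10.2.0+dfsg-1` with NOTEs stating that the faskey, gatewayfqdn and gateway interface values are urlencoded from v10 onwards, while each CVE description still says "before 10.1.3" is affected; the three NOTEs differ only in the configuration value named and none cites the upstream change, so a single commit reference per entry (as the v10.1.2 commit line for CVE-2023-38320 above does) would make the fixed-in-10.x determination reproducible and resolve the apparent conflict with the CVE range.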
@@ -17589,6 +17611,7 @@ CVE-2023-46129 (NATS.io is a high performance open source pub-sub distributed co
 	NOTE: https://github.com/nats-io/nkeys/security/advisories/GHSA-mr45-rx8q-wcm9
 CVE-2023-47090 (NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authent ...)
 	- nats-server 2.10.3-1
+	[bookworm] - nats-server <no-dsa> (Minor issue)
 	NOTE: https://advisories.nats.io/CVE/secnote-2023-01.txt
 	NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-fr2g-9hjm-wr23
 CVE-2023-5056 (A flaw was found in the Skupper operator, which may permit a certain c ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -36,6 +36,8 @@ linux (carnil)
 nbconvert/oldstable
   Guilhem Moulin proposed an update ready for review
 --
+opennds/stable
+--
 php-cas/oldstable
 --
 php-dompdf-svg-lib/stable
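Review bot: `opennds/stable` is added to dsa-needed.txt without an assignee or a status line, unlike the surrounding entries (e.g. `linux (carnil)`) and unlike the `ruby-sanitize (jmm)` change later in this commit; leaving it unclaimed is fine if nobody has picked it up yet, but a short status line naming the opennds CVE entries updated in data/CVE/list in this commit would tell the eventual claimant what the update needs to cover.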
@@ -66,7 +68,7 @@ ruby-nokogiri/oldstable
 --
 ruby-rails-html-sanitizer
 --
-ruby-sanitize
+ruby-sanitize (jmm)
   Abhijith PA proposed an update for review for bookworm-security, asked back for bullseye-security
 --
 ruby-sinatra/oldstable



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b642eea1f852f1fb007b013441d7a08fd3aa29e


