[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Feb 9 12:51:42 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
50881314 by Moritz Muehlenhoff at 2024-02-09T13:51:00+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -588,6 +588,8 @@ CVE-2024-1283 (Heap buffer overflow in Skia in Google Chrome prior to 121.0.6167
 	[buster] - chromium <end-of-life> (see DSA 5046)
 CVE-2024-24680 (An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10 ...)
 	- python-django 3:4.2.10-1
+	[bookworm] - python-django <postponed> (Minor issue, fix along in future update)
+	[bullseye] - python-django <postponed> (Minor issue, fix along in future update)
 	NOTE: https://www.openwall.com/lists/oss-security/2024/02/06/2
 	NOTE: https://www.djangoproject.com/weblog/2024/feb/06/security-releases/
 	NOTE: https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9 (main)
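Review bot: the two added `<postponed>` lines for bookworm and bullseye are backed only by the main-branch commit reference (`NOTE: https://github.com/django/django/commit/... (main)`); since the rationale is "fix along in future update", it would help the later uploader to also record the per-series fix (the 3.2.24 and 4.2.10 releases named in the description, or their backport commits) so the exact patch to carry is already on file when that update is prepared.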
@@ -937,11 +939,13 @@ CVE-2024-24262 (media-server v1.0.0 was discovered to contain a Use-After-Free (
 CVE-2024-24260 (media-server v1.0.0 was discovered to contain a Use-After-Free (UAF) v ...)
 	NOT-FOR-US: media-server
 CVE-2024-24259 (mupdf v1.23.9 was discovered to contain a memory leak via the menuEntr ...)
-	- mupdf <unfixed>
+	- mupdf <unfixed> (unimportant)
+	NOTE: Memory leak in CLI tool, no security impact
 	NOTE: https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_2.md
 	TODO: check report upstream
 CVE-2024-24258 (mupdf v1.23.9 was discovered to contain a memory leak via the menuEntr ...)
-	- mupdf <unfixed>
+	- mupdf <unfixed> (unimportant)
+	NOTE: Memory leak in CLI tool, no security impact
 	NOTE: https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_1.md
 	TODO: check report upstream
 CVE-2024-23109 (An improper neutralization of special elements used in an os command ( ...)
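Review bot: both CVE-2024-24259 and CVE-2024-24258 are now marked `(unimportant)` with the note "Memory leak in CLI tool, no security impact", yet the unchanged `TODO: check report upstream` lines remain below them; if the severity decision already settles the question, drop the TODOs in this commit, otherwise state what still needs checking so the two lines do not read as contradictory.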
@@ -1028,6 +1032,8 @@ CVE-2024-23196 (A race condition was found in the Linux kernel's sound/hda  devi
 	NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=8148
 CVE-2024-22667 (Vim before 9.0.2142 has a stack-based buffer overflow because did_set_ ...)
 	- vim 2:9.0.2189-1
+	[bookworm] - vim <no-dsa> (Minor issue)
+	[bullseye] - vim <no-dsa> (Minor issue)
 	NOTE: https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47 (v9.0.2142)
 	NOTE: https://gist.githubusercontent.com/henices/2467e7f22dcc2aa97a2453e197b55a0c/raw/7b54bccc9a129c604fb139266f4497ab7aaa94c7/gistfile1.txt
 CVE-2024-22386 (A race condition was found in the Linux kernel's drm/exynos device dri ...)
@@ -1496,6 +1502,8 @@ CVE-2024-24561 (Vyper is a pythonic Smart Contract Language for the ethereum vir
 	NOT-FOR-US: Vyper
 CVE-2024-24557 (Moby is an open-source project created by Docker to enable software co ...)
 	- docker.io <unfixed>
+	[bookworm] - docker.io <no-dsa> (Minor issue)
+	[bullseye] - docker.io <no-dsa> (Minor issue)
 	NOTE: https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae
 	NOTE: https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc
 CVE-2024-24062 (springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) vi ...)
@@ -1845,6 +1853,8 @@ CVE-2023-2439 (The UserPro plugin for WordPress is vulnerable to Stored Cross-Si
 	NOT-FOR-US: WordPress plugin
 CVE-2024-1062 [a heap overflow leading to denail-of-servce while writing a value larger than 256 chars (in log_entry_attr)]
 	- 389-ds-base <unfixed>
+	[bookworm] - 389-ds-base <no-dsa> (Minor issue)
+	[bullseye] - 389-ds-base <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2261879
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256711
 	NOTE: https://github.com/389ds/389-ds-base/issues/5647
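Review bot: the bracketed (non-MITRE) description on the context line for CVE-2024-1062 reads "denail-of-servce" and should be corrected to "denial-of-service" in a follow-up, as that text is maintained in this file; the added `[bookworm]`/`[bullseye] - 389-ds-base <no-dsa> (Minor issue)` lines themselves are consistent with the `<unfixed>` line above them.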
@@ -4085,6 +4095,7 @@ CVE-2023-48339 (In jpg driver, there is a possible missing permission check. Thi
 	NOT-FOR-US: Unisoc
 CVE-2021-4435 (An untrusted search path vulnerability was found in Yarn. When a victi ...)
 	- node-yarnpkg 1.22.19+~cs24.27.18-1
+	[bullseye] - node-yarnpkg <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2262284
 	NOTE: Fixed by: https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1 (v1.22.12)
 	TODO: check, too few details in RHBZ#2262284
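Review bot: only a `[bullseye]` annotation is added for CVE-2021-4435 whereas the other entries in this commit annotate both bookworm and bullseye; that is presumably because bookworm's node-yarnpkg 1.22.19+~cs24.27.18-1 already carries the fix from v1.22.12 named in the "Fixed by" NOTE, but a one-line NOTE saying so would make the asymmetry self-explanatory, and the open `TODO: check` would then clearly refer to bullseye only.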
@@ -18468,10 +18479,8 @@ CVE-2023-42323 (Cross Site Request Forgery (CSRF) vulnerability in DouHaocms v.3
 CVE-2023-36263 (Prestashop opartlimitquantity 1.4.5 and before is vulnerable to SQL In ...)
 	NOT-FOR-US: PrestaShop module
 CVE-2023-31794 (MuPDF v1.21.1 was discovered to contain an infinite recursion in the c ...)
-	- mupdf 1.22.1+ds1-1
-	[bookworm] - mupdf <no-dsa> (Minor issue)
-	[bullseye] - mupdf <no-dsa> (Minor issue)
-	[buster] - mupdf <no-dsa> (Minor issue)
+	- mupdf 1.22.1+ds1-1 (unimportant)
+	NOTE: Hang in enduser tool, no security impact
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706506
 	NOTE: Fixed by: https://git.ghostscript.com/?p=mupdf.git;a=commit;h=c0015401693b58e2deb5d75c39f27bc1216e47c6 (1.22.0-rc1)
 CVE-2019-25155 (DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-targe ...)
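Review bot: "enduser" in the added `NOTE: Hang in enduser tool, no security impact` line should read "end-user"; also note that replacing the three per-release `<no-dsa> (Minor issue)` lines with a single `(unimportant)` on `- mupdf 1.22.1+ds1-1` drops the explicit `[buster]` entry too, which is fine if the CLI-hang rationale applies to every release, but worth confirming since buster is no longer covered by a line of its own.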


=====================================
data/dsa-needed.txt
=====================================
@@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa
 --
 cacti
 --
+composer
+--
 cryptojs
 --
 dnsdist (jmm)
@@ -26,6 +28,8 @@ gtkwave
 --
 h2o (jmm)
 --
+libgit2 (jmm)
+--
 libreswan (jmm)
   Maintainer prepared bookworm-security update, but needs work on bullseye-security backports
 --
@@ -38,6 +42,8 @@ nbconvert/oldstable
 --
 opennds/stable
 --
+openvswitch
+--
 php-cas/oldstable
 --
 php-dompdf-svg-lib/stable



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5088131400fb7dbfd9fa202f3ea3d6b0838be9a2
