[Git][security-tracker-team/security-tracker][master] bookworm / bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Feb 12 20:12:28 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b7fdf3ec by Moritz Muehlenhoff at 2024-02-12T21:11:24+01:00
bookworm / bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -177,6 +177,8 @@ CVE-2023-45696 (Sametime is impacted by sensitive fields with autocomplete enabl
 	NOT-FOR-US: HCL / Sametime application
 CVE-2024-25711 (diffoscope before 256 allows directory traversal via an embedded filen ...)
 	- diffoscope 256
+	[bookworm] - diffoscope <no-dsa> (Minor issue)
+	[bullseye] - diffoscope <no-dsa> (Minor issue)
 	[buster] - diffoscope <no-dsa> (Minor issue; fix it along the next DLA)
 	NOTE: https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361
 	NOTE: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/458f7f04bc053a0066aa7d2fd3251747d4899476 (256)
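Review bot: the new [bookworm] and [bullseye] lines carry only "Minor issue" while the existing [buster] line also records what will happen next ("fix it along the next DLA"); for a directory-traversal CVE it helps the next triager if the stable lines state the same kind of plan, e.g. "(Minor issue; can be fixed in a point release)" or whatever was decided, so that a bare "Minor issue" is not read as "never fix".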
@@ -205,16 +207,20 @@ CVE-2024-25448 (An issue in the imlib_free_image_and_decache function of imlib2
 CVE-2024-25447 (An issue in the imlib_load_image_with_error_return function of imlib2  ...)
 	TODO: check
 CVE-2024-25446 (An issue in the HuginBase::PTools::setDestImage function of Hugin v202 ...)
-	- hugin 2023.0~beta1+dfsg-1
+	- hugin 2023.0~beta1+dfsg-1 (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://bugs.launchpad.net/hugin/+bug/2025037
 CVE-2024-25445 (Improper handling of values in HuginBase::PTools::Transform::transform ...)
-	- hugin 2023.0~beta1+dfsg-1
+	- hugin 2023.0~beta1+dfsg-1 (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://bugs.launchpad.net/hugin/+bug/2025038
 CVE-2024-25443 (An issue in the HuginBase::ImageVariable<double>::linkWith function of ...)
-	- hugin 2023.0~beta1+dfsg-1
+	- hugin 2023.0~beta1+dfsg-1 (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://bugs.launchpad.net/hugin/+bug/2025035
 CVE-2024-25442 (An issue in the HuginBase::PanoramaMemento::loadPTScript function of H ...)
-	- hugin 2023.0~beta1+dfsg-1
+	- hugin 2023.0~beta1+dfsg-1 (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://bugs.launchpad.net/hugin/+bug/2025032
 CVE-2024-25318 (Code-projects Hotel Managment System 1.0 allows SQL Injection via the  ...)
 	NOT-FOR-US: Code-projects Hotel Managment System
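Review bot: the four hugin entries are consistently downgraded to (unimportant) with the same "Crash in CLI tool, no security impact" justification, which matches the bug links; note that the imlib2 entry CVE-2024-25447 in the context at the top of this hunk still reads "TODO: check", so this hunk leaves that neighbouring triage open.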
@@ -272,25 +278,25 @@ CVE-2023-6716
 CVE-2023-6677 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
 	NOT-FOR-US: Oduyo Financial Technology Online Collection
 CVE-2023-50386 (Improper Control of Dynamically-Managed Code Resources, Unrestricted U ...)
-	- lucene-solr <unfixed>
+	- lucene-solr 3.6.2+dfsg-23
 	NOTE: https://solr.apache.org/security.html#cve-2023-50386-apache-solr-backuprestore-apis-allow-for-deployment-of-executables-in-malicious-configsets
 	NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/1
-	TODO: check for older/ancient versions
+	NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version
 CVE-2023-50298 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
-	- lucene-solr <unfixed>
+	- lucene-solr 3.6.2+dfsg-23
 	NOTE: https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions
 	NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/2
-	TODO: check for older/ancient versions
+	NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version
 CVE-2023-50292 (Incorrect Permission Assignment for Critical Resource, Improper Contro ...)
-	- lucene-solr <unfixed>
+	- lucene-solr 3.6.2+dfsg-23
 	NOTE: https://solr.apache.org/security.html#cve-2023-50292-apache-solr-schema-designer-blindly-trusts-all-configsets-possibly-leading-to-rce-by-unauthenticated-users
 	NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/3
-	TODO: check for older/ancient versions
+	NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version
 CVE-2023-50291 (Insufficiently Protected Credentials vulnerability in Apache Solr.  Th ...)
-	- lucene-solr <unfixed>
+	- lucene-solr 3.6.2+dfsg-23
 	NOTE: https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies
 	NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/4
-	TODO: check for older/ancient versions
+	NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version
 CVE-2024-25107 (WikiDiscover is an extension designed for use with a CreateWiki manage ...)
 	NOT-FOR-US: MediaWiki extension
 CVE-2024-25106 (OpenObserve is a observability platform built specifically for logs, m ...)
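Review bot: replacing "TODO: check for older/ancient versions" with a NOTE that 3.6.2+dfsg-23 disables the server components answers the question for unstable only; none of the four entries gains a [bookworm], [bullseye] or [buster] line, so the tracker will report any release shipping a lucene-solr older than 3.6.2+dfsg-23 as vulnerable to Solr server-side issues. Either confirm those releases also lack the server components and mark them accordingly, or keep the TODO until that has been checked.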
@@ -486,6 +492,8 @@ CVE-2023-47020 (Multiple Cross-Site Request Forgery (CSRF) chaining in NCR Termi
 	NOT-FOR-US: NCR Terminal Handler
 CVE-2023-42282 (An issue in NPM IP Package v.1.1.8 and before allows an attacker to ex ...)
 	- node-ip <unfixed> (bug #1063535)
+	[bookworm] - node-ip <no-dsa> (Minor issue)
+	[bullseye] - node-ip <no-dsa> (Minor issue)
 	NOTE: https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/
 	NOTE: https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
 	NOTE: https://github.com/indutny/node-ip/issues/136
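Review bot: the node-ip entry gains [bookworm] and [bullseye] no-dsa markers but no [buster] line; if node-ip is shipped in buster, add a matching [buster] decision (no-dsa, end-of-life, or not-affected) so LTS triage does not have to revisit this entry.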
@@ -592,13 +600,21 @@ CVE-2024-24822 (Pimcore's Admin Classic Bundle provides a backend user interface
 	NOT-FOR-US: Pimcore's Admin Classic Bundle
 CVE-2024-24816 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor.  ...)
 	- ckeditor <unfixed> (bug #1063536)
+	[bookworm] - ckeditor <no-dsa> (Minor issue)
+	[bullseye] - ckeditor <no-dsa> (Minor issue)
 	- ckeditor3 <unfixed> (bug #1063537)
+	[bookworm] - ckeditor3 <no-dsa> (Minor issue)
+	[bullseye] - ckeditor3 <no-dsa> (Minor issue)
 	[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
 	NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76
 	NOTE: https://github.com/ckeditor/ckeditor4/commit/7518202f0f228ee5549a36ecb7cb880b06ea5add (4.24.0-lts)
 CVE-2024-24815 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor.  ...)
 	- ckeditor <unfixed> (bug #1063536)
+	[bookworm] - ckeditor <no-dsa> (Minor issue)
+	[bullseye] - ckeditor <no-dsa> (Minor issue)
 	- ckeditor3 <unfixed> (bug #1063537)
+	[bookworm] - ckeditor3 <no-dsa> (Minor issue)
+	[bullseye] - ckeditor3 <no-dsa> (Minor issue)
 	[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
 	NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm
 	NOTE: https://github.com/ckeditor/ckeditor4/commit/889315aa89de1d08f320990367ef4559551fdf9f (4.24.0-lts)
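Review bot: in both CVE-2024-24816 and CVE-2024-24815, ckeditor3 has a [buster] end-of-life line but ckeditor has none; if the ckeditor source package is also in buster, add a [buster] line for it next to the new [bookworm]/[bullseye] markers so the two packages are triaged symmetrically.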


=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ cryptojs
 --
 dnsdist (jmm)
 --
+engrampa
+--
 frr
 --
 gpac/oldstable
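Review bot: engrampa is added unassigned (no name in parentheses, unlike "dnsdist (jmm)"), which is fine for an open item, and its alphabetical placement between dnsdist and frr is correct; consider adding a short note of the CVE it is queued for, as the entry currently gives the next person no pointer back into data/CVE/list.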



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7fdf3ec3c5e0c2939b8fe1a13c19ec758e6a92a


