[Git][security-tracker-team/security-tracker][master] bookworm / bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Feb 12 20:12:28 GMT 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b7fdf3ec by Moritz Muehlenhoff at 2024-02-12T21:11:24+01:00
bookworm / bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -177,6 +177,8 @@ CVE-2023-45696 (Sametime is impacted by sensitive fields with autocomplete enabl
NOT-FOR-US: HCL / Sametime application
CVE-2024-25711 (diffoscope before 256 allows directory traversal via an embedded filen ...)
- diffoscope 256
+ [bookworm] - diffoscope <no-dsa> (Minor issue)
+ [bullseye] - diffoscope <no-dsa> (Minor issue)
[buster] - diffoscope <no-dsa> (Minor issue; fix it along the next DLA)
NOTE: https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361
NOTE: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/458f7f04bc053a0066aa7d2fd3251747d4899476 (256)
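Review bot: the two new `[bookworm]` and `[bullseye]` no-dsa lines give only "Minor issue", while the existing `[buster]` line in the same entry also records the intended path ("fix it along the next DLA"). For consistency it would help to state whether the stable/oldstable fix is expected via a point release, e.g. `[bookworm] - diffoscope <no-dsa> (Minor issue; fix via point release)`, so the triage intent is visible to whoever picks it up later.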
@@ -205,16 +207,20 @@ CVE-2024-25448 (An issue in the imlib_free_image_and_decache function of imlib2
CVE-2024-25447 (An issue in the imlib_load_image_with_error_return function of imlib2 ...)
TODO: check
CVE-2024-25446 (An issue in the HuginBase::PTools::setDestImage function of Hugin v202 ...)
- - hugin 2023.0~beta1+dfsg-1
+ - hugin 2023.0~beta1+dfsg-1 (unimportant)
+ NOTE: Crash in CLI tool, no security impact
NOTE: https://bugs.launchpad.net/hugin/+bug/2025037
CVE-2024-25445 (Improper handling of values in HuginBase::PTools::Transform::transform ...)
- - hugin 2023.0~beta1+dfsg-1
+ - hugin 2023.0~beta1+dfsg-1 (unimportant)
+ NOTE: Crash in CLI tool, no security impact
NOTE: https://bugs.launchpad.net/hugin/+bug/2025038
CVE-2024-25443 (An issue in the HuginBase::ImageVariable<double>::linkWith function of ...)
- - hugin 2023.0~beta1+dfsg-1
+ - hugin 2023.0~beta1+dfsg-1 (unimportant)
+ NOTE: Crash in CLI tool, no security impact
NOTE: https://bugs.launchpad.net/hugin/+bug/2025035
CVE-2024-25442 (An issue in the HuginBase::PanoramaMemento::loadPTScript function of H ...)
- - hugin 2023.0~beta1+dfsg-1
+ - hugin 2023.0~beta1+dfsg-1 (unimportant)
+ NOTE: Crash in CLI tool, no security impact
NOTE: https://bugs.launchpad.net/hugin/+bug/2025032
CVE-2024-25318 (Code-projects Hotel Managment System 1.0 allows SQL Injection via the ...)
NOT-FOR-US: Code-projects Hotel Managment System
@@ -272,25 +278,25 @@ CVE-2023-6716
CVE-2023-6677 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
NOT-FOR-US: Oduyo Financial Technology Online Collection
CVE-2023-50386 (Improper Control of Dynamically-Managed Code Resources, Unrestricted U ...)
- - lucene-solr <unfixed>
+ - lucene-solr 3.6.2+dfsg-23
NOTE: https://solr.apache.org/security.html#cve-2023-50386-apache-solr-backuprestore-apis-allow-for-deployment-of-executables-in-malicious-configsets
NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/1
- TODO: check for older/ancient versions
+ NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version
CVE-2023-50298 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
- - lucene-solr <unfixed>
+ - lucene-solr 3.6.2+dfsg-23
NOTE: https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions
NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/2
- TODO: check for older/ancient versions
+ NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version
CVE-2023-50292 (Incorrect Permission Assignment for Critical Resource, Improper Contro ...)
- - lucene-solr <unfixed>
+ - lucene-solr 3.6.2+dfsg-23
NOTE: https://solr.apache.org/security.html#cve-2023-50292-apache-solr-schema-designer-blindly-trusts-all-configsets-possibly-leading-to-rce-by-unauthenticated-users
NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/3
- TODO: check for older/ancient versions
+ NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version
CVE-2023-50291 (Insufficiently Protected Credentials vulnerability in Apache Solr. Th ...)
- - lucene-solr <unfixed>
+ - lucene-solr 3.6.2+dfsg-23
NOTE: https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies
NOTE: https://www.openwall.com/lists/oss-security/2024/02/09/4
- TODO: check for older/ancient versions
+ NOTE: Server components disabled in 3.6.2+dfsg-23, using that as the fixed version
CVE-2024-25107 (WikiDiscover is an extension designed for use with a CreateWiki manage ...)
NOT-FOR-US: MediaWiki extension
CVE-2024-25106 (OpenObserve is a observability platform built specifically for logs, m ...)
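Review bot: replacing `<unfixed>` with the fixed version `3.6.2+dfsg-23` for all four Solr CVEs answers the removed "TODO: check for older/ancient versions" only implicitly. Because the fix is "server components disabled" rather than a code change, any suite shipping a lucene-solr version older than 3.6.2+dfsg-23 will now show as vulnerable; the hunk should either confirm no supported suite carries such a version or add per-suite annotations (e.g. a `[bullseye]` line with the applicable status) so the NOTE and the version data agree.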
@@ -486,6 +492,8 @@ CVE-2023-47020 (Multiple Cross-Site Request Forgery (CSRF) chaining in NCR Termi
NOT-FOR-US: NCR Terminal Handler
CVE-2023-42282 (An issue in NPM IP Package v.1.1.8 and before allows an attacker to ex ...)
- node-ip <unfixed> (bug #1063535)
+ [bookworm] - node-ip <no-dsa> (Minor issue)
+ [bullseye] - node-ip <no-dsa> (Minor issue)
NOTE: https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/
NOTE: https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
NOTE: https://github.com/indutny/node-ip/issues/136
@@ -592,13 +600,21 @@ CVE-2024-24822 (Pimcore's Admin Classic Bundle provides a backend user interface
NOT-FOR-US: Pimcore's Admin Classic Bundle
CVE-2024-24816 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...)
- ckeditor <unfixed> (bug #1063536)
+ [bookworm] - ckeditor <no-dsa> (Minor issue)
+ [bullseye] - ckeditor <no-dsa> (Minor issue)
- ckeditor3 <unfixed> (bug #1063537)
+ [bookworm] - ckeditor3 <no-dsa> (Minor issue)
+ [bullseye] - ckeditor3 <no-dsa> (Minor issue)
[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76
NOTE: https://github.com/ckeditor/ckeditor4/commit/7518202f0f228ee5549a36ecb7cb880b06ea5add (4.24.0-lts)
CVE-2024-24815 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...)
- ckeditor <unfixed> (bug #1063536)
+ [bookworm] - ckeditor <no-dsa> (Minor issue)
+ [bullseye] - ckeditor <no-dsa> (Minor issue)
- ckeditor3 <unfixed> (bug #1063537)
+ [bookworm] - ckeditor3 <no-dsa> (Minor issue)
+ [bullseye] - ckeditor3 <no-dsa> (Minor issue)
[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm
NOTE: https://github.com/ckeditor/ckeditor4/commit/889315aa89de1d08f320990367ef4559551fdf9f (4.24.0-lts)
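Review bot: both CVE entries gain `[bookworm]` and `[bullseye]` no-dsa lines for `ckeditor` and `ckeditor3`, but only `ckeditor3` keeps a `[buster]` annotation (`<end-of-life>`). If `ckeditor` is also present in buster, it will remain listed as open for the LTS team; if it is not, that is fine as is, but a quick check would avoid the asymmetry going unnoticed. Also worth noting that the two entries share identical triage lines and bug numbers (#1063536, #1063537), which is expected since both CVEs are fixed by the same 4.24.0-lts release.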
=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ cryptojs
--
dnsdist (jmm)
--
+engrampa
+--
frr
--
gpac/oldstable
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7fdf3ec3c5e0c2939b8fe1a13c19ec758e6a92a