[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sat Feb 17 14:03:42 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
03264623 by Moritz Muehlenhoff at 2024-02-17T15:03:17+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1377,6 +1377,8 @@ CVE-2024-21624 (nonebot2 is a cross-platform Python asynchronous chatbot framewo
 	NOT-FOR-US: nonebot2
 CVE-2024-21490 (This affects versions of the package angular from 1.3.0. A regular exp ...)
 	- angular.js <unfixed>
+	[bookworm] - angular.js <no-dsa> (Minor issue)
+	[bullseye] - angular.js <no-dsa> (Minor issue)
 	[buster] - angular.js <postponed> (Fix along with the next DLA)
 	NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113
 CVE-2024-1406 (A vulnerability was found in Linksys WRT54GL 4.30.18. It has been decl ...)
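Review bot: the unstable line `- angular.js <unfixed>` carries no (bug #...) reference, while the libjwt and libowasp-antisamy-java entries triaged in this same commit do. With bookworm and bullseye now no-dsa and buster postponed to the next DLA, nothing in this entry points at where the eventual fix is tracked; consider recording the Debian bug number once one is filed.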
@@ -1654,6 +1656,8 @@ CVE-2024-25190 (l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify
 	NOT-FOR-US: l8w8jwt
 CVE-2024-25189 (libjwt 1.15.3 uses strcmp (which is not constant time) to verify authe ...)
 	- libjwt <unfixed> (bug #1063534)
+	[bookworm] - libjwt <no-dsa> (Minor issue)
+	[bullseye] - libjwt <no-dsa> (Minor issue)
 	NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/benmcollins%3Alibjwt.md
 	NOTE: https://github.com/benmcollins/libjwt/commit/f73bac57c5bece16ac24f1a70022aa34355fc1bf (v1.17.0)
 	NOTE: https://github.com/benmcollins/libjwt/commit/a5d61ef4f1b383876e0a78534383f38159471fd6 (v1.17.0)
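Review bot: the "Minor issue" rationale for the new bookworm/bullseye lines is not recorded; the description says the non-constant-time strcmp is used to verify authentication data, so a short justification (timing side channel only, for instance) would help whoever revisits the no-dsa decision. The two upstream commits are already annotated with the fixed version (v1.17.0), which is what a point-release backport would cherry-pick.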
@@ -2773,6 +2777,8 @@ CVE-2024-23824 (mailcow is a dockerized email package, with multiple containers
 	NOT-FOR-US: mailcow
 CVE-2024-23635 (AntiSamy is a library for performing fast, configurable cleansing of H ...)
 	- libowasp-antisamy-java <unfixed> (bug #1062846)
+	[bookworm] - libowasp-antisamy-java <no-dsa> (Minor issue)
+	[bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
 	NOTE: https://github.com/nahsra/antisamy/security/advisories/GHSA-2mrq-w8pv-5pvq
 CVE-2024-22851 (Directory Traversal Vulnerability in LiveConfig before v.2.5.2 allows  ...)
 	NOT-FOR-US: LiveConfig
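Review bot: only the GHSA advisory is referenced for libowasp-antisamy-java; the no-dsa entries for bookworm and bullseye would be easier to act on in a point update if the upstream fixing commit or fixed release were added as a NOTE, as is done for the libjwt entry elsewhere in this commit.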
@@ -3545,6 +3551,8 @@ CVE-2024-1030 (A vulnerability was found in Cogites eReserv 7.7.58. It has been
 	NOT-FOR-US: Cogites eReserv
 CVE-2024-1019 (ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypa ...)
 	- modsecurity 3.0.12-1
+	[bookworm] - modsecurity <no-dsa> (Minor issue)
+	[bullseye] - modsecurity <no-dsa> (Minor issue)
 	NOTE: https://owasp.org/www-project-modsecurity/tab_cves#cve-2024-1019-2024-01-30
 CVE-2024-0676 (Weak password requirement vulnerability   in Lamassu Bitcoin ATM Douro ...)
 	NOT-FOR-US: Lamassu Bitcoin ATM Douro machines
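Review bot: the bookworm and bullseye no-dsa lines classify a WAF bypass as a Minor issue without a recorded rationale. Since unstable is already at 3.0.12-1 and the description scopes the flaw to 3.0.0 through 3.0.11, a one-line note on why the bypass is considered minor (and confirmation that the stable versions fall in the affected range) would make the decision easier to revisit.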
@@ -9947,6 +9955,8 @@ CVE-2023-51775 (The jose4j component before 0.9.4 for Java allows attackers to c
 	NOTE: https://bitbucket.org/b_c/jose4j/commits/1afaa1e174b3
 CVE-2023-51774 (The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypa ...)
 	- ruby-json-jwt <unfixed>
+	[bookworm] - ruby-json-jwt <postponed> (Revisit when addressed upstream)
+	[bullseye] - ruby-json-jwt <postponed> (Revisit when addressed upstream)
 	NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/novjson-jwt.md
 	NOTE: https://github.com/nov/json-jwt/issues/113
 CVE-2023-51773 (BACnet Stack before 1.3.2 has a decode function APDU buffer over-read  ...)
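Review bot: "postponed (Revisit when addressed upstream)" matches the referenced open upstream issue #113, but the unstable line `- ruby-json-jwt <unfixed>` has no bug reference; filing a Debian bug and recording its number here would give the postponed entries a concrete trigger for the revisit.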
@@ -30375,6 +30385,7 @@ CVE-2023-38802 (FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow a
 	NOTE: https://github.com/FRRouting/frr/commit/46817adab03802355c3cce7b753c7a735bdcc5ae
 CVE-2023-38283 (In OpenBGPD before 8.1, incorrect handling of BGP update data (length  ...)
 	- openbgpd 8.1-1
+	[bookworm] - openbgpd <no-dsa> (Minor issue)
 	NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig
 CVE-2023-34039 (Aria Operations for Networks contains an Authentication Bypass vulnera ...)
 	NOT-FOR-US: VMware
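Review bot: only bookworm is triaged in this hunk; every other package touched by this commit gets a matching [bullseye] line, and none is added for openbgpd. If the bullseye version is unaffected, a `[bullseye] - openbgpd <not-affected>` line with the reason should say so; otherwise it needs the same no-dsa decision as bookworm.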


=====================================
data/dsa-needed.txt
=====================================
@@ -30,6 +30,8 @@ gtkwave
 --
 h2o (jmm)
 --
+imagemagick (jmm)
+--
 iwd (carnil)
 --
 libreswan (jmm)
@@ -48,7 +50,7 @@ opennds/stable
 --
 openvswitch
 --
-pdns-recursor
+pdns-recursor (jmm)
 --
 php-cas/oldstable
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03264623db87c09c7203a74eb9b04447ac3a756c
