[Git][security-tracker-team/security-tracker][master] 8 commits: data/dla-needed.txt: Triage iwd for buster LTS (CVE-2023-52161)
Chris Lamb (@lamby)
lamby at debian.org
Sun Feb 18 17:40:44 GMT 2024
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5297b690 by Chris Lamb at 2024-02-18T17:31:01+00:00
data/dla-needed.txt: Triage iwd for buster LTS (CVE-2023-52161)
- - - - -
9572bb5b by Chris Lamb at 2024-02-18T17:31:25+00:00
Triage CVE-2023-29483 in dnspython for buster LTS.
- - - - -
ee62ef4e by Chris Lamb at 2024-02-18T17:35:17+00:00
Triage CVE-2023-25951, CVE-2023-26586, CVE-2023-28374, CVE-2023-28720, CVE-2023-32642, CVE-2023-32644, CVE-2023-32651, CVE-2023-33875, CVE-2023-34983 & CVE-2023-35061 in firmware-nonfree for buster LTS.
- - - - -
8d0b627f by Chris Lamb at 2024-02-18T17:35:53+00:00
Triage CVE-2024-1019 in modsecurity for buster LTS.
- - - - -
707ac7bd by Chris Lamb at 2024-02-18T17:36:16+00:00
Triage CVE-2024-1454 in opensc for buster LTS.
- - - - -
c43fecd6 by Chris Lamb at 2024-02-18T17:37:41+00:00
Triage CVE-2024-25447, CVE-2024-25448 & CVE-2024-25450 in imlib2 for buster LTS.
- - - - -
59aa8e74 by Chris Lamb at 2024-02-18T17:38:13+00:00
Triage CVE-2024-23635 in libowasp-antisamy-java for buster LTS.
- - - - -
8e06b533 by Chris Lamb at 2024-02-18T17:38:51+00:00
Triage CVE-2023-1932 in libhibernate-validator-java for buster LTS.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -565,6 +565,7 @@ CVE-2023-35061 (Improper initialization for some Intel(R) PROSet/Wireless and In
- firmware-nonfree <unfixed>
[bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html
NOTE: Fixed upstream in linux-firmware/20231211
CVE-2023-35060 (Uncontrolled search path in some Intel(R) Battery Life Diagnostic Tool ...)
@@ -575,6 +576,7 @@ CVE-2023-34983 (Improper input validation for some Intel(R) PROSet/Wireless and
- firmware-nonfree <unfixed>
[bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html
NOTE: Fixed upstream in linux-firmware/20231211
CVE-2023-34351 (Buffer underflow in some Intel(R) PCM software before version 202307 m ...)
@@ -585,6 +587,7 @@ CVE-2023-33875 (Improper access control for some Intel(R) PROSet/Wireless and In
- firmware-nonfree <unfixed>
[bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html
NOTE: Fixed upstream in linux-firmware/20231211
CVE-2023-33870 (Insecure inherited permissions in some Intel(R) Ethernet tools and dri ...)
@@ -593,6 +596,7 @@ CVE-2023-32651 (Improper validation of specified type of input for some Intel(R)
- firmware-nonfree <unfixed>
[bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html
NOTE: Fixed upstream in linux-firmware/20231211
CVE-2023-32647 (Improper access control in some Intel(R) XTU software before version 7 ...)
@@ -603,12 +607,14 @@ CVE-2023-32644 (Protection mechanism failure for some Intel(R) PROSet/Wireless a
- firmware-nonfree <unfixed>
[bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html
NOTE: Fixed upstream in linux-firmware/20231211
CVE-2023-32642 (Insufficient adherence to expected conventions for some Intel(R) PROSe ...)
- firmware-nonfree <unfixed>
[bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html
NOTE: Fixed upstream in linux-firmware/20231211
CVE-2023-32618 (Uncontrolled search path in some Intel(R) oneAPI Toolkit and component ...)
@@ -627,12 +633,14 @@ CVE-2023-28720 (Improper initialization for some Intel(R) PROSet/Wireless and In
- firmware-nonfree <unfixed>
[bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html
NOTE: Fixed upstream in linux-firmware/20231211
CVE-2023-28374 (Improper input validation for some Intel(R) PROSet/Wireless and Intel( ...)
- firmware-nonfree <unfixed>
[bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html
NOTE: Fixed upstream in linux-firmware/20231211
CVE-2023-49721 (An insecure default to allow UEFI Shell in EDK2 was left enabled in LX ...)
@@ -1207,6 +1215,7 @@ CVE-2024-1454 (The use-after-free vulnerability was found in the AuthentIC drive
- opensc <unfixed>
[bookworm] - opensc <no-dsa> (Minor issue)
[bullseye] - opensc <no-dsa> (Minor issue)
+ [buster] - opensc <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2263929
NOTE: Fixed by: https://github.com/OpenSC/OpenSC/commit/5835f0d4f6c033bd58806d33fa546908d39825c9
CVE-2023-6681 (A vulnerability was found in JWCrypto. This flaw allows an attacker to ...)
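Review bot: the new `[buster] - opensc <no-dsa> (Minor issue)` line copies the reason string from bullseye and bookworm, but the hunk header describes CVE-2024-1454 as a use-after-free and the two NOTE lines only link the Red Hat bug and the fixing commit; a short NOTE stating why the issue is rated minor (for example the precondition the upstream commit message describes) would make the no-dsa decision reviewable without following the links.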
@@ -1432,18 +1441,21 @@ CVE-2024-25451 (Bento4 v1.6.0-640 was discovered to contain an out-of-memory bug
CVE-2024-25450 (imlib2 v1.9.1 was discovered to mishandle memory allocation in the fun ...)
- imlib2 1.10.0-2
[bullseye] - imlib2 <no-dsa> (Minor issue)
+ [buster] - imlib2 <no-dsa> (Minor issue)
NOTE: https://github.com/derf/feh/issues/712
NOTE: https://git.enlightenment.org/old/legacy-imlib2/issues/20
NOTE: Fixed by: https://git.enlightenment.org/old/legacy-imlib2/commit/e9c09deb08047c9e902ce37144e82b6edb8aedb6 (v1.10.0)
CVE-2024-25448 (An issue in the imlib_free_image_and_decache function of imlib2 v1.9.1 ...)
- imlib2 1.10.0-2
[bullseye] - imlib2 <no-dsa> (Minor issue)
+ [buster] - imlib2 <no-dsa> (Minor issue)
NOTE: https://github.com/derf/feh/issues/711
NOTE: https://git.enlightenment.org/old/legacy-imlib2/issues/20
NOTE: Fixed by: https://git.enlightenment.org/old/legacy-imlib2/commit/e9c09deb08047c9e902ce37144e82b6edb8aedb6 (v1.10.0)
CVE-2024-25447 (An issue in the imlib_load_image_with_error_return function of imlib2 ...)
- imlib2 1.10.0-2
[bullseye] - imlib2 <no-dsa> (Minor issue)
+ [buster] - imlib2 <no-dsa> (Minor issue)
NOTE: https://github.com/derf/feh/issues/709
NOTE: https://git.enlightenment.org/old/legacy-imlib2/issues/20
NOTE: Fixed by: https://git.enlightenment.org/old/legacy-imlib2/commit/e9c09deb08047c9e902ce37144e82b6edb8aedb6 (v1.10.0)
@@ -2781,6 +2793,7 @@ CVE-2024-23635 (AntiSamy is a library for performing fast, configurable cleansin
- libowasp-antisamy-java <unfixed> (bug #1062846)
[bookworm] - libowasp-antisamy-java <no-dsa> (Minor issue)
[bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
+ [buster] - libowasp-antisamy-java <no-dsa> (Minor issue)
NOTE: https://github.com/nahsra/antisamy/security/advisories/GHSA-2mrq-w8pv-5pvq
CVE-2024-22851 (Directory Traversal Vulnerability in LiveConfig before v.2.5.2 allows ...)
NOT-FOR-US: LiveConfig
@@ -3555,6 +3568,7 @@ CVE-2024-1019 (ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF
- modsecurity 3.0.12-1
[bookworm] - modsecurity <no-dsa> (Minor issue)
[bullseye] - modsecurity <no-dsa> (Minor issue)
+ [buster] - modsecurity <no-dsa> (Minor issue)
NOTE: https://owasp.org/www-project-modsecurity/tab_cves#cve-2024-1019-2024-01-30
CVE-2024-0676 (Weak password requirement vulnerability in Lamassu Bitcoin ATM Douro ...)
NOT-FOR-US: Lamassu Bitcoin ATM Douro machines
@@ -49449,6 +49463,7 @@ CVE-2023-29483
- dnspython 2.6.0-1
[bookworm] - dnspython <ignored> (Minor issue)
[bullseye] - dnspython <ignored> (Minor issue)
+ [buster] - dnspython <ignored> (Minor issue)
NOTE: https://www.dnspython.org/news/2.6.0rc1/
NOTE: https://github.com/rthalley/dnspython/commit/f66e25b5f549acf66d1fb6ead13eb3cff7d09af3 (v2.6.0rc1)
NOTE: https://github.com/rthalley/dnspython/commit/e093299a49967696b1c58b68e4767de5031a3e46 (v2.6.0)
@@ -49535,6 +49550,7 @@ CVE-2023-1932 [rendering of invalid html with SafeHTML leads to HTML injection a
- libhibernate-validator-java <unfixed> (bug #1063540)
[bookworm] - libhibernate-validator-java <no-dsa> (Minor issue)
[bullseye] - libhibernate-validator-java <no-dsa> (Minor issue)
+ [buster] - libhibernate-validator-java <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1809444
CVE-2023-1931 (The WP Fastest Cache plugin for WordPress is vulnerable to unauthorize ...)
NOT-FOR-US: WP Fastest Cache plugin for WordPress
@@ -56275,12 +56291,14 @@ CVE-2023-26586 (Uncaught exception for some Intel(R) PROSet/Wireless and Intel(R
- firmware-nonfree <unfixed>
[bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html
NOTE: Fixed upstream in linux-firmware/20231211
CVE-2023-25951 (Improper input validation for some Intel(R) PROSet/Wireless and Intel( ...)
- firmware-nonfree <unfixed>
[bookworm] - firmware-nonfree <no-dsa> (Non-free not supported)
[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [buster] - firmware-nonfree <no-dsa> (non-free not supported)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html
NOTE: Fixed upstream in linux-firmware/20231211
CVE-2023-25757 (Improper access control in some Intel(R) Unison(TM) software before ve ...)
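Review bot: the added line for CVE-2023-25951 spells the reason as `(non-free not supported)` with a lowercase n, while every other `[buster]` line in this series, including the CVE-2023-26586 entry directly above it, uses `(Non-free not supported)`; change it to `+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)` so the reason strings stay identical and a grep over the file matches all of them.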
=====================================
data/dla-needed.txt
=====================================
@@ -122,6 +122,9 @@ imagemagick
NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk)
NOTE: 20231014: Some work under git branch debian/buster but unease
--
+iwd
+ NOTE: 20240218: Added by Front-Desk (lamby)
+--
jenkins-htmlunit-core-js
NOTE: 20231231: Added by Front-Desk (lamby)
NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick glance
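Review bot: the new `iwd` entry carries only the `Added by Front-Desk (lamby)` NOTE and does not name the issue it was added for; the id CVE-2023-52161 appears only in the commit message, so a second NOTE line next to the existing one that records that CVE would make the entry self-describing for whoever picks it up from dla-needed.txt.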
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6608ae8e8e4d17d842cd4f40112877cef78885cb...8e06b533b9b4a55b960b2c548ba9a4618d787ad9