[Git][security-tracker-team/security-tracker][master] new ruby-rack-cors issue

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Feb 26 12:52:15 GMT 2024 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
99f819b7 by Moritz Muehlenhoff at 2024-02-26T13:51:28+01:00
new ruby-rack-cors issue
resolve a few TODOs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,5 +1,6 @@
 CVE-2024-27456 (rack-cors (aka Rack CORS Middleware) 2.0.1 has 0666 permissions for th ...)
-	TODO: check
+	- ruby-rack-cors <unfixed>
+	NOTE: https://github.com/cyu/rack-cors/issues/274
 CVE-2024-27455 (In the Bentley ALIM Web application, certain configuration settings ca ...)
 	NOT-FOR-US: Bentley
 CVE-2024-27454 (orjson.loads in orjson before 3.9.15 does not limit recursion for deep ...)
@@ -4390,7 +4391,7 @@ CVE-2024-0323 (Use of a Broken or Risky Cryptographic Algorithm vulnerability in
 CVE-2023-7216 (A path traversal vulnerability was found in the CPIO utility. This iss ...)
 	- cpio <unfixed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2249901
-	TODO: check upstream reporting
+	NOTE: https://lists.gnu.org/archive/html/bug-cpio/2024-02/msg00000.html
 CVE-2023-6874 (Prior to v7.4.0, Ember ZNet is vulnerable to a denial of service attac ...)
 	NOT-FOR-US: Ember ZNet
 CVE-2023-6028 (A reflected cross-site scripting (XSS) vulnerability exists in the SVG ...)
@@ -5296,7 +5297,6 @@ CVE-2024-1062 (A heap overflow flaw was found in 389-ds-base. This issue leads t
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2261879
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256711
 	NOTE: https://github.com/389ds/389-ds-base/issues/5647
-	TODO: check details
 CVE-2023-5992 (A vulnerability was found in OpenSC where PKCS#1 encryption padding re ...)
 	- opensc 0.25.0~rc1-1 (bug #1064189)
 	[bookworm] - opensc <no-dsa> (Minor issue)
@@ -7543,7 +7543,6 @@ CVE-2021-4435 (An untrusted search path vulnerability was found in Yarn. When a
 	[buster] - node-yarnpkg <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2262284
 	NOTE: Fixed by: https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1 (v1.22.12)
-	TODO: check, too few details in RHBZ#2262284
 CVE-2021-4433 (A vulnerability was found in Karjasoft Sami HTTP Server 2.0. It has be ...)
 	NOT-FOR-US: Karjasoft Sami HTTP Server
 CVE-2024-22365 (linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a den ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99f819b7d3826cde5588de7fa246d9d3814ca9b9

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99f819b7d3826cde5588de7fa246d9d3814ca9b9
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240226/2ffadbc9/attachment.htm>

More information about the debian-security-tracker-commits mailing list