[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Jan 4 11:39:54 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
99f1bf0a by Moritz Muehlenhoff at 2024-01-04T12:39:24+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -133,6 +133,7 @@ CVE-2023-50090 (Arbitrary File Write vulnerability in the saveReportFile method
 	NOT-FOR-US: ureport
 CVE-2023-46929 (An issue discovered in GPAC 2.3-DEV-rev605-gfc9e29089-master in MP4Box ...)
 	- gpac <unfixed>
+	[bullseye] - gpac <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/gpac/gpac/issues/2662
 	NOTE: https://github.com/gpac/gpac/commit/4248def5d24325aeb0e35cacde3d56c9411816a6
 CVE-2023-46742 (CubeFS is an open-source cloud-native file storage system. CubeFS prio ...)
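Review bot: the new `[bullseye] - gpac <not-affected> (Vulnerable code not present)` line leaves bookworm with no release annotation, so bookworm inherits the bare `- gpac <unfixed>` state and will show as open for this CVE. If the code touched by the linked fix commit (4248def5) is also absent from bookworm's gpac, add a matching `[bookworm] - gpac <not-affected> (Vulnerable code not present)`; if it is present, an explicit `[bookworm]` triage line (no-dsa or otherwise) records the decision instead of leaving it implied.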
@@ -179,22 +180,34 @@ CVE-2024-21623 (OTCLient is an alternative tibia client for otserv. Prior to com
 	NOT-FOR-US: OTCLient
 CVE-2024-0211 (DOCSIS dissector crash in Wireshark 4.2.0 allows denial of service via ...)
 	- wireshark <unfixed> (bug #1059925)
+	[bookworm] - wireshark <no-dsa> (Minor issue)
+	[bullseye] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2024-05.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19557
 CVE-2024-0210 (Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of service ...)
 	- wireshark <unfixed> (bug #1059925)
+	[bookworm] - wireshark <no-dsa> (Minor issue)
+	[bullseye] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2024-04.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19504
 CVE-2024-0209 (IEEE 1609.2 dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3 ...)
 	- wireshark <unfixed> (bug #1059925)
+	[bookworm] - wireshark <no-dsa> (Minor issue)
+	[bullseye] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2024-02.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19501
+	NOTE: The bug references two crashes, this is for the one labelled "BUG log 2",
+	NOTE: the more severe "Bug log 1" only affected unreleased versions
 CVE-2024-0208 (GVCP dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6.0 to ...)
 	- wireshark <unfixed> (bug #1059925)
+	[bookworm] - wireshark <no-dsa> (Minor issue)
+	[bullseye] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2024-01.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19496
 CVE-2024-0207 (HTTP3 dissector crash in Wireshark 4.2.0 allows denial of service via  ...)
 	- wireshark <unfixed> (bug #1059925)
+	[bookworm] - wireshark <no-dsa> (Minor issue)
+	[bullseye] - wireshark <no-dsa> (Minor issue)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2024-03.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19502
 CVE-2024-0196 (A vulnerability has been found in Magic-Api up to 2.0.1 and classified ...)
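Review bot: the `<no-dsa> (Minor issue)` markers for CVE-2024-0211, CVE-2024-0210 and CVE-2024-0207 may be the wrong state: their descriptions name only Wireshark 4.2.0 as affected, whereas CVE-2024-0209 and CVE-2024-0208 explicitly extend to 4.0.0 to 4.0.11 and 3.6.x. If the bookworm and bullseye packages predate 4.2.0 and the DOCSIS, Zigbee TLV and HTTP3 dissector code at issue is not in them, `<not-affected> (Vulnerable code not present)` is the precise marker; the affected ranges in the linked wnpa-sec-2024-05, -04 and -03 advisories should settle this before no-dsa is kept. Minor: the NOTE under CVE-2024-0209 writes "BUG log 2" and "Bug log 1" with different capitalisation; use one spelling so the reference to the upstream issue is unambiguous.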
@@ -246,19 +259,24 @@ CVE-2023-50019 (An issue was discovered in open5gs v2.6.6. InitialUEMessage, Reg
 CVE-2023-4164 (There is a possible informationdisclosure due to a missing permission  ...)
 	NOT-FOR-US: Google Pixel Watch
 CVE-2023-49558 (An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a de ...)
-	- yasm <unfixed>
+	- yasm <unfixed> (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://github.com/yasm/yasm/issues/252
 CVE-2023-49557 (An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a de ...)
-	- yasm <unfixed>
+	- yasm <unfixed> (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://github.com/yasm/yasm/issues/253
 CVE-2023-49556 (Buffer Overflow vulnerability in YASM 1.3.0.86.g9def allows a remote a ...)
-	- yasm <unfixed>
+	- yasm <unfixed> (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://github.com/yasm/yasm/issues/250
 CVE-2023-49555 (An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a de ...)
-	- yasm <unfixed>
+	- yasm <unfixed> (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://github.com/yasm/yasm/issues/248
 CVE-2023-49554 (Use After Free vulnerability in YASM 1.3.0.86.g9def allows a remote at ...)
-	- yasm <unfixed>
+	- yasm <unfixed> (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://github.com/yasm/yasm/issues/249
 CVE-2023-49553 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a den ...)
 	NOT-FOR-US: Cesenta MJS
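Review bot: the rationale `Crash in CLI tool, no security impact`, repeated for all five yasm entries, sits uneasily beside CVE-2023-49556 (Buffer Overflow) and CVE-2023-49554 (Use After Free), which are memory-safety defects rather than plain crashes. The `(unimportant)` rating is defensible for an assembler that only processes locally supplied source, but the NOTE should give that reason explicitly, e.g. `NOTE: Memory corruption in the yasm CLI when assembling attacker-supplied source, no trust boundary crossed`, since "no security impact" does not by itself explain why the "remote attacker" wording in the CVE descriptions does not apply.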
@@ -1246,6 +1264,8 @@ CVE-2023-51363 (VR-S1000 firmware Ver. 2.37 and earlier allows a network-adjacen
 	NOT-FOR-US: VR-S1000 firmware
 CVE-2023-50658 (The jose2go component before 1.6.0 for Go allows attackers to cause a  ...)
 	- golang-github-dvsekhvalnov-jose2go <unfixed> (bug #1059507)
+	[bookworm] - golang-github-dvsekhvalnov-jose2go <no-dsa> (Minor issue)
+	[bullseye] - golang-github-dvsekhvalnov-jose2go <no-dsa> (Minor issue)
 	NOTE: https://github.com/dvsekhvalnov/jose2go/commit/a4584e9dd7128608fedbc67892eba9697f0d5317 (v1.6.0)
 CVE-2023-50339 (Stored cross-site scripting vulnerability exists in the User Managemen ...)
 	NOT-FOR-US: GROWI
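Review bot: the `<no-dsa> (Minor issue)` lines for golang-github-dvsekhvalnov-jose2go record no reminder that this is a Go library, where updating the library package alone does not reach statically linked reverse dependencies; if the fix later goes in via a point release, the consumers need rebuilds, and a NOTE to that effect at triage time keeps it from being missed. The existing NOTE pinning the upstream fix to commit a4584e9 (v1.6.0) is the right level of detail for a later backport.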
@@ -51199,6 +51219,8 @@ CVE-2023-26160
 	RESERVED
 CVE-2023-26159 (Versions of the package follow-redirects before 1.15.4 are vulnerable  ...)
 	- node-follow-redirects <unfixed> (bug #1059926)
+	[bookworm] - node-follow-redirects <no-dsa> (Minor issue)
+	[bullseye] - node-follow-redirects <no-dsa> (Minor issue)
 	NOTE: https://security.snyk.io/vuln/SNYK-JS-FOLLOWREDIRECTS-6141137
 	NOTE: https://github.com/follow-redirects/follow-redirects/issues/235
 	NOTE: https://github.com/follow-redirects/follow-redirects/pull/236
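Review bot: the three NOTE lines for CVE-2023-26159 link the Snyk advisory, the upstream issue and the PR but do not pin the fixing commit or tag, although the description states that versions before 1.15.4 are affected. For consistency with the jose2go entry above, which records `commit/a4584e9... (v1.6.0)`, add the merged commit from PR 236 or the `v1.15.4` tag so a bookworm/bullseye backport has an unambiguous reference.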


=====================================
data/dsa-needed.txt
=====================================
@@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa
 --
 asterisk (apo)
 --
+cacti
+--
 chromium (dilinger)
 --
 cryptojs
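Review bot: `cacti` is added to dsa-needed.txt with neither an assignee nor a note, whereas the neighbouring `asterisk (apo)` and `chromium (dilinger)` name who is working on them. Leaving it unclaimed is fine, but a short note under the entry listing the triggering CVEs and whether an upstream fix exists saves the next person re-deriving the state from data/CVE/list; and per the file header (`If needed, specify the release by adding a slash ...`), add `/bookworm` or `/bullseye` if only one release actually needs the update.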



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99f1bf0a58c73efe3599c44f0d0c87ca91c58169


