[Git][security-tracker-team/security-tracker][master] 5 commits: Triage CVE-2024-22365 in pam for buster LTS.

Chris Lamb (@lamby) lamby at debian.org
Fri Jan 19 15:17:53 GMT 2024



Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e9657309 by Chris Lamb at 2024-01-19T07:14:13-08:00
Triage CVE-2024-22365 in pam for buster LTS.

- - - - -
1c0a7782 by Chris Lamb at 2024-01-19T07:14:38-08:00
Triage CVE-2023-50658 in golang-github-dvsekhvalnov-jose2go for buster LTS.

- - - - -
eac2152c by Chris Lamb at 2024-01-19T07:15:01-08:00
Triage CVE-2024-22368 in libspreadsheet-parsexlsx-perl for buster LTS.

- - - - -
304bbdbe by Chris Lamb at 2024-01-19T07:15:37-08:00
Triage CVE-2024-23659 in spip for buster LTS.

- - - - -
27854d72 by Chris Lamb at 2024-01-19T07:17:24-08:00
data/dla-needed.txt: Triage qemu for buster LTS (CVE-2023-1544 & CVE-2023-3354)

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -237,6 +237,7 @@ CVE-2024-22365 [pam_namespace: protect_dir(): use O_DIRECTORY to prevent local D
 	- pam <unfixed> (bug #1061097)
 	[bookworm] - pam <no-dsa> (Minor issue)
 	[bullseye] - pam <no-dsa> (Minor issue)
+	[buster] - pam <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2024/01/18/3
 	NOTE: https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb (v1.6.0)
 CVE-2023-6596
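Review bot: with the new [buster] line, pam is now no-dsa in all three stable suites while unstable is still <unfixed> (bug #1061097), so nothing in this entry records whether the linked v1.6.0 commit (the O_DIRECTORY change in pam_namespace's protect_dir()) was looked at for the older suites; a short NOTE saying so, or the reason it is considered minor, would spare the next person re-doing the triage.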
@@ -1282,6 +1283,7 @@ CVE-2024-23659 (SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the nam
 	- spip 4.1.15+dfsg-1
 	[bookworm] - spip <no-dsa> (Minor issue)
 	[bullseye] - spip <not-affected> (Vulnerable code not present)
+	[buster] - spip <not-affected> (Vulnerable code not present)
 	NOTE: https://git.spip.net/spip/bigup/commit/ada821c076d67d1147a195178223d0b4a6d8cecc
 	NOTE: https://git.spip.net/spip/bigup/commit/0757f015717cb72b84dba0e9a375ec71caddf1c2
 	NOTE: https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-8-SPIP-4-1-14.html?lang=fr
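Review bot: the buster <not-affected> line reuses bullseye's "Vulnerable code not present" justification, but the description scopes the issue to SPIP before 4.1.14 and 4.2.x before 4.2.8, and both fix commits are in the bigup plugin; it is worth confirming against those two commits that the affected code path is indeed absent from the spip shipped in buster rather than inferring it from the bullseye entry, and noting that in a NOTE if it was checked.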
@@ -2113,6 +2115,7 @@ CVE-2024-22368 (The Spreadsheet::ParseXLSX package before 0.28 for Perl can enco
 	- libspreadsheet-parsexlsx-perl 0.29-1
 	[bookworm] - libspreadsheet-parsexlsx-perl <no-dsa> (Minor issue; DoS, can be fixed in point release)
 	[bullseye] - libspreadsheet-parsexlsx-perl <no-dsa> (Minor issue; DoS, can be fixed in point release)
+	[buster] - libspreadsheet-parsexlsx-perl <no-dsa> (Minor issue)
 	NOTE: https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md
 	NOTE: Fixed by: https://github.com/MichaelDaum/spreadsheet-parsexlsx/commit/39b25b91fcb939a9c8ea807fdc80386c1ae5be0c (0.28)
 	NOTE: Minor rewrite followup: https://github.com/MichaelDaum/spreadsheet-parsexlsx/commit/47ff82d74fbd014b8ec3cab80fa4fd25db9e8242
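Review bot: the new [buster] line drops the "DoS, can be fixed in point release" qualifier carried by the bookworm and bullseye lines; dropping "can be fixed in point release" is right since buster no longer gets point releases, but keeping "DoS" would preserve the reason the issue is rated minor. Also, the NOTE lines list both the fixing commit (0.28) and a "Minor rewrite followup" commit, so any later LTS backport should pick up both rather than only the first.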
@@ -4389,6 +4392,7 @@ CVE-2023-50658 (The jose2go component before 1.6.0 for Go allows attackers to ca
 	- golang-github-dvsekhvalnov-jose2go <unfixed> (bug #1059507)
 	[bookworm] - golang-github-dvsekhvalnov-jose2go <no-dsa> (Minor issue)
 	[bullseye] - golang-github-dvsekhvalnov-jose2go <no-dsa> (Minor issue)
+	[buster] - golang-github-dvsekhvalnov-jose2go <no-dsa> (Minor issue)
 	NOTE: https://github.com/dvsekhvalnov/jose2go/commit/a4584e9dd7128608fedbc67892eba9697f0d5317 (v1.6.0)
 CVE-2023-50339 (Stored cross-site scripting vulnerability exists in the User Managemen ...)
 	NOT-FOR-US: GROWI


=====================================
data/dla-needed.txt
=====================================
@@ -193,6 +193,10 @@ python-os-brick
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
 --
+qemu
+  NOTE: 20240119: Added by Front-Desk (lamby)
+  NOTE: 20240119: CVE-2023-1544 and CVE-2023-3354 already fixed in bullseye via DSA or point releases; to be fixed or <ignored>. (lamby)
+--
 rails
   NOTE: 20220909: Re-added due to regression (abhijith)
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
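Review bot: the 20240119 NOTE says CVE-2023-1544 and CVE-2023-3354 were fixed in bullseye "via DSA or point releases" without naming which; recording the bullseye fixed version or the DSA id per CVE in the NOTE would save the next LTS worker a lookup in data/CVE/list and make the "to be fixed or <ignored>" decision easier to review.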



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9e815576af40189b41a25e9e45ac3397e994de86...27854d722fae2fa0488177670a66ab6c80b8b9c6
