[Git][security-tracker-team/security-tracker][master] 18 commits: CVE-2022-41678,activemq: mark as unimportant
Markus Koschany (@apo)
apo at debian.org
Sun Jan 21 19:40:15 GMT 2024
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
03d4849f by Markus Koschany at 2024-01-21T20:39:28+01:00
CVE-2022-41678,activemq: mark as unimportant
We don't ship or use Jolokia. The assembly module in ActiveMQ is also
ignored/disabled by default.
- - - - -
3ea987f1 by Markus Koschany at 2024-01-21T20:39:29+01:00
CVE-2023-6879,aom: Buster is postponed
Minor issue. Hard to see the security impact here. Can be fixed later.
- - - - -
ea933894 by Markus Koschany at 2024-01-21T20:39:29+01:00
Add atril to dla-needed.txt
- - - - -
38a44441 by Markus Koschany at 2024-01-21T20:39:29+01:00
Add exiftags to dla-needed.txt
- - - - -
71338533 by Markus Koschany at 2024-01-21T20:39:29+01:00
Add freeimage to dla-needed.txt
- - - - -
6af4d6bb by Markus Koschany at 2024-01-21T20:39:30+01:00
CVE-2024-22211,freerdp2: Buster is postponed
Minor issue, can be fixed later.
- - - - -
802c59fb by Markus Koschany at 2024-01-21T20:39:30+01:00
Add jinja2 to dla-needed.txt
- - - - -
10676421 by Markus Koschany at 2024-01-21T20:39:30+01:00
Add libspreadsheet-parsexlsx-perl to dla-needed.txt
- - - - -
310fe293 by Markus Koschany at 2024-01-21T20:39:32+01:00
CVE-2023-0437,mongo-c-driver: Buster is ignored
Minor issue
- - - - -
e8938541 by Markus Koschany at 2024-01-21T20:39:32+01:00
Add nss to dla-needed.txt
- - - - -
73d72703 by Markus Koschany at 2024-01-21T20:39:32+01:00
Add openjdk-11 to dla-needed.txt
- - - - -
9c6b5418 by Markus Koschany at 2024-01-21T20:39:33+01:00
CVE-2023-50262,php-dompdf: Buster is not-affected
SVG images are rejected by default. See also the test case for CVE-2021-3902.
- - - - -
0ca9fefc by Markus Koschany at 2024-01-21T20:39:33+01:00
Add pillow to dla-needed.txt
- - - - -
21b4556b by Markus Koschany at 2024-01-21T20:39:33+01:00
Add rear to dla-needed.txt
- - - - -
eaf23c37 by Markus Koschany at 2024-01-21T20:39:33+01:00
Add ruby-httparty to dla-needed.txt
- - - - -
9a1853c9 by Markus Koschany at 2024-01-21T20:39:34+01:00
CVE-2023-46749,shiro: Debian is not affected
The blockSemicolon feature has been introduced with the fix for CVE-2020-13933.
It is enabled by default. Mark CVE-2023-46749 fixed by the same versions as
CVE-2020-13933.
- - - - -
ca0ea21c by Markus Koschany at 2024-01-21T20:39:36+01:00
CVE-2023-48104,sogo: Buster is ignored
Minor issue similar to the previously ignored ones.
- - - - -
4ddb296c by Markus Koschany at 2024-01-21T20:39:36+01:00
Claim tomcat9 in dla-needed.txt
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -129,6 +129,7 @@ CVE-2024-22562 (swftools 0.9.2 was discovered to contain a Stack Buffer Underflo
NOTE: https://github.com/matthiaskramm/swftools/issues/210
CVE-2024-22211 (FreeRDP is a set of free and open source remote desktop protocol libra ...)
- freerdp2 <unfixed> (bug #1061173)
+ [buster] - freerdp2 <postponed> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rjhp-44rv-7v59
NOTE: https://github.com/FreeRDP/FreeRDP/commit/939e922936e9c3ae8fc204968645e5e7563a2fff (3.2.0)
NOTE: https://github.com/FreeRDP/FreeRDP/commit/aeac3040cc99eeaff1e1171a822114c857b9dca9 (2.11.5)
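Review bot: the new `[buster] - freerdp2 <postponed> (Minor issue)` line gives no hint that a fix already exists on the 2.x branch, even though the NOTE two lines below records the upstream commit aeac3040cc99eeaff1e1171a822114c857b9dca9 as shipped in 2.11.5, which is the branch closest to buster's freerdp2. Consider extending the postponed reason, for example `(Minor issue; 2.11.5 fix backportable)`, so the next triager does not have to rediscover that the 2.x backport is available.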
@@ -1112,6 +1113,7 @@ CVE-2023-49106 (Missing Password Field Masking vulnerability in Hitachi Device M
NOT-FOR-US: Hitachi
CVE-2023-48104 (Alinto SOGo before 5.9.1 is vulnerable to HTML Injection.)
- sogo <unfixed> (bug #1060925)
+ [buster] - sogo <ignored> (Minor issue)
NOTE: Fixed by: https://github.com/Alinto/sogo/commit/7481ccf37087c3f456d7e5a844da01d0f8883098 (SOGo-5.9.1)
CVE-2023-47460 (SQL injection vulnerability in Knovos Discovery v.22.67.0 allows a rem ...)
NOT-FOR-US: Knovos Discovery
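Review bot: `[buster] - sogo <ignored> (Minor issue)` uses the same justification text as the `<postponed>` entries elsewhere in this change (freerdp2, aom), yet `<ignored>` is the stronger, final disposition. Since the CVE description already names the issue class (HTML injection), a reason such as `(Minor issue, HTML injection; no fix planned for buster)` would make clear why this one is ignored rather than postponed.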
@@ -1443,7 +1445,9 @@ CVE-2022-4962 (A vulnerability was found in Apollo 2.0.0/2.0.1 and classified as
CVE-2023-50290 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
- lucene-solr <not-affected> (Vulnerable code not yet present)
CVE-2023-46749 (Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a p ...)
- - shiro <unfixed> (bug #1060754)
+ - shiro 1.3.2-5 (bug #1060754)
+ [bullseye] - shiro 1.3.2-4+deb11u1
+ [buster] - shiro 1.3.2-4+deb10u1
NOTE: https://www.openwall.com/lists/oss-security/2024/01/12/2
CVE-2024-0232 (A heap use-after-free issue has been identified in SQLite in the jsonP ...)
- sqlite3 3.43.2-1
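Review bot: the shiro entry is changed from `<unfixed>` to concrete fixed versions (`1.3.2-5`, `1.3.2-4+deb11u1`, `1.3.2-4+deb10u1`) without any NOTE in the tracker recording why those versions fix CVE-2023-46749; the rationale (the blockSemicolon feature introduced by the CVE-2020-13933 fix is enabled by default) lives only in the commit message. Add a NOTE line such as `NOTE: Fixed by the same changes as CVE-2020-13933 (blockSemicolon enabled by default)` so the entry is self-explanatory when read in data/CVE/list alone.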
@@ -4401,6 +4405,7 @@ CVE-2023-7123 (A vulnerability, which was classified as critical, has been found
NOT-FOR-US: SourceCodester Medicine Tracking System
CVE-2023-6879 (Increasing the resolution of video frames, while performing a multi-th ...)
- aom 3.7.1-1
+ [buster] - aom <postponed> (Minor issue)
NOTE: https://crbug.com/aomedia/3491
NOTE: Fixed by: https://aomedia.googlesource.com/aom/+/7ae7bef246e85c8f349513d668b4571c79a43c5c (v3.7.1-rc1)
NOTE: Followup: https://aomedia.googlesource.com/aom/+/24467e8ac3b0f6f5d09457d342327393b8e3da3d (v3.7.1-rc1)
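Review bot: the `[buster] - aom <postponed> (Minor issue)` reason does not mention that the upstream fix consists of two commits (the fix plus the "Followup" both tagged v3.7.1-rc1 in the NOTE lines), which whoever later backports this will need to take together. A reason like `(Minor issue; fix needs both upstream commits)` would preserve that detail next to the marker.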
@@ -7214,6 +7219,7 @@ CVE-2023-50268 (jq is a command-line JSON processor. Version 1.7 is vulnerable t
NOTE: Fixed by: https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b (jq-1.7.1)
CVE-2023-50262 (Dompdf is an HTML to PDF converter for PHP. When parsing SVG images Do ...)
- php-dompdf 2.0.4+dfsg-1 (bug #1058793)
+ [buster] - php-dompdf <not-affected> (SVG images are rejected by default)
NOTE: https://github.com/dompdf/dompdf/security/advisories/GHSA-3qx2-6f78-w2j2
NOTE: https://github.com/dompdf/dompdf/commit/41cbac16f3cf56affa49f06e8dae66d0eac2b593 (v2.0.4)
TODO: check sources embedding php-dompdf if affected
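Review bot: the `[buster] - php-dompdf <not-affected> (SVG images are rejected by default)` verdict rests on a default configuration, and the unchanged `TODO: check sources embedding php-dompdf if affected` line means the same default-setting argument has not yet been confirmed for embedded copies, where the embedding application may configure dompdf differently. The CVE-2021-3902 test case cited in the commit message should also be recorded as a NOTE line here, since it is the evidence for the default behaviour and is otherwise lost.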
@@ -60457,6 +60463,7 @@ CVE-2023-0438 (Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/mo
NOT-FOR-US: Modoboa
CVE-2023-0437 (When calling bson_utf8_validateon some inputs a loop with an exit cond ...)
- mongo-c-driver 1.25.0-1
+ [buster] - mongo-c-driver <ignored> (Minor issue)
NOTE: https://jira.mongodb.org/browse/CDRIVER-4747
CVE-2023-0436 (The affected versions of MongoDB Atlas Kubernetes Operator may print s ...)
NOT-FOR-US: MongoDB Atlas Kubernetes Operator
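Review bot: `[buster] - mongo-c-driver <ignored> (Minor issue)` again pairs the `<ignored>` disposition with a reason indistinguishable from the `<postponed>` entries in this same change. The CVE description (a loop in bson_utf8_validate with an exit condition that is not reached on some inputs) suggests an availability impact; stating why that is not worth a buster update, for instance `(Minor issue; unbounded loop on crafted input, low impact)`, would justify choosing ignored over postponed.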
@@ -90524,7 +90531,7 @@ CVE-2022-41680 (Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQ
CVE-2022-41679 (Forma LMS version 3.1.0 and earlier are affected by an Cross-Site scri ...)
NOT-FOR-US: Forma LMS
CVE-2022-41678 (Once an user is authenticated on Jolokia, he can potentially trigger a ...)
- - activemq 5.17.6+dfsg-1
+ - activemq 5.17.6+dfsg-1 (unimportant)
NOTE: https://lists.apache.org/thread/7g17kwbtjl011mm4tr8bn1vnoq9wh4sl
NOTE: https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt
CVE-2022-41677 (An information disclosure vulnerability was discovered in Bosch IP cam ...)
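Review bot: the `(unimportant)` marker on `- activemq 5.17.6+dfsg-1` is justified only in the commit message (Debian does not ship or use Jolokia, and the assembly module is disabled by default); nothing in the entry itself says so. Add a NOTE line with that rationale, e.g. `NOTE: Jolokia not shipped in Debian; assembly module disabled by default`, so the tracker records why the severity was lowered.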
=====================================
data/dla-needed.txt
=====================================
@@ -30,6 +30,10 @@ ansible
NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca)
NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee
--
+atril
+ NOTE: 20240121: Added by Front-Desk (apo)
+ NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead.
+--
bind9 (Thorsten Alteholz)
NOTE: 20230921: Added by Front-Desk (apo)
--
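Review bot: the new atril entry's second NOTE (`Decide whether it makes sense to disable comic feature or use libarchive instead.`) does not name the CVE that motivates the question, unlike the neighbouring entries in this file that cite their CVE IDs. Adding the relevant CVE reference to the NOTE would let the eventual claimant map the proposed mitigation (dropping the comic backend or switching to libarchive) to the issue it addresses.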
@@ -77,6 +81,12 @@ edk2
NOTE: 20231230: Added by Front-Desk (lamby)
NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release (lamby)
--
+exiftags
+ NOTE: 20240121: Added by Front-Desk (apo)
+--
+freeimage
+ NOTE: 20240121: Added by Front-Desk (apo)
+--
frr (Abhijith PA)
NOTE: 20231119: Added by Front-Desk (apo)
--
@@ -107,6 +117,9 @@ jenkins-htmlunit-core-js
NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may
NOTE: 20231231: … indeed be vulnerable. (lamby)
--
+jinja2
+ NOTE: 20240121: Added by Front-Desk (apo)
+--
keystone (rouca)
NOTE: 20231102: Added by Front-Desk (lamby)
NOTE: 20231102: Sync (eg. CVE-2021-38155) with stable etc. (lamby)
@@ -123,6 +136,9 @@ libreswan
NOTE: 20230909: all due to code refactoring. I intend to package the version
NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo)
--
+libspreadsheet-parsexlsx-perl
+ NOTE: 20240121: Added by Front-Desk (apo)
+--
libssh (Sean Whitton)
NOTE: 20231219: Added by Front-Desk (ta)
NOTE: 20240111: Still working on backporting the patches (spwhitton).
@@ -157,6 +173,9 @@ nova
NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk)
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby)
--
+nss
+ NOTE: 20240121: Added by Front-Desk (apo)
+--
nvidia-cuda-toolkit
NOTE: 20230514: Added by Front-Desk (utkarsh)
NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have
@@ -164,12 +183,18 @@ nvidia-cuda-toolkit
NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html
NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi)
--
+openjdk-11
+ NOTE: 20240121: Added by Front-Desk (apo)
+--
php-phpseclib (guilhem)
NOTE: 20240114: Added by Front-Desk (apo)
--
phpseclib (guilhem)
NOTE: 20240114: Added by Front-Desk (apo)
--
+pillow
+ NOTE: 20240121: Added by Front-Desk (apo)
+--
putty
NOTE: 20231224: Added by Front-Desk (ta)
NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca)
@@ -211,10 +236,16 @@ rails
NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh)
NOTE: 20230828: want to rollout ruby-rack first. (utkarsh)
--
+rear
+ NOTE: 20240121: Added by Front-Desk (apo)
+--
ring
NOTE: 20230903: Added by Front-Desk (gladk)
NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca)
--
+ruby-httparty
+ NOTE: 20240121: Added by Front-Desk (apo)
+--
salt
NOTE: 20220814: Added by Front-Desk (gladk)
NOTE: 20220814: I am not sure, whether it is possible to fix issues
@@ -266,6 +297,9 @@ tinymce
NOTE: 20231216: upstream's patch is backportable, as the code has changed a
NOTE: 20231216: lot. (spwhitton)
--
+tomcat9 (Markus Koschany)
+ NOTE: 20240121: Added by Front-Desk (apo)
+--
varnish (Abhijith PA)
NOTE: 20231117: Added by Front-Desk (apo)
NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b5542d6949246c804483ef72d1d148be52715f83...4ddb296cecf6cc1a89eef1f17df318421127c109