[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jan 22 17:16:34 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5e1266ff by Moritz Muehlenhoff at 2024-01-22T18:16:11+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -32,6 +32,8 @@ CVE-2024-0770 (A vulnerability, which was classified as critical, was found in E
 	NOT-FOR-US: European Chemicals Agency EUCLID
 CVE-2023-52354 (chasquid before 1.13 allows SMTP smuggling because LF-terminated lines ...)
 	- chasquid 1.13-1
+	[bookworm] - chasquid <no-dsa> (Minor issue)
+	[bullseye] - chasquid <no-dsa> (Minor issue)
 	NOTE: https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24
 CVE-2023-52353 (An issue was discovered in Mbed TLS through 3.5.1. In mbedtls_ssl_sess ...)
 	- mbedtls <unfixed>
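Review bot: The two added `<no-dsa>` lines for chasquid under CVE-2023-52354 give only "Minor issue" as the reason, which does not say why SMTP smuggling is acceptable to leave unfixed in bookworm and bullseye. The entry already records the fix in 1.13-1 and links the release notes, so a more specific parenthetical, or a NOTE on whether the fix can be backported for a point release, would let the next triager re-check the decision.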
@@ -1043,38 +1045,56 @@ CVE-2021-4432 (A vulnerability was found in PCMan FTP Server 2.0.7. It has been
 	NOT-FOR-US: PCMan FTP Server
 CVE-2023-45237 (EDK2's Network Package is susceptible to a predictable TCP Initial Seq ...)
 	- edk2 <unfixed> (bug #1061256)
+	[bookworm] - edk2 <no-dsa> (Minor issue)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
 	NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2
 CVE-2023-45236 (EDK2's Network Package is susceptible to a predictable TCP Initial Seq ...)
 	- edk2 <unfixed> (bug #1061256)
+	[bookworm] - edk2 <no-dsa> (Minor issue)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
 	NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2
 CVE-2023-45235 (EDK2's Network Package is susceptible to a buffer overflow vulnerabili ...)
 	- edk2 <unfixed> (bug #1061256)
+	[bookworm] - edk2 <no-dsa> (Minor issue)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
 	NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2
 CVE-2023-45234 (EDK2's Network Package is susceptible to a buffer overflow vulnerabili ...)
 	- edk2 <unfixed> (bug #1061256)
+	[bookworm] - edk2 <no-dsa> (Minor issue)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
 	NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2
 CVE-2023-45233 (EDK2's Network Package is susceptible to an infinite lop vulnerability ...)
 	- edk2 <unfixed> (bug #1061256)
+	[bookworm] - edk2 <no-dsa> (Minor issue)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
 	NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2
 CVE-2023-45232 (EDK2's Network Package is susceptible to an infinite loop vulnerabilit ...)
 	- edk2 <unfixed> (bug #1061256)
+	[bookworm] - edk2 <no-dsa> (Minor issue)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
 	NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2
 CVE-2023-45231 (EDK2's Network Package is susceptible to an out-of-bounds read  vulner ...)
 	- edk2 <unfixed> (bug #1061256)
+	[bookworm] - edk2 <no-dsa> (Minor issue)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
 	NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2
 CVE-2023-45230 (EDK2's Network Package is susceptible to a buffer overflow vulnerabili ...)
 	- edk2 <unfixed> (bug #1061256)
+	[bookworm] - edk2 <no-dsa> (Minor issue)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
 	NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2
 CVE-2023-45229 (EDK2's Network Package is susceptible to an out-of-bounds read  vulner ...)
 	- edk2 <unfixed> (bug #1061256)
+	[bookworm] - edk2 <no-dsa> (Minor issue)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
 	NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2
 CVE-2023-6395 (The Mock software contains a vulnerability wherein an attacker could p ...)
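Review bot: All nine edk2 entries (CVE-2023-45229 through CVE-2023-45237) receive the same `<no-dsa> (Minor issue)` pair, although the descriptions range from predictable TCP initial sequence numbers to buffer overflows in the Network Package (CVE-2023-45230, CVE-2023-45234, CVE-2023-45235). The buffer overflow entries should carry their own stated reason rather than the blanket "Minor issue". If the judgement rests on how the network stack is exposed in the Debian builds, record that in a NOTE so it can be revisited once bug #1061256 is resolved.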
@@ -1392,6 +1412,8 @@ CVE-2024-0481 (A vulnerability was found in Taokeyun up to 1.0.5. It has been ra
 	NOT-FOR-US: Taokeyun
 CVE-2024-23301 (Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable init ...)
 	- rear <unfixed> (bug #1060747)
+	[bookworm] - rear <no-dsa> (Minor issue)
+	[bullseye] - rear <no-dsa> (Minor issue)
 	NOTE: https://github.com/rear/rear/issues/3122
 	NOTE: https://github.com/rear/rear/pull/3123
 	NOTE: https://github.com/rear/rear/commit/89b61793d80bc2cb2abe47a7d0549466fb087d16
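Review bot: The rear lines for CVE-2024-23301 are tagged `<no-dsa> (Minor issue)` while the NOTE lines directly below already point to an upstream pull request and commit. With a fix available upstream and sid still `<unfixed>` under bug #1060747, the parenthetical should say whether the fix is meant to reach bookworm and bullseye through a point release or not at all.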
@@ -2370,21 +2392,33 @@ CVE-2023-48864 (SEMCMS v4.8 was discovered to contain a SQL injection vulnerabil
 	NOT-FOR-US: SEMCMS
 CVE-2023-47997 (An issue discovered in BitmapAccess.cpp::FreeImage_AllocateBitmap in F ...)
 	- freeimage <unfixed> (bug #1060691)
+	[bookworm] - freeimage <postponed> (Revisit when fixed upstream)
+	[bullseye] - freeimage <postponed> (Revisit when fixed upstream)
 	NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47997
 CVE-2023-47996 (An integer overflow vulnerability in Exif.cpp::jpeg_read_exif_dir in F ...)
 	- freeimage <unfixed> (bug #1060691)
+	[bookworm] - freeimage <postponed> (Revisit when fixed upstream)
+	[bullseye] - freeimage <postponed> (Revisit when fixed upstream)
 	NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47996
 CVE-2023-47995 (Buffer Overflow vulnerability in BitmapAccess.cpp::FreeImage_AllocateB ...)
 	- freeimage <unfixed> (bug #1060862)
+	[bookworm] - freeimage <postponed> (Revisit when fixed upstream)
+	[bullseye] - freeimage <postponed> (Revisit when fixed upstream)
 	NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47995
 CVE-2023-47994 (An integer overflow vulnerability in LoadPixelDataRLE4 function in Plu ...)
 	- freeimage <unfixed> (bug #1060691)
+	[bookworm] - freeimage <postponed> (Revisit when fixed upstream)
+	[bullseye] - freeimage <postponed> (Revisit when fixed upstream)
 	NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47994
 CVE-2023-47993 (A Buffer out-of-bound read vulnerability in Exif.cpp::ReadInt32 in Fre ...)
 	- freeimage <unfixed> (bug #1060691)
+	[bookworm] - freeimage <postponed> (Revisit when fixed upstream)
+	[bullseye] - freeimage <postponed> (Revisit when fixed upstream)
 	NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47993
 CVE-2023-47992 (An integer overflow vulnerability in FreeImageIO.cpp::_MemoryReadProc  ...)
 	- freeimage <unfixed> (bug #1060691)
+	[bookworm] - freeimage <postponed> (Revisit when fixed upstream)
+	[bullseye] - freeimage <postponed> (Revisit when fixed upstream)
 	NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47992
 CVE-2023-41781 (There is a Cross-sitescripting (XSS) vulnerability in ZTE MF258. Due t ...)
 	NOT-FOR-US: ZTE
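Review bot: The twelve `<postponed> (Revisit when fixed upstream)` lines for freeimage give no pointer to where an upstream fix would appear, while each entry's only NOTE links a public proof-of-concept repository. A NOTE with the upstream report or tracker location for CVE-2023-47992 through CVE-2023-47997 would make "revisit" actionable. CVE-2023-47995 also references bug #1060862 while the other five use #1060691, so both bugs need watching.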
@@ -3791,6 +3825,8 @@ CVE-2015-10128 (A vulnerability was found in rt-prettyphoto Plugin up to 1.2 on
 	NOT-FOR-US: WordPress plugin
 CVE-2023-6693 (A stack based buffer overflow was found in the virtio-net device of QE ...)
 	- qemu 1:8.2.0+ds-3
+	[bookworm] - qemu <no-dsa> (Minor issue)
+	[bullseye] - qemu <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2254580
 	NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/e22f0603fb2fc274920a9e3a1d1306260b9a4cc4 (v5.1.0-rc0)
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg00045.html
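Review bot: The `[bullseye] - qemu <no-dsa> (Minor issue)` line presumes that bullseye's qemu contains the vulnerable virtio-net code, but the NOTE below states the bug was introduced by commit e22f0603fb2fc274920a9e3a1d1306260b9a4cc4 (v5.1.0-rc0). Please confirm that the bullseye version is at or after that release. If it predates it, the entry should be `<not-affected>` with a reason such as "Vulnerable code not present" instead.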


=====================================
data/dsa-needed.txt
=====================================
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source package.
 
+--
+atril
 --
 cacti
 --
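Review bot: The new `atril` entry has no release suffix, no uid and no annotation, and none of the data/CVE/list hunks in this commit touch an atril entry, so the diff alone does not show which issue prompted it. An indented line under the entry naming the CVE, in the way the nbconvert/oldstable entry carries a status line, would help whoever picks it up. A release suffix should be added if only one release needs the update.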
@@ -36,6 +38,10 @@ linux (carnil)
 nbconvert/oldstable
   Guilhem Moulin proposed an update ready for review
 --
+openjdk-11/oldstable (jmm)
+--
+openjdk-17 (jmm)
+--
 php-cas/oldstable
 --
 php-dompdf-svg-lib/stable
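Review bot: `openjdk-11/oldstable (jmm)` is scoped to one release while `openjdk-17 (jmm)` carries no suffix, which under the file's own rule ("specify the release by adding a slash after the name") reads as an update for every supported release. Please confirm that is intended for openjdk-17, and consider an indented line under each entry naming the issues being addressed, since no openjdk entry appears in the data/CVE/list hunks of this commit.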



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e1266ff93556e178c24e8e69d6c3e68de508496
