[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Jan 26 14:23:05 GMT 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
bd6ce902 by Moritz Muehlenhoff at 2024-01-26T14:42:49+01:00
bookworm/bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -111,6 +111,8 @@ CVE-2023-48126 (An issue in Luxe Beauty Clinic mini-app on Line v13.6.1 allows a
NOT-FOR-US: Luxe Beauty Clinic mini-app on Line
CVE-2024-0914
- opencryptoki <unfixed>
+ [bookworm] - opencryptoki <no-dsa> (Minor issue)
+ [bullseye] - opencryptoki <no-dsa> (Minor issue)
NOTE: https://github.com/opencryptoki/opencryptoki/issues/731
NOTE: https://github.com/opencryptoki/opencryptoki/pull/737
NOTE: https://github.com/opencryptoki/opencryptoki/commit/2ea019ee2b09f15724d808382d53baca03403288
@@ -227,11 +229,15 @@ CVE-2023-5675
NOT-FOR-US: Quarkus
CVE-2023-52356 (A segment fault (SEGV) flaw was found in libtiff that could be trigger ...)
- tiff <unfixed> (bug #1061524)
+ [bookworm] - tiff <no-dsa> (Minor issue)
+ [bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/622
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/546
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a
CVE-2023-52355 (An out-of-memory flaw was found in libtiff that could be triggered by ...)
- tiff <unfixed>
+ [bookworm] - tiff <no-dsa> (Minor issue)
+ [bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/621
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/553
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4
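Review bot: CVE-2023-52355 carries no Debian bug reference, while the sibling entry CVE-2023-52356 is tracked as `- tiff <unfixed> (bug #1061524)`; if the out-of-memory issue has or gets its own BTS report, adding `(bug #NNNN)` to the `- tiff <unfixed>` line keeps the two libtiff entries consistent. The `<no-dsa> (Minor issue)` annotations for bookworm and bullseye match between the two entries.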
@@ -275,9 +281,12 @@ CVE-2024-23641 (SvelteKit is a web development kit. In SvelteKit 2, sending a GE
NOT-FOR-US: SvelteKit
CVE-2024-22725 (Orthanc versions before 1.12.2 are affected by a reflected cross-site ...)
- orthanc 1.12.2+dfsg-1
+ [bookworm] - orthanc <no-dsa> (Minor issue)
+ [bullseye] - orthanc <no-dsa> (Minor issue)
NOTE: https://orthanc.uclouvain.be/hg/orthanc/rev/505416b269a0
CVE-2024-22720 (Kanboard 1.2.34 is vulnerable to Html Injection in the group managemen ...)
- kanboard <unfixed>
+ [bookworm] - kanboard <no-dsa> (Minor issue)
NOTE: https://cupc4k3.medium.com/html-injection-vulnerability-in-kanboard-group-management-d9fe5154bb1b
CVE-2024-22651 (There is a command injection vulnerability in the ssdpcgi_main functio ...)
NOT-FOR-US: D-Link
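Review bot: kanboard receives only a `[bookworm] - kanboard <no-dsa> (Minor issue)` line, whereas every other package in this push gets both a bookworm and a bullseye annotation; if src:kanboard is not in bullseye that is expected, but a matching `[bullseye]` line (or a NOTE stating the package is absent there) would make the triage explicit for the next reader. The orthanc entry is consistent: fixed in 1.12.2+dfsg-1 with both stable suites marked no-dsa.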
@@ -316,22 +325,33 @@ CVE-2023-52039 (An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 al
CVE-2023-52038 (An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows a ...)
NOT-FOR-US: TOTOLINK
CVE-2023-51890 (An infinite loop issue discovered in Mathtex 1.05 and before allows a ...)
- - mathtex <unfixed> (bug #1061520)
+ - mathtex <unfixed> (bug #1061520; unimportant)
+ NOTE: Hang in CLI tool, no security impact
NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/
CVE-2023-51889 (Stack Overflow vulnerability in the validate() function in Mathtex v.1 ...)
- mathtex <unfixed> (bug #1061520)
+ [bookworm] - mathtex <no-dsa> (Minor issue)
+ [bullseye] - mathtex <no-dsa> (Minor issue)
NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/
CVE-2023-51888 (Buffer Overflow vulnerability in the nomath() function in Mathtex v.1. ...)
- mathtex <unfixed> (bug #1061520)
+ [bookworm] - mathtex <no-dsa> (Minor issue)
+ [bullseye] - mathtex <no-dsa> (Minor issue)
NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/
CVE-2023-51887 (Command Injection vulnerability in Mathtex v.1.05 and before allows a ...)
- mathtex <unfixed> (bug #1061520)
+ [bookworm] - mathtex <no-dsa> (Minor issue)
+ [bullseye] - mathtex <no-dsa> (Minor issue)
NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/
CVE-2023-51886 (Buffer Overflow vulnerability in the main() function in Mathtex 1.05 a ...)
- mathtex <unfixed> (bug #1061520)
+ [bookworm] - mathtex <no-dsa> (Minor issue)
+ [bullseye] - mathtex <no-dsa> (Minor issue)
NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/
CVE-2023-51885 (Buffer Overflow vulnerability in Mathtex v.1.05 and before allows a re ...)
- mathtex <unfixed> (bug #1061520)
+ [bookworm] - mathtex <no-dsa> (Minor issue)
+ [bullseye] - mathtex <no-dsa> (Minor issue)
NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/
CVE-2023-51702 (Since version 5.2.0, when using deferrable mode with the path of a Kub ...)
- airflow <itp> (bug #819700)
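Review bot: CVE-2023-51890 gains a NOTE explaining its unimportant rating (hang in a CLI tool), but the five remaining mathtex entries, including the command injection CVE-2023-51887, are marked `<no-dsa> (Minor issue)` with no rationale beyond the shared fuzzing blog link; a one-line NOTE on why the command injection is considered minor, in the same style as the CVE-2023-51890 note, would make these decisions reviewable later without re-reading the upstream report.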
@@ -775,9 +795,11 @@ CVE-2024-23675 (In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app
CVE-2024-23345 (Nautobot is a Network Source of Truth and Network Automation Platform ...)
NOT-FOR-US: Nautobot
CVE-2024-23342 (The `ecdsa` PyPI package is a pure Python implementation of ECC (Ellip ...)
- - python-ecdsa <unfixed>
+ - python-ecdsa <unfixed> (unimportant)
NOTE: https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp
NOTE: https://minerva.crocs.fi.muni.cz/
+ NOTE: Side channel attacks not covered by their security policy:
+ NOTE: https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md
CVE-2024-23340 (@hono/node-server is an adapter that allows users to run Hono applicat ...)
NOT-FOR-US: Hono
CVE-2024-23339 (hoolock is a suite of lightweight utilities designed to maintain a sma ...)
@@ -927,6 +949,8 @@ CVE-2024-23750 (MetaGPT through 0.6.4 allows the QaEngineer role to execute arbi
NOT-FOR-US: MetaGPTLlamaIndex
CVE-2024-23744 (An issue was discovered in Mbed TLS 3.5.1. There is persistent handsha ...)
- mbedtls <unfixed>
+ [bookworm] - mbedtls <no-dsa> (Minor issue)
+ [bullseye] - mbedtls <no-dsa> (Minor issue)
NOTE: https://github.com/Mbed-TLS/mbedtls/issues/8694
NOTE: https://github.com/Mbed-TLS/mbedtls/pull/8595
CVE-2024-22113 (Open redirect vulnerability in Access analysis CGI An-Analyzer release ...)
@@ -953,6 +977,8 @@ CVE-2023-52354 (chasquid before 1.13 allows SMTP smuggling because LF-terminated
NOTE: https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24
CVE-2023-52353 (An issue was discovered in Mbed TLS through 3.5.1. In mbedtls_ssl_sess ...)
- mbedtls <unfixed>
+ [bookworm] - mbedtls <no-dsa> (Minor issue)
+ [bullseye] - mbedtls <no-dsa> (Minor issue)
NOTE: https://github.com/Mbed-TLS/mbedtls/issues/8654
CVE-2023-47352 (Technicolor TC8715D devices have predictable default WPA2 security pas ...)
NOT-FOR-US: Technicolor
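Review bot: CVE-2023-52353 references only the upstream issue (mbedtls issues/8654), unlike CVE-2024-23744 earlier in this push, which also links the fixing pull request; once the fix lands, a second NOTE with the commit or PR URL makes the `<no-dsa>` decision easier to revisit for a bookworm or bullseye point update.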
@@ -1286,6 +1312,7 @@ CVE-2023-32337 (IBM Maximo Spatial Asset Management 8.10 is vulnerable to server
NOT-FOR-US: IBM
CVE-2024-0690 [possible information leak in tasks that ignore ANSIBLE_NO_LOG configuration]
- ansible-core <unfixed> (bug #1061156)
+ [bookworm] - ansible-core <no-dsa> (Minor issue)
- ansible 5.4.0-1
[bullseye] - ansible <no-dsa> (Minor issue)
NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in experimental/5.4.0-1 in sid
@@ -61510,6 +61537,8 @@ CVE-2023-0438 (Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/mo
NOT-FOR-US: Modoboa
CVE-2023-0437 (When calling bson_utf8_validateon some inputs a loop with an exit cond ...)
- mongo-c-driver 1.25.0-1
+ [bookworm] - mongo-c-driver <no-dsa> (Minor issue)
+ [bullseye] - mongo-c-driver <no-dsa> (Minor issue)
[buster] - mongo-c-driver <ignored> (Minor issue)
NOTE: https://jira.mongodb.org/browse/CDRIVER-4747
CVE-2023-0436 (The affected versions of MongoDB Atlas Kubernetes Operator may print s ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -37,6 +37,7 @@ nbconvert/oldstable
Guilhem Moulin proposed an update ready for review
--
openjdk-17 (jmm)
+ latest release needs backport of jtreg7 for bookworm
--
php-cas/oldstable
--
@@ -89,6 +90,8 @@ squid (apo)
--
varnish
--
+zabbix
+--
zbar (carnil)
Prepared update but needs some additional testing before the release
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd6ce902fa291fdf1f91df60c2c26ba72b8c2722