[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jan 29 09:06:48 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4b58d06b by Moritz Muehlenhoff at 2024-01-29T09:59:40+01:00
bookworm/bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -72,18 +72,24 @@ CVE-2024-23506 (Exposure of Sensitive Information to an Unauthorized Actor vulne
 	NOT-FOR-US: WordPress plugin
 CVE-2024-22862 (Integer overflow vulnerability in FFmpeg before n6.1, allows remote at ...)
 	- ffmpeg 7:6.1-1
+	[bookworm] - ffmpeg <not-affected> (jpegxl support added in 6.1)
+	[bullseye] - ffmpeg <not-affected> (jpegxl support added in 6.1)
+	[buster] - ffmpeg <not-affected> (jpegxl support added in 6.1)
 	NOTE: https://github.com/FFmpeg/FFmpeg/commit/ca09d8a0dcd82e3128e62463231296aaf63ae6f7 (n6.1)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62113
-	TODO: check details for older versions
 CVE-2024-22861 (Integer overflow vulnerability in FFmpeg before n6.1, allows attackers ...)
 	- ffmpeg 7:6.1-1
+	[bookworm] - ffmpeg <not-affected> (osq support added in 6.1)
+	[bullseye] - ffmpeg <not-affected> (osq support added in 6.1)
+	[buster] - ffmpeg <not-affected> (osq support added in 6.1)
 	NOTE: https://github.com/FFmpeg/FFmpeg/commit/87b8c1081959e45ffdcbabb3d53ac9882ef2b5ce (n6.1)
-	TODO: check details for older versions
 CVE-2024-22860 (Integer overflow vulnerability in FFmpeg before n6.1, allows remote at ...)
 	- ffmpeg 7:6.1-1
+	[bookworm] - ffmpeg <not-affected> (jpegxl support added in 6.1)
+	[bullseye] - ffmpeg <not-affected> (jpegxl support added in 6.1)
+	[buster] - ffmpeg <not-affected> (jpegxl support added in 6.1)
 	NOTE: https://github.com/FFmpeg/FFmpeg/commit/d2e8974699a9e35cc1a926bf74a972300d629cd5 (n6.1)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61991
-	TODO: check details for older versions
 CVE-2024-22283 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-22147 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
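Review bot: the three `<not-affected>` markers rest on the claim that jpegxl and osq support only arrived in 6.1, but the NOTE lines cite only the fixing commits tagged `(n6.1)`; adding a NOTE pointing at the commit or release that introduced jpegxl and osq support would let the next triager verify the rationale without re-checking upstream git history. Dropping the `TODO: check details for older versions` lines is consistent with that rationale.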
@@ -115,6 +121,8 @@ CVE-2023-6470
 CVE-2023-52389 (UTF32Encoding.cpp in POCO has a Poco::UTF32Encoding integer overflow a ...)
 	[experimental] - poco 1.13.0-1
 	- poco <unfixed>
+	[bookworm] - poco <no-dsa> (Minor issue)
+	[bullseye] - poco <no-dsa> (Minor issue)
 	NOTE: https://pocoproject.org/blog/?p=1226
 	NOTE: https://github.com/pocoproject/poco/issues/4320
 	NOTE: https://github.com/pocoproject/poco/commit/62f875dfe1298041289f926a6a1a39cb765b13ee
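Review bot: `- poco <unfixed>` still carries no Debian bug reference while the new bookworm and bullseye lines settle on `<no-dsa> (Minor issue)`; other `<unfixed>` entries in this patch pair the marker with `(bug #NNNNNN)` (see the python3.11 line in a later hunk), so recording the bug number here would show whether the unstable fix is being tracked.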
@@ -133,7 +141,8 @@ CVE-2024-0444 [GStreamer-SA-2024-0001: AV1 codec parser potential buffer overflo
 	NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5970
 	NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/394d5066f8a7b728df02fe9084e955b2f7d7f6fe (1.22.9)
 CVE-2023-46045 [buffer overflow via a crafted config6a file]
-	- graphviz 2.42.2-8
+	- graphviz 2.42.2-8 (unimportant)
+	NOTE: Crosses no security boundary, config files are under local control
 	NOTE: https://gitlab.com/graphviz/graphviz/-/issues/2441
 	NOTE: Introduced by: https://gitlab.com/graphviz/graphviz/-/commit/cf95714837f06f684929b54659523c2c9b1fc19f (2.38.0)
 	NOTE: Fixed by: https://gitlab.com/graphviz/graphviz/-/commit/361f274ca901c3c476697a6404662d95f4dd43cb
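Review bot: the `(unimportant)` downgrade and the NOTE explaining it are clear, but the `Fixed by:` line in this hunk carries no release tag in parentheses, unlike `Introduced by: ... (2.38.0)`; adding the version that first shipped the fix would show at a glance whether 2.42.2-8 already contains it or would need the commit backported.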
@@ -707,6 +716,8 @@ CVE-2024-23897 (Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disa
 	- jenkins <removed>
 CVE-2024-XXXX [RUSTSEC-2024-0006]
 	- rust-shlex 1.3.0-1
+	[bookworm] - rust-shlex <no-dsa> (Minor issue)
+	[bullseye] - rust-shlex <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0006.html
 	NOTE: https://github.com/comex/rust-shlex/security/advisories/GHSA-r7qv-8r2h-pg27
 CVE-2024-23638 (Squid is a caching proxy for the Web. Due to an expired pointer refere ...)
@@ -53765,10 +53776,10 @@ CVE-2023-27044
 CVE-2023-27043 (The email module of Python through 3.11.3 incorrectly parses e-mail ad ...)
 	- python3.12 <unfixed> (bug #1059299)
 	- python3.11 <unfixed> (bug #1059298)
-	[bookworm] - python3.11 <no-dsa> (Minor issue)
+	[bookworm] - python3.11 <postponed> (Minor issue, wait until upstream has decided whether to backport to older branches)
 	- python3.10 <unfixed>
 	- python3.9 <removed>
-	[bullseye] - python3.9 <no-dsa> (Minor issue)
+	[bullseye] - python3.9 <postponed> (Minor issue, wait until upstream has decided whether to backport to older branches)
 	- python3.7 <removed>
 	[buster] - python3.7 <postponed> (Minor issue)
 	- python2.7 <removed>
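Review bot: the bookworm and bullseye lines now read `<postponed> (Minor issue, wait until upstream has decided whether to backport to older branches)`, but the unchanged buster line keeps the bare `<postponed> (Minor issue)`; aligning the rationale across the three suites, or noting why buster differs, avoids a later triager reading the shorter one as a separate decision.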
@@ -53946,6 +53957,7 @@ CVE-2023-26965 (loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a h
 	NOTE: https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf (v4.5.1rc1)
 CVE-2023-26964 (An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occ ...)
 	- rust-h2 0.3.13-2 (bug #1034723)
+	[bookworm] - rust-h2 <no-dsa> (Minor issue)
 	[buster] - rust-h2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/hyperium/hyper/issues/2877
 	NOTE: https://github.com/hyperium/h2/commit/5bc8e72e5fcbd8ae2d3d9bc78a1c0ef0040bcc39 (v0.3.17)
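Review bot: bookworm gets `[bookworm] - rust-h2 <no-dsa> (Minor issue)` and buster already has the matching line, but there is no `[bullseye]` entry for rust-h2 in this hunk even though the commit is titled bookworm/bullseye triage; either add `[bullseye] - rust-h2 <no-dsa> (Minor issue)` or record why bullseye needs no entry, since the single fixed version 0.3.13-2 does not make that clear.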
@@ -105290,14 +105302,20 @@ CVE-2022-36766
 	RESERVED
 CVE-2022-36765 (EDK2 is susceptible to a vulnerability in the CreateHob() function, al ...)
 	- edk2 2023.11-5 (bug #1060408)
+	[bookworm] - edk2 <no-dsa> (Minor issue)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-ch4w-v7m3-g8wx
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
 CVE-2022-36764 (EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() fun ...)
 	- edk2 2023.11-5 (bug #1060408)
+	[bookworm] - edk2 <no-dsa> (Minor issue)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-4hcq-p8q8-hj8j
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=4118
 CVE-2022-36763 (EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() fu ...)
 	- edk2 2023.11-5 (bug #1060408)
+	[bookworm] - edk2 <no-dsa> (Minor issue)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-xvv8-66cq-prwr
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=4117
 CVE-2022-36762



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b58d06b2a012cb4b09e2829a775e1b51337af69
