[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jan 29 15:22:55 GMT 2024 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
852a6b96 by Moritz Muehlenhoff at 2024-01-29T16:22:12+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1444,6 +1444,8 @@ CVE-2024-22562 (swftools 0.9.2 was discovered to contain a Stack Buffer Underflo
 	NOTE: https://github.com/matthiaskramm/swftools/issues/210
 CVE-2024-22211 (FreeRDP is a set of free and open source remote desktop protocol libra ...)
 	- freerdp2 <unfixed> (bug #1061173)
+	[bookworm] - freerdp2 <no-dsa> (Minor issue)
+	[bullseye] - freerdp2 <no-dsa> (Minor issue)
 	[buster] - freerdp2 <postponed> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rjhp-44rv-7v59
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/939e922936e9c3ae8fc204968645e5e7563a2fff (3.2.0)
@@ -2808,6 +2810,7 @@ CVE-2023-46749 (Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible
 	NOTE: https://www.openwall.com/lists/oss-security/2024/01/12/2
 CVE-2024-0232 (A heap use-after-free issue has been identified in SQLite in the jsonP ...)
 	- sqlite3 3.43.2-1
+	[bookworm] - sqlite3 <no-dsa> (Minor issue)
 	[bullseye] - sqlite3 <not-affected> (Vulnerable code not present)
 	[buster] - sqlite3 <not-affected> (Vulnerable code not present)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2243754
@@ -2856,9 +2859,11 @@ CVE-2023-51790 (Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a r
 	- piwigo <removed>
 CVE-2023-49569 (A path traversal vulnerability was discovered in go-git versions prior ...)
 	- golang-github-go-git-go-git <unfixed> (bug #1060701)
+	[bookworm] - golang-github-go-git-go-git <no-dsa> (Minor issue)
 	NOTE: https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88
 CVE-2023-49568 (A denial of service (DoS) vulnerability was discovered in go-git versi ...)
 	- golang-github-go-git-go-git <unfixed> (bug #1060701)
+	[bookworm] - golang-github-go-git-go-git <no-dsa> (Minor issue)
 	NOTE: https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r
 CVE-2023-49262 (The authentication mechanism can be bypassed by overflowing the value  ...)
 	NOT-FOR-US: Hongdian
@@ -3228,6 +3233,8 @@ CVE-2023-51748 (ScaleFusion 10.5.2 does not properly limit users to the Edge app
 	NOT-FOR-US: ScaleFusion
 CVE-2023-50671 (In exiftags 1.01, nikon_prop1 in nikon.c has a heap-based buffer overf ...)
 	- exiftags <unfixed> (bug #1060753)
+	[bookworm] - exiftags <no-dsa> (Minor issue)
+	[bullseye] - exiftags <no-dsa> (Minor issue)
 	NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-exiftags/
 CVE-2023-50159 (In ScaleFusion (Windows Desktop App) agent 10.5.2, Kiosk mode applicat ...)
 	NOT-FOR-US: ScaleFusion
@@ -5779,6 +5786,8 @@ CVE-2023-7123 (A vulnerability, which was classified as critical, has been found
 	NOT-FOR-US: SourceCodester Medicine Tracking System
 CVE-2023-6879 (Increasing the resolution of video frames, while performing a multi-th ...)
 	- aom 3.7.1-1
+	[bookworm] - aom <no-dsa> (Minor issue)
+	[bullseye] - aom <no-dsa> (Minor issue)
 	[buster] - aom <postponed> (Minor issue)
 	NOTE: https://crbug.com/aomedia/3491
 	NOTE: Fixed by: https://aomedia.googlesource.com/aom/+/7ae7bef246e85c8f349513d668b4571c79a43c5c (v3.7.1-rc1)
@@ -18260,7 +18269,6 @@ CVE-2023-45146 (XXL-RPC is a high performance, distributed RPC framework. With i
 CVE-2023-45145 (Redis is an in-memory database that persists on disk. On startup, Redi ...)
 	{DLA-3627-1}
 	- redis 5:7.0.14-1 (bug #1054225)
-	[bookworm] - redis <no-dsa> (Minor issue)
 	[bullseye] - redis <no-dsa> (Minor issue)
 	NOTE: https://github.com/redis/redis/security/advisories/GHSA-ghmp-889m-7cvx
 	NOTE: https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1 (unstable)
@@ -24767,7 +24775,6 @@ CVE-2023-41327 (WireMock is a tool for mocking HTTP services. WireMock can be co
 	NOT-FOR-US: WireMock
 CVE-2023-41053 (Redis is an in-memory database that persists on disk. Redis does not c ...)
 	- redis 5:7.0.13-1 (bug #1051512)
-	[bookworm] - redis <no-dsa> (Minor issue)
 	[bullseye] - redis <not-affected> (Vulnerable code introduced later)
 	[buster] - redis <not-affected> (Vulnerable code introduced later)
 	NOTE: Introduced after: https://github.com/redis/redis/commit/55c81f2cd3da82f9f570000875e006b9046ddef3 (7.0-rc1)
@@ -32981,7 +32988,6 @@ CVE-2023-36825 (Orchid is a Laravel package that allows application development
 	NOT-FOR-US: Decidim
 CVE-2023-36824 (Redis is an in-memory database that persists on disk. In Redit 7.0 pri ...)
 	- redis 5:7.0.12-1 (bug #1040879)
-	[bookworm] - redis <no-dsa> (Minor issue)
 	[bullseye] - redis <not-affected> (Vulnerable code introduced later)
 	[buster] - redis <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/redis/redis/security/advisories/GHSA-4cfx-h9gq-xpx3
@@ -139571,7 +139577,6 @@ CVE-2022-24835
 	RESERVED
 CVE-2022-24834 (Redis is an in-memory database that persists on disk. A specially craf ...)
 	- redis 5:7.0.12-1
-	[bookworm] - redis <no-dsa> (Minor issue)
 	[bullseye] - redis <no-dsa> (Minor issue)
 	[buster] - redis <no-dsa> (Minor issue)
 	NOTE: https://raw.githubusercontent.com/redis/redis/7.0/00-RELEASENOTES
@@ -335209,6 +335214,7 @@ CVE-2019-9514 (Some HTTP/2 implementations are vulnerable to a reset flood, pote
 	- trafficserver 8.0.5+ds-1 (bug #934887)
 	- h2o 2.2.5+dfsg2-3 (bug #934886)
 	- rust-h2 <unfixed>
+	[bookworm] - rust-h2 <no-dsa> (Minor issue)
 	NOTE: Issue: https://github.com/golang/go/issues/33606
 	NOTE: https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2 (golang-1.11)
 	NOTE: https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c (golang-1.12)


=====================================
data/dsa-needed.txt
=====================================
@@ -57,6 +57,8 @@ python3.9/oldstable
 --
 python-asyncssh
 --
+redis/stable (jmm)
+--
 redmine/stable
 --
 ring



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/852a6b96849477b932071282802cfa3129b25e53

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/852a6b96849477b932071282802cfa3129b25e53
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240129/cf65de28/attachment.htm>

More information about the debian-security-tracker-commits mailing list